David Leys* believes one of the important factors in the discussion of cyber governance of countries, is the question of real understanding of exposure of organizations and companies to cyber security issues in countries.
Asr-e-Ertebat as the first and oldest weekly ICT Area in Iran had an interview with him about countries and boundaries of cyber governance.
by Farahnaz Sepehri
* Basically, what factors are important in the discussion of cyber governance of countries?
To begin with, one of the important factors in the discussion of cyber governance of countries, is the question of real understanding of exposure of organizations and companies to cyber security issues in countries. Companies and organizations are important players in countries. They must test their cybersecurity infrastructures to the potential risks of their daily business. They must also allocate part of their budget to appropriate resources and leadership in cybersecurity. They must have a management that is aware of such issues.It is crucial for the viability of their business on the long-term to predict cybersecurity threats and to tackle them quickly and efficiently. In addition, the Parliaments of the countries must adopt regulations in cyber governance taking into consideration the specificities of each industry. The private sector must be supported by the public sector and vice versa.
* Does cyber governance require a country to comply with technology giants? If not, then will that country face restrictions?
As a qualified lawyer of Belgium, I do not think about cyber governance at national level but more at European level. The European Union adopted the General Data Protection Regulation (GDPR) which directly applies in the 27 Member States. It means that the Parliaments of these countries cannot adopt any national laws in cyber governance. Professor Anu Bradford talks about the Brussels effect. The European Union (EU) is powerful from a legal point of view. Most of the companies on earth must respect the GDPR as it applies to them when they sell products or services to individuals who are in the EU. The same applies for companies who have their registered office in the EU. The GDPR applies also to technology giants. There is no distinction between small and medium companies with technology giants. If they do not comply with the GDPR, they will need to pay fines that can go up to 4% of their turnover or 20 million euro. The EU countries would not face restrictions from technology giants if they do not comply with their practices because they are protected by the GDPR which has strong legitimacy worldwide. Technology giants lost their power to impose individuals to voluntarily waivetheirrights regarding personal data. The rights of individuals have precedence to the power of technology giants. The European Commission, which takes care of the enforcement of the GDPR, will not hesitate to impose fines to technology giants which are dependent on the customers in the EU. Technology giants do not have much leeway in this field.
* In your opinion, the general data protection regulations of the European Union or in the United States, where a document has been prepared in this regard, should these regulations be followed in other countries, for example, in Asia? Or if they have their own regulations, will these things lead to restrictions?
As explained above, the GDPR applies to any company on earth that sells products and / or services to individuals in the EU. The countries themselves do not need to comply with the GDPR but the public authorities, the companies and the organizations in the countries which are not members of the European Union must respect the GDPR. If they do not, they will be fined. For instance, the EU created the EU Agency for cybersecurity (ENISA). This agency has the mandate to prepare specific certification schemes for cybersecurity. Companies must get these certifications if they want to get EU customers and be trusted by EU individuals in general.
* In your opinion, what are the limits and boundaries of cyber governance by countries and how should it be applied?
In my opinion, countries must apply cyber governance practices that are proportionate and legal. Countries must adopt laws that ensure companies to detect cyber incidents efficiently. Companies need organizational and technical support from the public sector. After the covid-pandemic, remote workers have beenthe target for cybercriminals.Cloud breaches will increase tremendously in the coming years. The same goes for IoT devices that will become more vulnerable to cyberattacks as 5G increases bandwidth to connected devices. The authorities of the countries should ensure cyber security, meaning to make sure that personal data, including sensitive data, are not stolen. This mission should not allow countries to limit the production of data and control the content of the data.
* Some believe that cyber governance is seen as the end of the open and free internet, and on the other hand, countries have their own rules and excuses for nationalizing the internet. How you think maintaining freedom of expression and at the same time protecting the rights of citizens and exercising national governance in the cyberspace should be balanced.
The freedom of expression may be restricted in limited cases when the rights of the citizens are in danger. Any measure restricting freedom of expression must be justified. The measure must be prescribed by law, needs to pursue legitimate aims and must be necessary and proportional to the legitimate aim pursued.
For instance, there is the famous Google case from the Court of justice of the European Union (CJEU). On March 5, 2010, a Spanish citizen, lodged with the Spanish Data Protection Agency (AEPD) a complaint against La VanguardiaEdiciones SL, a Spanish newspaper, and Google Spain and Google Inc. The Spanish citizen complained that the reference to an old auction notice of his repossessed home for the recovery of social security debts on the results of Google was entirely irrelevant as it was outdated. According to him, his privacy rights were infringed. To this aim, he requested before the AEPD that the newspaper removes or alters the pages containing his personal data. Moreover, he requested that Google removes its personal data in the search results.
On July 30, 2010, AEPD decided to reject the complaint of the Spanish citizen against the newspaper since the publication containing the information was legally justified following an order of the Spanish Ministry of Labor and Social Affairs. But AEPD upheld the complaint against Google. AEPD requested that they remove the personal data related to the Spanish citizen in the search results.
Google appealed the decision of the AEPD before the National High Court of Spain that referred the case to the CJEU by asking (1) whether the Data Protection Directive (nowadays GDPR) applied to search engines such as Google; (2) whether the Directive applied to Google Spain, given that the company’s data processing server was in the United States; and (3) whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine.
On May 13, 2014, the CJEU replied to the three questions of the National High Court of Spain. First, the CJEU confirmed that the Data Protection Directive applies to internet search engines such as Google since they are controllers of personal data. Second, the CJEU decided that even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State (territoriality principle). Third, the CJEU confirmed that an individual has a right to be forgotten when its personal data are inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing.In this context, internet search engines such as Google must assess deletion requests from data subjects on a case-by-case basis.
Nowadays, “the Internet does not forget” and “You are what Google says you are.” “Our pasts are becoming etched like a tattoo into our digital skins.” John Hendel pointed out that “We live naked on the Internet… in a brave new world where our data lives forever.” “The past is no longer the past, but an everlasting present.”The generalized application of the right to be forgotten in all cases could potentially enhance the power of companies such as Google. They will need to decide which information may potentially impede the right to be forgotten of private individuals. They would need to implement automatic filters and scans which delete personal information before an individual request the deletion of his or her personal data. This could lead to censorship.
I am convinced that a tailor-made assessment is more respectful of the fundamental rights. At the end of the day, the right to be forgotten included in the right to privacy and the freedom of expression are both valuable rights. What matters in practice is that the outcome of a case is fair both for the individuals and the society as a whole.
* About DAVID LEYS, Qualified Lawyer of the Brussels Bar
Having worked at major international law firms in Brussels, David Leys brings an international perspective towards privacy, IP, entertainment, antitrust and trade.
Having attended twice the Marché du Film at the Festival of Cannes, he has experience in licensing, partnerships and NDAs for companies in the cultural and creative sectors. He has also pleaded before trial and appeal courts in Belgium for companies in commercial and IP laws.
Moreover, he advises and represents governments, Fortune Global 500 companies, and associations with respect to privacy and international trade.
With an interest in technologies, energy and the arts, his other notable projects included dealing with an EU merger for Fortune 500 company and conducting due diligence for an IPO.
 Megan Angelo, You Are What Google Says You Are, WIRED (Feb. 11, 2009), available at http://www.wired.com/business/2009/02/you-are-what-go/.
Id., at 416.
 John Hendel, In Europe, a Right to Be Forgotten Trumps the Memory of the Internet, THE ATLANTIC (Feb. 3, 2011), available at http://www.theatlantic.com/technology/archive/2011/02/in-europe-a-right-to-be-forgottentrumps-the-memory-of-the-internet/70643/.
 Norberto Nuno Gomes de Andrade, Oblivion: The Right to Be Different … from Oneself Reproposing the Right to Be Forgotten, 2012.