[gnso-rds-pdp-data] Summary of Article 29 - Data Protection Working Party

Richard Padilla padilla.richard at gmail.com
Thu Apr 14 00:23:00 UTC 2016


Dear all,

As I hadn't properly defined the summary I produced, here is a revised copy of
my summary.

After reviewing the documents in the section above the following can be
summarised as follows:

There has been enough discussion on, if I can call it that, the maintenance of
how data should be kept according to the laws of various countries, as
all have different laws that more or less try to do the same thing in
different words and explanations. For example:

Opinion 5/2000 - The use of Public Directories for Reverse or
Multi-criteria Searching Services


   1. Directive 95/46/EC - the protection of individuals
   with regard to the processing of the personal data, in Article 6.1 b),
   which establishes that personal data must be "collected
   for specified, explicit and legitimate purpose and not further processed in
   a way incompatible with those purposes".
   2. Note the purpose of conventional telephone directories is
   the disclosure of subscriber's telephone number starting from the knowledge
   of subscriber's name and that its use is limited to that specific purpose.
   3. Must establish the balance of interests, the interests and risks
   to privacy at stake have to be identified and evaluated. Directive 97/66/EC
   gives helpful indications: as long as the minimum information necessary to
   identify a subscriber is at stake, thus this information can be included in
   conventional public directories unless the subscriber objects. It must be
   considered that the interest of the individual in being protected override
   the interests of controller or third parties. Therefore such processing is
   only legitimate if the individual has given his/her informed consent prior
   to any inclusion of his/her personal data in public directories for
   reverse or multi-criteria searches.
   4. Specific and informed consent of the subscriber must be obtained
   prior to the inclusion of his personal data into all kinds of public
   directories which include all type of communication devices used for
   reverse or multi-criteria searches. There must be some given consent on how
   personal data can be used.
   5. As most conclusions regard the directives of the EC previous WP
   on the Protection of Individuals with regards to protection of data takes
   the position that processing of said personal data in
   reverse directories or multi-criteria searching services
   without unambiguous and informed consent by subscriber is unfair and
   unlawful. Thus fully implementing and accepting the EC proposal
   for draft directive on processing personal data.

Opinion 4/2001 - On the Council of Europe's Draft Convention on
Cyber-Crime


   1. Article 15 of draft Convention could create the impression
   that the protection of human rights shall only be considered when it is
   "due" and shall only be "adequate". It can be seen as limiting the safeguards
   and procedures; it would considerably lower, if not fully undermine, the
   protection of fundamental rights.
   2. Finally with several EU countries implementing Directive
   95/46/EC shows that national laws require that personal data can in principle
   only be sent to non-EU countries if this country does provide an
   adequate level of protection of individuals with regard to the processing
   of their personal data. The level of protection in these countries must be
   checked. Otherwise if no adequate protection on offer in third country then
   transfer of personal data may nevertheless be necessary to fight against
   crime.

Adopted 30/2002 - Working document on determining the international
application of EU data protection law to personal data processing on the
Internet by non-EU based web site

In all these cases, the application of EU data protection law means among
other things the following:


   1. With a view to making the collection of personal data fair and
   lawful, the controller has to clearly define the purpose of the processing.
   2. The controller has also to ensure that the data are adequate,
   relevant and not excessive in relation to the purpose for which they are
   collected.
   3. The collection must be based on a legitimate ground (unambiguous
   consent, performance of a contract, compliance with a legal obligation, in
   pursuance of legitimate interests of the controller etc.) and the
   individual has the right of access to and the rectification or erasure of
   his personal data.
   4. The individual has at least to be informed about the identity of the
   controller and his representative if any, the purpose of the collection,
   the recipients and about his rights.
   5. Another important aspect is the security of the processing which may
   require the controller, right from the collection on, to apply specific
   technical and organisational measures in order to protect the data against
   accidental or unlawful destruction or accidental loss, alteration,
   unauthorised disclosure or access, in particular where the data are
   transmitted over a network. Such measures shall ensure a level of security
   appropriate to the risks presented and the nature of the data.
   6. As regards sensitive data, specific provisions, dealing in particular
   with security requirements, regulate their collection.
   7. The Article 29 Data Protection Working Party considers that the
   development of a programme for the promotion of European data protection
   rules in a pragmatic way would also help controllers in third countries to
   better understand, implement and demonstrate privacy compliance. A European
   system of labels/web seals, open also to non-EU web sites, could be the
   cornerstone of such action.

17 April 2014 - ICANN's public consultation on 2013 RAA Data Retention
Specification Data Elements and Legitimate Purposes for Collection and
Retention


   1. The Draft Specification should only require collection of personal
   data, which is genuinely necessary for the performance of the contract
   between the Registrar and the Registrant (e.g. billing) or for other
   compatible purposes such as fighting fraud related to domain name
   registration. This data should be retained for no longer than is necessary
   for these purposes. It would not be acceptable for the data to be retained
   for longer periods or for other, incompatible purposes, such as law
   enforcement purposes or to enforce copyright.
   2. Retention of personal data originally collected for commercial
   purposes, and subsequently retained for law enforcement purposes, has been
   the subject of a recent landmark ruling by the European Court of Justice,
   which held Directive 2006/24/EC to be invalid, as an unjustified
   interference with those rights.  The Court recognised that the retention of
   personal data might be considered appropriate for the purposes of the
   detection, investigation and prosecution of serious crime, but judged that
   the Directive 'exceeded the limits imposed by compliance with the principle
   of proportionality'. It is reasonable to expect requirements for retaining
   personal data to be subject to increasing scrutiny and legal challenges in
   the EU. And limit processing of this data to compatible purposes, such as
   proportionate measures to fight fraud related to domain name registration.

Opinion 6/2014 - Opinion of the European Data Protection Supervisor on the
Commission Communication on Internet Policy and Governance - Europe's role
in shaping the future of Internet Governance


   1. Base the future development of Internet Governance on the respect of
   fundamental rights. We welcome this principle, but we stress the need to
   translate it into practical policy initiatives, which is not always
   sufficiently the case.
   2. We emphasise that, in order to "sustain and develop the Internet as
   an essential part of life" and to create a "single, open, free,
   unfragmented network of networks" with a "safe, secure, sound and resilient
   architecture", Internet Governance should be built starting from commonly
   shared international rights and values. Consequently, privacy and data
   protection principles need to gain more weight within Internet Governance
   fora and mechanisms.
   3. We note some positive developments at international level in
   recognising privacy and data protection as essential values for the
   internet. At the Net Mundial, a general consensus was reached on the need
   to protect privacy on the Internet, by pointing out that "The right to
   privacy must be protected. This includes not being subject to arbitrary or
   unlawful surveillance, collection, treatment and use of personal data. The
   right to the protection of the law against such interference should be
   ensured".
   4. The Communication emphasizes that the Internet has become a key
   infrastructure with global dimensions and that, as a consequence, greater
   international balance within the existing structures would increase the
   probability of issuing legitimate outcomes.

Finally the other documents seem to repeat or rewrite similar points that
will not make this summary any easier to further what can be used as a
defined process of how data can be collated for use and kept in the way
that provides the privacy required. This shows that the EU or EC directive
on the protection of personal data has been the benchmark and implemented
and used to protect personal data and privacy. No specific mention of length
of time to hold such data although I think 6 weeks has been mentioned in
one document I think. Also the last couple of summarised documents are
definitely more on the privacy relation of personal data but think there
may show some relevance towards the items we collect that can reference
how data can be seen.

Hope I defined it better this time


Regards


R. Padilla MSc.



-- 
Richard Padilla MSc