[gnso-rds-pdp-data] Summary of Article 29 - Data Protection Working Party
Richard Padilla
padilla.richard at gmail.com
Thu Apr 14 00:23:00 UTC 2016
Dear all,
As I hadn't properly defined the summary I produced, here is a revised copy of
my summary.
After reviewing the documents in the section above the following can be
summarised as follows:
There has been enough discussion on the if I can call it the maintenance of
how data should be kept in accordance with the laws of various countries as
all have different laws that more or less try to do the same thing in
different words and explanation. For e.g.
Opinion 5/2000 - The use of Public Directories for Reverse or
Multi-criteria Searching Services
1. Directive 95/46/EC - the protection of individuals
with regard to the processing of the personal data, in Article 6.1 b),
which establishes that personal data must be "collected
for specified, explicit and legitimate purpose and not further processed in
a way incompatible with those purposes".
2. Note the purpose of conventional telephone directories is
the disclosure of subscriber's telephone number starting from the knowledge
of subscriber's name and that its use is limited to that specific purpose.
3. Must establish the balance of interests, the interests and risks
to privacy at stake have to be identified and evaluated. Directive 97/66/EC
gives helpful indications: as long as the minimum information necessary to
identify a subscriber is at stake, thus this information can be included in
conventional public directories unless the subscriber objects. It must be
considered that the interest of the individual in being protected override
the interests of controller or third parties. Therefore such processing is
only legitimate if the individual has given his/her informed consent prior
to any inclusion of his/her personal data in public directories for
reverse or multi-criteria searches.
4. Specific and informed consent of the subscriber must be obtained
prior to the inclusion of his personal data into all kinds of public
directories which include all type of communication devices used for
reverse or multi-criteria searches. There must be some given consent on how
personal data can be used.
5. As most conclusions regard the directives of the EC previous WP
on the Protection of Individuals with regards to protection of data takes
the position that processing of said personal data in
reverse directories or multi-criteria searching services
without unambiguous and informed consent by subscriber is unfair and
unlawful. Thus fully implementing and accepting the EC proposal
for draft directive on processing personal data.
Opinion 4/2001 - On the Council of Europe's Draft Convention on
Cyber-Crime
1. Article 15 of draft Convention could create the impression
that the protection of human rights shall only be considered when it is
"due" and shall only be "adequate". It can be seen as limiting the safeguards
and procedures it would considerably lower if not fully undermine the
protection of fundamental rights.
2. Finally with several EU countries implementing Directive
95/46/EC shows that national laws require that personal data can in principle
only be sent to non-EU countries if this country does provide an
adequate level
of protection of individuals with regard to the processing of their
personal data. The level of protection in these countries must be checked.
Otherwise if no adequate protection on offer in third country then
transfer of personal data may nevertheless be necessary to fight against
crime.
Adopted 30/2002 - Working document on determining the international
application of EU data protection law to personal data processing on the
Internet by non-EU based web site
In all these cases, the application of EU data protection law means among
other things the following:
1. With a view to making the collection of personal data fair and
lawful, the controller has to clearly define the purpose of the processing.
2. The controller has also to ensure that the data are adequate,
relevant and not excessive in relation to the purpose for which they are
collected.
3. The collection must be based on a legitimate ground (unambiguous
consent, performance of a contract, compliance with a legal obligation, in
pursuance of legitimate interests of the controller etc.) and the
individual has the right of access to and the rectification or erasure of
his personal data.
4. The individual has at least to be informed about the identity of the
controller and his representative if any, the purpose of the collection,
the recipients and about his rights.
5. Another important aspect is the security of the processing which may
require the controller, right from the collection on, to apply specific
technical and organisational measures in order to protect the data against
accidental or unlawful destruction or accidental loss, alteration,
unauthorised disclosure or access, in particular where the data are
transmitted over a network. Such measures shall ensure a level of security
appropriate to the risks presented and the nature of the data.
6. As regards sensitive data, specific provisions, dealing in particular
with security requirements, regulate their collection.
7. The Article 29 Data Protection Working Party considers that the
development of a programme for the promotion of European data protection
rules in a pragmatic way would also help controllers in third countries to
better understand, implement and demonstrate privacy compliance. A European
system of labels/web seals, open also to non-EU web sites, could be the
cornerstone of such action.
17 April 2014 - ICANN's public consultation on 2013 RAA Data Retention
Specification Data Elements and Legitimate Purposes for Collection and
Retention
1. The Draft Specification should only require collection of personal
data, which is genuinely necessary for the performance of the contract
between the Registrar and the Registrant (e.g. billing) or for other
compatible purposes such as fighting fraud related to domain name
registration. This data should be retained for no longer than is necessary
for these purposes. It would not be acceptable for the data to be retained
for longer periods or for other, incompatible purposes, such as law
enforcement purposes or to enforce copyright.
2. Retention of personal data originally collected for commercial
purposes, and subsequently retained for law enforcement purposes, has been
the subject of a recent landmark ruling by the European Court of Justice,
which held Directive 2006/24/EC to be invalid, as an unjustified
interference with those rights. The Court recognised that the retention of
personal data might be considered appropriate for the purposes of the
detection, investigation and prosecution of serious crime, but judged that
the Directive 'exceeded the limits imposed by compliance with the principle
of proportionality'. It is reasonable to expect requirements for retaining
personal data to be subject to increasing scrutiny and legal challenges in
the EU. And limit processing of this data to compatible purposes, such as
proportionate measures to fight fraud related to domain name registration.
Opinion 6/2014 - Opinion of the European Data Protection Supervisor on the
Commission Communication on Internet Policy and Governance - Europe's role
in shaping the future of Internet Governance
1. Base the future development of Internet Governance on the respect of
fundamental rights. We welcome this principle, but we stress the need to
translate it into practical policy initiatives, which is not always
sufficiently the case.
2. We emphasise that, in order to "sustain and develop the Internet as
an essential part of life" and to create a "single, open, free,
unfragmented network of networks" with a "safe, secure, sound and resilient
architecture", Internet Governance should be built starting from commonly
shared international rights and values. Consequently, privacy and data
protection principles need to gain more weight within Internet Governance
fora and mechanisms.
3. We note some positive developments at international level in
recognising privacy and data protection as essential values for the
internet. At the Net Mundial, a general consensus was reached on the need
to protect privacy on the Internet, by pointing out that "The right to
privacy must be protected. This includes not being subject to arbitrary or
unlawful surveillance, collection, treatment and use of personal data. The
right to the protection of the law against such interference should be
ensured".
4. The Communication emphasizes that the Internet has become a key
infrastructure with global dimensions and that, as a consequence, greater
international balance within the existing structures would increase the
probability of issuing legitimate outcomes.
Finally the other documents seem to repeat or rewrite similar points that
will not make this summary any easier to further what can be used as a
defined process of how data can be collated for use and kept in the way
that provides the privacy required. This shows that the EU or EC directive
on the protection of personal data has been the benchmark and implemented
to be used to protect personal data and privacy. No specific mention of length
of time to hold such data although I think 6 weeks has been mentioned in
one document I think. Also the last couple of summarised documents are
definitely more on the privacy relation of personal data but think there
may show some relevance towards the items we collect that can reference
how data can be seen.
Hope I defined it better this time
Regards
R. Padilla MSc.
--
Richard Padilla MSc