[Gnso-rds-pdp-privacy] Human Rights and Privacy Frameworks

Kathy Kleiman kathy at kathykleiman.com
Thu Apr 7 22:06:32 UTC 2016


Hi All,
I know we need additional documents like a hole in the head, but 
"sensitive data" is going to be key to our WG evaluation. "Sensitive 
data" involves ethnicity and race, political opinions, religious 
beliefs, memberships, and more. "Sensitive data" in the EU and other 
countries has its own privacy protections for individuals and the 
institutions/organizations in which they exercise rights and fundamental 
freedoms. The documents below are largely on our list already, but if 
not, I would like to add them; if they are on the list, I would like to 
flag the sections below for special inclusion in our summary for the WG:

1. /United Nations Universal Declaration of Human Rights/
Protects "sensitive data" surrounding race, colour, sex, language, 
religious, political or other opinion, national or social origin, 
property, birth or other status. Particularly Article 2, /"Equality and 
Non-discrimination"/, http://ccnmtl.columbia.edu/projects/mmt/udhr/

2. /European Convention 108, Article 1 and Article 6:/
Addresses issues regarding "rights and fundamental freedoms" and 
"special categories of data" specifically related to race, political 
review, health and sexual life, religion, etc, that /"may not be 
processed automatically unless domestic law provides appropriate 
safeguards."/ Convention 108 is on our list already, but these sections 
may not have been flagged. /David and Lisa:/ has anyone selected this 
doc to summarize? If not, I will.

3. /European Data Protection Directive/
Article 8 addresses "sensitive data" issues pertaining to health or sex 
life, racial or ethnic origin, political opinions, religious or 
philosophical beliefs, trade-union membership.
/Ditto - same question as above./

Best and tx,
Kathy


On 4/6/2016 5:57 AM, Kimpián Péter wrote:
>
> Sorry, one minor issue to be clear if we are in ICANN context in 
> example 3,4 (not in EU general data protection legislation) then the 
> same argumentation goes for me as in example 1,2.
>
> best regards,
>
> Peter
>
> *From:*Kimpián Péter [mailto:kimpian.peter at naih.hu]
> *Sent:* Wednesday, April 6, 2016 11:44 AM
> *To:* 'Kathy Kleiman' <kathy at kathykleiman.com>; 
> 'Monika.Zalnieriute at eui.eu' <Monika.Zalnieriute at eui.eu>; 'KWASNY 
> Sophie' <Sophie.KWASNY at coe.int>; 'Stephanie Perrin' 
> <stephanie.perrin at MAIL.UTORONTO.CA>
> *Subject:* RE: Human Rights and Privacy
>
> Dear Kathy, dear Stephanie, Monika and Sophie,
>
> Thank you for the wonderful questions, these are very relevant ones. 
> Some piece of legislation and my understanding of it:
>
> To always start with the highest level:
>
> · *The Universal Declaration of Human Rights:* Article 2: /Everyone 
> is entitled to all the rights and freedoms set forth in this 
> Declaration, without distinction of any kind, such as race, colour, 
> sex, language, religion, political or other opinion, national or 
> social origin, property, birth or other status. Furthermore, no 
> distinction shall be made on the basis of the political, 
> jurisdictional or international status of the country or territory to 
> which a person belongs, whether it be independent, trust, 
> non-self-governing or under any other limitation of sovereignty./
>
> · From European point of view there are different human rights which 
> are at stake in the examples you gave: rights of association, freedom 
> of religion, freedom of opinion, principle of non-discrimination, 
> rights to privacy, right to data protection, freedom of speech. Each 
> of them has an extensive jurisprudence mainly from the European 
> Court of Human Rights to determine the ways of their implementation 
> and scope, limits. As for privacy and data protection: these rights 
> are guaranteed for individuals as you will see in CoE Convention 108 
> and in Directive 95/46:
>
> o *Convention 108: Article 1 – Object and purpose:* /The purpose of 
> this Convention is to secure in the territory of each Party for every 
> individual, whatever his nationality or residence, respect for his 
> rights and fundamental freedoms, and in particular his right to 
> privacy, with regard to automatic processing of personal data relating 
> to him ("data protection")./
>
> o You will see the same concept in the *EU Directive 95/46*: *Article 
> 1 Object of the Directive*: /1. In accordance with this Directive, 
> Member States shall protect the fundamental rights and freedoms of 
> natural persons, and in particular their right to privacy with respect 
> to the processing of personal data./
>
> o In the examples you mention the data controller has to deal with 
> individuals' _“sensitive data”_ (as we call it in Europe). Our higher 
> legislations call it “special categories of data” and they are 
> protected in a greater way. Usually it is only in cases falling under 
> exceptions that those data can be processed, but in any case additional 
> safeguards have to be added when processing those data:
>
> § *Convention 108: Article 6 – Special categories of data:* 
> /Personal data revealing racial origin, political opinions or 
> religious or other beliefs, as well as personal data concerning health 
> or sexual life, may not be processed automatically unless domestic law 
> provides appropriate safeguards. The same shall apply to personal data 
> relating to criminal convictions./
>
> §*Exceptions*:
>
> ·/ a, protecting State security, public safety, the monetary interests 
> of the State or the suppression of criminal offences;/
>
> ·/ b,  protecting the data subject or the rights and freedoms of others./
>
> §*Directive 95/46: Article 8, The processing of special categories of 
> data*: /1. Member States shall prohibit the processing of personal 
> data revealing racial or ethnic origin, political opinions, religious 
> or philosophical beliefs, trade-union membership, and the processing 
> of data concerning health or sex life./
>
> § *Exceptions:* /2. Paragraph 1 shall not apply where:/
>
> ·/(a) the data subject has given his explicit consent to the 
> processing of those data, except where the laws of the Member State 
> provide that the prohibition referred to in paragraph 1 may not be 
> lifted by the data subject's giving his consent; or/
>
> ·/(b) processing is necessary for the purposes of carrying out the 
> obligations and specific rights of the controller in the field of 
> employment law in so far as it is authorized by national law providing 
> for adequate safeguards; or/
>
> ·/(c) processing is necessary to protect the vital interests of the 
> data subject or of another person where the data subject is physically 
> or legally incapable of giving his consent; or/
>
> ·/(d) processing is carried out in the course of its legitimate 
> activities with appropriate guarantees by a foundation, association or 
> any other non-profit-seeking body with a political, philosophical, 
> religious or trade-union aim and on condition that the processing 
> relates solely to the members of the body or to persons who have 
> regular contact with it in connection with its purposes and that the 
> data are not disclosed to a third party without the consent of the 
> data subjects; or/
>
> ·/(e) the processing relates to data which are manifestly made public 
> by the data subject or is necessary for the establishment, exercise or 
> defence of legal claims./
>
> ·/3. Paragraph 1 shall not apply where processing of the data is 
> required for the purposes of preventive medicine, medical diagnosis, 
> the provision of care or treatment or the management of health-care 
> services, and where those data are processed by a health professional 
> subject under national law or rules established by national competent 
> bodies to the obligation of professional secrecy or by another person 
> also subject to an equivalent obligation of secrecy./
>
> ·/4. Subject to the provision of suitable safeguards, Member States 
> may, for reasons of substantial public interest, lay down exemptions 
> in addition to those laid down in paragraph 2 either by national law 
> or by decision of the supervisory authority./
>
> ·/5. Processing of data relating to offences, criminal convictions or 
> security measures may be carried out only under the control of 
> official authority, or if suitable specific safeguards are provided 
> under national law, subject to derogations which may be granted by the 
> Member State under national provisions providing suitable specific 
> safeguards. However, a complete register of criminal convictions may 
> be kept only under the control of official authority./
>
> ·/Member States may provide that data relating to administrative 
> sanctions or judgements in civil cases shall also be processed under 
> the control of official authority./
>
> o *For religious questions* it is a bit more complicated. All European 
> states have to guarantee the freedom of religion (which also means no 
> interference, no discrimination on religious grounds, etc.) but the 
> modality is in the states' hands. For this there are three ways: 
> religious state, laic state and state in between. There is no 
> religious state in Europe, which means in every country the gvt is 
> divided from the governance of a religious organisation. There are 
> several laic states in Europe, of which the most famous is France, where 
> there is a strict separation of state and religion. There are a good 
> number of in-between states like mine where the government supports 
> actively and financially some religious organisations (and this is a 
> never-ending debate on which ground they chose them and how much they 
> like one or another).
>
> _To sum up:_ there is no legislation which protects associations, 
> groups, religious groups rights to privacy or data protection, but 
> every data related to them can be easily classified as sensitive one 
> where in the majority of states there is a clear prohibition with the 
> narrowly interpreted exceptions and as a minimum standard a better 
> protection must be attributed to them and additional safeguards must 
> be put in place.
>
> Coming back to ICANN context and your examples:
>
> 1. For example, when individuals gather together to speak/write about 
> minority religious, ethnic, political views and would prefer not to 
> publish their physical location publicly → I would say that there is 
> a contract between ICANN/Registrars and registrants and if under this 
> contract the individual wishes not to give consent for the 
> publication of their address, ICANN/Registrars cannot overrule this 
> non-consent by the RDS requirements (one is a human right, the other 
> one is a public company policy). In my opinion only one contact detail 
> as per the choice of the data subject would be sufficient to go on 
> public in ICANN context which preferably would be the e-mail ID. It is 
> for the Registrars to check under their contract that the email ID is 
> adequate and serves the purpose (the domain name holder can be 
> contacted through it). Furthermore, if it is about data which is 
> sensitive or can be related to sensitive data, then even for 
> non-public processing ICANN/Registrars should put additional 
> safeguards in place.
>
> 2. Some minority religious groups, such as mosques in the US South or 
> synagogues in certain regions → the same argumentation as above and on 
> top of it we speak here ab ovo about sensitive data (which can 
> only be public with the deliberate and informed consent of the data 
> subject and additional safeguards have to be put in place).
>
> 3. If I am a home-based business, is there any protection under EU data 
> protection law that would protect me from having to publish my home 
> address → this is a more difficult one. I would say no in this case 
> because the data subject is doing business and it is a valid 
> expectation to get to know the business's official address. Moreover it 
> will fall under the exceptions mentioned above and will be prescribed by 
> the law. So if I am teaching at home as a self-employed private 
> business I have to reveal my home address as the place of the 
> residence of the company. This is why all over Europe there are 
> businesses which are providing residence services for small and medium 
> size businesses which consist of providing their address as place of 
> residence for the self-employed company (same as the privacy proxy 
> services).
>
> 4. Would I be entitled to the privacy of my personal home even if I am 
> engaged in business activities under data protection laws? → Well, no, 
> for the reasons specified above. You can hide most of the time your 
> home address if you are an individual but if you start operating a 
> business from your home there will be legislation which will foresee 
> the publication of the address of the residence of your company. It 
> is in your customers' interest to know the legal address of the 
> company or business they are dealing with. Data protection is for 
> individuals (for now).
>
> Hope all this helps. If you have further questions or you seek some 
> more clarity on one or several issues or you disagree just let me know 
> anytime.
>
> Best regards,
>
> Peter
>
> *From:*Kathy Kleiman [mailto:kathy at kathykleiman.com]
> *Sent:* Tuesday, April 5, 2016 7:58 PM
> *To:* Monika.Zalnieriute at eui.eu; HUNGARY: Peter KIMPIAN 
> <kimpian.peter at naih.hu>; KWASNY Sophie <Sophie.KWASNY at coe.int>; 
> Stephanie Perrin <stephanie.perrin at MAIL.UTORONTO.CA>
> *Subject:* Human Rights and Privacy
>
> Hi Monika and Peter (I know Sophie is out of town),
> /Based on the discussions of the RDS WG today, Stephanie and I were 
> wondering if you could assist us in identifying human rights documents 
> that protect the privacy rights of groups and associations?/ For 
> example, when individuals gather together to speak/write about 
> minority religious, ethnic, political views and would prefer not to 
> publish their physical location publicly. Some minority religious 
> groups, such as mosques in the US South or synagogues in certain 
> regions, might choose to remove themselves from local maps to avoid 
> easy targeting and would prefer not to list their physical address as 
> a condition of obtaining a domain name to share the time of their 
> services (with those who already know where to find them). /Is there 
> Human Rights legislation that you can point us to that might protect 
> the privacy of these groups and organizations?/
>
> Data Protection and small business question -- If I am a home-based 
> business, is there any protection under EU data protection law that 
> would protect me from having to publish my home address? In the US, 
> with such poor leave or flexibility for mothers, many women open their 
> own businesses when their children are young. They work part-time, from 
> home, often in a business-to-business context. /Is there any 
> protection in the EU for such an arrangement? Would I be entitled to 
> the privacy of my personal home even if I am engaged in business 
> activities under data protection laws? I think so, but wanted to 
> confirm.../
>
> Best and tx!
> Kathy
>
