[gnso-rds-pdp-purpose] Purpose Document Review

[Beth Allegretti]

Hi Group:



Below is my summary of two documents.  I've included several paragraphs from the first document and the entire second document (which is very short) and highlighted the relevant sections:



1) Opinion of the European Data Protection Supervisor on the Commission Communication on Internet Policy and Governance - Europe's role in shaping the future of Internet Governance



On February 12, 2104 the European Commission published a Communication on Internet Policy and Governance ("the Communication") in the wake of the NSA surveillance revelation.  The European Data Protection Supervisor subsequently issued an Opinion on the Communication, further discussing a number of issues addressed in the Communication.

8. With this opinion, we wish to contribute to the debate, as any reform of Internet Governance will likely have a significant impact on citizens and on their fundamental rights, not least the rights to privacy and data protection. While this Opinion addresses an issue of global nature and while it takes account of the developments at global level, it focuses on the actions that the European Union and its institutions can perform to influence the debate and the Internet Governance structures and processes themselves.



The Opinion urged that collection of data, including gTLD registration data, should be viewed in the context of privacy and data protection:



II.  PRIVACY AND DATA PROTECTION ARE STRONGLY RELATED TO GOOD INTERNET GOVERNANCE

13. We note some positive developments at international level in recognising privacy and data protection as essential values for the internet. At the Net Mundial, a general consensus was reached on the need to protect privacy on the Internet, by pointing out that "The right to privacy must be protected. This includes not being subject to arbitrary or unlawful surveillance, collection, treatment and use of personal data. The right to the protection of the law against such interference should be ensured".12
14. We therefore urge that privacy and data protection should be core elements of any Internet Governance model, and recommend that the European Union put its full weight behind initiatives ensuring that such integration process is undertaken at a global level.



II.2 Data protection as a cornerstone for shaping Internet Governance


16. When discussing Internet Governance, it should be kept in mind that the governance of the Internet's infrastructure and global resources such as names and addresses is not the only source for privacy risks, but that the services provided on the Internet often create even greater risks for the privacy of their users and of third parties. In order to develop a comprehensive policy for the protection of privacy on the Internet, the Union must not only look at the global processes, but also at other relevant rules and mechanisms. An example of a data protection issue which has to be addressed by the Internet governance bodies is the current WHOIS system with the authentication and data retention requirements.14 On the other hand, examples of activities performed on the Internet with significant data protection implications include eCommerce, eGovernment, eHealth, eMoney, ePayments. We would like to emphasise that, in each of the above cases, privacy and data protection principles must be at the core



The Opinion notes that there is still no consensus on the collection of registration data as it relates to privacy but urges that work continue to find a replacement for the current WHOIS:



26. We welcome that ICANN has undertaken the establishment of an expert working group on directory services for generic top level domains20 with a view to replacing the current WHOIS system with a solution taking account, inter alia, of privacy concerns. We also welcome the Commission's participation in this group. We take note that the EWG has so far failed to reach a full consensus in particular on privacy related issues. We urge the ICANN bodies and stakeholders to take proper account of the report and the related arguments21 in the forthcoming stages of its governance process which may lead eventually to a replacement



Any requirements for the collection and use of personal data must be based on trust:



III.2. Internet policies must reconcile security requirements and fundamental rights

37. The Communication argues that confidence in the Internet and its governance is a prerequisite for the realisation of the Internet's potential as an engine for economic growth and innovation. The safety, security, stability and resilience of the Internet are crucial to preserve and foster the economic and societal benefits of the digital ecosystem.25



38. We agree that -especially after the recent revelations about mass surveillance- there is a need to restore users´ confidence in the Internet and in the use of personal data on the Internet. As indicated in our previous opinion on the Cyber Security Strategy,26 we believe that, due to the ever growing use of Information and Communication Technologies, measures aimed at ensuring a high level of security on the Internet should help improve the security of all the information processed therein, including personal data. In particular, we consider that security of data processing has always been a crucial element of data protection as security requirements are included in a number of data protection provisions.27 Therefore, improving the security standards of the Internet will increase the protection of users` personal data and prevent undue interference to occur. We consider that improved standardisation of network and information security requirements at international level will also help address more efficiently the needs for trust and security.



The Opinion outlines a number of suggestions which could apply to the question of who should have access to gTLD registration data and why:



39. In this respect, we welcome the clarification that security is not opposed to privacy and data protection. We recall the explicit recognition of privacy and data protection in the Cyber Security Strategy and the fact that they are considered as core values which should guide cyber security policy in the EU and internationally.

44. The Commission should promote structures and mechanisms supporting the application of both data protection-by-design and by-default as guiding principles in the shaping of a new governance model. It should therefore ensure that data protection mechanisms and safeguards are included, from the outset, in the design of normative and technical governance tools.
45. The Commission should also use its policy and financial instruments to support the development of technical solutions for the internet that demonstrate how privacy can be respected in internet protocols, services and applications.29



The Opinion concluded with the expectation that the Commission should promote EU standards on data protection:

We expect the Commission to show leadership and act as a catalyst in the discussions on the new Internet Governance model. In particular, we encourage the Commission to promote EU standards on data protection as well as to encourage the accession by third countries to relevant international data protection standards. Furthermore, we support the adoption of an international instrument requiring the respect of data protection standards by intelligence and law enforcement bodies.





2) European Data Protection Supervisor's response to the public consultation on 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention

According to the European Data Protection Supervisor, the 2013 RAA and the Draft Specification do not comply with European data protection law and he states that personal data should only be collected to perform the contract between Registrar and Registrant, and it should be retained no longer than is necessary for these purposes.

Whilst we duly acknowledge ICANN's efforts regarding acknowledge ICANN's efforts regarding data protection and privacy and its openness to continued dialogue, regrettably, neither the 2013 RAA approved by the ICANN Board on 27 June 2013 nor the Draft Specification addresses sufficiently our concerns which were raised in this correspondence between the Working Party and ICANN on the retention periods and data collection.

The Draft Specification defines in more detail the data to be collected, the purposes for which they may be used and the retention periods for which the data are to be kept under the 2013 RAA. This is welcome in that it would offer more transparency. Nevertheless, the 2013 RAA 2 and the Draft Specification continue to fall short of compliance with European data protection law.

The Draft Specification should only require collection of personal data, which is genuinely necessary for the performance of the contract between the Registrar and the Registrant (e.g. billing) or for other compatible purposes such as fighting fraud related to domain name registration. This data should be retained for no longer than is necessary for these purposes. It would not be acceptable for the data to be retained for longer periods or for other, incompatible purposes, such as law enforcement purposes or to enforce copyright.

Processing contrary to these recommendations would be contrary to three key principles of European data protection law set forth in Directive 95/46/EC. It would violate the principle of purpose limitation under Article 6(1)(b) of Directive 95/46/EC, which prohibits the processing of personal data for incompatible purposes4, the requirement under Article 7 of the Directive to have an appropriate legal ground for the processing of data, such as contract, consent or the legitimate interest of the controller5, and the requirement of proportionality, including the requirement not to retain data 'longer than is necessary for the purposes for which the data were collected or for which they are further processed' (Article 6(1)(e)). These provisions are specifications of the fundamental rights to privacy and the protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Retention of personal data originally collected for commercial purposes, and subsequently retained for law enforcement purposes, has been the subject of a recent landmark ruling by the European Court of Justice, which held Directive 2006/24/EC to be invalid, as an unjustified interference with those rights.  The Court recognised that the retention of personal data might be considered appropriate for the purposes of the detection, investigation and prosecution of serious crime, but judged that the Directive 'exceeded the limits imposed by compliance with the principle of proportionality'.7 It is reasonable to expect requirements for retaining personal data to be subject to increasing scrutiny and legal challenges in the EU.

Further, as you are aware, the current European data protection legislation is under reform. The European Parliament voted on 12 March 2014 overwhelmingly in favour of a new General Data Protection Regulation which is designed to replace Directive 95/46/EC and be directly applicable in each of the twenty-eight EU Member States. There is therefore now a more compelling need than ever before for ICANN to apply the waiver of the retention period under the 2013 RAA Data Retention Specification uniformly to all EU Member States as requested in the 'harmonised statement' of the Working Party issued by letter of 6 June 2013.

We would also encourage ICANN, being at the heart of the future of Internet evolution, and in view of its mandate to serve the public interest on a global scale, to take a lead in ensuring that privacy and data protection are embedded by default, when new tools and instruments or new internet policies are designed, for the benefit of all - not just European - Internet users.

On these grounds, we reiterate our recommendations to reduce the data collection and retention requirements in the 2013 RAA 'by default' to what is genuinely necessary for the performance of the contract between the Registrar and the Registrant (e.g. billing), and to limit processing of this data to compatible purposes, such as proportionate measures to fight fraud related to domain name registration. It is possible that the Working Party may wish to provide more details at a later stage.





Thanks.



Beth Allegretti


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-purpose/attachments/20160411/0db81613/attachment-0001.html>