[gnso-rds-pdp-wg] Some items missing from triage document

Kathy Kleiman kathy at kathykleiman.com
Wed Jul 20 03:27:45 UTC 2016


I have been reviewing the triaged document. Am I correct in seeing that 
over 130 Privacy Items [PR] have been reduced to 4? In that case, we are 
missing much. Unlike other areas of this triaged document, Privacy has 
been stripped to its most skeletal provisions. What's missing is the 
breadth, depth and nuances of privacy and data protection laws, and 
frankly, the full obligations to which Registrars, Registries and ICANN 
must comply. This fullness was captured in our original analysis of the 
Privacy documents and reflected in the Possible Requirements doc.

I urge the WG to keep this triaged document open as others may have 
additional items to add that should be added.

At a minimum, here are some of the critical missing elements (below).

Kathy

------------------------------------------------------------------------------------------------------------------------

*[PR-D01-R01]* – “. . . in some jurisdictions, privacy rights extend to 
legal persons and to entities with respect to free speech and freedom of 
association.” (Next to last paragraph on p.81)

*[PR-D25-R04]* – Council of Europe's Treaty 108 on Data Protections,
Article 6, Special categories of data, restricts the collection of data 
under its privacy laws to only that data that is: “Personal data 
revealing racial origin, political opinions or religious or other 
beliefs, as well as personal data concerning health or sexual life, may 
not be processed automatically unless domestic law provides appropriate 
safeguards. The same shall apply to personal data relating to criminal 
convictions.”

*[PR-D26-R06]* – According to the _Directive
<http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14012>
(33)_, whereas data which are capable by their nature of infringing
fundamental freedoms or privacy should not be processed unless the data 
subject gives his explicit consent; whereas, however, derogations from 
this prohibition must be explicitly provided for in respect of specific 
needs, in particular where the processing of these data is carried out 
for certain health-related purposes by persons subject to a legal 
obligation of professional secrecy or in the course of legitimate 
activities by certain associations or foundations the purpose of which 
is to permit the exercise of fundamental freedoms;

*[PR-D28-R01]* – “The people or bodies that collect and manage personal
data are called "data controllers". They must respect EU law when 
handling the data entrusted to them.”

*[PR-D28-R02]* – The EU Privacy Directive “refers to the persons or
entities which collect and process personal data as ‘data controllers’. 
For instance, a medical practitioner is usually the controller of his 
patients' data; a company is the controller of data on its clients and 
employees; a sports club is controller of its members' data and a 
library of its borrowers' data.” See also *[UP-D28-R03]*

*[PR-D28-R03]* – Data controllers determine 'the purposes and the means
of the processing of personal data'. This applies to both public and 
private sectors. See also *[UP-D28-R04]*

*[PR-D28-R04]* – “Data controllers must respect the privacy and data
protection rights of those whose personal data is entrusted to them.
They must:

  * collect and process personal data only when this is legally permitted;
  * respect certain obligations regarding the processing of personal data;
  * respond to complaints regarding breaches of data protection rules;
  * *collaborate with national data protection supervisory authorities.
    (note: highlights are in the original) See also [UP-D28-R05]*

*[PR-D30-R04]* – Because the Privacy Shield will also be used to transfer
data outside the US, the WP29 insists that onward transfers from a 
Privacy Shield entity to third country recipients should provide the 
same level of protection on all aspects of the Shield (including 
national security) and should not lead to lower or circumvent EU data 
protection principles pg. 3

*[PR-D30-R05]* – The requirement for a third country to ensure an
adequate level of data protection was further defined by the CJEU in 
Schrems…It also indicated that the wording ‘adequate level of 
protection’ must be understood as “requiring the third country in fact 
to ensure, by reason of its domestic law or its international 
commitments, a level of protection of fundamental rights and freedoms 
that is essentially equivalent to that guaranteed within the European 
Union by virtue of the Directive read in the light of the Charter” pg.10

*[PR-D31-R03]* – On personal data, the Africa Union convention makes
personal data processing subject to a declaration before the protection
authority and each authority may establish standards for such
processing. Article 8: Objective of this Convention states with respect
to personal data:

  * “Each State Party shall commit itself to establishing a legal
    framework aimed at strengthening fundamental rights and public
    freedoms, particularly the protection of physical data, and punish
    any violation of privacy without prejudice to the principle of free
    flow of personal data.
  * The mechanism so established shall ensure that any form of data
    processing respects the fundamental freedoms and rights of natural
    persons while recognizing the prerogatives of the State, the rights
    of local communities and the purposes for which the businesses were
    established.”

*[PR-D31-R08]* – Article 14: Specific principles for the processing of
sensitive data, states: “State Parties shall undertake to prohibit any 
data collection and processing revealing racial, ethnic and regional 
origin, parental filiation, political opinions, religious or 
philosophical beliefs, trade union membership, sex life and genetic 
information or, more generally, data on the state of health of the data 
subject.” …

*[PR-D37-R03]* – The U.S. Supreme Court Case – McIntyre v. Ohio
Elections Commission, states that, “Despite readers' curiosity and the 
public's interest in identifying the creator of a work of art, an author 
generally is free to decide whether or not to disclose her true 
identity. The decision in favor of anonymity may be motivated by fear of 
economic or official retaliation, by concern about social ostracism, or 
merely by a desire to preserve as much of one's privacy as possible. 
Whatever the motivation may be, at least in the field of literary 
endeavor, the interest in having anonymous works enter the marketplace 
of ideas unquestionably outweighs any public interest in requiring 
disclosure as a condition of entry.”

*[PR-D38-R01]* – The following sections of the Ghana Protection Act could
possibly confer requirements on a gTLD directory service.

*[PR-D38-R02]* – Section 17, Privacy of the individual, states: “A person
who processes data shall take into account the privacy of the individual 
by applying the following principles: (a) accountability, (b) lawfulness 
of processing, (c) specification of purpose, (d) compatibility of 
further processing with purpose of collection, (e) quality of 
information, (f) openness, (g) data security safeguards, and (h) data 
subject participation.”

*[PR-D39-R05]* – Section 26, Prohibition on processing of special
personal information, states: “A responsible party may, subject to
section 27, not process personal information concerning—

 1. the religious or philosophical beliefs, race or ethnic origin, trade
    union membership, political persuasion, health or sex life or
    biometric information of a data subject; or
 2. the criminal behaviour of a data subject to the extent that such
    information relates to—
     1. the alleged commission by a data subject of any offence; or
     2. any proceedings in respect of any offence allegedly committed by
        a data subject or the disposal of such proceedings.”

*[PR-D44-R02]* – [gTLD directory services policies must take into
consideration this statement by Professor Greenleaf:] “Countries
without data privacy laws now in a minority.” “Future growth: Heading
toward ubiquity.” “Global growth is likely to continue beyond 2020.”

*[PR-D44-R03]* – [gTLD directory services policies must take into
consideration] Greenleaf's years of research [which] are summarized in 
his finding that by the end of this decade the number of countries with 
data privacy laws, all of which have a strong ‘family resemblance,’ will 
be between 66% and 80% of all independent jurisdictions globally.



On 7/18/2016 1:47 PM, Lisa Phifer wrote:
>
> Dear all,
>
> The next GNSO Next-Gen RDS PDP Working Group teleconference is 
> scheduled for *Wednesday, 20 July at 05:00 UTC for 90 minutes.*
>
> Note that for some this is Tuesday evening: 22:00 PDT (Tuesday), 01:00 
> EDT, 06:00 London, 07:00 CEST. For other times: http://tinyurl.com/jnhobkh
>
> Attached please find materials for this meeting, also linked to the 
> meeting page on the wiki below.
>
> *Proposed Agenda for RDS PDP WG Call*
>
> 1. Roll call/SOI updates
> 2. Brief updates on:
>
>   * Completion of work task #11 (final clean v13 attached)
>   * Doodle poll results/ICANN57 planning
>   * Update on problem statement
>
> 3. Review and discuss triage of possible requirements (see D3 Triage, 
> below)
>
>   * *RDS PDP List of Possible Requirements D3 - TriageInProgress - 13
> July.docx 
> <https://community.icann.org/download/attachments/56986791/RDS%20PDP%20List%20of%20Possible%20Requirements%20D3%20-%20TriageInProgress%20-%2013%20July.docx?version=1&modificationDate=1468513314000&api=v2> 
> (previously distributed)*
>
>   * An Excel workbook version is also available for filtering on phase
> and group: *PRSpreadsheets-D3Triage-13July.xlsx 
> <https://community.icann.org/download/attachments/60490860/PRSpreadsheets-D3Triage-13July.xlsx?version=1&modificationDate=1468861768733&api=v2> 
> (attached)*
>
> 4. Start work on purpose and use cases (see Example Use Cases attached)
>
>   * EWG Report - Example Use Case and Related Data Annexes.doc
> <https://community.icann.org/download/attachments/60490860/EWG%20Report%20-%20Use%20Case%20and%20Data%20Annexes.doc?version=1&modificationDate=1468862831998&api=v2>
>
>   * During this meeting, RDS PDP WG members will be invited to volunteer
> to draft use cases.
>
>   * Draft example use cases listed on pages 1-2 of the attached may be
> used as input by volunteers if they wish.
>
> 5. Confirm Next Meeting - Tuesday 26 July
>
> Meeting Materials: https://community.icann.org/x/bASbAw
>
