[gnso-rds-pdp-wg] Some items missing from triage document
Kathy Kleiman
kathy at kathykleiman.com
Wed Jul 20 03:27:45 UTC 2016
I have been reviewing the triaged document. Am I correct in seeing that
over 130 Privacy Items [PR] have been reduced to 4? In that case, we are
missing much. Unlike other areas of this triaged document, Privacy has
been stripped to its most skeletal provisions. What's missing is the
breadth, depth and nuances of privacy and data protection laws, and
frankly, the full obligations to which Registrars, Registries and ICANN
must comply. This fullness was captured in our original analysis of the
Privacy documents and reflected in the Possible Requirements doc.
I urge the WG to keep this triaged document open as others may have
additional items to add that should be added.
At a minimum, here are some of the critical missing elements (below).
Kathy
------------------------------------------------------------------------------------------------------------------------
*[PR-D01-R01]* – “. . . in some jurisdictions, privacy rights extend to
legal persons and to entities with respect to free speech and freedom of
association.” (Next to last paragraph on p.81)
*[PR-D25-R04]*– Council of Europe's Treaty 108 on Data Protections,
Article 6, Special categories of data, restricts the collection of data
under its privacy laws to only that data that is: “Personal data
revealing racial origin, political opinions or religious or other
beliefs, as well as personal data concerning health or sexual life, may
not be processed automatically unless domestic law provides appropriate
safeguards. The same shall apply to personal data relating to criminal
convictions.”
*[PR-D26-R06]* – According to the _Directive
<http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14012>
(33)_, whereas data which are capable by their nature of infringing
fundamental freedoms or privacy should not be processed unless the data
subject gives his explicit consent; whereas, however, derogations from
this prohibition must be explicitly provided for in respect of specific
needs, in particular where the processing of these data is carried out
for certain health-related purposes by persons subject to a legal
obligation of professional secrecy or in the course of legitimate
activities by certain associations or foundations the purpose of which
is to permit the exercise of fundamental freedoms;
*[PR-D28-R01]*– “The people or bodies that collect and manage personal
data are called "data controllers". They must respect EU law when
handling the data entrusted to them.”
*[PR-D28-R02]*– The EU Privacy Directive “refers to the persons or
entities which collect and process personal data as ‘data controllers’.
For instance, a medical practitioner is usually the controller of his
patients' data; a company is the controller of data on its clients and
employees; a sports club is controller of its members' data and a
library of its borrowers' data.” See also *[UP-D28-R03]*
*[PR-D28-R03]*– Data controllers determine 'the purposes and the means
of the processing of personal data'. This applies to both public and
private sectors. See also *[UP-D28-R04]*
*[PR-D28-R04]*– “Data controllers must respect the privacy and data
protection rights of those whose personal data is entrusted to them.
They must:
* collect and process personal data only when this is legally permitted;
* respect certain obligations regarding the processing of personal data;
* respond to complaints regarding breaches of data protection rules;
* collaborate with national data protection supervisory authorities.”
(note: highlights are in the original) See also *[UP-D28-R05]*
*[PR-D30-R04]*– Because the Privacy Shield will also be used to transfer
data outside the US, the WP29 insists that onward transfers from a
Privacy Shield entity to third country recipients should provide the
same level of protection on all aspects of the Shield (including
national security) and should not lead to lower or circumvent EU data
protection principles pg. 3
*[PR-D30-R05]*– The requirement for a third country to ensure an
adequate level of data protection was further defined by the CJEU in
Schrems…It also indicated that the wording ‘adequate level of
protection’ must be understood as “requiring the third country in fact
to ensure, by reason of its domestic law or its international
commitments, a level of protection of fundamental rights and freedoms
that is essentially equivalent to that guaranteed within the European
Union by virtue of the Directive read in the light of the Charter” pg.10
*[PR-D31-R03]*– On personal data, the Africa Union convention makes
personal data processing subject to a declaration before the protection
authority and each authority may establish standards for such
processing. Article 8: Objective of this Convention states with respect
to personal data:
* “Each State Party shall commit itself to establishing a legal
  framework aimed at strengthening fundamental rights and public
  freedoms, particularly the protection of physical data, and punish
  any violation of privacy without prejudice to the principle of free
  flow of personal data.
* The mechanism so established shall ensure that any form of data
  processing respects the fundamental freedoms and rights of natural
  persons while recognizing the prerogatives of the State, the rights
  of local communities and the purposes for which the businesses were
  established.”
*[PR-D31-R08] – *Article 14: Specific principles for the processing of
sensitive data, states: “State Parties shall undertake to prohibit any
data collection and processing revealing racial, ethnic and regional
origin, parental filiation, political opinions, religious or
philosophical beliefs, trade union membership, sex life and genetic
information or, more generally, data on the state of health of the data
subject.” …
*[PR-D37-R03] – *The U.S. Supreme Court Case – McIntyre v. Ohio
Elections Commission, states that, “Despite readers' curiosity and the
public's interest in identifying the creator of a work of art, an author
generally is free to decide whether or not to disclose her true
identity. The decision in favor of anonymity may be motivated by fear of
economic or official retaliation, by concern about social ostracism, or
merely by a desire to preserve as much of one's privacy as possible.
Whatever the motivation may be, at least in the field of literary
endeavor, the interest in having anonymous works enter the marketplace
of ideas unquestionably outweighs any public interest in requiring
disclosure as a condition of entry.”
*[PR-D38-R01]*– The following sections of the Ghana Protection Act could
possibly confer requirements on a gTLD directory service.
*[PR-D38-R02]*– Section 17, Privacy of the individual, states: “A person
who processes data shall take into account the privacy of the individual
by applying the following principles: (a) accountability, (b) lawfulness
of processing, (c) specification of purpose, (d) compatibility of
further processing with purpose of collection, (e) quality of
information, (f) openness, (g) data security safeguards, and (h) data
subject participation.”
*[PR-D39-R05]*– Section 26, Prohibition on processing of special
personal information, states: “A responsible party may, subject to
section 27, not process personal information concerning—
1. the religious or philosophical beliefs, race or ethnic origin, trade
   union membership, political persuasion, health or sex life or
   biometric information of a data subject; or
2. the criminal behaviour of a data subject to the extent that such
   information relates to—
   1. the alleged commission by a data subject of any offence; or
   2. any proceedings in respect of any offence allegedly committed by
      a data subject or the disposal of such proceedings.”
*[PR-D44-R02]*– [gTLD directory services policies must take into
consideration this statement by Professor Greenleaf: ] “Countries
without data privacy laws now in a minority.” “Future growth: Heading
toward ubiquity.” “Global growth is likely to continue beyond 2020.”
*[PR-D44-R03] – *[gTLD directory services policies must take into
consideration] Greenleaf's years of research [which] are summarized in
his finding that by the end of this decade the number of countries with
data privacy laws, all of which have a strong ‘family resemblance,’ will
be between 66% and 80% of all independent jurisdictions globally.
On 7/18/2016 1:47 PM, Lisa Phifer wrote:
>
> Dear all,
>
> The next GNSO Next-Gen RDS PDP Working Group teleconference is
> scheduled for *Wednesday, 20 July at 05:00 UTC for 90 minutes.*
>
> Note that for some this is Tuesday evening: 22:00 PDT (Tuesday), 01:00
> EDT, 06:00 London, 07:00 CEST. For other times: http://tinyurl.com/jnhobkh
>
> Attached please find materials for this meeting, also linked to the
> meeting page on the wiki below.
>
> *Proposed Agenda for RDS PDP WG Call *
>
> 1. Roll call/SOI updates
> 2. Brief updates on:
>
> * Completion of work task #11 (final clean v13 attached)
> * Doodle poll results/ICANN57 planning
> * Update on problem statement
>
> 3. Review and discuss triage of possible requirements (see D3 Triage,
> below)
>
> ·*RDS PDP List of Possible Requirements D3 - TriageInProgress - 13
> July.docx
> <https://community.icann.org/download/attachments/56986791/RDS%20PDP%20List%20of%20Possible%20Requirements%20D3%20-%20TriageInProgress%20-%2013%20July.docx?version=1&modificationDate=1468513314000&api=v2>
> (previously distributed)*
>
> ·An Excel workbook version is also available for filtering on phase
> and group: *PRSpreadsheets-D3Triage-13July.xlsx
> <https://community.icann.org/download/attachments/60490860/PRSpreadsheets-D3Triage-13July.xlsx?version=1&modificationDate=1468861768733&api=v2>
> (attached)*
>
> 4. Start work on purpose and use cases (see Example Use Cases attached)
>
> ·EWG Report - Example Use Case and Related Data Annexes.doc
> <https://community.icann.org/download/attachments/60490860/EWG%20Report%20-%20Use%20Case%20and%20Data%20Annexes.doc?version=1&modificationDate=1468862831998&api=v2>
>
> ·During this meeting, RDS PDP WG members will be invited to volunteer
> to draft use cases.
>
> ·Draft example use cases listed on pages 1-2 of the attached may be
> used as input by volunteers if they wish.
>
> 5. Confirm Next Meeting - Tuesday 26 July
>
> Meeting Materials: https://community.icann.org/x/bASbAw