[gnso-rds-pdp-wg] Some items missing from triage document

Lisa Phifer lisa at corecom.com
Wed Jul 20 04:46:35 UTC 2016


Hi Kathy 

Just change the filter on the group column to All. It looks like the file was last saved when the filter was set to group A but all of the possible requirements for purpose are indeed in the file.

Lisa

Sent from Lisa Phifer's iPhone

> On Jul 19, 2016, at 9:27 PM, Kathy Kleiman <kathy at kathykleiman.com> wrote:
> 
> I have been reviewing the triaged document. Am I correct in seeing that over 130 Privacy Items [PR] have been reduced to 4? In that case, we are missing much. Unlike other areas of this triaged document, Privacy has been stripped to its most skeletal provisions. What's missing is the breadth, depth and nuances of privacy and data protection laws, and frankly, the full obligations to which Registrars, Registries and ICANN must comply. This fullness was captured in our original analysis of the Privacy documents and reflected in the Possible Requirements doc.
> I urge the WG to keep this triaged document open as others may have additional items to add that should be added.     
> At a minimum, here are some of the critical missing elements (below). 
> Kathy
> ------------------------------------------------------------------------------------------------------------------------
> [PR-D01-R01] – “. . . in some jurisdictions, privacy rights extend to legal persons and to entities with respect to free speech and freedom of association.” (Next to last paragraph on p.81)
> [PR-D25-R04] – Council of Europe's Treaty 108 on Data Protections, Article 6, Special categories of data, restricts the collection of data under its privacy laws to only that data that is: “Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.”
> 
> [PR-D26-R06] – According to the Directive (33), whereas data which are capable by their nature of infringing fundamental freedoms or privacy should not be processed unless the data subject gives his explicit consent; whereas, however, derogations from this prohibition must be explicitly provided for in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms;
> 
> [PR-D28-R01] – “The people or bodies that collect and manage personal data are called "data controllers". They must respect EU law when handling the data entrusted to them.”
> [PR-D28-R02] – The EU Privacy Directive “refers to the persons or entities which collect and process personal data as ‘data controllers’. For instance, a medical practitioner is usually the controller of his patients' data; a company is the controller of data on its clients and employees; a sports club is controller of its members' data and a library of its borrowers' data.” See also [UP-D28-R03]
> [PR-D28-R03] – Data controllers determine 'the purposes and the means of the processing of personal data'. This applies to both public and private sectors. See also [UP-D28-R04]
> [PR-D28-R04] – “Data controllers must respect the privacy and data protection rights of those whose personal data is entrusted to them. They must:
> collect and process personal data only when this is legally permitted;
> respect certain obligations regarding the processing of personal data;
> respond to complaints regarding breaches of data protection rules;
> collaborate with national data protection supervisory authorities. 
> (note: highlights are in the original) See also [UP-D28-R05]
> [PR-D30-R04] – Because the Privacy Shield will also be used to transfer data outside the US, the WP29 insists that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles pg. 3
> 
> [PR-D30-R05] – The requirement for a third country to ensure an adequate level of data protection was further defined by the CJEU in Schrems…It also indicated that the wording ‘adequate level of protection’ must be understood as “requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the Directive read in the light of the Charter” pg.10
> 
> [PR-D31-R03] – On personal data, the Africa Union convention makes personal data processing subject to a declaration before the protection authority and each authority may establish standards for such processing. Article 8: Objective of this Convention states with respect to personal data:
> “Each State Party shall commit itself to establishing a legal framework aimed at strengthening fundamental rights and public freedoms, particularly the protection of physical data, and punish any violation of privacy without prejudice to the principle of free flow of personal data.
> The mechanism so established shall ensure that any form of data processing respects the fundamental freedoms and rights of natural persons while recognizing the prerogatives of the State, the rights of local communities and the purposes for which the businesses were established.”
> [PR-D31-R08] – Article 14: Specific principles for the processing of sensitive data, states: “State Parties shall undertake to prohibit any data collection and processing revealing racial, ethnic and regional origin, parental filiation, political opinions, religious or philosophical beliefs, trade union membership, sex life and genetic information or, more generally, data on the state of health of the data subject.” …
> [PR-D37-R03] – The U.S. Supreme Court Case – McIntyre v. Ohio Elections Commission, states that, “Despite readers' curiosity and the public's interest in identifying the creator of a work of art, an author generally is free to decide whether or not to disclose her true identity. The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible. Whatever the motivation may be, at least in the field of literary endeavor, the interest in having anonymous works enter the marketplace of ideas unquestionably outweighs any public interest in requiring disclosure as a condition of entry.”
> 
> [PR-D38-R01] – The following sections of the Ghana Protection Act could possibly confer requirements on a gTLD directory service.
> [PR-D38-R02] – Section 17, Privacy of the individual, states: “A person who processes data shall take into account the privacy of the individual by applying the following principles: (a) accountability, (b) lawfulness of processing, (c) specification of purpose, (d) compatibility of further processing with purpose of collection, (e) quality of information, (f) openness, (g) data security safeguards, and (h) data subject participation.”
> [PR-D39-R05] – Section 26, Prohibition on processing of special personal information, states: “A responsible party may, subject to section 27, not process personal information concerning—
> the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
> the criminal behaviour of a data subject to the extent that such information relates to—
> the alleged commission by a data subject of any offence; or
> any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.”
> [PR-D44-R02] – [gTLD directory services policies must take into consideration this statement by Professor Greenleaf: ] “Countries without data privacy laws now in a minority.” “Future growth: Heading toward ubiquity.” “Global growth is likely to continue beyond 2020.
> 
> [PR-D44-R03] – [gTLD directory services policies must take into consideration] Greenleaf's years of research [which] are summarized in his finding that by the end of this decade the number of countries with data privacy laws, all of which have a strong ‘family resemblance,’ will be between 66% and 80% of all independent jurisdictions globally.
> 
> 
>> On 7/18/2016 1:47 PM, Lisa Phifer wrote:
>> Dear all,
>>  
>> The next GNSO Next-Gen RDS PDP Working Group teleconference is scheduled for Wednesday, 20 July at 05:00 UTC for 90 minutes.
>> Note that for some this is Tuesday evening: 22:00 PDT (Tuesday), 01:00 EDT, 06:00 London, 07:00 CEST. For other times: http://tinyurl.com/jnhobkh
>> Attached please find materials for this meeting, also linked to the meeting page on the wiki below.
>>  
>> Proposed Agenda for RDS PDP WG Call 
>> 1. Roll call/SOI updates
>> 2. Brief updates on:
>> Completion of work task #11 (final clean v13 attached)
>> Doodle poll results/ICANN57 planning
>> Update on problem statement
>> 3. Review and discuss triage of possible requirements (see D3 Triage, below)
>> · RDS PDP List of Possible Requirements D3 - TriageInProgress - 13 July.docx (previously distributed)
>> · An Excel workbook version is also available for filtering on phase and group: PRSpreadsheets-D3Triage-13July.xlsx (attached)
>> 4. Start work on purpose and use cases (see Example Use Cases attached)
>> 
>> · EWG Report - Example Use Case and Related Data Annexes.doc
>> · During this meeting, RDS PDP WG members will be invited to volunteer to draft use cases.
>> · Draft example use cases listed on pages 1-2 of the attached may be used as input by volunteers if they wish.
>> 5. Confirm Next Meeting - Tuesday 26 July
>>  
>>  
>> Meeting Materials: https://community.icann.org/x/bASbAw
>>  
>> 
>> 
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> 