[gnso-rds-pdp-wg] Some items missing from triage document

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Wed Jul 20 20:53:49 UTC 2016 

As I predicted, I was still having trouble getting the doc to unfurl (I 
think possibly the different versions of Msoft Office may be a problem, 
but likely it is just my doofus lack of skills in excel) so I called up 
an expert and found the right thing to do....I had to insert and remove 
filters.

A tremendous amount of work ladies, kudos to Susan and Lisa for pulling 
this together. Tons of material to decipher.

cheers Stephanie


On 2016-07-20 15:03, Susan Kawaguchi wrote:
> Kathy,
>
> Just checking to see if you were able to filter the document to see 
> the full list of PR?
>
> Best
> Susan Kawaguchi
> Domain Name Manager
> Facebook Legal Dept.
>
>
> From: <gnso-rds-pdp-wg-bounces at icann.org 
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Kathy Kleiman 
> <kathy at kathykleiman.com <mailto:kathy at kathykleiman.com>>
> Date: Tuesday, July 19, 2016 at 8:27 PM
> To: "gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>" 
> <gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>>
> Subject: [gnso-rds-pdp-wg] Some items missing from triage document
>
> I have been reviewing the triaged document. Am I correct in seeing 
> that over 130 Privacy Items [PR] have been reduced to 4? In that case, 
> we are missing much. Unlike other areas of this triaged document, 
> Privacy has been stripped to its most skeletal provisions. What's 
> missing is the breadth, depth and nuances of privacy and data 
> protection laws, and frankly, the full obligations to which 
> Registrars, Registries and ICANN must comply. This fullness was 
> captured in our original analysis of the Privacy documents and 
> reflected in the Possible Requirements doc.
>
> I urge the WG to keep this triaged document open as others may have 
> additional items to add that should be added.
>
> At a minimum, here are some of the critical missing elements (below).
>
> Kathy
>
> ------------------------------------------------------------------------------------------------------------------------
>
> *[PR-D01-R01]* – “. . . in some jurisdictions, privacy rights extend 
> to legal persons and to entities with respect to free speech and 
> freedom of association.” (Next to last paragraph on p.81)
>
> *[PR-D25-R04]*– Council of Europe's Treaty 108 on Data Protections, 
> Article 6, Special categories of data, restricts the collection of 
> data under its privacy laws to only that data that is: “Personal data 
> revealing racial origin, political opinions or religious or other 
> beliefs, as well as personal data concerning health or sexual life, 
> may not be processed automatically unless domestic law provides 
> appropriate safeguards. The same shall apply to personal data relating 
> to criminal convictions.”
>
> *[PR-D26-R06] – *According to the _Directive 
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__eur-2Dlex.europa.eu_legal-2Dcontent_EN_TXT_-3Furi-3DURISERV-253Al14012&d=CwMD-g&c=5VD0RTtNlTh3ycd41b3MUw&r=gvEx8xF7ynrYQ7wShqEr-w&m=tqmtJYU7tT2jcsKP-b0v-rGvVswWSqfs2DZ48lrHUsU&s=BU5LMkSSXQNZZOe2cLNekjWHbhNTTVdRetC-Xcx7AQo&e=> 
> (33),_whereas data which are capable by their nature of infringing 
> fundamental freedoms or privacy should not be processed unless the 
> data subject gives his explicit consent; whereas, however, derogations 
> from this prohibition must be explicitly provided for in respect of 
> specific needs, in particular where the processing of these data is 
> carried out for certain health-related purposes by persons subject to 
> a legal obligation of professional secrecy or in the course of 
> legitimate activities by certain associations or foundations the 
> purpose of which is to permit the exercise of fundamental freedoms;
>
> *[PR-D28-R01]*– “The people or bodies that collect and manage personal 
> data are called "data controllers". They must respect EU law when 
> handling the data entrusted to them.”
>
> *[PR-D28-R02]*– The EU Privacy Directive “refers to the persons or 
> entities which collect and process personal data as ‘data 
> controllers’. For instance, a medical practitioner is usually the 
> controller of his patients' data; a company is the controller of data 
> on its clients and employees; a sports club is controller of its 
> members' data and a library of its borrowers' data.” See also 
> *[UP-D28-R03]*
>
> *[PR-D28-R03]*– Data controllers determine 'the purposes and the means 
> of the processing of personal data'. This applies to both public and 
> private sectors. See also *[UP-D28-R04]*
>
> *[PR-D28-R04]*– “Data controllers must respect the privacy and data 
> protection rights of those whose personal data is entrusted to them. 
> They must:
>
>  *
>
>     collect and process personal data only when this is legally permitted;
>
>  *
>
>     respect certain obligations regarding the processing of personal data;
>
>  *
>
>     respond to complaints regarding breaches of data protection rules;
>
>  *
>
>     *collaborate with national data protection supervisory authorities.
>     (note: highlights are in the original) See also [UP-D28-R05]*
>
> *[PR-D30-R04]*– Because the Privacy Shield will also be used to 
> transfer data outside the US, the WP29 insists that onward transfers 
> from a Privacy Shield entity to third country recipients should 
> provide the same level of protection on all aspects of the Shield 
> (including national security) and should not lead to lower or 
> circumvent EU data protection principles pg. 3
>
> *[PR-D30-R05]*– The requirement for a third country to ensure an 
> adequate level of data protection was further defined by the CJEU in 
> Schrems…It also indicated that the wording ‘adequate level of 
> protection’ must be understood as “requiring the third country in fact 
> to ensure, by reason of its domestic law or its international 
> commitments, a level of protection of fundamental rights and freedoms 
> that is essentially equivalent to that guaranteed within the European 
> Union by virtue of the Directive read in the light of the Charter” pg.10
>
> *[PR-D31-R03]*– On personal data, the Africa Union convention makes 
> personal data processing subject to a declaration before the 
> protection authority and each authority may establish standards for 
> such processing. Article 8: Objective of this Convention states with 
> respect to personal data:
>
>  *
>
>     “Each State Party shall commit itself to establishing a legal
>     framework aimed at strengthening fundamental rights and public
>     freedoms, particularly the protection of physical data, and punish
>     any violation of privacy without prejudice to the principle of
>     free flow of personal data.
>
>  *
>
>     The mechanism so established shall ensure that any form of data
>     processing respects the fundamental freedoms and rights of natural
>     persons while recognizing the prerogatives of the State, the
>     rights of local communities and the purposes for which the
>     businesses were established.”
>
> *[PR-D31-R08] – *Article 14: Specific principles for the processing of 
> sensitive data, states: “State Parties shall undertake to prohibit any 
> data collection and processing revealing racial, ethnic and regional 
> origin, parental filiation, political opinions, religious or 
> philosophical beliefs, trade union membership, sex life and genetic 
> information or, more generally, data on the state of health of the 
> data subject.” …
>
> *[PR-D37-R03] – *The U.S. Supreme Court Case – McIntyre v. Ohio 
> Elections Commission, states that, “Despite readers' curiosity and the 
> public's interest in identifying the creator of a work of art, an 
> author generally is free to decide whether or not to disclose her true 
> identity. The decision in favor of anonymity may be motivated by fear 
> of economic or official retaliation, by concern about social 
> ostracism, or merely by a desire to preserve as much of one's privacy 
> as possible. Whatever the motivation may be, at least in the field of 
> literary endeavor, the interest in having anonymous works enter the 
> marketplace of ideas unquestionably outweighs any public interest in 
> requiring disclosure as a condition of entry.”
>
> *[PR-D38-R01]*– The following sections of the Ghana Protection Act 
> could possibly confer requirements on a gTLD directory service.
>
> *[PR-D38-R02]*– Section 17, Privacy of the individual, states: “A 
> person who processes data shall take into account the privacy of the 
> individual by applying the following principles: (a) accountability, 
> (b) lawfulness of processing, (c) specification of purpose, (d) 
> compatibility of further processing with purpose of collection, (e) 
> quality of information, (f) openness, (g) data security safeguards, 
> and (h) data subject participation.”
>
> *[PR-D39-R05]*– Section 26, Prohibition on processing of special 
> personal information, states: “A responsible party may, subject to 
> section 27, not process personal information concerning—
>
> 1.
>
>     the religious or philosophical beliefs, race or ethnic origin,
>     trade union membership, political persuasion, health or sex life
>     or biometric information of a data subject; or
>
> 2.
>
>     the criminal behaviour of a data subject to the extent that such
>     information relates to—
>
>     1.
>
>         the alleged commission by a data subject of any offence; or
>
>     2.
>
>         any proceedings in respect of any offence allegedly committed
>         by a data subject or the disposal of such proceedings.”
>
> *[PR-D44-R02]*– [gTLD directory services policies must take into 
> consideration this statement by Professor Greenleaf: ] “Countries 
> without data privacy laws now in a minority.” “Future growth: Heading 
> toward ubiquity.” “Global growth is likely to continue beyond 2020.
>
> *[PR-D44-R03] – * [gTLD directory services policies must take into 
> consideration] Greenleaf's years of research [which] are summarized in 
> his finding that by the end of this decade the number of countries 
> with data privacy laws, all of which have a strong ‘family 
> resemblance,’ will be between 66% and 80% of all independent 
> jurisdictions globally.
>
>
>
> On 7/18/2016 1:47 PM, Lisa Phifer wrote:
>>
>> Dear all,
>>
>> The next GNSO Next-Gen RDS PDP Working Group teleconference is 
>> scheduled for *Wednesday, 20 July at 05:00 UTC for 90 minutes.*
>>
>> Note that for some this is Tuesday evening: 22:00 PDT (Tuesday), 
>> 01:00 EDT, 06:00 London, 07:00 CEST. For other times: 
>> http://tinyurl.com/jnhobkh 
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__tinyurl.com_jnhobkh&d=CwMD-g&c=5VD0RTtNlTh3ycd41b3MUw&r=gvEx8xF7ynrYQ7wShqEr-w&m=tqmtJYU7tT2jcsKP-b0v-rGvVswWSqfs2DZ48lrHUsU&s=_0YeK9yAw9M3VCGlFZ93H44Jm_erLRA3Vc7plSGMEys&e=>
>>
>> Attached please find materials for this meeting, also linked to the 
>> meeting page on the wiki below.
>>
>> *Proposed Agenda for RDS PDP WG Call *
>>
>> 1. Roll call/SOI updates
>> 2. Brief updates on:
>>
>>   * Completion of work task #11 (final clean v13 attached)
>>   * Doodle poll results/ICANN57 planning
>>   * Update on problem statement
>>
>> 3. Review and discuss triage of possible requirements (see D3 Triage, 
>> below)
>>
>> ·*RDS PDP List of Possible Requirements D3 - TriageInProgress - 13 
>> July.docx 
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_download_attachments_56986791_RDS-2520PDP-2520List-2520of-2520Possible-2520Requirements-2520D3-2520-2D-2520TriageInProgress-2520-2D-252013-2520July.docx-3Fversion-3D1-26modificationDate-3D1468513314000-26api-3Dv2&d=CwMD-g&c=5VD0RTtNlTh3ycd41b3MUw&r=gvEx8xF7ynrYQ7wShqEr-w&m=tqmtJYU7tT2jcsKP-b0v-rGvVswWSqfs2DZ48lrHUsU&s=dAnEqVGRvNLnd7HzReILHaOm1mTA4ZhFBitH93_7N-s&e=> 
>> (previously distributed)*
>>
>> ·An Excel workbook version is also available for filtering on phase 
>> and group: *PRSpreadsheets-D3Triage-13July.xlsx 
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_download_attachments_60490860_PRSpreadsheets-2DD3Triage-2D13July.xlsx-3Fversion-3D1-26modificationDate-3D1468861768733-26api-3Dv2&d=CwMD-g&c=5VD0RTtNlTh3ycd41b3MUw&r=gvEx8xF7ynrYQ7wShqEr-w&m=tqmtJYU7tT2jcsKP-b0v-rGvVswWSqfs2DZ48lrHUsU&s=X6sXeFQd-bC5KPzStgNO2EiahNYL3GJWhVbwFowbWjg&e=> 
>> (attached)*
>>
>> 4. Start work on purpose and use cases (see Example Use Cases attached)
>>
>> ·EWG Report - Example Use Case and Related Data Annexes.doc 
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_download_attachments_60490860_EWG-2520Report-2520-2D-2520Use-2520Case-2520and-2520Data-2520Annexes.doc-3Fversion-3D1-26modificationDate-3D1468862831998-26api-3Dv2&d=CwMD-g&c=5VD0RTtNlTh3ycd41b3MUw&r=gvEx8xF7ynrYQ7wShqEr-w&m=tqmtJYU7tT2jcsKP-b0v-rGvVswWSqfs2DZ48lrHUsU&s=1JFVwAxlxlRoLHk-DuFbzA3DV3Ror5qGt2-Vid-Dkc0&e=>
>>
>> ·During this meeting, RDS PDP WG members will be invited to volunteer 
>> to draft use cases.
>>
>> ·Draft example use cases listed on pages 1-2 of the attached may be 
>> used as input by volunteers if they wish.
>>
>> 5. Confirm Next Meeting - Tuesday 26 July
>>
>> Meeting Materials: https://community.icann.org/x/bASbAw 
>> <https://urldefense.proofpoint.com/v2/url?u=https-3A__community.icann.org_x_bASbAw&d=CwMD-g&c=5VD0RTtNlTh3ycd41b3MUw&r=gvEx8xF7ynrYQ7wShqEr-w&m=tqmtJYU7tT2jcsKP-b0v-rGvVswWSqfs2DZ48lrHUsU&s=98nWiuANmTZtl5GyIur_2IoN9MFTdcML9HXEVrIWaUo&e=>
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160720/18c313e2/attachment.html>

More information about the gnso-rds-pdp-wg mailing list