[gnso-rds-pdp-wg] RDS Statement of Purpose

nathalie coupet nathaliecoupet at yahoo.com
Sun Sep 11 23:10:11 UTC 2016


If the subject loses control over her data at a certain point in time, wouldn't it be possible to ask the new controller (ICANN) to obtain consent before control is being handed over? If you can get consent from users for other uses of the data, then the data can be used for other purposes. With respect to cookies, you just have to inform the user and give her the option of opting out. But the use of other sensitive personal data for other purposes could probably require an opt-in concept. The system would vary across the EU, as data protection laws are crafted by member state governments.

In Germany, it might be an opt-in, whereas in the U.K. it could be an opt-out. Registrars and companies will have to follow the rules set out by the data protection office in the country where they are located. This isn’t likely to be based on where the user is located.

The issue could become more complicated if EU member states decide that PII collection issue isn't just a data protection issue but also a consumer protection issue. In those cases, companies would have to tailor their policies to align with local rules.

So for those companies situated in Ireland, they will claim that the Irish law will apply. But Germans might make the case that this is a consumer protection issue and that their laws might have to apply as well to German users. Some German courts have ruled that this isn’t just a data protection issue but also a consumer protection issue. What a mess!

Could an opt-in scheme prevent the conundrum of the application of local data laws, as far as ICANN is concerned? Opt-in requirements are more stringent than opt-out, of course. What would happen, if the subject refused to allow for multiple uses of his data? Then, unauthorized uses of her data would be illegal, unless a company can prove that by not allowing multiple uses of her data, the subject would violate a higher obligation of the company to prevent online fraud or hacking, for example.

Is retaining this data for an indefinite amount of time resulting in an indiscriminate data retention? The principle of proportionality has to be applied to measure the need for data retention with regard to its final purpose. An example of non-proportionate data retention is what Google is doing now and holding this data indefinitely. Is there a "legitimate interest" for ICANN to retain this data indefinitely? The list of possible "legitimate interests" are the prevention of online fraud, consumer protection, the security of the DNS, ... (Please add to this non-exhaustive list). Requiring ICANN to delete the data after a certain period of time would alleviate issues linked to data security, reduce the security burden of data controllers, and maybe contribute to a safer environment for the data subject. But it is also in contradiction with the wish of certain PDP participants to have the RDS reflect the life-cycle of the domain. As an end-user advocate, I must say this is the solution which seems to make more sense for the group of people I claim to represent. We have two fronts to defend: privacy and security.


Nathalie

    On Sunday, September 11, 2016 11:40 AM, Alan Greenberg <alan.greenberg at mcgill.ca> wrote:
 

 Two comments:

1. This is a PDP. We do not base our actions on what is in an ICANN policy, but it is our job to decide what is in the policies (in relation to our topic).

2. ICANN is here for far more than to enforce its own policies. We must ensure that the policies and all they imply address the public interest. If we judge that something related to the RDS (or whatever) is in the public interest, our job is to see that it happens or can happen. That is complex, because there are clearly multiple conflicting desires/needs, but we ARE supposed to be factoring them all in.

Alan

At 09/09/2016 02:26 PM, Mark Svancarek via gnso-rds-pdp-wg wrote:

Greg, I disagree with your conclusion here:

I do know that published registration data has uses and justifications for its existence and use other than managing the domain's lifecycle. For example there is the need to identify a registrant for various legal purposes, some of which (like UDRP) are enshrined in current ICANN policy. So "supporting the lifecycle" may be a mechanical and possibly exclusionary or reductive lens through which to view the issues.

If something is enshrined in ICANN policy, and one is obligated to do it, then it is very much part of “supporting the lifecycle” in my opinion. It’s a task within the Registered portion chart to which you’ve linked.

Ironically, I think you may be the one applying an exclusionary or reductive lens.
 
/marksv
