[gnso-rds-pdp-wg] another document that might be of interest
theo geurts
gtheo at xs4all.nl
Sat Oct 21 19:02:11 UTC 2017
Nice!
https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/
through multiple choice.
https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/guidelines_on_data_protection_impact_assessment_dpia.pdf
Given the fact that we can start from scratch without the concept of
WHOIS, it might be useful to perform a DPIA. Applying a DPIA to WHOIS
itself is not so useful; I tried a few DPIAs for some legacy systems at
work, and the result is not so great. For new projects it works
perfectly though.
Theo
On 21-10-2017 18:10, Kris Seeburn wrote:
> Theo,
>
> I get your point and understand this fully and effectively it is
> there. I came across another assessment or self assessment tool from
> Microsoft which is quite interesting and has the right questions.
>
> https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
>
> This may be something we may need to rethink for sure, but any self
> assessment is worth it and may perhaps help us redefine the move ahead.
>
>> On Oct 21, 2017, at 19:54, theo geurts <gtheo at xs4all.nl> wrote:
>>
>> A couple of pointers here for everyone and not directed at anyone
>> specifically.
>>
>> Eurid will update their Registrar agreement soon. So perhaps it is not
>> handy to dig into some agreement.
>> The agreement will state very clearly who will be the data controller
>> (Registry) and the data processor (Registrar/Reseller). As all the
>> roles are defined and PII is not available through the WHOIS, no
>> consent is required.
>>
>> Let's dive a little into consent and the organizational "challenges."
>>
>> * Be specific and granular. Vague or blanket consent is not enough
>> * Name any third parties who will rely on the consent
>> * Make it easy for people to withdraw consent and tell them how
>>
>> Consent must specifically cover the controller’s name, the purposes
>> of the processing and the types of processing activity
>>
>> Okay? Let's dig a little deeper into consent.
>> Consent will be needed for different processing operations wherever
>> appropriate – so you need to give granular options to consent
>> separately to separate purposes.
>>
>> So a registrant will have to consent to at least
>>
>> * Escrow Registry to Escrow provider in country X
>> * Escrow Registrar to Escrow provider in country X
>> * Cross-border transfer of data to Registry in country X
>> * ICANN staff USA under set conditions must have access to Registry
>> or Registrar RDE deposit
>> * ICANN staff access for audits
>> * Third parties selected by ICANN for audits
>> * Place holder for all the other stuff I am forgetting
>>
>>
>> As the PII will be published in the WHOIS that will require consent
>> also. But you have to warn the Registrant, so it has to be crystal
>> clear what will happen as soon that data becomes public. Spam, phone
>> calls by folks trying to sell you stuff, i.e., the good stuff we all
>> know about and encounter on a daily basis and much more.
>> In data protection, there is a fundamental principle which is
>> unchanged even in the age of Big Data.
>> The data subject has to be in control of her/his data, which means
>> for consent that you need consent for each of the data
>> processing activities (even for minor changes in the processing).
>>
>> Now picture a domain name registration flow here.
>> We are talking about over a thousand TLDs here, scattered all over the
>> world.
>> This will not increase consumer trust for starters when it comes to
>> gTLDs. It will be one big click fest and registration conversion will
>> go down the drain.
>>
>> But let's assume we go this route.
>> Right to be forgotten? How do we do that when the WHOIS is scraped
>> day and night by unknown third parties? I am not sure how we will
>> meet this GDPR requirement. Most likely consent was not "freely"
>> given. Perhaps part two will cover this some more.
>>
>> Withdrawal of consent, how do we envision this GDPR requirement? I
>> do not see how we will ever get this working if the current status
>> quo is not changing.
>>
>> Art 6.1(b) can be used for companies who have a very direct customer
>> relation on a small base. This is not a solution for Registrars nor
>> Registries when it comes to mass registrations that happen on a daily
>> basis.
>>
>> Thanks,
>>
>> Theo
>>
>>
>> On 21-10-2017 02:41, John Bambenek via gnso-rds-pdp-wg wrote:
>>> Not the last few items discussed, no. That said, I have been
>>> traveling for the past few weeks and need to read them side by side
>>> for a definitive synthesis. That aside, my primary concern is that
>>> said officials are not hearing enough from the anti-abuse and
>>> security community on these tools to have a more fully informed
>>> discussion. We are working to rectify that.
>>>
>>> Sent from my iPad
>>>
>>> On Oct 21, 2017, at 2:35 AM, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>
>>>> My apologies, John. It was not clear to me that you had read the
>>>> memo. I am glad to hear that you have. Particularly in relation to
>>>> consent, I thought the advice that the memo contained (along with
>>>> the Hamilton memo) was consistent with the advice that we received
>>>> from the European Data Protection Commissioners earlier this year.
>>>> Would you agree?
>>>>
>>>> —Ayden
>>>>
>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of
>>>>> interest
>>>>> Local Time: 21 October 2017 1:27 AM
>>>>> UTC Time: 21 October 2017 00:27
>>>>> From: jcb at bambenekconsulting.com
>>>>> To: Ayden Férdeline <icann at ferdeline.com>
>>>>> Victoria Sheckler <vsheckler at riaa.com>, GNSO RDS PDP
>>>>> <gnso-rds-pdp-wg at icann.org>
>>>>>
>>>>> Yes, I believe I pointed out on this very list that, among other
>>>>> things, the notion that EU law should reign supreme globally even
>>>>> when it conflicts with local laws is patently offensive, among
>>>>> other things.
>>>>>
>>>>> Is there a particular outcome that you are trying to achieve by
>>>>> insinuating that I am ignorant and not reading the mounds of
>>>>> paperwork generated by this group? I mean besides the continual,
>>>>> consistent, and vigorous disrespect shown to those who work in
>>>>> anti-abuse or security?
>>>>>
>>>>> And if you’d like an analysis of the legal memo, it is this: it is
>>>>> always better to take the word of the regulators over merely that
>>>>> of some law firm. Which is what I thought we were actually talking
>>>>> about in the first place.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> John Bambenek
>>>>>
>>>>> On Oct 20, 2017, at 19:10, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>>> John,
>>>>>>
>>>>>> Have you read the legal memo that we received from Wilson Sonsini
>>>>>> Goodrich & Rosati?
>>>>>>
>>>>>> It states on page 14, "asking for consent would not be simple,
>>>>>> would not solve all data protection issues, and would pose a
>>>>>> number of organizational challenges."
>>>>>>
>>>>>> The rationale behind this statement is contained within the memo.
>>>>>>
>>>>>> —Ayden
>>>>>>
>>>>>>
>>>>>>> -------- Original Message --------
>>>>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of
>>>>>>> interest
>>>>>>> Local Time: 21 October 2017 1:06 AM
>>>>>>> UTC Time: 21 October 2017 00:06
>>>>>>> From: jcb at bambenekconsulting.com
>>>>>>> To: Ayden Férdeline <icann at ferdeline.com>
>>>>>>> Victoria Sheckler <vsheckler at riaa.com>, GNSO RDS PDP
>>>>>>> <gnso-rds-pdp-wg at icann.org>
>>>>>>>
>>>>>>> So, in short, if we create a consent system, we are fine.
>>>>>>>
>>>>>>> Am I missing something?
>>>>>>>
>>>>>>> --
>>>>>>> John Bambenek
>>>>>>>
>>>>>>> On Oct 20, 2017, at 17:31, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>>>>> I would like to flag two extracts from this Regulation that may
>>>>>>>> be relevant to our work:
>>>>>>>>
>>>>>>>> * "The Registry should also comply with the relevant data
>>>>>>>> protection rules, principles, guidelines and best
>>>>>>>> practices, notably concerning the amount and type of data
>>>>>>>> displayed in the WHOIS database." (page 3)
>>>>>>>> * "The WHOIS database shall contain information about the
>>>>>>>> holder of a domain name that is relevant and not excessive
>>>>>>>> in relation to the purpose of the database. In as far as
>>>>>>>> the information is not strictly necessary in relation to
>>>>>>>> the purpose of the database, and *if the domain name holder
>>>>>>>> is a natural person, the information that is to be made
>>>>>>>> publicly available shall be subject to the unambiguous
>>>>>>>> consent of the domain name holder*." (page 10 - emphasis added)
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>>
>>>>>>>> Ayden Férdeline
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> -------- Original Message --------
>>>>>>>>> Subject: [gnso-rds-pdp-wg] another document that might be of
>>>>>>>>> interest
>>>>>>>>> Local Time: 20 October 2017 10:47 PM
>>>>>>>>> UTC Time: 20 October 2017 21:47
>>>>>>>>> From: vsheckler at riaa.com
>>>>>>>>> To: GNSO RDS PDP <gnso-rds-pdp-wg at icann.org>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I think we missed this document when we were reviewing
>>>>>>>>> documents for this WG back in the day, and thought some of you
>>>>>>>>> might find it of interest given our current discussions on GDPR.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> COMMISSION REGULATION (EC) No 874/2004 of 28 April 2004 laying
>>>>>>>>> down public policy rules concerning the implementation and
>>>>>>>>> functions of the .eu Top Level Domain and the principles
>>>>>>>>> governing registration, available at
>>>>>>>>> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF
>>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>>> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>
>>>>
>>>
>>>
>>
>
> Kris Seeburn
> seeburn.k at gmail.com
>
> www.linkedin.com/in/kseeburn/