<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_97493"><span id="yui_3_16_0_ym19_1_1473607843685_97579">If the subject looses control over her data at a certain point in time, wouldn't it be possible to ask the new controller (ICANN) to obtain consent before control is being handed over? </span><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1473607843685_97561">If
you can get consent from users for other uses of the data, then the data can be
used for other purposes. </span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_97493"><span style="color: rgb(86, 90, 92); font-family: Arial, sans-serif;" id="yui_3_16_0_ym19_1_1473607843685_97612">With respect to cookies, you just have to
inform the user and give her the option of opting out. But the use of other sensitive personal data for other purposes could probably require an opt-in concept.</span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1473607843685_97562"><span style="font-family:"Arial",sans-serif;color:#565A5C" id="yui_3_16_0_ym19_1_1473607843685_97563">The system would vary across the EU, as data protection laws are crafted
by member state governments.<o:p id="yui_3_16_0_ym19_1_1473607843685_97564"></o:p></span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1473607843685_97565"><span style="font-family:"Arial",sans-serif;color:#565A5C;background:yellow;mso-highlight:yellow" id="yui_3_16_0_ym19_1_1473607843685_97566">In Germany, it might be an opt-in,
whereas in the U.K. it could be an opt-out. Registrars and companies will have to
follow the rules set out by the data protection office in the country where
they are located. This isn’t likely to be based on where the user is located.<o:p id="yui_3_16_0_ym19_1_1473607843685_97567"></o:p></span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" id="yui_3_16_0_ym19_1_1473607843685_97568"><span style="font-family:"Arial",sans-serif;color:#565A5C;background:yellow;mso-highlight:yellow" id="yui_3_16_0_ym19_1_1473607843685_97569">The issue could become more
complicated if EU member states decide that PII collection issue isn't just
a data protection issue but also a consumer protection issue. In those cases,
companies would have to tailor their policies to align with local rules.<o:p id="yui_3_16_0_ym19_1_1473607843685_97570"></o:p></span></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_97571"><span style="font-family:"Arial",sans-serif;color:#565A5C;background:yellow;mso-highlight:yellow" id="yui_3_16_0_ym19_1_1473607843685_97572">So for those companies situated in Ireland, they will claim that the Irish law will apply. But
Germans might make the case that this is a consumer protection issue and that
their laws might have to apply as well to German users. Some German courts have
ruled that this isn’t just a data protection issue but also a consumer
protection issue. What a mess!</span></div><div></div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr">Could an opt-in scheme prevent the conundrum of the application of local data laws, as far as ICANN is concerned? Opt-in requirements are more stringent than opt-out, of course. What would happen, if the subject refused to allow for multiple uses of his data? Then, unauthorized uses of her data would be illegal, unless a company can prove that by not allowing multiple uses of her data, the subject would violate a higher obligation of the company to prevent online fraud or hacking, for example. </div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"><br></div>
<div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_101736">Is retaining this data for an indefinite amount of time resulting in an indiscriminate data retention? The principle of proportionality has to be applied to measure the need for data retention with regards to it final purpose. An example of non-<span id="yui_3_16_0_ym19_1_1473607843685_102589" style="color: rgb(86, 90, 92); font-family: Arial, sans-serif; font-size: 11pt; line-height: 15.6933px;">proportionate data retention is what Google is doing now and holding this data indefinitely. </span></div><div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_101736">Is there a "legitimate interest" for ICANN to retain this data indefinitely? The list of possible "legitimate interests" are the prevention of online fraud, consumer protection, the security of the DNS,... (Please add to this non-exhaustive list). By requiring ICANN to delete the data after a certain period of time would alleviate issues linked to data security, reduce the security burden of data controllers, and maybe contribute to a safer environment for the data subject. But it also in contradiction with the wish of certain PDP participants to have the RDS reflect the life-cycle of the domain. </div><div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_101736">As an end-user advocate, I must say this is the solution which seems to make more sense for the group of people I claim to represent. We have two fronts to defend: privacy and security. </div><div style="margin: 0in 0in 15pt; background-image: initial; background-attachment: initial; background-size: initial; background-origin: initial; background-clip: initial; background-position: initial; background-repeat: initial;" dir="ltr" id="yui_3_16_0_ym19_1_1473607843685_101736">Nathalie</div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"><br></div><span style="font-size:11.0pt;line-height:107%;font-family:"Arial",sans-serif;mso-fareast-font-family:Calibri;mso-fareast-theme-font:minor-latin;color:#565A5C;mso-ansi-language:EN-US;mso-fareast-language:EN-US;mso-bidi-language:AR-SA" id="yui_3_16_0_ym19_1_1473607843685_102516"> <br id="yui_3_16_0_ym19_1_1473607843685_102517"></span><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"> </div><div id="yui_3_16_0_ym19_1_1473607843685_97490" dir="ltr"> </div><div class="signature" id="yui_3_16_0_ym19_1_1473607843685_97488">Nathalie </div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Sunday, September 11, 2016 11:40 AM, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div id="yiv5545400861">
<div>
Two comments:<br><br>
1. This is a PDP. We do not based our actions by what is in an ICANN
policy, but it is our job to decide what is in the policies (in relation
to our topic).<br><br>
2. ICANN is here for far more than to enforce its own policies. We must
ensure that the policies and all they imply address the public interest.
If we judge that something related to the RDS (or whatever) is in the
public interest, our job is to see that it happens or can happen. That is
complex, because there are clearly multiple conflicting desires/needs,
but we ARE supposed to be factoring them all in.<br><br>
Alan<br><br>
At 09/09/2016 02:26 PM, Mark Svancarek via gnso-rds-pdp-wg
wrote:<br><br>
<blockquote type="cite" class="yiv5545400861cite" cite="">Greg, I disagree with your
conclusion here:<br>
<br>
<blockquote type="cite" class="yiv5545400861cite" cite=""><i>I do know that published
registration data has uses and justifications for its existence and use
other than managing the domain's lifecycle. For example there is
the need to identify a registrant for various legal purposes, some of
which (like UDRP) are enshrined in current ICANN policy. So
"supporting the lifecycle" may be a mechanical and possibly
exclusionary or reductive lens through which to view the issues.
</i></blockquote> <br>
If something is enshrined in ICANN policy, and one is obligated to do it,
then it is very much part of “supporting the lifecycle†in my
opinion. It’s a task within the Registered portion chart to which
you’ve linked.<br>
<br>
Ironically, I think you may be the one applying an exclusionary or
reductive lens.<br>
<br>
/marksv</blockquote></div>
</div><br>_______________________________________________<br>gnso-rds-pdp-wg mailing list<br><a ymailto="mailto:gnso-rds-pdp-wg@icann.org" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br><br></div> </div> </div> </div></div></body></html>