<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Calibri">Hi All, <br>
</font></p>
<p><font face="Calibri">I reached out to Peter Kimpian of the
Council of Europe on the important question Victoria asked
yesterday about consent. I did so because it is my understanding
that the definitions of "consent" are different in the US and
Europe - particularly for the type of personal and sensitive
data we are discussing. <br>
</font></p>
<p><font face="Calibri">Peter writes that <u>consent </u>is "a
paramount question and it is for all those who have signed (and
not signed off yet) to Universal Declaration on Human Rights and
the the International Covenant on <span class="keyword">Civil
and</span> Political <span class="keyword">Rights and</span>
the International Covenant on Economic, Social <span
class="keyword">and</span> Cultural <span class="keyword">Rights
and <b>not </b>only in Europe! So the core principle for
privacy and data protection is that the data subject has to be
in control ALWAYS what is happening with his/her data. <b>Consent
is one possible legal base for processing data but it can
not be considered as one consent for everything. Consent
should be informed and free. therefore if the purpose of the
data processing changes data controller have to be sure it
has still the consent for the new purpose.</b>"</span></font></p>
<p><font face="Calibri"><span class="keyword">Best, Kathy<br>
</span></font></p>
<br>
<div class="moz-cite-prefix">On 1/25/2017 2:45 PM, Victoria Sheckler
wrote:<br>
</div>
<blockquote
cite="mid:SN1PR07MB2318D04852AB413E27F95C8CD5740@SN1PR07MB2318.namprd07.prod.outlook.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:"Lucida Grande";
        panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p
        {mso-style-priority:99;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Isn’t
consent always been acceptable for use and disclosure
purposes? And doesn’t all of this have to be balanced with
the public’s legitimate interest in transparency?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a>
[<a class="moz-txt-link-freetext" href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
<b>On Behalf Of </b>Stephanie Perrin<br>
<b>Sent:</b> Wednesday, January 25, 2017 2:33 PM<br>
<b>To:</b> nathalie coupet
<a class="moz-txt-link-rfc2396E" href="mailto:nathaliecoupet@yahoo.com"><nathaliecoupet@yahoo.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] Now open: 18
January Poll on Purpose<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">WHOIS at the moment is a phone book, and
it is a phone book that arguably violates data protection
law. The purpose of this pdp is to determine what the
policy behind the RDS ought to be....not just limp along
with the vestigial WHOIS we inherited from Jon Postel. </span><o:p></o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">The analogy with health data was to
demonstrate that if the management of the DNS was in the
hands of government, they would have public policy
responsibilities, enforced in their parliaments or
legislatures, to take ALL views with due consideration (read
with a grain of salt) and act in compliance with law and
with their respective Constitutions and Charters. That was
the point I was trying to make...we are in a
multistakeholder environment where stakeholders can
influence policy to a greater extent, with no recourse to a
higher authority to question the inclusion of perspectives
that may not be agreed by others (eg. a Parliament). and I
am aware that the list of exceptions for third party access
is long. But they are for release or sharing of
data....they are not purposes of collection. In the cases
of many of the government exceptions you list, those are
releases or sharing agreements authorized by law, and
subject to legal protection. They are not, in most cases
where there is a constitution in place that protects
fundamental rights and due process, reasons for broader
collection for those purposes. There are rare exceptions to
that general principle, but by and large they are rare.</span><o:p></o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">Apologies if that example was not
sufficiently clear.</span><o:p></o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">cheers Stephanie</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 2017-01-25 07:53, nathalie coupet
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Regarding the analogy with health data,
the list of exceptions is long, when it comes to the
application of data protection laws. For example, they do
not apply in cases where public health and safety require
it;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">For government research and statistics
needs;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">In case of a law enforcement
investigation;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">When the security of the President or
other high ranking officials is at stake;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">When the data can be collected from
other sources (such as the phone book);<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">When needed for legislative purposes;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">In case of a court order or other legal
mandate;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">If the person giving the data does so
willingly;<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">And data protection doesn't apply to
second or all subsequent sharings. <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">The truth is data protection is very
loosely applied and is not meant to prevent law
enforcement, legal processes from going their course. <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">By gating all data, or reducing RDS to
just a technician's tool, this would also break the
economy of the Internet. <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">WHOIS/RDS is also a phone book and as
such, it protects the end-user by affording her and
additional and important level of security. <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">Nowhere is it said that RDS is purely
technical.<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">This is reductive view. <o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal">Nathalie<o:p></o:p></p>
</div>
<div id="AppleMailSignature">
<p class="MsoNormal"><br>
Sent from my iPhone<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Jan 25, 2017, at 6:56 AM, Stephanie Perrin <<a
moz-do-not-send="true"
href="mailto:stephanie.perrin@mail.utoronto.ca">stephanie.perrin@mail.utoronto.ca</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">Sorry, this discussion is
important. Your example proves my point. What you
show below is a disclosure. It is a disclosure of a
limited set of data. we are not supposed to be
talking about disclosure at this point in our
proceedings. I leave it to the experts on whether
this is "thin" in the sense of the thick transition
discussion, I really don't know because we are focused
on gTLD policy here. My point is this is a
disclosure. We do not "collect" thin data per se, we
collect a whole mess of mandatory data elements, as
per the RAA. Then we generate a whole mess as part of
activating and making real the domain's existence.
Then we share (release) a small subset.
</span><o:p></o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">So talking about collecting thin
data is misleading in my view. Purpose of disclosing
it is what we are in fact talking about. Calling it a
purpose for collection opens the barn door.</span><o:p></o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif">Stephanie</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 2017-01-25 06:46, Sam Lanfranco
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Thank you Michele, ( ignoring the
spell check driven typo of "think" for "thick" (-: ).
We should be able to put this "thin" discussion behind
us.<br>
The "thin" discussion should have taken about 2 email
exchanges. Here is CIRA's (thin) search for .ca domain
names [disclosure: it is my domain name]<br>
<o:p></o:p></p>
<div>
<div
id="ctl00_MainContent_ctlWhoisInformation_standardWhoIs">
<p class="MsoNormal"><span
style="font-size:10.0pt;color:#660000">Domain
name: <a moz-do-not-send="true"
href="http://artisanalpot.ca">
artisanalpot.ca</a><br>
Domain status: registered<br>
Creation date: 2016/12/14<br>
Expiry date: 2017/12/14<br>
Updated date: 2016/12/19<br>
DNSSEC: Unsigned<br>
Registrar:<br>
Name: Web Hosting Canada (7081936 Canada Inc.)<br>
Number: 5000080<br>
Name servers:<br>
<a moz-do-not-send="true"
href="http://ns1.whc.ca">ns1.whc.ca</a>
173.209.49.178<br>
<a moz-do-not-send="true"
href="http://ns2.whc.ca">ns2.whc.ca</a>
198.245.53.176<br>
<a moz-do-not-send="true"
href="http://ns3.whc.ca">ns3.whc.ca</a>
198.245.61.86<br>
% WHOIS look-up made at 2017-01-25 11:32:24
(GMT)<br>
% Use of CIRA's WHOIS service is governed by the
Terms of Use in its Legal<br>
% Notice, available at <a
moz-do-not-send="true"
href="http://www.cira.ca/legal-notice/?lang=en">http://www.cira.ca/legal-notice/?lang=en</a>
<br>
% (c) 2017 Canadian Internet Registration
Authority, (<a moz-do-not-send="true"
href="http://www.cira.ca/">http://www.cira.ca/</a>)</span><br>
<br>
Nothing private is disclosed and LEA would have to
resort to legal means to get to what is in the
"thick" data set.
<br>
There are no ICANN policy issues here.<br>
<br>
Sam L <<a moz-do-not-send="true"
href="http://artisanalpot.ca">artisanalpot.ca</a>>
(-: <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a moz-do-not-send="true"
href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<a moz-do-not-send="true"
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></p>
</div>
</blockquote>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</body>
</html>