<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>At best its personal only in a subset of cases. I don't know what the breakdown is but many domains are owned by corporate entities. Or are companies people in privacy law?<br><br>Sent from my iPhone</div><div><br>On May 31, 2017, at 16:13, Gomes, Chuck via gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Grande";
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Lucida\000D\000A Grande";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">Well said Stephanie. I still remember one of the DP experts in Copenhagen saying what you say below, because data is personal does not mean it cannot be disclosed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">Chuck<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> <a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a> [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
<b>On Behalf Of </b>Stephanie Perrin<br>
<b>Sent:</b> Wednesday, May 31, 2017 5:03 PM<br>
<b>To:</b> <a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [gnso-rds-pdp-wg] The principle for thin data (was Re: Principle on Proportionality for "Thin Data"access)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida Grande",serif">Your summary today was great Andrew.</span><o:p></o:p></p>
<p><span style="font-size:13.5pt;font-family:"Lucida Grande",serif">I am not arguing about the disclosure of thin data. We already voted on unauthenticated mandatory disclosure, weeks ago (or at least it feels like weeks ago). Lets please move on. We are
debating this yet again, because people keep asking, is thin data personal? </span><span style="font-size:13.5pt;font-family:"Lucida
Grande",serif"> [lots of people missed the last call]</span><span style="font-size:13.5pt;font-family:"Lucida Grande",serif">
The answer is yes (IMHO). Does that mean it cannot be disclosed? The answer is no. Does the proportionality principle apply? Yes. Have we already gone through this? Yes. Can we come back to it? Yes, but hopefully only if we have to.....we will have
to when we get to data elements.</span><o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">cheers Stephanie<br>
<span style="font-size:13.5pt">PS a fundamental problem here is that people try to categorize information that in their view should be disclosed, as not personal information. This fight has gone on for years over IP address, for instance. The important question
is not actually whether it is personal data or not, it is "do you need to disclose it to make things work?"....and if the answer is yes then you try to mitigate the disclosure and try to keep it minimized to what is absolutely required. Hence the PIA, which
should employ both data minimization and the test in the proportionality principle as techniques to evaluate data elements.<br>
A good and really simple example is a phone number. IS it personal info? (the telcos fought for years, trying to claim they owned it and it was not personal). Obviously it pertains to you, people feel strongly that it is personal (culturally relative of
course but...) and yet if noone ever learns your number your phone won't ever receive a call. That does not mean you have to disclose it everywhere.....only where necessary. And it should mean that it does not have to follow you everywhere, but that is becoming
increasingly hard to manage....<br>
<br>
By the way, informed consent is not the same as transparency requirements. Transparency requirements are exactly that....you have to be transparent about what you are doing with data. Let us not conflate that with consent.<br>
<br>
I will quit now and stop trying to answer questions. I would like to humbly suggest, however, that we have a real shortage of basic understanding of how data protection law works and is interpreted. If there is a data protection law expert that folks might
listen to, we should hire that person to advise us. It might save a lot of time.<br>
<br>
</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 2017-05-31 16:00, Andrew Sullivan wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Hi,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>On Wed, May 31, 2017 at 03:20:59PM -0400, Stephanie Perrin wrote:<o:p></o:p></pre>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre>That does not mean we need to protect it, it means we have to examine it in<o:p></o:p></pre>
<pre>terms of DP law. May I repeat the suggestion that Canatacci made in<o:p></o:p></pre>
<pre>Copenhagen in response to a question.....(I forget the precise question he<o:p></o:p></pre>
<pre>was asked, sorry). If you want to figure out whether you have to protect<o:p></o:p></pre>
<pre>something or not, do a privacy impact assessment.<o:p></o:p></pre>
</blockquote>
<pre><o:p> </o:p></pre>
<pre>As I think I've said more than once in this thread, I think we _have_<o:p></o:p></pre>
<pre>done that assessment and I think the answers are obvious and I think<o:p></o:p></pre>
<pre>therefore that there is nothing more to say about this principle in<o:p></o:p></pre>
<pre>respect of thin data:<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> - the data is either necessary for the operation of the system<o:p></o:p></pre>
<pre> itself or else necessary for distributed operation and<o:p></o:p></pre>
<pre> troubleshooting on the Internet.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> - the data does not expose identifying information about anyone,<o:p></o:p></pre>
<pre> except in rather strained examples where the identifying<o:p></o:p></pre>
<pre> information is already completely available via other means.<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>What more is one supposed to do? <o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre>A<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>gnso-rds-pdp-wg mailing list</span><br><span><a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a></span><br><span><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span></div></blockquote></body></html>