[Accred-Model] Version 1.6 of the Accreditation and Access Model

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Wed Jun 20 16:14:41 UTC 2018


I think you just need to up your numbers a bit Michael...I might get 
more in small claims Court these days!  (Don't go there, it is just a 
comparator).

cheers Stephanie

PS still pondering the whole issue of giving up rights...Doubt I would 
ever buy it. What happens if data subject finds out subsequently that 
their data has been sold to criminal gangs?  (think Equifax, ChoicePoint 
cases here).  Remember that I am not just talking about WHOIS data in a 
tiered access case....I am assuming that queries will also lead to 
direct contact with registrars to get financial data. We should not 
build two systems here...


On 2018-06-20 12:03, Michael Palage wrote:
>
> Brian,
>
> Thanks for the constructive feedback, and I welcome your additional 
> feedback in connection with my response below.
>
> As I have noted previously, the final ADR component of the Philly 
> Special has not yet been finalized, although I am working at it 
> diligently. In fact I have a call with a former JAMS employee today to 
> discuss some of her thoughts on my framework. My goal is to have a 
> framework document (not specific policy and rules) out for discussion 
> by the beginning of Panama.
>
> As you accurately note, Privacy Shield DOES NOT provide for 
> “damages.”  However, Section 82, Paragraph 1 of the GDPR does provide 
> that “Any person who has suffered material or non-material damage as a 
> result of an infringement of this Regulation shall have the right to 
> receive compensation from the controller or processor for the damage 
> suffered.” Moreover Section 80 provides for a qualified third party to 
> represent a Data Subject(s) and the right “to receive compensation 
> referred to in Article 82 on his or her behalf where provided for by 
> Member State law.”
>
> So what I am trying to do with the Philly Special ADR component is 
> thread the needle with an ADR framework that provides “some” 
> compensation to the Data Subject.  I believe that the majority of the 
> IPC/BC participants will likely support the proposition that the Data 
> Subject get nothing per the Privacy Shield provision. However, the 
> GDPR does provide for a private right of action and compensation and 
> that cannot be ignored.
>
> My current best thinking involves a hybrid approach where a Data 
> Subject waives their rights under Section 80 and 82, if they elect for 
> the ADR that has some type of remuneration for their harm. TO BE 
> CLEAR, THE DATA SUBJECT WOULD NOT BE REQUIRED TO WAIVE THEIR RIGHT TO 
> REPORT OR FILE A COMPLAINT WITH A DPA. OBVIOUSLY THAT WOULD BE A 
> NON-STARTER FOR THE EDPB.
>
> In a recent discussion with a privacy lawyer, the thought process 
> involved giving businesses some predictability as to the damages/fines 
> they might face through an adverse ADR decision, while empowering a 
> Data Subject to have a quicker process to have their claim resolved.
>
> Now those last couple of paragraphs will probably result in my 
> receiving universal objection from both the hardcore IPC/BC advocates 
> on this list as well as from Stephanie and Kathy. However, I am 
> wearing my standard issued ICANN Kevlar Body armor and flame resistant 
> undergarments – so fire away. This is an unenviable middle ground I 
> have often found myself in over the past 20 years.
>
> Stephanie has made clear she thinks a Data Subject should be able to 
> receive substantially much more than my proposed fine range. My 
> response to Stephanie is if a Data Subject has been substantially 
> harmed avoid my lightweight ADR and resort to the courts under Section 
> 80 or 82.  However, if the harm to the Data Subject is not truly 
> onerous and the Data Subject does not have the financial resources to 
> initiate a legal proceeding in a court of competent jurisdiction, the 
> ADR and the nominal fine may be better than nothing.
>
> To my BC/IPC colleagues, Section 80 and 82 of the GDPR are real, and 
> they provide for a private cause of action with real damages. Should 
> the ultimate winner in ICANN’s Universal Access Model (UAM) steel cage 
> match NOT account for a mechanism that provides Data Subjects an 
> administrative right to remedy the alleged violation, it is not a 
> matter “if” but “when” the Data Controllers and Data Processors 
> associated with this UAM find themselves in court.  That does not seem 
> like the business predictability that most businesses strive to achieve.
>
> Finally in response to John’s most recent email about the 
> unworkability of the Philly Special model when someone refuses to pay 
> the fine, thus resulting in future denied access.  The Philly Special 
> specifically provides for a financial instrument to be put in place to 
> prevent this type of bad actor walking away from their wrong/debt.  
> This provision was not only provided for in the Philly Special 2.0 
> policy document but it was also provided for in the proposed legal 
> template that Users would have to sign prior to gaining access to the 
> system.
>
> Brian thanks again for the constructive engagement, and hopefully this 
> email provides additional insight into how I am proposing to navigate 
> the complex ADR minefield.
>
> Best regards,
>
> Michael
>
> *From:*Accred-Model <accred-model-bounces at icann.org> *On Behalf Of 
> *BECKHAM, Brian
> *Sent:* Wednesday, June 20, 2018 7:55 AM
> *To:* accred-model at icann.org
> *Subject:* Re: [Accred-Model] Version 1.6 of the Accreditation and 
> Access Model
>
> With respect to Michael’s request for feedback, and merely for 
> information, the binding arbitration provided for under the Privacy 
> Shield framework that Kathy has helpfully pointed out proposes the 
> following:
>
> https://www.privacyshield.gov/article?id=B-Available-Remedies
>
> B. Available Remedies
>
> Under this arbitration option, the Privacy Shield Panel (consisting of 
> one or three arbitrators, as agreed by the parties) has the authority 
> to impose individual-specific, non-monetary equitable relief (such as 
> access, correction, deletion, or return of the individual’s data in 
> question) necessary to remedy the violation of the Principles only 
> with respect to the individual.  These are the only powers of the 
> arbitration panel with respect to remedies.  In considering remedies, 
> the arbitration panel is required to consider other remedies that 
> already have been imposed by other mechanisms under the Privacy 
> Shield.  No damages, costs, fees, or other remedies are available.  
> Each party bears its own attorney’s fees.
>
> Perhaps the types of equitable relief foreseen here are meant to speak 
> to the difficulty in being “made whole”?
>
> Kind regards,
>
> Brian
>
> *From:*Accred-Model [mailto:accred-model-bounces at icann.org] *On Behalf 
> Of *Stephanie Perrin
> *Sent:* Wednesday, June 20, 2018 1:13 AM
> *To:* accred-model at icann.org <mailto:accred-model at icann.org>
> *Subject:* Re: [Accred-Model] Version 1.6 of the Accreditation and 
> Access Model
>
> I think Mike has come up with a reasonable solution, although the 
> numbers are low.  If I have to replace my phone number because it is 
> out there now, $250 does not cover my trouble.  This is the 
> fundamental problem with privacy loss, it is often impossible to be 
> made whole.
>
> Stephanie Perrin
>
> On 2018-06-19 14:23, Michael Palage wrote:
>
>     John,
>
>     So I think it is fair to say that no matter what Kathy or I say you will not be happy with any meaningful Data Subject centric safeguard, so this will be my last response on the list.
>
>     So the "complex" problem we are seeking to solve is respecting the Fundamental Human Right to Privacy that Europeans have.  Much like I respect my fellow Americans and their love of the Second Amendment, I have learned to respect Europeans' passion for their Right to Privacy.
>
>     Now the problem with ICANN and the IPC/BC solution is that there is no mechanism to make a Data Subject whole after their Personal Data has been improperly processed.  All of the proposed safeguards are focused on limiting a third party to harm additional Data Subjects in the future. I just find that problematic.
>
>     When Kathy and I worked on the UDRP and Working Group B almost 20 years ago, we were on the opposite side of the issue.  However, we recognized that any solution that ICANN proposed had to be modeled after well established international law, and respect the rights of both Complainant (Trademark Owner) and Respondent (Domain Registrant).
>
>     What I tried to do in my proposal was model that seed of compromise that was so successful almost 20 years ago in connection with the UDRP.  As Kathy noted there are ADR components in the Privacy Shield that provide for the resolution of disputes.  You are also correct that there are requirements that businesses pay for these services and there are no fees to Data Subjects, which creates the potential for abuse.  That is why I have been looking to modify the JAMS ADR rules to perhaps find a middle ground that balances the respective rights of the Data Subject and Controller/Processor.
>
>     In speaking with a number of privacy attorneys, Data Subjects rarely get compensated for violations of their rights, although DPAs can impose substantial fines against the Controller/Processor.  The sweet spot I was looking at in connection with the ADR mechanism was something URS "like". I think this group and ICANN have done a really good job delineating under what set of circumstances a request can be legally made. In fact I think it would be constructive if a User enumerated at the time of the search what basis they were acting upon.  The URS "like" ADR process would make use of templates for the complaint and response forms and NO formal written opinion by the panel just a summary decision.
>
>     I am still surveying privacy professionals but I think a fine in the range of $250 to $500 for a violation of the terms of services would not be unreasonable.   However, this is still at the spaghetti throwing stage.  The other important mechanism is the need to have a disincentive for people to abuse the system by filing abusive requests.  There may be the need for some type of speed bump mechanism to mitigate against abusive filings.  Still noodling on this safeguard but would appreciate any group feedback.
>
>     One of the hard lessons I have learned in ICANN is that it is easy to criticize but it is really hard to find a solution to both complex and simple problems.
>
>     Safe travels and I look forward to hopefully seeing you in Panama next week.
>
>     Best regards,
>
>     Michael
>
>       
>
>     -----Original Message-----
>
>     From: Accred-Model<accred-model-bounces at icann.org>  <mailto:accred-model-bounces at icann.org>  On Behalf Of John R. Levine
>
>     Sent: Tuesday, June 19, 2018 1:32 PM
>
>     To: Kathy Kleiman<kathy at kathykleiman.com>  <mailto:kathy at kathykleiman.com>
>
>     Cc:accred-model at icann.org  <mailto:accred-model at icann.org>
>
>     Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model
>
>         It's great when there is actually an easy solution.  At least for the
>         many US companies, law firms, cybersecurity firms, and others (and
>         this a huge part of the group seeking access), they should
>         "self-certify" to the EU-US Privacy Shield, via procedures set up by
>         the US Department of Commerce and Federal Trade Commission.
>
>     Well, at least until the EU courts kill privacy shield like they did Safe Harbor.
>
>     Banks and non-profits such as CAUCE are not eligible for Privacy Shield (they're not regulated by the FTC or DOT.)  For small organizations the PS rules are extremely complex and there's a mandatory annual payment to cover potential arbitration costs.
>
>     Can we back up and explain what problem this overcomplex "solution" is supposed to be solving here?
>
>     Regards,
>
>     John Levine,johnl at iecc.com  <mailto:johnl at iecc.com>, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail.https://jl.ly
>
>     _______________________________________________
>
>     Accred-Model mailing list
>
>     Accred-Model at icann.org  <mailto:Accred-Model at icann.org>
>
>     https://mm.icann.org/mailman/listinfo/accred-model
>
> 	
>