[council] Proposed motion regarding Personal Data that is collected and retained by registrars

[Bruce Tonkin]

Hello All,


As discussed in my earlier email, and taking into account the email
discussions so far, I propose a separate motion to initiate further
dialogue with ICANN Advisory Committees such as the GAC, SSAC, and ALAC
on the topic of the purposes for which Personal Data is collected from
Registrants.  I want to make sure that we can relatively quickly have
some documentation to support a useful dialogue, without requiring the
formation of additional task forces or working groups.   We already have
large quantities of information on the WHOIS debate that are available
via either the DNSO or GNSO websites, along with transcripts of past
workshops at ICANN meetings.

Up until now, much of the Personal Data that is collected is made
available to the general public with almost no access control.  This
means that the purposes for which the data is collected is almost
irrelevant, as members of the public may use the data for all sorts of
things.   It is virtually impossible to police any "use limitation" of
this public data, ie Personal Data should not be disclosed, made
available or otherwise used for purposes other than those specified.
You can even print out the public data from the WHOIS service and use it
as a doorstop.

Note also that registrars are in no way constrained in what purposes
they collect Personal Data including for marketing purposes, as long as
these are part of their agreement with the Registered Name Holder. 


I propose the following new motion:

"The GNSO Council notes that consistent with generally accepted privacy
principles, Registrars shall provide notice to each new or renewed
Registered Name Holder stating:

(i) The purposes for which any Personal Data collected from the
applicant are intended;

(ii) The intended recipients or categories of recipients of the data
(including the Registry Operator and others who will receive the data
from Registry Operator);

(iii) Which data are obligatory and which data, if any, are voluntary;
and

(iv) How the Registered Name Holder or data subject can access and, if
necessary, rectify the data held about them.

To further understand the range of purposes for which data is intended,
the GNSO proposes the following steps:

(1) The ICANN staff will review a sample of registrar agreements with
Registered Name Holders to identify some of the purposes for which
registrars collected Personal Data from registrants.

(2) The ICANN staff will review a sample of cctld registry or cctld
registrar agreements with registrants to identify some of the purposes
for which these organisations collect Personal Data from registrants.

(3) The ICANN staff will summarise the current material that has
resulted from WHOIS discussions since 2002 that document the current
uses of the data that is currently made public through the WHOIS
service.

(4) Based on the material produced in steps (1), (2) and (3) above, the
Council will undertake a dialogue with the ICANN Advisory Committee's
such as the GAC, SSAC and ALAC to determine whether any work is required
on mandating particular purposes, consistent with ICANN's mission and
core values, for which registrars must collect Personal Data from
registrants.

The dialogue should seek to examine and understand consumer protection,
privacy/data protection and law enforcement views, perspectives and
concerns."