[Gnso-epdp-team] EPDP Team Preliminary Recommendation #8 - Redaction of RNH Organization Field

[Amr Elsadr]

Hi,

I would like to once again raise the issue of the optional “Organization” field listed in the draft initial report, and ask that it be changed from “Non-redacted” to either “Redacted”, or at a minimum, indicate that there is no consensus on the EPDP Team on whether this data element should be redacted or not.

The Outstanding Issues document dated 6 November circulated by staff described recommendation #8 on data redaction as follows:

> "The current language aims to reflect the EPDP Team discussion during ICANN63. What aspects need to be further considered? It is the expectation that further information obtained during the public comment period may help to further inform this discussion."

I don’t believe this is entirely accurate, as the text rationalizing recommendation #8 in the draft initial report did not capture the discussion that took place on the last day of our F2F meetings at ICANN 63. There is a bullet in the draft initial report specifically addressing this data element, yet it makes no mention of the concerns raised about how non-redacted information may, in combination with other data elements, result in a data subject becoming identifiable. This is a nuance in GDPR compliance, which the EPDP needs to address and has been previously discussed.

As a reminder, in Barcelona, the NCSG referenced the legal advice provided by WSGR to the GNSO RDS PDP WG on this issue, which reads as follows:

> "Data elements are considered to be personal data if they relate to an identified or identifiable natural person (i.e., an individual). This depends on the context and the particular data element involved, and data that may not seem identifiable on their face may still be considered to be personal data (e.g., a 16-digit number may actually be a credit card number). Given the growth of computing power, much data that was earlier not considered to be personal has become viewed as personal data, so the concept is fluid. Under current data protection law (i.e., the Directiveand national implementations of it), the data of legal persons is covered in only a few jurisdictions, while under the GDPR, it will not be covered by data protection law at all (see Recital 14). The GDPRgives as example of the data of legal persons, their name and form as well as their contact details, which it states, are not covered. However, the key factor is not just whether the name of the registrant is that of a natural or legal person, but how the different data fields, when taken together, relate to an individual."

Additionally, Recital 26 of the GDPR states that:

> "The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly."

Although a data element identifying an Organization name does not in itself identify a natural person, it certainly relates to one. Additionally, in combination with other non-redacted data elements such as “Country” and “State/province”, it can very likely contribute to a data subject becoming more identifiable.

The current text in the draft initial report addressing the “Organization” data element only indicates that the EPDP Team has questions regarding liability, should a RNH choose to provide PII within the “Organization” field. The NCSG's concerns are clearly broader than this scenario, and we ask that (at a minimum) the concern outlined here be included in the report, referencing the above sources, and indicating that this is an issue on which there is still no consensus.

Thanks.

Amr
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181110/c4a35b97/attachment-0001.html>