[gnso-rds-pdp-wg] Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017

Lisa Phifer lisa at corecom.com
Tue Feb 7 19:18:41 UTC 2017 

Dear all,

 

Below please find notes from today’s RDS PDP WG call.

 

Best regards,

Lisa

 

Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017

These high-level notes are designed to help PDP WG members navigate through
the content of the call and are not meant as a substitute for the transcript
and/or recording. The MP3, transcript, and chat are provided separately and
are posted on the wiki at  <https://community.icann.org/x/HIzRAw>
https://community.icann.org/x/HIzRAw

1. Roll call / SOI

*	Roll call will be taken from Adobe Connect
*	Please remind to update your SOIs as needed
*	Please remember to state your name before speaking as well as muting
your microphone when not speaking

2. Intro to Data Protection principles that may apply to thin data
collection

   a. Overview from Stephanie Perrin & Peter Kimpian

Presentation by Peter Kimpian

*	See slides at
<https://community.icann.org/download/attachments/64064540/Kimpian_pdp_rds_2
_2_17.pdf>
https://community.icann.org/download/attachments/64064540/Kimpian_pdp_rds_2_
2_17.pdf
*	Right to privacy is a universal right, even if it is interpreted
differently in different countries.
*	Individuals have to be in control of their personal data (the whole
trail of data). Overarching principles: necessity, proportionality, purpose
specification / purpose limitation.
*	For data processing there has to be a legitimate aim/purpose. Lawful
and fair means of data processing. Lawful = it has to be regulated and/or
not forbidden by legislation.
*	Valid legal basis (law, consent, contract, vital interest of the
individual). This concept is also present in other legal frameworks, not
only the European one.
*	Data processing needs to be adequate, relevant and not excessive.
*	Data minimization principle: no processing of data for the sake of
data, only for a purpose. During the processing, the data controller has the
obligation to process the minimum amount of data that is fit for purpose.
*	There are a number of exemptions (see slide 4). Always conditions to
these exemptions. Need to establish criteria under which such exemptions are
permissible.
*	Disclosure of data (slide 5) - same rules apply as for processing,
however there is a third party that enters into the picture using the data
for a secondary purpose.
*	Accountability (slide 6) - data controller is accountable for
upholding data protection principles.

Comments from Stephanie Perrin

*	One of the basic principles of data protection law is that
processing needs to be fair and lawful. 
*	Fair = there need to be limits to the collection of PI. Collection
needs to be focused on the purpose. Most common law countries, there has to
be a legal mandate for a government department to collect data. This gets
fuzzier in the private sector.
*	Private sector companies that are offering a service that is not
mandatory, they can define what is relevant and gain consent. Notice and
choice appears to have become the rule for Internet services, based on US
practice.
*	The restriction of collection of data to what is needed. Defining
the purpose of collection is therefore fundamental.
*	There are differences across countries with regards to data
protection laws. and how some of these principles are applied. A good
overview can be found here:
<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2603502>
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2603502.
*	What is the purpose of ICANN in gathering personal information?
*	Not arguing that potential uses are not appropriate or useful, but
these potential uses for other purposes can be considered secondary use.
This is not sufficient purpose for collection though.

   b. Q&A

*	Q: Is ICANN the "data controller" in our world?   Or is it the
registries/registrars?  
*	A: One view is that ICANN is the data controller, because it sets
the RAA which defines collection, use and disclosure. Registrars and
registries could be considered data processors WRT the data that ICANN tells
them to collect and display, including all relevant policies. They are data
controllers with respect to their own business operations, data they gather
to sell other services for which ICANN does not set policy.  So they are
hybrid. It was pointed out that this issue was hotly debated during the EWG
without reaching a conclusion.
*	See Key Inputs section of wiki for A29 documents on concept of data
controller and processor
*	See also chat dialog regarding application of the terms "data
controller" and "data processor" to WHOIS data
*	Q: What aspects of this apply to commercial entities?  Would a
commercial entity have the same right to privacy of their data as an
individual data subject?  
*	A: No. Privacy is a human right, linked to human beings (natural
persons). There are discussions about this but for now no, only applies to
human beings.
*	Q: For example, see WHOIS for domain name  <http://facebook.hu/>
facebook.hu - Has the Hungarian registry defined purposes for collecting
this data? If so, could help us in our discussion for gTLDs. 
*	A: Don't know if they have done so, or if they are compliant.
*	Q: Do these privacy principles just apply to Personally Identifiable
Information (PII) or other types of information? 
*	A: Yes - PII applies only to humans, and so human rights only apply
to PII
*	Q: Re: exemptions for protecting the data subject or the rights and
freedoms of others - How do these exemptions apply to and inform our work in
the RDS PDP? 
*	A: Thousands of pages of case law of how courts have defined ways of
striking a balance between contradicting rights. For example cases in Europe
and also US - helpful but not absolute because future cases will also judge
*	Re: commercial v personal data, it varies by jurisdiction whether
employees of a company are considered to have rights to personal data (e.g.,
business card carve out). In for instance Germany you have to seek consent
from employees before you put their name on the Internet.
*	Q: A lot of the arguments that took place in the PPSAI PDP examined
needs of small organizations w/r/t protecting the privacy of data. But are
those "other" privacy rights that apply to small organizations or data
protection rights? 
*	A: It depends - for example, volunteers may have data protection
rights for their personal information.
*	When it comes to ICANN and notice required of registrars to provide
individuals when collecting registration data, do all registrars do this
today? disclosure and obtaining consent ("a.k.a. notice and choice"?) is
required under RAA 3.7.7.4 and 3.7.7.5.  Registrars are required to "3.7.7.5
The Registered Name Holder shall consent to the data processing referred to
in Subsection 3.7.7.4."
*	Comment: the requirement wasn't to inform about rights, but to
provide information sufficient to obtain "specific and informed consent of
the subscriber ... prior to the inclusion of his personal data into all
kinds of public directories (traditional telephony, mobile telephony,
electronic mail, electronic signatures etc.) used for reverse or
multi-criteria searches." Article 29 WP 33 Opinion 5/2000
*	Q: Do we have a duty not to convey individual human rights to a
commercial entity? 
*	A: Spectrum of organizations (large, small...) but we need to deal
with this. Many ccTLDs make a distinction between individual and commercial
registrations (e.g., CIRA) Practices vary across ccTLDs and the
jurisdictions in which they operate. 
*	One view: Most ccTLD registries comply perfectly when it comes to
personal data and data regulation/law in combination of whois output - at
least in Europe
*	Q: In WHOIS today, there is no formal method of distinguishing
fields that contain personal data from fields that do not. Do we need to
consider flagging the fields that contain personal data? 
*	A: This certainly can be something this WG can consider when
deliberating on policy or implementation guidance
*	Shouldn't we be using privacy by design with we enter our
deliberations?
*	Q: Are there any of the "thin data" elements as we have discussed
over the past few weeks considered PII? 
*	A: One view: a small subset of thin data may not be considered
personally identifiable because there's no name, address, or phone number -
but if the data is traceable back to the individual, it may be considered
"personal data." For example, if a timestamp links to an action that links
to an individual, it's personal data - which is not to say that it cannot be
disclosed. Becoming more of an issue w IoT - for example, refrigerator
reporting activity may be linked to an individual's actions. See also file
cabinet example.
*	"personal data" is a defined term in RAA "data about any identified
or identifiable natural person." 
*	See meeting handout for example of a "thin" WHOIS record data
elements
*	Sometimes depends on circumstance (e.g. IP address). European
registries publish thin data and have gotten that vetted. Can this WG
proceed without legal advice, whether reusing advice provided to thick data
PDP or EWG, or seeking advice specific to this PDP
*	Possible source of inspiration: "The principles have been drafted
against a background of economies with separate policies that draw
distinctions between data. Despite differences, framework has been drafted
to ... apply to personal information which is information that can be used
to identify an individual, including information which would not be personal
alone but can be used in that way" (refer to transcript)
*	Perhaps what we need to focus on is perhaps not whether data
elements are personal data but rather look at each data element and decide
whether it can be collected, whether it can be disclosed?
*	Do we also need to balance the value of having this data disclosed
for identified purposes?

   c. Update on planning for Copenhagen session with Data Commissioners

·        Session is planned on 13 March in Copenhagen during which data
protection commissioners will debate these topics. Objective to have a
better understanding of how privacy principles are interpreted by
authorities and legislators.

3. Begin deliberation on the Privacy charter question, starting with the
following: (see
<https://community.icann.org/download/attachments/64064540/7FebMeeting-Priva
cyForThinData-Handout.pdf?version=1&modificationDate=1486398912000&api=v2>
meeting handout)

·        Question 4.1 (revised): For thin data only -- Do existing gTLD
registration directory services policies sufficiently address compliance
with applicable data protection, privacy, and free speech laws about
purpose? If not, what requirements might those laws place on RDS policies
regarding purposes associated with thin data?

·        See comments made under agenda item 2: Q&A

4. Information on planned dates for the RDS PDP WG meetings in Copenhagen:

·        Saturday from 14.00 - 16.45 local time (main F2F) and

·        Wednesday from 13.45 - 15.00 (secondary slot available)

·        Remote participation will be available for those not being able to
participate in person.

5. Confirm action items and proposed decision points

Action: Leadership team to review today's discussion and identify points (if
any) for confirmation in a poll or else continued deliberation in next
week's call.

6. Confirm next meeting date: Tuesday 14 February 2017 at 17.00 UTC

 

Meeting materials:  <https://community.icann.org/x/HIzRAw>
https://community.icann.org/x/HIzRAw

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170207/0d230128/attachment.html>

More information about the gnso-rds-pdp-wg mailing list