[gnso-rds-pdp-wg] Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017

Ayden Férdeline icann at ferdeline.com
Tue Feb 7 21:11:08 UTC 2017


My sincere apologies for missing this call; I had overlooked it in my calendar. From the notes below it sounds like it was a very insightful session, so I look forward very much to listening to the recording.

Best wishes,



Ayden Férdeline
[linkedin.com/in/ferdeline](http://www.linkedin.com/in/ferdeline)



-------- Original Message --------
Subject: [gnso-rds-pdp-wg] Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017
Local Time: 7 February 2017 7:18 PM
UTC Time: 7 February 2017 19:18
From: lisa at corecom.com
To: gnso-rds-pdp-wg at icann.org


Dear all,





Below please find notes from today’s RDS PDP WG call.





Best regards,


Lisa





Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017


These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at https://community.icann.org/x/HIzRAw


1. Roll call / SOI


- Roll call will be taken from Adobe Connect

- Please remember to update your SOIs as needed

- Please remember to state your name before speaking and to mute your microphone when not speaking


2. Intro to Data Protection principles that may apply to thin data collection


a. Overview from Stephanie Perrin & Peter Kimpian


Presentation by Peter Kimpian


- See slides at https://community.icann.org/download/attachments/64064540/Kimpian_pdp_rds_2_2_17.pdf

- Right to privacy is a universal right, even if it is interpreted differently in different countries.

- Individuals have to be in control of their personal data (the whole trail of data). Overarching principles: necessity, proportionality, purpose specification / purpose limitation.

- For data processing there has to be a legitimate aim/purpose. Lawful and fair means of data processing. Lawful = it has to be regulated and/or not forbidden by legislation.

- Valid legal basis (law, consent, contract, vital interest of the individual). This concept is also present in other legal frameworks, not only the European one.

- Data processing needs to be adequate, relevant and not excessive.

- Data minimization principle: no processing of data for the sake of data, only for a purpose. During the processing, the data controller has the obligation to process the minimum amount of data that is fit for purpose.

- There are a number of exemptions (see slide 4). Always conditions to these exemptions. Need to establish criteria under which such exemptions are permissible.

- Disclosure of data (slide 5) - same rules apply as for processing, however there is a third party that enters into the picture using the data for a secondary purpose.

- Accountability (slide 6) - data controller is accountable for upholding data protection principles.


Comments from Stephanie Perrin


- One of the basic principles of data protection law is that processing needs to be fair and lawful.

- Fair = there need to be limits to the collection of PI. Collection needs to be focused on the purpose. In most common law countries, there has to be a legal mandate for a government department to collect data. This gets fuzzier in the private sector.

- Private sector companies that are offering a service that is not mandatory can define what is relevant and gain consent. Notice and choice appears to have become the rule for Internet services, based on US practice.

- The restriction of collection of data to what is needed. Defining the purpose of collection is therefore fundamental.

- There are differences across countries with regard to data protection laws and how some of these principles are applied. A good overview can be found here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2603502.

- What is the purpose of ICANN in gathering personal information?

- Not arguing that potential uses are not appropriate or useful, but these potential uses for other purposes can be considered secondary use. This is not sufficient purpose for collection though.


b. Q&A


- Q: Is ICANN the "data controller" in our world? Or is it the registries/registrars?

- A: One view is that ICANN is the data controller, because it sets the RAA which defines collection, use and disclosure. Registrars and registries could be considered data processors WRT the data that ICANN tells them to collect and display, including all relevant policies. They are data controllers with respect to their own business operations, data they gather to sell other services for which ICANN does not set policy. So they are hybrid. It was pointed out that this issue was hotly debated during the EWG without reaching a conclusion.

- See Key Inputs section of wiki for A29 documents on concept of data controller and processor

- See also chat dialog regarding application of the terms "data controller" and "data processor" to WHOIS data

- Q: What aspects of this apply to commercial entities? Would a commercial entity have the same right to privacy of their data as an individual data subject?

- A: No. Privacy is a human right, linked to human beings (natural persons). There are discussions about this but for now no, only applies to human beings.

- Q: For example, see WHOIS for domain name [facebook.hu](http://facebook.hu/) - Has the Hungarian registry defined purposes for collecting this data? If so, could help us in our discussion for gTLDs.

- A: Don't know if they have done so, or if they are compliant.

- Q: Do these privacy principles just apply to Personally Identifiable Information (PII) or other types of information?

- A: Yes - PII applies only to humans, and so human rights only apply to PII

- Q: Re: exemptions for protecting the data subject or the rights and freedoms of others - How do these exemptions apply to and inform our work in the RDS PDP?

- A: Thousands of pages of case law of how courts have defined ways of striking a balance between contradicting rights. For example cases in Europe and also US - helpful but not absolute because future cases will also judge

- Re: commercial v personal data, it varies by jurisdiction whether employees of a company are considered to have rights to personal data (e.g., business card carve out). In for instance Germany you have to seek consent from employees before you put their name on the Internet.

- Q: A lot of the arguments that took place in the PPSAI PDP examined needs of small organizations w/r/t protecting the privacy of data. But are those "other" privacy rights that apply to small organizations or data protection rights?

- A: It depends - for example, volunteers may have data protection rights for their personal information.

- When it comes to ICANN and notice required of registrars to provide individuals when collecting registration data, do all registrars do this today? Disclosure and obtaining consent ("a.k.a. notice and choice"?) is required under RAA 3.7.7.4 and 3.7.7.5. Registrars are required to "3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4."

- Comment: the requirement wasn't to inform about rights, but to provide information sufficient to obtain "specific and informed consent of the subscriber ... prior to the inclusion of his personal data into all kinds of public directories (traditional telephony, mobile telephony, electronic mail, electronic signatures etc.) used for reverse or multi-criteria searches." Article 29 WP 33 Opinion 5/2000

- Q: Do we have a duty not to convey individual human rights to a commercial entity?

- A: Spectrum of organizations (large, small...) but we need to deal with this. Many ccTLDs make a distinction between individual and commercial registrations (e.g., CIRA). Practices vary across ccTLDs and the jurisdictions in which they operate.

- One view: Most ccTLD registries comply perfectly when it comes to personal data and data regulation/law in combination of whois output - at least in Europe

- Q: In WHOIS today, there is no formal method of distinguishing fields that contain personal data from fields that do not. Do we need to consider flagging the fields that contain personal data?

- A: This certainly can be something this WG can consider when deliberating on policy or implementation guidance

- Shouldn't we be using privacy by design when we enter our deliberations?

- Q: Are there any of the "thin data" elements as we have discussed over the past few weeks considered PII?

- A: One view: a small subset of thin data may not be considered personally identifiable because there's no name, address, or phone number - but if the data is traceable back to the individual, it may be considered "personal data." For example, if a timestamp links to an action that links to an individual, it's personal data - which is not to say that it cannot be disclosed. Becoming more of an issue w IoT - for example, refrigerator reporting activity may be linked to an individual's actions. See also file cabinet example.

- "personal data" is a defined term in RAA "data about any identified or identifiable natural person."

- See meeting handout for example of a "thin" WHOIS record data elements

- Sometimes depends on circumstance (e.g. IP address). European registries publish thin data and have gotten that vetted. Can this WG proceed without legal advice, whether reusing advice provided to thick data PDP or EWG, or seeking advice specific to this PDP?

- Possible source of inspiration: "The principles have been drafted against a background of economies with separate policies that draw distinctions between data. Despite differences, framework has been drafted to ... apply to personal information which is information that can be used to identify an individual, including information which would not be personal alone but can be used in that way" (refer to transcript)

- Perhaps what we need to focus on is not whether data elements are personal data but rather look at each data element and decide whether it can be collected, whether it can be disclosed?

- Do we also need to balance the value of having this data disclosed for identified purposes?


c. Update on planning for Copenhagen session with Data Commissioners


- Session is planned on 13 March in Copenhagen during which data protection commissioners will debate these topics. Objective to have a better understanding of how privacy principles are interpreted by authorities and legislators.


3. Begin deliberation on the Privacy charter question, starting with the following: (see [meeting handout](https://community.icann.org/download/attachments/64064540/7FebMeeting-PrivacyForThinData-Handout.pdf?version=1&modificationDate=1486398912000&api=v2))


- Question 4.1 (revised): For thin data only -- Do existing gTLD registration directory services policies sufficiently address compliance with applicable data protection, privacy, and free speech laws about purpose? If not, what requirements might those laws place on RDS policies regarding purposes associated with thin data?

- See comments made under agenda item 2: Q&A


4. Information on planned dates for the RDS PDP WG meetings in Copenhagen:


- Saturday from 14.00 - 16.45 local time (main F2F) and

- Wednesday from 13.45 - 15.00 (secondary slot available)

- Remote participation will be available for those not being able to participate in person.


5. Confirm action items and proposed decision points


Action: Leadership team to review today's discussion and identify points (if any) for confirmation in a poll or else continued deliberation in next week's call.


6. Confirm next meeting date: Tuesday 14 February 2017 at 17.00 UTC





Meeting materials: https://community.icann.org/x/HIzRAw