[gnso-rds-pdp-wg] Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017
Farell Folly
farellfolly at gmail.com
Wed Feb 8 19:33:05 UTC 2017
Dear Lisa,
Thanks once more for the update.
@All, yesterday was one of the most interesting meetings for me. I am really
sure that it will make things clear for many of us as far as the poll is
concerned.
Have a nice week.
On Tue, 7 Feb 2017 at 21:11, Ayden Férdeline <icann at ferdeline.com>
wrote:
> My sincere apologies for missing this call; I had overlooked it in my
> calendar. From the notes below it sounds like it was a very insightful
> session, so I look forward very much to listening to the recording.
>
> Best wishes,
>
> Ayden Férdeline
> linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
>
>
> -------- Original Message --------
> Subject: [gnso-rds-pdp-wg] Notes from Next-Gen RDS PDP WG call on Tuesday,
> 7 February 2017
> Local Time: 7 February 2017 7:18 PM
> UTC Time: 7 February 2017 19:18
> From: lisa at corecom.com
> To: gnso-rds-pdp-wg at icann.org
>
> Dear all,
>
>
>
> Below please find notes from today’s RDS PDP WG call.
>
>
>
> Best regards,
>
> Lisa
>
>
>
> *Notes from Next-Gen RDS PDP WG call on Tuesday, 7 February 2017*
>
> *These high-level notes are designed to help PDP WG members navigate
> through the content of the call and are not meant as a substitute for the
> transcript and/or recording. The MP3, transcript, and chat are provided
> separately and are posted on the wiki at
> https://community.icann.org/x/HIzRAw*
>
> 1. Roll call / SOI
>
> - Roll call will be taken from Adobe Connect
> - Please remember to update your SOIs as needed
> - Please remember to state your name before speaking as well as muting
> your microphone when not speaking
>
> 2. Intro to Data Protection principles that may apply to thin data
> collection
>
> a. Overview from Stephanie Perrin & Peter Kimpian
>
> *Presentation by Peter Kimpian*
>
> - See slides at
> https://community.icann.org/download/attachments/64064540/Kimpian_pdp_rds_2_2_17.pdf
> - Right to privacy is a universal right, even if it is interpreted
> differently in different countries.
> - Individuals have to be in control of their personal data (the whole
> trail of data). Overarching principles: necessity, proportionality, purpose
> specification / purpose limitation.
> - For data processing there has to be a legitimate aim/purpose. Lawful
> and fair means of data processing. Lawful = it has to be regulated and/or
> not forbidden by legislation.
> - Valid legal basis (law, consent, contract, vital interest of the
> individual). This concept is also present in other legal frameworks, not
> only the European one.
> - Data processing needs to be adequate, relevant and not excessive.
> - Data minimization principle: no processing of data for the sake of
> data, only for a purpose. During the processing, the data controller has
> the obligation to process the minimum amount of data that is fit for
> purpose.
> - There are a number of exemptions (see slide 4). Always conditions to
> these exemptions. Need to establish criteria under which such exemptions
> are permissible.
> - Disclosure of data (slide 5) - same rules apply as for processing,
> however there is a third party that enters into the picture using the data
> for a secondary purpose.
> - Accountability (slide 6) - data controller is accountable for
> upholding data protection principles.
>
> *Comments from Stephanie Perrin*
>
> - One of the basic principles of data protection law is that
> processing needs to be fair and lawful.
> - Fair = there need to be limits to the collection of PI. Collection
> needs to be focused on the purpose. In most common law countries, there has to
> be a legal mandate for a government department to collect data. This gets
> fuzzier in the private sector.
> - Private sector companies that are offering a service that is not
> mandatory can define what is relevant and gain consent. Notice and
> choice appears to have become the rule for Internet services, based on US
> practice.
> - The restriction of collection of data to what is needed. Defining
> the purpose of collection is therefore fundamental.
> - There are differences across countries with regards to data
> protection laws and how some of these principles are applied. A good
> overview can be found here:
> https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2603502.
> - What is the purpose of ICANN in gathering personal information?
> - Not arguing that potential uses are not appropriate or useful, but
> these potential uses for other purposes can be considered secondary use.
> This is not sufficient purpose for collection though.
>
> b. Q&A
>
> - Q: Is ICANN the "data controller" in our world? Or is it the
> registries/registrars?
> - A: One view is that ICANN is the data controller, because it sets
> the RAA which defines collection, use and disclosure. Registrars and
> registries could be considered data processors WRT the data that ICANN
> tells them to collect and display, including all relevant policies. They
> are data controllers with respect to their own business operations, data
> they gather to sell other services for which ICANN does not set policy. So
> they are hybrid. It was pointed out that this issue was hotly debated
> during the EWG without reaching a conclusion.
> - See Key Inputs section of wiki for A29 documents on concept of data
> controller and processor
> - See also chat dialog regarding application of the terms "data
> controller" and "data processor" to WHOIS data
> - Q: What aspects of this apply to commercial entities? Would a
> commercial entity have the same right to privacy of their data as an
> individual data subject?
> - A: No. Privacy is a human right, linked to human beings (natural
> persons). There are discussions about this but for now no, only applies to
> human beings.
> - Q: For example, see WHOIS for domain name facebook.hu - Has the
> Hungarian registry defined purposes for collecting this data? If so, could
> help us in our discussion for gTLDs.
> - A: Don't know if they have done so, or if they are compliant.
> - Q: Do these privacy principles just apply to Personally Identifiable
> Information (PII) or other types of information?
> - A: Yes - PII applies only to humans, and so human rights only apply
> to PII
> - Q: Re: exemptions for protecting the data subject or the rights and
> freedoms of others - How do these exemptions apply to and inform our work
> in the RDS PDP?
> - A: Thousands of pages of case law of how courts have defined ways of
> striking a balance between contradicting rights. For example cases in
> Europe and also US - helpful but not absolute because future cases will
> also judge
> - Re: commercial v personal data, it varies by jurisdiction whether
> employees of a company are considered to have rights to personal data
> (e.g., business card carve out). In for instance Germany you have to seek
> consent from employees before you put their name on the Internet.
> - Q: A lot of the arguments that took place in the PPSAI PDP examined
> needs of small organizations w/r/t protecting the privacy of data. But are
> those "other" privacy rights that apply to small organizations or data
> protection rights?
> - A: It depends - for example, volunteers may have data protection
> rights for their personal information.
> - When it comes to ICANN and notice required of registrars to provide
> individuals when collecting registration data, do all registrars do this
> today? Disclosure and obtaining consent ("a.k.a. notice and choice"?) is
> required under RAA 3.7.7.4 and 3.7.7.5. Registrars are required to
> "3.7.7.5 The Registered Name Holder shall consent to the data processing
> referred to in Subsection 3.7.7.4."
> - Comment: the requirement wasn't to inform about rights, but to
> provide information sufficient to obtain "specific and informed consent of
> the subscriber ... prior to the inclusion of his personal data into all
> kinds of public directories (traditional telephony, mobile telephony,
> electronic mail, electronic signatures etc.) used for reverse or
> multi-criteria searches." Article 29 WP 33 Opinion 5/2000
> - Q: Do we have a duty not to convey individual human rights to a
> commercial entity?
> - A: Spectrum of organizations (large, small...) but we need to deal
> with this. Many ccTLDs make a distinction between individual and commercial
> registrations (e.g., CIRA). Practices vary across ccTLDs and the
> jurisdictions in which they operate.
> - One view: Most ccTLD registries comply perfectly when it comes to
> personal data and data regulation/law in combination of whois output - at
> least in Europe
> - Q: In WHOIS today, there is no formal method of distinguishing
> fields that contain personal data from fields that do not. Do we need to
> consider flagging the fields that contain personal data?
> - A: This certainly can be something this WG can consider when
> deliberating on policy or implementation guidance
> - Shouldn't we be using privacy by design when we enter our
> deliberations?
> - Q: Are there any of the "thin data" elements as we have discussed
> over the past few weeks considered PII?
> - A: One view: a small subset of thin data may not be considered
> personally identifiable because there's no name, address, or phone number -
> but if the data is traceable back to the individual, it may be considered
> "personal data." For example, if a timestamp links to an action that links
> to an individual, it's personal data - which is not to say that it cannot
> be disclosed. Becoming more of an issue w IoT - for example, refrigerator
> reporting activity may be linked to an individual's actions. See also file
> cabinet example.
> - "personal data" is a defined term in RAA "data about any identified
> or identifiable natural person."
> - See meeting handout for example of a "thin" WHOIS record data
> elements
> - Sometimes depends on circumstance (e.g. IP address). European
> registries publish thin data and have gotten that vetted. Can this WG
> proceed without legal advice, whether reusing advice provided to thick data
> PDP or EWG, or seeking advice specific to this PDP?
> - Possible source of inspiration: "The principles have been drafted
> against a background of economies with separate policies that draw
> distinctions between data. Despite differences, framework has been drafted
> to ... apply to personal information which is information that can be used
> to identify an individual, including information which would not be
> personal alone but can be used in that way" (refer to transcript)
> - Perhaps what we need to focus on is perhaps not whether data
> elements are personal data but rather look at each data element and decide
> whether it can be collected, whether it can be disclosed?
> - Do we also need to balance the value of having this data disclosed
> for identified purposes?
>
> c. Update on planning for Copenhagen session with Data Commissioners
>
> · Session is planned on 13 March in Copenhagen during which data
> protection commissioners will debate these topics. Objective to have a
> better understanding of how privacy principles are interpreted by
> authorities and legislators.
>
> 3. Begin deliberation on the Privacy charter question, starting with the
> following: (see meeting handout
> <https://community.icann.org/download/attachments/64064540/7FebMeeting-PrivacyForThinData-Handout.pdf?version=1&modificationDate=1486398912000&api=v2>
> )
>
> · *Question 4.1 (revised): For thin data only -- Do existing gTLD
> registration directory services policies sufficiently address compliance
> with applicable data protection, privacy, and free speech laws about
> purpose? If not, what requirements might those laws place on RDS policies
> regarding purposes associated with thin data ?*
>
> · See comments made under agenda item 2: Q&A
>
> 4. Information on planned dates for the RDS PDP WG meetings in Copenhagen:
>
> · Saturday from 14.00 - 16.45 local time (main F2F) and
>
> · Wednesday from 13.45 - 15.00 (secondary slot available)
>
> · Remote participation will be available for those not being able
> to participate in person.
>
> 5. Confirm action items and proposed decision points
>
> *Action:* Leadership team to review today's discussion and identify
> points (if any) for confirmation in a poll or else continued deliberation
> in next week's call.
>
> 6. Confirm next meeting date: Tuesday 14 February 2017 at 17.00 UTC
>
>
>
> *Meeting materials: https://community.icann.org/x/HIzRAw*
--
Regards
@__f_f__
PhD Candidate, Universität der Bundeswehr München
Computer Security | Internet of Things
about.me/farell