[gnso-rds-pdp-wg] Notes from RDS PDP WG Call - 14 February 2017
Lisa Phifer
lisa at corecom.com
Tue Feb 14 19:10:46 UTC 2017
Dear all,
Below please find notes from today’s RDS PDP WG call.
Please note that there will be a poll this week, so watch the RDS PDP WG
mailing list for a poll invitation.
Best regards,
Lisa
Notes from Next-Gen RDS PDP WG call on Tuesday, 14 February 2017
These high-level notes are designed to help PDP WG members navigate through
the content of the call and are not meant as a substitute for the transcript
and/or recording. The MP3, transcript, and chat are provided separately and
are posted on the wiki at <https://community.icann.org/x/HIzRAw>
https://community.icann.org/x/HIzRAw
1. Roll call / SOI
· Roll call will be taken from Adobe Connect
· Please remind to update your SOIs as needed
· Please remember to state your name before speaking as well as
muting your microphone when not speaking
2. Practical Examples to illustrate Purpose Limitation
· Presentation by Peter Kimpian and Q&A
· Posted at link: <https://community.icann.org/x/HIzRAw>
https://community.icann.org/x/HIzRAw
· Working now to improve all of our understanding of data protection
and privacy needs, just as it will be important to understand the needs of
other SGs as we move forward
· Right now we are focusing on thin data only, but we will get to
other data elements as we move forward
· WG members are encouraged to ask questions and share viewpoints
Slide from Stephanie Perrin's deck
· Broad interpretation of the purpose of collection, use and
disclosure allows subsequent reuse for different reasons (if you interpret
broadly, reuse may be broader; the opposite would also be true)
· Purpose limitation is the first premise of data protection analysis
- purpose must be narrow & proportionate
· How narrow? That is the subject of our deliberation
Examples from Peter Kimpian to illustrate purpose principles
· Providing real life examples from outside of ICANN environment,
from actual court cases, to illustrate privacy as a human right, recognized
globally, but with different privacy frameworks and also international
instruments that are not legally binding but can guide us
· Illustrating Convention 108 Article 5 principles regarding
legitimacy of data processing and qualify of data. Modernized version has
very pragmatic explanation of the main principles (see slide 2)
· Data processing shall be proportionate in relation to the
legitimate purpose pursued - legitimate purpose must be defined in advance
(refer to last week's presentation)
· Data processing can be carried out on the basis of free, specific,
informed and unambiguous consent
· Practical example of these principles for purpose specification -
drawn from outside the ICANN environment, but can be related to ICANN's
work...
Example #1: Retail company and consumer's health conditions is famous
example within DP community. Consumer had a loyalty card and purchased
articles in a retail store using the card, the company used the data to
deliver better service (articles of interest to consumer). Company also used
analytics to determine consumer is pregnant, used for telemarketing and
offer of diapers. Information inadvertently revealed to consumer's father.
Health condition (pregnancy) is personal data in this case, but this retail
company did not have a purpose for processing data to determine this. Can
only process data under strict conditions for specific purposes.
Example #2: Personal data collected by drones, use of drones is growing but
there are privacy concerns. While on vacation, drone appeared and was
recording people. With drones they very easily process personal data of
people who are unaware and may not want to become data subjects for that
drone, breaches most privacy legislation to record so broadly. Couples on
beach filming each other differs from people on street doing same thing
which inevitably films other people. Court said that you have expectation
that you will not be filmed, image will not be captured without a specific
purpose - even in public space, journalists and others must follow DP law
Example #3: Public authorities data processing, e.g., immigration v law
enforcement/national security purposes. Databases not created for
crime-fighting but for immigration purpose - concern that personal data will
be used by law enforcement. There are some cases where this is allowed, but
they are specific and limited.
Example #4: Digital Ireland and Tele2 case on data retention. EU judgement
but relevant to ICANN as well. Retention of metadata (telecoms), not content
of communication itself. Court said this practice infringes upon
individual's right to privacy and protection of personal data. Interferes
with fundamental right - if there, it must be balanced. In this case, not
balanced because there was no criteria for retention, just blanket
retention. There was not a specific purpose (who, why, for what period).
· These questions regarding purpose come up time and again in many
court cases, and examined against requirements for purpose specification and
need to be as precise as possible about data processing
· See also
<http://ec.europa.eu/justice/data-protection/article-29/documentation/opinio
n-recommendation/files/2013/wp203_en.pdf> Article 29 WP 203 Opinion 3/2013
on purpose limitation, Annexes on purpose specification and compatibility
· Examples are not ICANN-specific but chosen to provide guidance.
Have also just begun to examine ccTLD privacy statements regarding purposes
for registration data collection and processing.
Question and Answer
· Q: Is modernized Convention 108 a law? Does it apply to the RDS PDP
WG's work?
· A: Used because it's the only international treaty on privacy on
human rights, it's an open convention, currently 3 states outside of Europe
have joined with 47 states within Europe - for those states, it has a
binding effect. Economic reasons to join convention: enables free flow of
information and data, if you join, you can send/receive data without
specifically addressing national legislation. In phase of getting more
countries to join this convention.
· Q: Companies must also ensure adequate processing of data? If data
is public in WHOIS, how can companies do this? How are we going to make sure
that we are compliant with EU law and other DP laws?
· A: To be deliberated under item 3 of agenda - requirements first
and later implementation guidance
· Q: Stephanie's slide, what is origin of two bullets?
· A: Statements from Stephanie, based on input documents such as A29
WP 203 on purpose limitation (refer to source document for specific text)
· Q: As we debated on the purpose of RDS, we got a little stuck.
(refer to chat debate on purpose(s)) Do you have any guidance that would
help us in agreeing upon the purpose(s) of RDS?
· A: The principles have to be followed by implementation, if needed
with assistance of data commissioners. Convention 108 encompasses all of the
internationally recognized principles and does not contain anything that's
not followed by the 110 countries that have DP laws. Also use APAC privacy
framework as a reference, to demonstrate similarity to EU privacy framework.
Also must take into consideration US laws that apply. Can debate possible
purposes that apply under ICANN's remit, but after that we must apply the
balance test - whether we are defending others' interest while hurting data
subject's rights and is this balanced?
· See also book on Data Protection law that provides examples on
purpose limitation
· It is the Data Controller that must address secondary purposes. For
example, immigration data - immigration authorities don't need to consider
whether immigration data will be useful to fight drug activity. It must
determine whether data is obtained in lawful way for immigration purposes
only. Other secondary uses occur when for example the police come to the
immigration authority to requests data.
· Q: How do we address trademark protection for example? How do we
craft a purpose statement that protects intellectual property rights?
· A: You have to decide what will be ICANN's first level purpose for
registration data - TM protection, law enforcement, other interests - but
must first take into account all of the requirements for data processing
according to data protection/privacy principles. ICANN may not be data
controller under all jurisdictions, but in some countries there may be a law
that defines a primary purpose - for ICANN, it must define for itself.
· Q: Does our purpose statement for an RDS need to be specific enough
to discuss not only primary purpose but also secondary purposes?
· A: To be safe, yes.
· In Canada, first privacy act refers to primary, secondary, tertiary
purposes and consistency - need to look at what each law requires. Example:
birth details in health records and daycare needs for health records. In
ICANN space, IPC and WIPO argued need for Internet crime fighting data,
reflected in RAA today. Is ICANN in its current state set up to be the
instrument to enforce IP rights?
3. Continue deliberation on the Privacy charter question:
Question 4.1 (revised): For thin data only -- Do existing gTLD registration
directory services policies sufficiently address compliance with applicable
data protection, privacy, and free speech laws about purpose? If not, what
requirements might those laws place on RDS policies regarding purposes
associated with thin data?
· Possible Agreement: We as a WG need to agree on a purpose statement
for the RDS.
· Note that draft purpose statement developed last fall is contained
in section 2.3 of working document posted at
<https://community.icann.org/x/p4xlAw> https://community.icann.org/x/p4xlAw
· Possible Agreement: The answer is "no" for Question 4.1 (above) -
that is, existing gTLD RDS policies do NOT sufficiently address compliance
with applicable laws about purpose.
4. Confirm action items and proposed decision points
Action: Staff to develop poll to test the above-two possible agreements. WG
members encouraged to participate in that poll.
Action: To prepare for cross-community and possibly WG session with Data
Commissioners at Copenhagen, small group to develop a proposed list of
questions for DCs, to be submitted to WG for review in next week or two.
Seeking 1-2 volunteers from each SG or interest group, to nominate
themselves on-list by Monday. Small group will have one week to complete
draft list.
5. Confirm next meeting date: Wednesday, 22 February 2017 at 06.00 UTC
Meeting Materials: <https://community.icann.org/x/HIzRAw>
https://community.icann.org/x/HIzRAw
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170214/17e66a3e/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list