[gnso-rds-pdp-wg] Purpose in accordance with Registry Agreement section 2.18

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Fri Jun 2 18:38:20 UTC 2017


This clause has not been acceptable in the past, even before GDPR.  I 
think it is worth pointing out that what is in the ICANN agreements has 
been repeatedly pointed out, notably by the Art 29 WG, but certainly by 
others such as the IWGDPT, as violating DP law. These documents I 
believe are all in our repository.  So please let us not assume that 
what has been happening is ok, even if we sign contract after contract 
with the same offending clauses in them.  Consent in most jurisdictions 
has to be some variant of "free, enlightened, and informed". No one can 
be compelled to consent to a practice that is disproportionate or fails 
the necessity test... An ability to withdraw consent has to be 
available.  I won't go on and on but this clause obviously does not pass 
this test.

In my opinion, the longer ICANN tries to stymie the DPAs and ignore 
necessary changes in privacy policy, the greater the risk they run that 
a viral campaign will be launched among ordinary users, to appeal to the 
Courts.  DPAs try to effect change through dialogue.  When dialogue 
fails, individuals have to take cases to Court.  We don't want that.

Stephanie


On 2017-06-02 08:19, Volker Greimann wrote:
> I was just reviewing the changes to the registry agreement again and I 
> noticed a section that has relevance here as well and that had not 
> been discussed here.
>
> Apparently the definition of the purpose for personal data collection 
> as far as ICANN is concerned is the job of the registry operators:
>
> 2.18 Personal Data. Registry Operator shall (i) notify each 
> ICANN-accredited registrar that is a party to the Registry-Registrar 
> Agreement for the TLD of the purposes for which data about any 
> identified or identifiable natural person (“Personal Data”) submitted 
> to Registry Operator by such registrar is collected and used under 
> this Agreement or otherwise and the intended recipients (or categories 
> of recipients) of such Personal Data, and (ii) require such registrar 
> to obtain the consent of each registrant in the TLD for such 
> collection and use of Personal Data. Registry Operator shall take 
> reasonable steps to protect Personal Data collected from such 
> registrar from loss, misuse, unauthorized disclosure, alteration or 
> destruction. Registry Operator shall not use or authorize the use of 
> Personal Data in a way that is incompatible with the notice provided 
> to registrars.
>
> This does have some relevance to our current discussion, so I thought 
> I'd recklessly post it here!
>
>
