[gnso-rds-pdp-wg] Purpose in accordance with Registry Agreement section 2.18

Fri Jun 2 19:11:24 UTC 2017

We are talking in circles as a registrar according to the RAA is not
prohibited from complying with applicable privacy laws. I respectfully
would like to see proof (seeiously, I'd like to see a transcript) that any
group of lawyers specializing in privacy in any jurisdiction opined that
having these provisions in the RAA is a "breach" of any applicable law.
These provisions have to be read together with the rest of the RAA, which
expressly states that registrars must comply with applicable law. To call
the provisions requiring a minimum threshold of privacy obligations a
"breach" of data protection laws in any judisdiction is simply an untenable
position.

Jonathan Matkowsky

On Fri, 2 Jun 2017 at 21:33 Stephanie Perrin <
stephanie.perrin at mail.utoronto.ca> wrote:

> This clause has not been acceptable in the past, even before GDPR.  I
> think it is worth pointing out that what is in the ICANN agreements has
> been repeatedly pointed out, notably by the Art 29 WG, but certainly by
> others such as the IWGDPT, as violating DP law.  These documents I believe
> are all in our repository.  So please let us not assume that what has been
> happening is ok, even if we sign contract after contract with the same
> offending clauses in them.  Consent in most jurisdictions has to be some
> variant of "free, enlightened, and informed".  Noone can be compelled to
> consent to a practice that is disproportionate or fails the necessity
> test...An ability to withdraw consent has to be available.  I won't go on
> and on but this clause obviously does not pass this test.
>
> In my opinion, the longer ICANN tries to stymie the DPAs and ignore
> necessary changes in privacy policy, the greater the risk they run that a
> viral campaign will be launched among ordinary users, to appeal to the
> Courts.  DPAs try to effect change through dialogue.  WHen dialogue fails,
> individuals have to take cases to Court.  We don't want that.
>
> Stephanie
>
> On 2017-06-02 08:19, Volker Greimann wrote:
>
> I was just reviewing the changes to the registry agreement again and I
> noticed a section that has relevance here as well and that had not been
> discussed here.
>
> Apparently the definition of the purpose for personal data collection as
> far as ICANN is concerned is the job of the registry operators:
>
> 2.18 Personal Data. Registry Operator shall (i) notify each
> ICANN-accredited registrar that is a party to the Registry-Registrar
> Agreement for the TLD of the purposes for which data about any identified
> or identifiable natural person (“Personal Data”) submitted to Registry
> Operator by such registrar is collected and used under this Agreement or
> otherwise and the intended recipients (or categories of recipients) of such
> Personal Data, and (ii) require such registrar to obtain the consent of
> each registrant in the TLD for such collection and use of Personal Data.
> Registry Operator shall take reasonable steps to protect Personal Data
> collected from such registrar from loss, misuse, unauthorized disclosure,
> alteration or destruction. Registry Operator shall not use or authorize the
> use of Personal Data in a way that is incompatible with the notice provided
> to registrars.
>
> This does have some relevance to our current discussion, so I thought I'd
> recklessly post it here!
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- 
jonathan matkowsky, vp - ip & head of global brand threat mitigation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20170602/7c8f4d99/attachment.html>