[gnso-rds-pdp-wg] List topics for this week
Rob Golding
rob.golding at astutium.com
Thu Jun 15 03:16:04 UTC 2017
On 2017-06-14 22:09, allison nixon wrote:
> Alright. I want to discuss the customer education process, because it
> does seem to underlie a point of misunderstanding and I want to
> understand better:
> -Are customers notified that WHOIS data is made public when they buy
> domains?
It doesn't matter whether someone has it explained that this will be
'public' or not - the distribution / storage / control / audit /
accountability levels required are simply not in place at the moment.
"even after personal data are made public, they are still personal and
as a consequence the data subjects can not be deprived of the protection
they are entitled to as regards the processing of their data."
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf
I'm a European (for now at least), so put in simple terms, data about
me, is mine to ultimately control.
* I am entitled to decide who can have that data
* I am entitled to decide what they can do with it
* I am entitled to decide if and who they can share it with (and those
it's shared with gain NO right to further share it) or to decide they
can have it and not share it
* I am entitled to determine when the access/view/use of it gets revoked
and so on
A-N-Other-Party (ANOP) might want / think they need access to my data,
but certainly have no _right_ to it.
ANOP might be granted access to it for a pre-approved stated purpose and
subject to contract but ANOP cannot just do what they like with it, ONLY
what I specifically permit which is why the A29WP said "filter mechanism
should be developed to secure purpose limitation in the interfaces for
accessing the directories. "
There is currently no way I can get a list of everyone who has copied my
details from a whois of my domain name (currently) because the whois has
no requirement to authenticate the requestors ID and then
confirm/restrict/revoke their usage - how can I therefore verify the
purpose limitations ?
Being a directory, is subject to 95/46/EC, means that the data subject
has "the right to modify, at every moment and free of charge, his
decision to allow each specific data processing." (as well as outlawing
the copying of the directory contents, use of the data for
unspecified/further processing and much more)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf
At the moment I'm not sure how RDS will need to be architected to list
the 4 permissible purposes for the data (and effectively police that),
for the instance where I as a registrant has chosen to _opt in_ to those
I will permit
Rob
More information about the gnso-rds-pdp-wg
mailing list