[gnso-rds-pdp-wg] List topics for this week

[Rob Golding]

On 2017-06-14 22:09, allison nixon wrote:
> Alright. I want to discuss the customer education process, because it
> does seem to underlie a point of misunderstanding and I want to
> understand better:
> -Are customers notified that WHOIS data is made public when they buy
> domains?

It doesn't matter whether someone has it explained that this will be 
'public' or not - the distribution / storage / control / audit / 
accountability levels required are simply not in place at the moment.

"even after personal data are made public, they are still personal and 
as a consequence the data subjects can not be deprived of the protection 
they are entitled to as regards the processing of their data."
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf

I'm a European (for now at least), so put in simple terms, data about 
me, is mine to ultimately control.
* I am entitled to decide who can have that data
* I am entitled to decide what they can do with it
* I am entitled to decide if and who they can share it with (and those 
it's shared with gain NO right to further share it) or to decide they 
can have it and not share it
* I am entitled to determine when the access/view/use of it gets revoked
and so on

A-N-Other-Party (ANOP) might want / think they need access to my data, 
but certainly have no _right_ to it.

ANOP might be granted access to it for a pre-approved stated purpose and 
subject to contract but ANOP cannot just do what they like with it, ONLY 
what I specifically permit which is why the A29WP said "filter mechanism 
should be developed to secure purpose limitation in the interfaces for 
accessing the directories. "

There is currently no way I can get a list of everyone who has copied my 
details from a whois of my domain name (currently) because the whois has 
no requirement to authenticate the requestors ID and then 
confirm/restrict/revoke their usage - how can I therefore verify the 
purpose limitations ?

Being a directory, is subject to 95/46/EC, means that the data subject 
has "the right to modify, at every moment and free of charge, his 
decision to allow each specific data processing." (as well as outlawing 
the copying of the directory contents, use of the data for 
unspecified/further processing and much more)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2000/wp33_en.pdf

At the moment I'm not sure how RDS will need to be architected to list 
the 4 permissible purposes for the data (and effectively police that), 
for the instance where I as a registrant has chosen to _opt in_ to those 
I will permit

Rob