[gnso-rds-pdp-wg] List topics for this week

Denny Watson watson at spamhaus.org
Sun Jun 18 16:54:32 UTC 2017


Denny Watson wrote:
> Rob Golding wrote:
> (snip)
>> "even after personal data are made public, they are still personal and
>> as a consequence the data subjects can not be deprived of the protection
>> they are entitled to as regards the processing of their data."
>> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf
> 

I want to offer an opinion on this document.  I'm going to take it at face
value, and if there are other documents that are needed to properly
frame this one in some way, then please let me know.

Please note that I am not a lawyer, and I am even less so in Europe (But
I can read English)

[PDF reformatted into ASCII, footnotes moved to end, and presented as an
email reply]

Comments inline, and are in relationship to Whois data, but I believe
would also be the same for any Whois replacement.  I.e. What we are
discussing here.

> Opinion on the application of the data protection principles to the
> Whois directories
> 
> THE WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE
> PROCESSING OF PERSONAL DATA
> 
> set up by Directive 95/46/EC of the European Parliament and of the
> Council of 24 October 1995[1],
> 
> having regard to Articles 29 and 30 paragraphs 1 (a) and 3 of that
> Directive, and Article 14 paragraph 3 of Directive 97/66/EC of the
> European Parliament and of the Council of 15 December 1997
> 
> having regard to its Rules of Procedure and in particular to Articles 12
> and 14 thereof,
> 
> has adopted the present Opinion:
> 
> 1. Introduction:
> The Whois directories raise several issues from the data protection
> perspective. Whois data relates to those who have registered a domain
> name and it contains in particular information as to the name of the
> contact-point for the domain name, including phone number, e-mail address
> and other personal data. These data were originally made publicly
> available to give people who operate networks a way of contacting the
> person technically responsible for another network, another domain, when
> there was a problem. This purpose is in itself a legitimate purpose.
> 
> The Working Party is conscious of the growing importance of the Whois
> discussion as more and more individuals (private persons) are registering
> their own domain names and there have been complaints about improper use
> of the Whois data in several countries. The registration of domain names
> by individuals raises different legal considerations than that of
> companies or other legal persons registering domain names, as it will be
> explained more in detail later on in this opinion.
> 

At this point the working group here identifies that

* Private persons (I like the term "natural persons", and I have seen in
other EU documents "natural persons" also) (I.e. living, breathing
humans) are registering domains.

* There have been complaints about improper use of Whois data with
regards to privacy concerns.

* There are different legal considerations between natural persons and
legal persons (I like the term "juridical persons", but it appears that
the EU often uses "legal persons") I.e. corporations, and other
non-natural persons.

> The Working Party has therefore followed with interest the work of the
> ICANN Whois Task Force concerning the Whois directories as well as the
> work undertaken by the International Working Group on Data Protection in
> Telecommunications concerning this matter[2].
> 
> The Working Party is aware of the fact that a Whois discussion will take
> place in the framework of the ICANN/GAC conference that will be held in
> Montreal at the end of June. It would like to contribute to this
> discussion through this opinion that aims at underlying a number of
> fundamental questions arising from the application of the data
> protection principles to the Whois directories. This opinion focuses on
> the Whois directories but, to the extent that the same or similar
> circumstances relate to them, the same considerations apply to other
> registries of domain names and IP addresses at regional level such as
> RIPE for Europe, AP-NIC for Asia and so on.
> 

* Back in 2003 work was ongoing.

* This applies to both IP and domain Whois objects.

> 2. The application of the data protection principles to the Whois
> directories:
> 
>   * From the data protection viewpoint it is essential to determine in
> very clear terms what is the purpose of the Whois and which purpose(s)
> can be considered as legitimate and compatible to the original purpose.
> The reports of the Whois Task Force have failed to address these
> questions. This is an extremely delicate matter as the purpose of the
> Whois directories can not be extended to other purposes just because
> they are considered desirable by some potential users of the
> directories. Some purposes that could raise data protection
> (compatibility) issues are for example the use of the data by private
> sector actors in the framework of self-police activities related to
> alleged breaches of their rights e.g. in the digital right management field.
> 

The questions being asked are in relation to the "data protection
viewpoint" and as such, I believe are relevant to natural persons.  If
framed in this way, then I am willing to concede that European privacy
protections apply in most cases.  If expanded to legal persons then I do
not agree;

At dinner the other night I had asked four Europeans if there existed
laws in their countries that required publication of Corporate names,
Corporate ID, numbers, Phone numbers, and addresses on the webpages for
Corporate and those offering professional services.  All four answered
yes -- the countries of those in my company included Austria, France,
Germany, and Italy.  If these juridical persons are required to publish
this data on webpages for the domains, then I can not see justification
to not include it in Whois.

I'm not going to comment on DRM, such a thing doesn't appear to have
been developed for Whois.

>   * Article 6c of the Directive imposes clear limitations concerning the
> collection and processing of personal data meaning that data should be
> relevant and not excessive for the specific purpose. In that light it is
> essential to limit the amount of personal data to be collected and
> processed. This should be kept particularly in mind when discussing the
> wishes of some parties to increase the uniformity of the diverse Whois
> directories. The registration of domain names by individuals
> raises different legal considerations than that of companies or other
> legal persons registering domain names.
> 

Again the document notes the difference between natural persons and
legal persons.

>     - In the first case, the publication of certain information about
> the company or organisation (such as their identification and their
> physical address) is often a requirement by law in the framework of the
> commercial or professional activities they perform. It should be noted
> however that, also in the cases of companies or organisations
> registering domain names, individuals can not be forced to have their
> name published as contact-point, as a consequence of the right to object.
> 

* Legal persons are often _required_ to publish certain information, but
it is not a requirement to publish the name of a natural person to
comply with the requirement.

* It is often common convention to publish instead a role account name.
E.g. "Domain Admin" or "Acme Widgets Corp"

>     - In the second case, where an individual registers a domain name,
> the situation is different and, while it is clear that the identity and
> contact information should be known to his/her service provider, there
> is no legal ground justifying the mandatory publication of personal
> data referring to this person. Such a publication of the personal
> data of individuals, for instance their address and their telephone
> number, would conflict with their right to determine whether their
> personal data are included in a public directory and if so which[3].
> The original purpose of the Whois directories can however equally be
> served as the details of the person are known to the ISP that can, in
> case of problems related to the site, contact the individual[4].
> 

* Relates to natural persons.

* "Service provider" should know the identity and contact information.
In this case "Service provider" would include the registrar.

* "There is no legal ground justifying the mandatory publication of
personal data referring to this person."  Mechanisms exist currently for
those that wish to not publish this data.  I.e. Whois anonymizing services.

>   * In the light of the proportionality principle, it is necessary to
> look for less intrusive methods that would still serve the purpose of
> the Whois directories without having all data directly available on-line
> to everybody. As it was already mentioned in the introduction, the
> Internet Service Providers can and are playing in some countries an
> important role in this field. In any case filter mechanisms should be
> developed to secure purpose limitation in the interfaces for accessing
> the directories.
> 

Again, the purpose of this document is to address the limitation of data
regarding natural persons.  I'm guessing that I need a history of Whois
anonymizing services, as I have forgotten when they came into
widespread use.  Perhaps they were not yet available in 2003.

>   * The fact that personal data are publicly available does not mean
> that the requirements of the data protection directive do not apply to
> that data. On the contrary, as it has been already stated in previous
> opinions of the Working party[5], it is perfectly clear from the wording
> of the data protection legislation that it applies to personal data made
> publicly available: even after personal data are made public, they are
> still personal and as a consequence the data subjects can not be
> deprived of the protection they are entitled to as regards the
> processing of their data.
> 

Again.  I have no issue with the status-quo and that if a natural
person, having given informed consent as to where his or her data will
be published, wishes to publish via Whois or not.  This is their
decision.  Perhaps the default for registrars when signing up an EU
citizen should be to use a Whois anonymizing service.

>   * The Working Party is particularly concerned about the proposals
> regarding more searchable Whois facilities. In that context it would
> like to mention the conclusions of its Opinion 5/2000 on The Use of
> Public Directories for Reverse or Multi-criteria Searching Services
> (Reverse Directories)[6]: the processing of personal data in reverse
> directories or multi-criteria searching services without unambiguous and
> informed consent by the individual is unfair and unlawful.
> 

This relates to post processing of data of natural persons, and again
this document appears to predate Whois anonymizing services.

>   * The Working Party wishes to state its support for the proposals
> concerning accuracy of the data (which is also one of the principles of
> the European Data Protection Directive[7]) and limitation of bulk access
> for direct marketing issues. Bulk use of Whois data for direct marketing
> is by no means in line with the purpose for which the directories were
> set up and are being maintained. In the light of the provisions of the
> electronic communications directive[8] any use of e-mail addresses for
> direct marketing must be based on opt-in only.
> 

Agreed.

> The Working Party encourages ICANN and the Whois community to look at
> privacy enhancing ways to run the Whois directories in a way that serves
> its original purpose whilst protecting the rights of individuals. It
> should in any case be possible for individuals to register domain names
> without their personal details appearing on a publicly available register.
> 

Whois anonymizing services.

> Done at Brussels, on 13 June 2003
> For the Working Party,
> The Chairman
> Stefano RODOTA
> 
> 
> [1] Official Journal no. L 281 of 23/11/1995, p. 31, available at:
> http://europa.eu.int/comm/internal_market/en/media/dataprot/index.htm
> 
> [2] Common Position on Privacy and Data Protection aspects of the
> Registration of Domain Names on the Internet adopted at the 27th meeting
> of the Working Group on 4/5 May 2000 in Rethymnon / Crete, available at
> http://www.datenschutz-berlin.de/doc/int/iwgdpt/dns_en.htm
> 
> [3] Article 12.2 of Directive 2002/58/EC of the European Parliament and
> of the Council of 12 July 2002 concerning the processing of personal
> data and the protection of privacy in the electronic
> communications sector (Directive on privacy and electronic communications).
> 
> [4] Such a system has been put in place in several European countries
> such as for instance France (through AFNIC) and United Kingdom. For
> instance in the UK individual registrants of domain names
> (‘tag-holders’) can have an entry on Whois that is ‘care of’ their ISP,
> this means that someone who has a problem with a website can contact its
> owner through the ISP with no need for the registrant’s home address
> etc. to appear on an open database.
> 
> [5] Opinion No. 3/99 on Public sector information and the protection of
> personal data, WP 20.
> 
> [6]
> http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wpdocs_2k.htm
> 
> [7] See article 6d of the Directive.
> 
> [8] Directive 2002/58/EC of the European Parliament and of the Council
> of 12 July 2002 concerning the processing of personal data and the
> protection of privacy in the electronic communications sector (Directive
> on privacy and electronic communications).
> 

Final thoughts.  I would believe that Whois anonymizing services will
fill the needed gap with regards to _natural_ persons, if this is the
path that we want to take, then I also believe that these services
should be offered by the registrars free of charge.

Whois anonymizing services are not the only way to handle this, but
suggesting that data about _legal_ persons (corporations) also be
removed from Whois, not only reduces the function and usefulness of
Whois, but might actually run afoul of E.U. laws requiring the
publication of such data.


-- 
Denny Watson
Sr. Investigator
The Spamhaus Project


