[gnso-rds-pdp-wg] a suggestion for "purpose in detail"

John Bambenek jcb at bambenekconsulting.com
Wed Mar 22 14:30:37 UTC 2017



Sent from my iPhone

On Mar 22, 2017, at 09:14, Ayden Férdeline <icann at ferdeline.com> wrote:

>> The legal review previously discussed seemed pretty clear. What data protection law requires changes greatly if data elements are optional and/or can be masked. 
>> 
>> Facebook doesn't have to consider every piece of information it collects and each field because all of them are optional. 
> 
> Yes, it is different when data elements are truly optional and data subjects provide their explicit, informed consent for their personally-identifiable information to be collected and processed by known entities. 
> 
> However, consent is not a magic bullet. We will still need to address the point raised last week - that we separate what data is collected from discussions around how data is processed or released - and we will need to discuss how consent can inappropriately legitimise processing restricted by law, and the cross-border transfers of data in the absence of adequate safeguards. Meaningful consent also entails the right to revoke that consent; the right to erasure.
> 
>> For instance, we can't say DP laws say we don't need phone number and can't collect it if we aren't considering consent and whether it's an option or requirement.
> 
> As a general rule, I would think that if one is reasonably confident that a data subject would not grant their consent for their data to be collected or processed in a certain way, that should be a warning sign to reconsider whether that data should really be collected or processed in the first place…
> 
But some WOULD publish it and that's the point. I have no problem with my corp number on my domain records because people have called me to resolve issues. 

Making most of the fields optional/maskable means we don't have to adopt a one-size-fits-all approach.


> Best wishes,
> 
> Ayden Férdeline
> linkedin.com/in/ferdeline
> 
> 
>> -------- Original Message --------
>> Subject: Re: [gnso-rds-pdp-wg] a suggestion for "purpose in detail"
>> Local Time: 22 March 2017 1:46 PM
>> UTC Time: 22 March 2017 13:46
>> From: gnso-rds-pdp-wg at icann.org
>> To: David Cake <dave at davecake.net>
>> gnso-rds-pdp-wg at icann.org
>> 
>> The legal review previously discussed seemed pretty clear. What data protection law requires changes greatly if data elements are optional and/or can be masked. 
>> 
>> Facebook doesn't have to consider every piece of information it collects and each field because all of them are optional. 
>> 
>> We very clearly DO need to consider whether fields are optional and/or they can be masked if we are going to consider data protection laws as a requirement. 
>> 
>> For instance, we can't say DP laws say we don't need phone number and can't collect it if we aren't considering consent and whether it's an option or requirement.
>> 
>> Sent from my iPhone
>> 
>>> On Mar 22, 2017, at 04:02, David Cake <dave at davecake.net> wrote:
>>> I agree with Stephanie strongly here.
>>> Free privacy services and similar might make a lot of the practical design issues go away, or might not, but I think that is an issue for Phase 2, in which we construct what a new RDS looks like (presuming we conclude that one is needed).
>>> 
>>> Phase 1 concentrates on fundamental requirements, and knowing which data elements we collect and why is necessary, even if that data is not generally made available to the public. And this will impact data protection law even if the data that is collected and retained is not widely accessible. Even if we decided that certain data was only accessible with a warrant, we would still need to justify collecting it.
>>> 
>>> Regards
>>> 
>>> David
>>> 
>>>> On 22 Mar 2017, at 3:49 am, Stephanie Perrin <stephanie.perrin at mail.utoronto.ca> wrote:
>>>> 
>>>> Indeed, the WHOIS disclosure instrument may be the thing that sticks in everybody's mind, but it is not the first place to start in addressing a comprehensive approach to RDS privacy.  First you have to address why you are collecting each data element.  Is the core purpose justifiable and proportionate? etc, we spent an hour on it with Mr. Cannataci and we are not done yet....
>>>> 
>>>> Yes, privacy proxy services have been the stop gap over the years.  The data is still being collected without a clear statement of purpose, disclosed in a variety of ways that may not pass muster, retained in violation of at least EU law and likely others, data subject access and disclosure rights inadequately addressed......
>>>> 
>>>> Let's wait till we get our answers to the questions before we start discussing possible solutions.  I think we are jumping ahead quite a bit.
>>>> 
>>>> Stephanie Perrin
>>>> 
>>>> 
>>>>> On 2017-03-21 15:18, allison nixon wrote:
>>>>> I find myself in agreement with the free whois privacy idea. It renders a lot of these privacy concerns moot, and it isn't a big leap to make because many registrars already offer it for free. It also won't break the many security systems used by companies and law enforcement every day. It will also resolve the spam issue. And it does seem that giving users a true, zero-cost, choice as to how they want their data disseminated will resolve a lot of the legal issues as well.
>>>>> 
>>>>>> On Tue, Mar 21, 2017 at 3:06 PM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
>>>>>> 
>>>>>> And part of the "if so" includes whether the individual chooses to protect it in some free privacy regime. It's the same question.
>>>>>> 
>>>>>> It's why Twitter can exist. If you post publicly knowing you are doing so and having a true choice, then privacy issues become greatly reduced.
>>>>>> 
>>>>>> Here we have (1) you MUST provide "all this stuff" and (2) you MUST pay extra or we broadcast it to the world.
>>>>>> 
>>>>>> It isn't an ancillary question. It's the fundamental one.
>>>>>> 
>>>>>> Sent from my iPhone
>>>>>> 
>>>>>> 
>>>>>> > On Mar 21, 2017, at 13:55, "ajs at anvilwalrusden.com" <ajs at anvilwalrusden.com> wrote:
>>>>>> >
>>>>>> >> On Tue, Mar 21, 2017 at 01:22:18PM -0500, John Bambenek wrote:
>>>>>> >> I think we should also discuss at a higher level that if privacy services were free from the registrars if that would largely resolve all of this.
>>>>>> >
>>>>>> > I don't see how.  The experts last week were quite clear that the
>>>>>> > first question is about collection, and our PDP is chartered to talk
>>>>>> > about that too, so we have to discuss whether some of this data should
>>>>>> > be collected at all, and if so by whom.
>>>>>> >
>>>>>> > A
>>>>>> >
>>>>>> > --
>>>>>> > Andrew Sullivan
>>>>>> > ajs at anvilwalrusden.com
>>>>>> > _______________________________________________
>>>>>> > gnso-rds-pdp-wg mailing list
>>>>>> > gnso-rds-pdp-wg at icann.org
>>>>>> > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> 
>>>>> _________________________________
>>>>> Note to self: Pillage BEFORE burning.
>>>>> 
>>>>> 
> 