[gnso-rds-pdp-wg] another document that might be of interest

theo geurts gtheo at xs4all.nl
Sat Oct 21 19:02:11 UTC 2017


Nice!

https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment-toolkit/ 
through multiple choice.

https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/guidelines_on_data_protection_impact_assessment_dpia.pdf 


Given the fact that we can start from scratch without the concept of 
WHOIS, it might be useful to perform a DPIA. Applying a DPIA to WHOIS 
itself is not so useful; I tried a few DPIAs for some legacy systems at 
work, and the result is not so great. For new projects it works 
perfectly though.

Theo

On 21-10-2017 18:10, Kris Seeburn wrote:
> Theo,
>
> I get your point and understand this fully and effectively it is 
> there. I came across another assessment or self-assessment tool from 
> Microsoft which is quite interesting and has the right questions.
>
> https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx
>
> This may be something we may need to rethink for sure, but any self-
> assessment is worthwhile and may perhaps help us redefine the move ahead.
>
>> On Oct 21, 2017, at 19:54, theo geurts <gtheo at xs4all.nl> wrote:
>>
>> A couple of pointers here for everyone and not directed at anyone 
>> specifically.
>>
>> Eurid will update their Registrar agreement soon, so perhaps it is not 
>> handy to dig into some agreement.
>> The agreement will state very clearly who will be the data controller 
>> (Registry) and the data processor (Registrar/Reseller). As all the 
>> roles are defined and PII is not available through the WHOIS, no 
>> consent is required.
>>
>> Let's dive a little into consent and the organizational "challenges."
>>
>>   * Be specific and granular. Vague or blanket consent is not enough
>>   * Name any third parties who will rely on the consent
>>   * Make it easy for people to withdraw consent and tell them how
>>
>> Consent must specifically cover the controller’s name, the purposes 
>> of the processing and the types of processing activity.
>>
>> Okay? Let's dig a little deeper into consent.
>> Consent will be needed for different processing operations wherever 
>> appropriate – so you need to give granular options to consent 
>> separately to separate purposes.
>>
>> So a registrant will have to consent to at least
>>
>>   * Escrow Registry to Escrow provider in country X
>>   * Escrow Registrar to Escrow provider in country X
>>   * Cross-border transfer of data to Registry in country X
>>   * ICANN staff USA under set conditions must have access to Registry
>>     or Registrar RDE deposit
>>   * ICANN staff access for audits
>>   * Third parties selected by ICANN for audits
>>   * Place holder for all the other stuff I am forgetting
>>
>>
>> As the PII will be published in the WHOIS, that will require consent 
>> also. But you have to warn the Registrant, so it has to be crystal 
>> clear what will happen as soon as that data becomes public. Spam, phone 
>> calls by folks trying to sell you stuff, i.e., the good stuff we all 
>> know about and encounter on a daily basis, and much more.
>>
>> In data protection, there is the fundamental principle which is 
>> unchanged even in the age of Big Data.
>> The data subject has to be in control of her/his data, which means 
>> for consent that you need consent for each of the data 
>> processing activities (even for minor changes in the processing).
>>
>> Now picture a domain name registration flow here.
>> We are talking over a thousand TLDs here, scattered all over the 
>> world.
>> This will not increase consumer trust for starters when it comes to 
>> gTLDs. It will be one big click fest and registration conversion will 
>> go down the drain.
>>
>> But let's assume we go this route.
>> Right to be forgotten? How do we do that when the WHOIS is scraped 
>> day and night by unknown third parties? I am not sure how we will 
>> meet this GDPR requirement. Most likely consent was not "freely" 
>> given. Perhaps part two will cover this some more.
>>
>> Withdrawal of consent: how do we envision this GDPR requirement? I 
>> do not see how we will ever get this working if the current status 
>> quo is not changing.
>>
>> Art 6.1(b) can be used for companies who have a very direct customer 
>> relation on a small base. This is not a solution for Registrars nor 
>> Registries when it comes to mass registrations that happen on a daily 
>> basis.
>>
>> Thanks,
>>
>> Theo
>>
>>
>> On 21-10-2017 02:41, John Bambenek via gnso-rds-pdp-wg wrote:
>>> Not the last few items discussed, no. That said, I have been 
>>> traveling for the past few weeks and need to read them side by side 
>>> for a definitive synthesis. That aside, my primary concern is that 
>>> said officials are not hearing enough from the anti-abuse and 
>>> security community on these tools to have a more fully informed 
>>> discussion. We are working to rectify that.
>>>
>>> Sent from my iPad
>>>
>>> On Oct 21, 2017, at 2:35 AM, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>
>>>> My apologies, John. It was not clear to me that you had read the 
>>>> memo. I am glad to hear that you have. Particularly in relation to 
>>>> consent, I thought the advice that the memo contained (along with 
>>>> the Hamilton memo) was consistent with the advice that we received 
>>>> from the European Data Protection Commissioners earlier this year. 
>>>> Would you agree?
>>>>
>>>> —Ayden
>>>>
>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of 
>>>>> interest
>>>>> Local Time: 21 October 2017 1:27 AM
>>>>> UTC Time: 21 October 2017 00:27
>>>>> From: jcb at bambenekconsulting.com
>>>>> To: Ayden Férdeline <icann at ferdeline.com>
>>>>> Victoria Sheckler <vsheckler at riaa.com>, GNSO RDS PDP 
>>>>> <gnso-rds-pdp-wg at icann.org>
>>>>>
>>>>> Yes, I believe I pointed out on this very list that, among other 
>>>>> things, the notion that EU law should reign supreme globally even 
>>>>> when it conflicts with local laws is patently offensive.
>>>>>
>>>>> Is there a particular outcome that you are trying to achieve by 
>>>>> insinuating that I am ignorant and not reading the mounds of 
>>>>> paperwork generated by this group? I mean besides the continual, 
>>>>> consistent, and vigorous disrespect shown to those who work in 
>>>>> anti-abuse or security?
>>>>>
>>>>> And if you’d like an analysis of the legal memo, it is this: it is 
>>>>> always better to take the word of the regulators over merely that 
>>>>> of some law firm. Which is what I thought we were actually talking 
>>>>> about in the first place.
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> John Bambenek
>>>>>
>>>>> On Oct 20, 2017, at 19:10, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>>> John,
>>>>>>
>>>>>> Have you read the legal memo that we received from Wilson Sonsini 
>>>>>> Goodrich & Rosati?
>>>>>>
>>>>>> It states on page 14, "asking for consent would not be simple, 
>>>>>> would not solve all data protection issues, and would pose a 
>>>>>> number of organizational challenges."
>>>>>>
>>>>>> The rationale behind this statement is contained within the memo.
>>>>>>
>>>>>> —Ayden
>>>>>>
>>>>>>
>>>>>>> -------- Original Message --------
>>>>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of 
>>>>>>> interest
>>>>>>> Local Time: 21 October 2017 1:06 AM
>>>>>>> UTC Time: 21 October 2017 00:06
>>>>>>> From: jcb at bambenekconsulting.com
>>>>>>> To: Ayden Férdeline <icann at ferdeline.com>
>>>>>>> Victoria Sheckler <vsheckler at riaa.com>, GNSO RDS PDP 
>>>>>>> <gnso-rds-pdp-wg at icann.org>
>>>>>>>
>>>>>>> So, in short, if we create a consent system, we are fine.
>>>>>>>
>>>>>>> Am I missing something?
>>>>>>>
>>>>>>> --
>>>>>>> John Bambenek
>>>>>>>
>>>>>>> On Oct 20, 2017, at 17:31, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>>>>> I would like to flag two extracts from this Regulation that may 
>>>>>>>> be relevant to our work:
>>>>>>>>
>>>>>>>>   * "The Registry should also comply with the relevant data
>>>>>>>>     protection rules, principles, guidelines and best
>>>>>>>>     practices, notably concerning the amount and type of data
>>>>>>>>     displayed in the WHOIS database." (page 3)
>>>>>>>>   * "The WHOIS database shall contain information about the
>>>>>>>>     holder of a domain name that is relevant and not excessive
>>>>>>>>     in relation to the purpose of the database. In as far as
>>>>>>>>     the information is not strictly necessary in relation to
>>>>>>>>     the purpose of the database, and *if the domain name holder
>>>>>>>>     is a natural person, the information that is to be made
>>>>>>>>     publicly available shall be subject to the unambiguous
>>>>>>>>     consent of the domain name holder*." (page 10 - emphasis added)
>>>>>>>>
>>>>>>>> Thank you,
>>>>>>>>
>>>>>>>> Ayden Férdeline
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> -------- Original Message --------
>>>>>>>>> Subject: [gnso-rds-pdp-wg] another document that might be of 
>>>>>>>>> interest
>>>>>>>>> Local Time: 20 October 2017 10:47 PM
>>>>>>>>> UTC Time: 20 October 2017 21:47
>>>>>>>>> From: vsheckler at riaa.com
>>>>>>>>> To: GNSO RDS PDP <gnso-rds-pdp-wg at icann.org>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I think we missed this document when we were reviewing 
>>>>>>>>> documents for this WG back in the day, and thought some of you 
>>>>>>>>> might find it of interest given our current discussions on GDPR.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> COMMISSION REGULATION (EC) No 874/2004 of 28 April 2004 laying 
>>>>>>>>> down public policy rules concerning the implementation and 
>>>>>>>>> functions of the .eu Top Level Domain and the principles 
>>>>>>>>> governing registration, available at 
>>>>>>>>> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF
>>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>>>
>>>>
>>>
>>>
>>
>
> Kris Seeburn
> seeburn.k at gmail.com
> www.linkedin.com/in/kseeburn/
>
