[gnso-rds-pdp-wg] More mandatory reading in preparation for ICANN AD

Greg Aaron gca at icginc.com
Thu Oct 26 14:53:44 UTC 2017


Thanks for that Volker.  A note for the group: There is a statement at the beginning of the document that seems overbroad and does not seem to comport with the laws and recent legal cases in the EU.  It may have been clumsily stated.

This statement is:  "In an ICANN context, even thin WHOIS data, IP addresses (including dynamic ones), metadata, etc. are to be considered personal data as the identification of an individual by using such data or by combining them with other publicly, easily accessible data is possible."

That incorrectly implies that no thin data can be published.  It's wrong to state that IP addresses and other thin data "are" always personal data.

The Court of Justice of the European Union has held that IP addresses and the like are "personal data" _only in certain circumstances_.   If one has no legal means of linking an IP address to the identity of its user, then that IP address is unlikely to be personal data.  The legal principle is not "all data is personally identifiable because any piece of data might potentially be connected to an individual by somebody somewhere by some means."

The statement might be more accurate if it said something like:  "In an ICANN context, it should be considered in what situations thin WHOIS data, IP addresses (including dynamic ones), metadata, etc. may be personal data, namely when the identification of an individual by using such data or by combining them with other publicly, easily accessible data is possible."

The CJEU recently decided that a dynamic IP address will be personal data in the hands of a website operator if:
* there is another party (such as the natural person's ISP) that can link the dynamic IP address to the identity of an individual; and
* the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.

So in that case, the IP address was "personal data" only to the ISP (who knows what IP it assigned to its natural person customer), and to the German government (which could use legal process to compel the ISP to give it info about the user who used the IP).  The IP address was not PII for everyone else.
See: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases

As I've mentioned before, European TLD operators such as Nominet and SIDN have closely reviewed their legal obligations and have no issue publishing thin data.  So that's interesting.

And there's the little detail that if IP and nameserver data can’t be published, then the DNS won't work.

All best,
--Greg

**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Volker Greimann
Sent: Thursday, October 26, 2017 10:02 AM
To: gnso-rds-pdp-wg at icann.org
Subject: [gnso-rds-pdp-wg] More mandatory reading in preparation for ICANN AD

The Council of Europe has just published a guide on privacy and data protection principles specifically for ICANN related data processing.

TL;DR:

1) Data controller needs to define twofold purposes for processing; a) related to policy; b) for contracted parties and their agreements with data subjects.

2) Data controller is fully liable for all data processing performed in accordance with purpose statement in compliance with all applicable laws.

3) Data processed for purposes not included in purpose statement is unlawful.

4) Data processing must be limited by guiding principles of necessity, proportionality and purpose limitation.

5) Data processing based on consent is practically impossible in ICANN context.

6) Personal data must not be stored for longer than absolutely necessary for the legitimate purpose pursued.

7) ICANN needs formal data transfer policy for trans-border transfers.

8) Privacy by design and default as basis for all processing considerations.

--
Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net

Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu
