Bastiaan Goslings rationale for abstention:
- Other jurisdictions _have_ privacy regulations, and there are more coming. The EPDP charter explicitly says 'This EPDP Team is being chartered to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law.’
- Privacy is a good thing and we should preserve it? The right to a private life is a human right. And I therefor think, especially for an organisation like ICANN that sets global policies for contracted partes, that we should look at privacy principles as being universally applicable.
It seems very odd to me for the EPDP team to have put so much work in defining purposes and establishing the legal basis’ for the processing of personal data, and then to suddenly say these can be ignored only because a registrant is from a jurisdiction where the GDPR is not applicable. ICANN as an org strives to act in the global public interest and has an, albeit dormant, core value in its Bylaws to respect internationally recognised human rights as required by applicable law.
(I of course know that privacy as a (human) right is not absolute. But that is precisely the reason why work is going to be done on a UAM so redacted personal WHOIS data can be disclosed to those with substantiated legitimate interests)
Besides the arguments above, I think the ‘unified access’ that the ALAC is pushing for requires a ‘unified’ approach to data protection. In terms of offering clarity, predictability, consistency and reliability when it comes to the _global_ policy setting by ICANN. For all involved, from end-users to contracted parties. The same standards should apply to everyone. Isn’t ICANN’s motto „one world - one Internet“?
I do not think we want to set up a system where some users have the right to be forgotten, to access their data, data portability, data to be redacted etc and other users, who will not benefit from that.
(Btw Even if geographical distinction would be mandated, according to recommendation #10 of the phase 1 end-report contracted parties can still choose to redact data even if the GDPR is not applicable.)
As said, I can agree with the ’Thick WHOIS’ part of the draft advice. And while I can also agree with the call to deal with the Legal vs Natural persons (non) distinction in phase 2 of the EPDP, I think this is already explicitly covered by the phase 1 end-report (recommendation #17).
So this leaves the question whether geographic distinction of registrants by contracted parties should be mandated. I made it clear this should not be be the case and I disagree with the position in the draft-advice on this, as well as when it comes to the framing of the ‘issue’. I do however support us reminding the board that this topic, in our and others’ recollection (e.g. SSAC), was to be discussed further and decided on in phase 2. Which is what the Advice also asks for.
So, that is why I ‘abstained’ from supporting the ratification of the Advice instead of saying ’no’. ‘