The next GNSO Next-Gen RDS PDP Working Group teleconference will take place on Wednesday, 15 March at 13:45 CET for 75 minutes. 

For other times: http://tinyurl.com/hwqpv8c 


SESSION DESCRIPTION: http://sched.co/9npc

LOCATION: Hall C1.4 (GNSO)

LINKS FOR ADOBE CONNECT AND AUDIO: http://sched.co/9npc


PROPOSED AGENDA: 

1. Introductions

Guest presenters will be introduced to the RDS PDP WG:

  • Joe Cannataci, UN Special Rapporteur on the right to privacy
  • Peter Kimpian, Data Protection Unit of the Council of Europe

2. Data Protection Expert – Q&A session

The moderator, Chuck Gomes, will briefly introduce our charter to provide the GNSO Council with recommendations on the following questions: What are the fundamental requirements for gTLD registration data, and is a new policy framework and next-generation RDS needed to address these requirements? He will then indicate that the WG is currently deliberating upon key concepts upon which to base requirements in the following areas:

  • Users/Purposes: Who should have access to gTLD registration data and why?
  • Data Elements: What data should be collected, stored, and disclosed?
  • Privacy: What steps are needed to protect data and privacy?

Moderator will lead the panel through the WG’s list of questions (RDSPDP-QuestionsForDataCommissioners-7March2017.pdf), allowing time for open Q&A.

3. Continuation of Saturday F2F session deliberation, time permitting

4. Conclusions and Adjourn


Adobe Connect Multimedia Session Recording

English Audio Session Recording

AC Chat

Transcript


Notes - RDS PDP WG Meetings at ICANN58

These high-level notes are designed to help PDP WG members navigate through the content of these meetings and are not meant as a substitute for the transcripts and/or recordings. The MP3, transcript, and Adobe Connect recording are provided separately and are posted on the wiki here:

Saturday 11 March: http://sched.co/9npN and https://community.icann.org/x/GbLRAw
Wednesday 15 March: http://sched.co/9npc and https://community.icann.org/x/HbLRAw

Many WG members also attended a cross-community discussion with Data Commissioners. The MP3, transcript, and Adobe Connect recording of that session can be found here: http://sched.co/9nnl

 


Notes - RDS PDP WG Meeting – Wednesday 15 March, 2017

1. Introductions: Guest presenters were introduced to the RDS PDP WG:

  • Joe Cannataci, UN Special Rapporteur on the right to privacy
  • Peter Kimpian, Data Protection Unit of the Council of Europe

2. Data Protection Expert – Q&A session

  • The WG chair briefly introduced our charter and current areas of deliberation
  • Preface from Joe Cannataci: With regard to future interaction, we need to consider sustainability; may wish to set up a group to invite experts to join WG discussion formally
  • Guest presenters discussed the WG’s list of questions:
    RDSPDP-QuestionsForDataCommissioners-7March2017.pdf
  • Discussion with Joe Cannataci on purpose of a next generation RDS, including:
    • What specifying purpose entails
    • Where purpose of data will and will not apply in the RDS
    • Criteria that apply to legitimate purposes
    • Publication of data elements in the RDS
    • Feedback on the WG’s specific purpose #1:
       “A purpose of gTLD registration data is to provide information about the lifecycle of a domain name and its resolution on the Internet.”
    • Applicability to “thin” versus “thick” data elements
    • Differentiation between primary and secondary purposes
    • Notes below provide a brief overview of points raised during discussion; refer to the Transcript for a complete recap of this Q&A session

Q1. What do you mean when you tell ICANN to specify the purpose of WHOIS?

  • Test for purpose should be based on use studies or case studies.
  • Whenever you have someone stipulate they want to collect data, you must ask why.
  • Example of applying for a bank loan or insurance policy to assess risk.
  • Each bit of information must be in line with purpose.
  • Purpose cannot be general or just in case.
  • Can only keep records for as long as needed for purpose.
  • Purpose questions (and answers) will change over time.
  • If you are a bank or telecom developing a new service you must define your primary purpose.
  • A secondary purpose might be a different service marketed to the same client later on.
  • It would be good to get definitions for “primary purpose” and “secondary purpose.”
  • From chat: Australian Privacy Act 1988: "Use or disclosure of personal information for a purpose other than the primary purpose of collection (being a 'secondary purpose') is permitted under specific exceptions where that secondary use or disclosure is ... in the conduct of surveillance activities, intelligence gathering activities or monitoring activities, by a law enforcement agency"
  • The purpose must be clear – for example “in order to enable enforcement of specific law”
  • If a purpose is provided for by law then a purpose is legitimate.
  • For example, the purpose of collection of registrant data might be to ensure that the DNS works. There is a belief by some that there should be access to that data by others (e.g., those investigating cybercrime). Are those secondary purposes? The WG must decide.
  • Do you need separate purposes for collection, access, and display? Absolutely yes.

Q2. Under what circumstances might the publication of registration data elements that are personal data be allowable?

  • Why do you want to publish information? What is the public interest in publishing that data?
  • For example, why is information about the lifecycle of a domain in the public interest?
  • If data is easily linked to an individual, then it is personal data.
  • Just because it is personal data doesn’t mean it cannot be in a WHOIS record.
  • No data protection law prohibits publication of personal data for legitimate purposes.

Q5. Do you believe that any of the following THIN data elements are considered personal information under the General Data Protection Directive, and why?

  • In this case (thin data example in #5) the data is not personal data, but in other cases it might be
  • If an individual registers their own name as a domain name, is the domain name personal data? WG view: In this case, the individual has chosen to publish their name in the DNS. A domain name is required for DNS resolution and as the key to the WHOIS record.
  • Why is expiration date published in a directory service? Isn’t that just of interest to the subscriber? Why is it of legitimate interest to others?
  • Analogy with telephone directory – in most countries, subscribers can opt out of being in the phone directory; why doesn’t that apply here?
  • There may be other analogies that are more appropriate than a telephone directory

3. Deferred: Continuation of Saturday F2F session deliberation, time permitting

4. Conclusions and Adjourn

  • Plan is to collect answers to the WG’s questions (all 19) from the data protection experts who participated in the Monday cross-community session.
  • In principle, there is broad agreement amongst panelists on the answers to the WG’s questions. Responses from data commissioners may be published on the WG’s wiki, if helpful.
  • Reminder for all WG members to participate in this week’s poll no later than COB 26 March.

Action Item: Peter Kimpian to gather answers to the 19 WG questions from the panelists and provide them (if possible) prior to the next WG call on 28 March 2017.  

