...

7. Confirm next steps & next meeting


Mp3

Transcript

AC Chat

Attendance

Joining late: 

Apologies: Ayden Férdeline, Stefania Milan, Susan Prosser, Andrew Sullivan, Greg Shaton, Amr Elsadr, Richard Leaning, Peter Kimpian, Olevie Kouami

On audio only: 

Reference Documents

RDSPurpose-InputsSummaries-1May.pdf

RDSData-InputsSummaries-1May.pdf

RDSPrivacy-InputsSummaries-1May.pdf

RDS-PDP-Phase1-FundamentalQs-SubQs-MindMap-2May 2016.pdf 

...

 None

 


Notes and Action Items

1.   Roll Call / SOI

...

- Privacy team identified and summarized many documents - a good bit of overlap with the Purpose list but often summarized by different people from different perspectives, so useful to read all summaries of same input
- Among the inputs identified as most relevant by the sub-team are: SAC054, EWG recommendations, EU Data Protection Directive, Council of Europe's Treaty 108, Professor Greenleaf's articles on trends and laws, A29 Opinion 2/2003 on the application of data protection principles to WHOIS directories, the Thick WHOIS PDP report and legal review provided to the implementation review team, other A29 correspondence with ICANN. Two additional inputs were flagged as highly relevant by some but not all agreed: Schrems v. Data Protection Commissioner (2015) and McIntyre v. Ohio Elections Commission.
- Additional comments from purpose sub-team members:
- Stephanie is still working on summary of A29 Opinion 6/2004 on the legitimate interests of data controllers w/r/t any impact that new EU data protection regulations may have on this opinion
- As additional documents become relevant to our work, they will need to be taken into account
- See Professor Greenleaf's article and summary for information on emerging trends as well as comprehensive list of data protection laws
- Purpose and Privacy overlap - can be helpful to look at purpose through the prism of DP laws
- Chat comments on this topic from other WG members:
- Data protection regulation will supplant the framework directive, not coexist with it.  (Once the regulation comes into force in 2018)
- Article 29 WP 76 Opinion 2/2003 is in the summaries and does say "registration of domain names by individuals raises different legal considerations than that of companies or other legal persons registering domain names" ... "the publication of certain information about the company or organisation (such as their identification and their physical address) is often a requirement by law in the framework of the commercial or professional activities they perform"
- Should the privacy team include more documents about limitations of privacy rights? Article 29 WG in 2006 stated that companies do not necessarily have a right to privacy and that imposes an obligation on us to explore that limitation and others
- Should the privacy team add some of the legal analysis that was presented to the PPSAI group?
-  <additional chat comments to be included here>
- Note that protection of human rights is not included in the privacy group's summaries
- There are really two issues in the question: what data is needed (purpose of collection will focus on why the information is collected) and then what of that information should be available - and to whom
- Does any data currently collected and disclosed via Whois meet the EU definition of "sensitive data"?
- It's not just the privacy of individuals that is protected under data protection laws, but of course, that of human rights groups, minority political groups, minority ethnic and sexual groups. This is covered in the privacy sub-team's summaries, which sub-team members may highlight after the call. 
- Should we make a distinction between personal data of individuals and data from a company or commercial enterprise?
- Re: privacy, UN’s website on Right to Privacy in the Digital Age states that the “right to privacy under international human rights law is not absolute” and one can interfere with the right to privacy where it’s necessary, legitimate, and proportional. And all I've read in A29 seems to support this
- Article 19 - Freedom of Expression extends to organizations as well as individuals (and many organizations are organized as "companies" for tax purposes).
- How does Freedom of Expression relate to registration data?
- Noted that protection of human rights is not included in the privacy group's summaries.
- Human rights protections must be considered, but constitutional protections vary from place to place and aren't universally adopted.
- Are we conflating two principles? Question as to whether chat accurately reflects A29 Opinion. All WG members should review A29 opinions and all sub-team summaries of them.
- We may need to introduce some nuance into how we talk about individuals vs companies' right to privacy. 
- "Sensitive speech" also has privacy protections, especially when the organizations are engaged in categories of expression protected under law.
- National law provides more rights to employees in some jurisdictions than in others ... but that does not invalidate the principle that we must consider the implications of protection, use and disclosure on groups and individuals.

  • All of these sub-team outputs were created to inform the full WG as it continues its phase 1 work.
  • Thank you to the sub-teams. While more summaries can always be added as further key inputs are identified, this initial sub-team assignment has now been completed.
     
  • Question: New RAA includes additional requirements w/r/t data collection, how will this PDP WG's recommendations impact those requirements?
    Answer: Registries and registrars have an obligation to follow consensus policies and commit to following them even before we know what they'll be. 
    In this PDP WG's phase 1 work, the WG will make a recommendation about whether a new RDS is needed or WHOIS can be modified to meet requirements, as well as whether to continue to phases 2-3 to make policy recommendations. 
    Phase 2 will draft new consensus policies, phase 3 implementation guidance. 
    This PDP WG will make recommendations for consensus policies, give those to the GNSO council. 
    The GNSO council will decide whether to recommend adoption to the board.
    Only when the board approves the recommended consensus policies do they then get implemented into the registry and registrar agreements. 
    This long process can change future contractual requirements - new consensus policies would be incorporated into agreements with registries and registrars. 
    Part of the board's motion to adopt new consensus policies typically tasks staff with making adjustments to contracts and forming an implementation review team to implement the new policies in as efficient and timely a manner as possible. 
    No need for renegotiation of agreements.
    From Chat: For example, see Section 2.2 of Registry Agreement: Compliance with Consensus Policies and Temporary Policies. Registry Operator shall comply with and implement all Consensus Policies and Temporary Policies found at <http://www.icann.org/general/consensus-policies.htm>, as of the Effective Date and as may in the future be developed and adopted in accordance with the ICANN Bylaws, provided such future Consensus Policies and Temporary Policies are adopted in accordance with the procedure and relate to those topics and subject to those limitations set forth in Specification 1 attached hereto (“Specification 1”).

3.   Review updated mind map (revised)

...

Action item: Staff to schedule early leadership team meeting (possibly Wednesday of this week) to finalize draft work plan for distribution to full WG


Reference Documents

RDSPurpose-InputsSummaries-1May.pdf

RDSData-InputsSummaries-1May.pdf

RDSPrivacy-InputsSummaries-1May.pdf

RDS-PDP-Phase1-FundamentalQs-SubQs-MindMap-2May 2016.pdf 

RDS PDP - SO AC SG C Input Template - 2 May 2016 rev.pdf  

Latest versions of all sub-team outputs: https://community.icann.org/x/p4xlAw.

Membership of the sub-teams: https://community.icann.org/x/DDCAAw