The next GNSO Next-Gen RDS PDP Working Group teleconference will take place on Tuesday, 14 February at 17:00 UTC for 90 minutes 09:00 PST, 12:00 EST, 17:00 London, 18:00 CET 

For other times: http://tinyurl.com/ha4rw2r

PROPOSED AGENDA: 

1. Roll call / SOI
2. Practical Examples to illustrate Purpose Limitation
    Presentation by Peter Kimpian (see below) and Q&A
3. Continue deliberation on the Privacy charter question:

Question 4.1 (revised): For thin data only -- Do existing gTLD registration directory services policies sufficiently address compliance with applicable data protection, privacy, and free speech laws about purpose? If not, what requirements might those laws place on RDS policies regarding purposes associated with thin data?

4. Confirm action items and proposed decision points
5. Confirm next meeting date:  Wednesday, 22 February 2017 at 06.00 UTC

Attendance

Apologies: Patrick Lenihan, Ayden Federline, Geoffrey Noakes, Susan Prosser, Sam Lanfranco, Geoffrey Noakes, Steve Metalitz, Alan Greenberg, Holly Raiche, Andrew Sullivan, David Cake, Lawrence Owalale Roberts

AC Chat

Mp3

Adobe Connect Recording

Transcript


Notes:

1. Roll call / SOI

  • Roll call will be taken from Adobe Connect
  • Please remind to update your SOIs as needed
  • Please remember to state your name before speaking as well as muting your microphone when not speaking

2. Practical Examples to illustrate Purpose Limitation

  • Presentation by Peter Kimpian and Q&A
  • Posted at link: https://community.icann.org/x/HIzRAw
  • Working now to improve all of our understanding of data protection and privacy needs, just as it will be important to understand the needs of other SGs as we move forward
  • Right now we are focusing on thin data only, but we will get to other data elements as we move forward
  • WG members are encouraged to ask questions and share viewpoints

Slide from Stephanie Perrin's deck

  • Broad interpretation of the purpose of collection, use and disclosure allows subsequent reuse for different reasons (if you interpret broadly, reuse may be broader; the opposite would also be true)
  • Purpose limitation is the first premise of data protection analysis - purpose must be narrow & proportionate
  • How narrow? That is the subject of our deliberation

Examples from Peter Kimpian to illustrate purpose principles

  • Providing real life examples from outside of ICANN environment, from actual court cases, to illustrate privacy as a human right, recognized globally, but with different privacy frameworks and also international instruments that are not legally binding but can guide us
  • Illustrating Convention 108 Article 5 principles regarding legitimacy of data processing and qualify of data. Modernized version has very pragmatic explanation of the main principles (see slide 2)
  • 1) Data processing shall be proportionate in relation to the legitimate purpose pursued - legitimate purpose must be defined in advance (refer to last week's presentation)
  • 2) Data processing can be carried out on the basis of free, specific, informed and unambiguous consent
  • Practical example of these principles for purpose specification - drawn from outside the ICANN environment, but can be related to ICANN's work...

Example #1: Retail company and consumer's health conditions is famous example within DP community. Consumer had a loyalty card and purchased articles in a retail store using the card, the company used the data to deliver better service (articles of interest to consumer). Company also used analytics to determine consumer is pregnant, used for telemarketing and offer of diapers. Information inadvertently revealed to consumer's father. Health condition (pregnancy) is personal data in this case, but this retail company did not have a purpose for processing data to determine this. Can only process data under strict conditions for specific purposes.

Example #2: Personal data collected by drones, use of drones is growing but there are privacy concerns. While on vacation, drone appeared and was recording people. With drones they very easily process personal data of people who are unaware and may not want to become data subjects for that drone, breaches most privacy legislation to record so broadly. Couples on beach filming each other differs from people on street doing same thing which inevitably films other people. Court said that you have expectation that you will not be filmed, image will not be captured without a specific purpose - even in public space, journalists and others must follow DP law

Example #3: Public authorities data processing, e.g., immigration v law enforcement/national security purposes. Databases not created for crime-fighting but for immigration purpose - concern that personal data will be used by law enforcement. There are some cases where this is allowed, but they are specific and limited.

Example #4: Digital Ireland and Tele2 case on data retention. EU judgement but relevant to ICANN as well. Retention of metadata (telecoms), not content of communication itself. Court said this practice infringes upon individual's right to privacy and protection of personal data. Interferes with fundamental right - if there, it must be balanced. In this case, not balanced because there was no criteria for retention, just blanket retention. There was not a specific purpose (who, why, for what period).

  • These questions regarding purpose come up time and again in many court cases, and examined against requirements for purpose specification and need to be as precise as possible about data processing
  • See also Article 29 WP 203 Opinion 3/2013 on purpose limitation, Annexes on purpose specification and compatibility
  • Examples are not ICANN-specific but chosen to provide guidance. Have also just begun to examine ccTLD privacy statements regarding purposes for registration data collection and processing.

Question and Answer

  • Q: Is modernized Convention 108 a law? Does it apply to the RDS PDP WG's work?
  • A: Used because it's the only international treaty on privacy on human rights, it's an open convention, currently 3 states outside of Europe have joined with 47 states within Europe - for those states, it has a binding effect. Economic reasons to join convention: enables free flow of information and data, if you join, you can send/receive data without specifically addressing national legislation. In phase of getting more countries to join this convention.
  • Q: Companies must also ensure adequate processing of data? If data is public in WHOIS, how can companies do this? How are we going to make sure that we are compliant with EU law and other DP laws?
  • A: To be deliberated under item 3 of agenda - requirements first and later implementation guidance
  • Q: Stephanie's slide, what is origin of two bullets?
  • A: Statements from Stephanie, based on input documents such as A29 WP 203 on purpose limitation (refer to source document for specific text)
  • Q: As we debated on the purpose of RDS, we got a little stuck. (refer to chat debate on purpose(s)) Do you have any guidance that would help us in agreeing upon the purpose(s) of RDS?
  • A: The principles have to be followed by implementation, if needed with assistance of data commissioners. Convention 108 encompasses all of the internationally recognized principles and does not contain anything that's not followed by the 110 countries that have DP laws. Also use APAC privacy framework as a reference, to demonstrate similarity to EU privacy framework. Also must take into consideration US laws that apply. Can debate possible purposes that apply under ICANN's remit, but after that we must apply the balance test - whether we are defending others' interest while hurting data subject's rights and is this balanced?
  • See also book on Data Protection law that provides examples on purpose limitation
  • It is the Data Controller that must address secondary purposes. For example, immigration data - immigration authorities don't need to consider whether immigration data will be useful to fight drug activity. It must determine whether data is obtained in lawful way for immigration purposes only. Other secondary uses occur when for example the police come to the immigration authority to requests data.
  • Q: How do we address trademark protection for example? How do we craft a purpose statement that protects intellectual property rights?
  • A: You have to decide what will be ICANN's first level purpose for registration data - TM protection, law enforcement, other interests - but must first take into account all of the requirements for data processing according to data protection/privacy principles. ICANN may not be data controller under all jurisdictions, but in some countries there may be a law that defines a primary purpose - for ICANN, it must define for itself.
  • Q: Does our purpose statement for an RDS need to be specific enough to discuss not only primary purpose but also secondary purposes?
  • A: To be safe, yes.
  • In Canada, first privacy act refers to primary, secondary, tertiary purposes and consistency - need to look at what each law requires. Example: birth details in health records and daycare needs for health records. In ICANN space, IPC and WIPO argued need for Internet crime fighting data, reflected in RAA today. Is ICANN in its current state set up to be the instrument to enforce IP rights?

3. Continue deliberation on the Privacy charter question:

Question 4.1 (revised): For thin data only -- Do existing gTLD registration directory services policies sufficiently address compliance with applicable data protection, privacy, and free speech laws about purpose? If not, what requirements might those laws place on RDS policies regarding purposes associated with thin data?

  • Possible Agreement: We as a WG need to agree on a purpose statement for the RDS.
  • Note that draft purpose statement developed last fall is contained in section 2.3 of working document posted at https://community.icann.org/x/p4xlAw
  • Possible Agreement: The answer is "no" for Question 4.1 (above) - that is, existing gTLD RDS policies do NOT sufficiently address compliance with applicable laws about purpose.

4. Confirm action items and proposed decision points

Action: Staff to develop poll to test the above-two possible agreements. WG members encouraged to participate in that poll.

Action: To prepare for cross-community and possibly WG session with Data Commissioners at Copenhagen, small group to develop a proposed list of questions for DCs, to be submitted to WG for review in next week or two. Seeking 1-2 volunteers from each SG or interest group, to nominate themselves on-list by Monday. Small group will have one week to complete draft list.

5. Confirm next meeting date: Wednesday, 22 February 2017 at 06.00 UTC

 

Materials

  • No labels