Thanks Jonathan. You beat me to it.
The temp spec is what it is, and we may want to change it based on what
we believe are "user" needs. I do not believe that the temp
spec nor the EPDP need principles that echo what is in the GDPR. They are
the premise under which this work will be done. So, for instance, the
blurb below on consent is simply tailoring the GDPR consent rules to
WHOIS (mentioning escrow, and registries). That is effectively a given
(of course, consent applies ONLY to data that we cannot claim is
essential to collect).
Jonathan's bullet point is the lead-in. The first question we need to
address is WHY we want to or feel we need to contribute to this process.
Or to be clearer, why do USERS (not registrants) even care how we
implement GDPR with respect to WHOIS?
Alan
At 10/07/2018 05:27 PM, Jonathan Zuck wrote:
Thanks Holly for getting this
started. I guess what we’re after are some basic principles on
our perspective on the GDPR. The temp spec is the temp spec so
some of this will apply for sure, if we reach some consensus on these but
there are areas that are simply part of the law over which we don’t
have influence. A principle might be something like
- The ALAC feels responsible to represent the interests of
non-registrants more so than registrants as they represent the majority
of users.
I’m not saying we’ve agreed to that but that’s the kind of
filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf
of "h.raiche@internode.on.net"
<h.raiche@internode.on.net>
Reply-To: "h.raiche@internode.on.net"
<h.raiche@internode.on.net>
Date: Tuesday, July 10, 2018 at 5:22 PM
To: ALAC List <alac@atlarge-lists.icann.org>, A t
<staff@atlarge.icann.org>
Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics
from the Temporary Spec - very simplistic, but it's a start. What
we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the
temporary spec, but if not, would you create on.
And Olivier - the Temporary Spec necessarily will deal with access - at
the least, guiding principles, so whoever is on the EPDP will have some
guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry
Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec which is quoting from the ICANN
Bylaws:<
purpose is to coordinate the bottom-up, multistakeholder development
and implementation of policies “[f]or which uniform or coordinated
resolution is reasonably necessary to facilitate the openness,
interoperability, resilience, security and/or stability of the DNS
including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes
regarding the registration of domain names (as opposed to the use of such
domain names, but including where such policies take into account use of
the domain names);
· maintenance of and access to
accurate and up-to-date information concerning registered names and name
servers;
· procedures to avoid
disruptions of domain name registrations due to suspension or termination
of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration
data upon a change in registrar sponsoring one or more registered names.
the Bylaws specifically obligate ICANN, in carrying out its mandate, to
“adequately address issues of competition, consumer protection,
security, stability and resiliency, malicious abuse issues, sovereignty
concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area
(the coverage of the GD
R) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois” – based on the
differing uses of the data is listed in the purpose above OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of
collection, what personal information is collected, why the collection
is necessary to achieve the purposes, who will have access and in
what circumstances access will be given to what information, and
all circumstances in which the data will be transferred (to Registry,
Escrow) and where heldThey must also be told their consent can be
withdrawn at any time (and consequences of withdrawal) and how to
withdraw consent
Access to Data Tiered access (largelly what is in the Technical
Specification)
· Applies to all Registrants natural or
corporatte persons
· Information generally publicly
available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information
o Only to accredited entities (not individuals)
o Only in specific circumstances that warrant access
_______________________________________________
ALAC mailing list
ALAC@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/alac
At-Large Online:
http://www.atlarge.icann.org
ALAC Working Wiki:
https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALAC
)