Dear colleagues,

You might be interested to hear that the California passed new data protection legislation last week, the 2018 Consumer Privacy Act. For those interested, the International Association of Privacy Professionals (IAPP) has produced a comprehensive overview of the new law: https://iapp.org/news/a/analysis-the-california-consumer-privacy-act-of-2018/ 

I found the following excerpt from their analysis particularly relevant to ICANN:

"Some companies implemented many of their new privacy protection measures worldwide in the hopes of being able to avoid having to make further jurisdiction-specific updates for a while. The passage of the California Consumer Privacy Act has now raised the question as to whether these measures will be sufficient to the extent they reach California residents with their GDPR-related compliance measures. Unfortunately, the answer is largely, ‘No.’ 

Global companies can and should try to address the requirements of the California Consumer Privacy Act, EU GDPR and other privacy regimes simultaneously and holistically in the interest of efficiency.” 

The Human Rights Bylaw (which will come into effect when the WS2 recommendations are approved, likely in Q4 of this year) states that ICANN should be guided by the core value of “respecting internationally recognized human rights as required by applicable law.” 

The HR FoI recognizes that the notion of applicable law “is a dynamic concept inasmuch as laws, regulations, etcetera, change over time.” However, based on the GDPR experience, it seems like waiting for rights-related laws to become applicable may not be the best strategy in the long run. 

Once the bylaw comes into effect, ICANN org and each SO and AC will be required to develop policies and frameworks to take human rights into account and avoid human rights violations in policy-development and decision-making processes. Some have perceived this as an additional administrative burden, though it’s hard to contest the bylaw's relevance given the amount of time the community has spent discussing access, accreditation, EPDPs, and other topics spawned by GDPR, a piece of privacy — and therefore human rights-related — legislation.

I therefore see strategic potential in developing new compliance mechanisms for the human rights bylaw. Just as corporate human rights impact assessments serve to identify gaps and mitigate risks, multistakeholder ICANN HRIAs should be devised and incorporated to promote more holistic, efficient, and proactive self-governance.

Thoughts and comments are certainly welcome! And as a reminder, you can find a few resources on related work on the ICANN Human Rights website, here: https://icannhumanrights.net/documents/ 


Warm regards,
Collin

--
Collin Kurre
ARTICLE 19