I have been asked to summarize that portion of the EWG's Report pertaining to privacy, inclusive of the FAQs.
Much of what is said can be gleaned from Pages 11-12 and Section VI of the report. Here goes:
-----------------------------------------------------------------------------
The EWG explicitly adopted that for the next generation RDS, registrants have a right to privacy and the reasonable expectation for the protection of their personal data, even when jurisdictions do not have data protection laws. We explicitly recommended adoption of a policy framework of 'privacy from the start' and the implementation of mechanisms to introduce, harmonize and routinely reinforce this perspective; privacy by design.
We recommended adoption of several overarching legal principles as a framework:
"Personal data must be:
· processed lawfully, fairly and in a transparent manner in relation to the data subject,
· collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes,
· adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed, and
· accurate and kept up-to-date as required for the specified purposes.
Lawful processing, including transfer and disclosure can be – subject to the relevant jurisdiction – based on:
· consent of the data subject,
· the necessity for the performance of a contract to which the data subject is party, and
· the necessity for compliance with a legal obligation to which the controller is subject."
In addition, the Group adopted as principle a right of the data subject to access the information and a right to rectify inaccuracy in the information kept on them.
The report then outlined several ways privacy would be embraced and even enhanced in the next generation RDS:
- ICANN adopt and disseminate a privacy policy
- Add and use standard contract clauses that are harmonized with privacy and data protection laws and codified in policy
- A “rules engine” to apply data protection laws by jurisdiction
- A pre-validated Contact Directory which offers unique Contact IDs to deter personal data fraud
- A centralized interface from whence to access all gTLD registration data
- Gated dataset beyond a small subset of RD for publication
- RDAP or EPP to access gTLD data in the several registration data stores
- Purpose-driven access to data inside the gate and only to users who disclose their identity, are authenticated, request gated data for a previously determined permissible purpose and are accountable. This includes law enforcement.
- An accredited Privacy/Proxy Service for general use
- An accredited Secure Protected Credentials Service for persons at risk and in instances where free speech rights may be denied or speakers persecuted.
--------------------------------------------------------------------------------------------
-Carlton