Human Rights and Privacy Frameworks
Hi All,
I know we need additional documents like a hole in the head, but "sensitive data" is going to be key to our WG evaluation. "Sensitive data" involves ethnicity and race, political opinions, religious beliefs, memberships, and more. "Sensitive data" in the EU and other countries has its own privacy protections for individuals and the institutions/organizations in which they exercise rights and fundamental freedoms.
The documents below are largely on our list already, but if not, I would like to add them; if they are on the list, I would like to flag the sections below for special inclusion in our summary for the WG:
1. /United Nations Universal Declaration of Human Rights/ Protects "sensitive data" surrounding "race, colour, sex, language, religious, political or other opinion, national or social origin, property, birth or other status." Particularly Article 2, /"Equality and Non-discrimination"/, http://ccnmtl.columbia.edu/projects/mmt/udhr/
2. /European Convention 108, Article 1 and Article 6:/ Addresses issues regarding "rights and fundamental freedoms" and "special categories of data" specifically related to race, political review, health and sexual life, religion, etc, that /"may not be processed automatically unless domestic law provides appropriate safeguards."/ Convention 108 is on our list already, but these sections may not have been flagged. /David and Lisa: has anyone selected this doc to summarize? If not, I will./
3. /European Data Protective Directive/ Article 8 addresses "sensitive data" issues pertaining to health or sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership. /Ditto - same question as above./
Best and tx,
Kathy
On 4/6/2016 5:57 AM, Kimpián Péter wrote:
Sorry, one minor issue to be clear: if we are in ICANN context in examples 3, 4 (not in EU general data protection legislation), then the same argumentation goes for me as in examples 1, 2.
best regards,
Peter
*From:* Kimpián Péter [mailto:kimpian.peter@naih.hu]
*Sent:* Wednesday, April 6, 2016 11:44 AM
*To:* 'Kathy Kleiman' <kathy@kathykleiman.com>; 'Monika.Zalnieriute@eui.eu' <Monika.Zalnieriute@eui.eu>; 'KWASNY Sophie' <Sophie.KWASNY@coe.int>; 'Stephanie Perrin' <stephanie.perrin@MAIL.UTORONTO.CA>
*Subject:* RE: Human Rights and Privacy
Dear Kathy, dear Stephanie, Monika and Sophie,
Thank you for the wonderful questions, these are very relevant ones. Some pieces of legislation and my understanding of them:
To always start with the highest level:
·*The Universal Declaration of Human Rights:* Article 2: /Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status. Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty./
·From a European point of view there are different human rights which are at stake in the examples you gave: rights of association, freedom of religion, freedom of opinion, principle of non-discrimination, rights to privacy, right to data protection, freedom of speech. Each of them has an extensive jurisprudence, mainly from the European Court of Human Rights, to determine the ways of their implementation and scope, limits. As for privacy and data protection: these rights are guaranteed for individuals, as you will see in CoE Convention 108 and in Directive 95/46:
o*Convention 108: Article 1 – Object and purpose:* /The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection")./
o You will see the same concept in the *EU Directive 95/46*: *Article 1 Object of the Directive*: /1. In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data./
o In the examples you mention the data controller has to deal with individuals' _“sensitive data”_ (as we call it in Europe). Our higher legislations call it “special categories of data” and they are protected in a greater way. Usually it is only in cases falling under exceptions that those data can be processed, but in any case additional safeguards have to be added when processing those data:
§*Convention 108: Article 6 – Special categories of data:* /Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions./
§*Exceptions*:
·/a, protecting State security, public safety, the monetary interests of the State or the suppression of criminal offences;/
·/b, protecting the data subject or the rights and freedoms of others./
§*Directive 95/46: Article 8, The processing of special categories of data*: /1. Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life./
§*Exceptions:* /2. Paragraph 1 shall not apply where:/
·/(a) the data subject has given his explicit consent to the processing of those data, except where the laws of the Member State provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject's giving his consent; or/
·/(b) processing is necessary for the purposes of carrying out the obligations and specific rights of the controller in the field of employment law in so far as it is authorized by national law providing for adequate safeguards; or/
·/(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his consent; or/
·/(d) processing is carried out in the course of its legitimate activities with appropriate guarantees by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; or/
·/(e) the processing relates to data which are manifestly made public by the data subject or is necessary for the establishment, exercise or defence of legal claims./
·/3. Paragraph 1 shall not apply where processing of the data is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject under national law or rules established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy./
·/4. Subject to the provision of suitable safeguards, Member States may, for reasons of substantial public interest, lay down exemptions in addition to those laid down in paragraph 2 either by national law or by decision of the supervisory authority./
·/5. Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority./
·/Member States may provide that data relating to administrative sanctions or judgements in civil cases shall also be processed under the control of official authority./
o*For religious questions* it is a bit more complicated. All European states have to guarantee the freedom of religion (which also means no interference, no discrimination on religious grounds, etc.) but the modality is in the states' hands. For this there are three ways: religious state, laic state and state in between. There is no religious state in Europe, which means in every country the government is divided from the governance of a religious organisation. There are several laic states in Europe, of which the most famous is France, where there is a strict separation of state and religion. There are a good number of in-between states like mine where the government supports actively and financially some religious organisations (and this is a never-ending debate on which ground they chose them and how much they like one or another).
_To sum up:_ there is no legislation which protects associations', groups', religious groups' rights to privacy or data protection, but every data related to them can be easily classified as sensitive, where in the majority of states there is a clear prohibition with narrowly interpreted exceptions, and as a minimum standard a better protection must be attributed to them and additional safeguards must be put in place.
Coming back to ICANN context and your examples:
1. For example, when individuals gather together to speak/write about minority religious, ethnic, political views and would prefer not to publish their physical location publicly → I would say that there is a contract between ICANN/Registrars and registrants, and if under this contract the individual wishes not to give consent for the publication of their address, ICANN/Registrars cannot overrule this non-consent by the RDS requirements (one is a human right, the other one is a public company policy). In my opinion only one contact detail as per the choice of the data subject would be sufficient to go public in ICANN context, which preferably would be the e-mail ID. It is for the Registrars to check under their contract that the email ID is adequate and serves the purpose (the domain name holder can be contacted through it). Furthermore, if it is about data which is sensitive or can be related to sensitive data, then even for non-public processing ICANN/Registrars should put additional safeguards in place.
2. Some minority religious groups, such as mosques in the US South or synagogues in certain regions → the same argumentation as above, and on top of it we speak here ab ovo about sensitive data (which can only be public with the deliberate and informed consent of the data subject, and additional safeguards have to be put in place).
3. If I am a home-based business, is there any protection under EU data protection law that would protect me from having to publish my home address → this is a more difficult one. I would say no in this case, because the data subject is doing business and it is a valid expectation to get to know the business's official address. Moreover it will fall under the exceptions mentioned above and will be prescribed by the law. So if I am teaching at home as a self-employed private business I have to reveal my home address as the place of the residence of the company. This is why all over Europe there are businesses which provide residence services for small and medium size businesses, which consist of providing their address as place of residence for the self-employed company (same as the privacy proxy services).
4. Would I be entitled to the privacy of my personal home even if I am engaged in business activities under data protection laws? → Well, no, for the reasons specified above. You can hide your home address most of the time if you are an individual, but if you start operating a business from your home there will be legislation which will foresee the publication of the address of the residence of your company. It is in your customers' interest to know the legal address of the company or business they are dealing with. Data protection is for individuals (for now).
Hope all this helps. If you have further questions, or you seek some more clarity on one or several issues, or you disagree, just let me know anytime.
Best regards,
Peter
*From:* Kathy Kleiman [mailto:kathy@kathykleiman.com]
*Sent:* Tuesday, April 5, 2016 7:58 PM
*To:* Monika.Zalnieriute@eui.eu; HUNGARY: Peter KIMPIAN <kimpian.peter@naih.hu>; KWASNY Sophie <Sophie.KWASNY@coe.int>; Stephanie Perrin <stephanie.perrin@MAIL.UTORONTO.CA>
*Subject:* Human Rights and Privacy
Hi Monika and Peter (I know Sophie is out of town),
/Based on the discussions of the RDS WG today, Stephanie and I were wondering if you could assist us in identifying human rights documents that protect the privacy rights of groups and associations?/ For example, when individuals gather together to speak/write about minority religious, ethnic, political views and would prefer not to publish their physical location publicly. Some minority religious groups, such as mosques in the US South or synagogues in certain regions, might choose to remove themselves from local maps to avoid easy targeting and would prefer not to list their physical address as a condition of obtaining a domain name to share the time of their services (with those who already know where to find them). /Is there Human Rights legislation that you can point us to that might protect the privacy of these groups and organizations?/
Data Protection and small business question -- If I am a home-based business, is there any protection under EU data protection law that would protect me from having to publish my home address? In the US, with such poor leave or flexibility for mothers, many women open their own businesses when their children are young. They work part-time, from home, often in a business-to-business context. /Is there any protection in the EU for such an arrangement? Would I be entitled to the privacy of my personal home even if I am engaged in business activities under data protection laws? I think so, but wanted to confirm.../
Best and tx! Kathy