Summary of the sections of the EWG Report pertinent to privacy
I have been asked to summarize that portion of the EWG's Report pertaining to privacy, inclusive of the FAQs. Much of what is said can be gleaned from Pages 11-12 and Section VI of the report. Here goes:

-----------------------------------------------------------------------------

The EWG explicitly adopted that for the next generation RDS, registrants have a right to privacy and the reasonable expectation for the protection of their personal data, even when jurisdictions do not have data protection laws.

We explicitly recommended adoption of a policy framework of 'privacy from the start' and the implementation of mechanisms to introduce, harmonize and routinely reinforce this perspective; privacy by design.

We recommended adoption of several overarching legal principles as a framework:

*"Personal data must be:*

*· processed lawfully, fairly and in a transparent manner in relation to the data subject,*
*· collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes,*
*· adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed, and*
*· accurate and kept up-to-date as required for the specified purposes.*

*Lawful processing, including transfer and disclosure can be – subject to the relevant jurisdiction – based on:*

*• consent of the data subject,*
*• the necessity for the performance of a contract to which the data subject is party, and*
*• the necessity for compliance with a legal obligation to which the controller is subject."*

In addition, the Group adopted as principle a right of the data subject to access the information and a right to rectify inaccuracy in the information kept on them.
The report then outlined several ways privacy would be embraced and even enhanced in the next generation RDS:

- ICANN adopt and disseminate a privacy policy
- Add and use standard contract clauses that are harmonized with privacy and data protection laws and codified in policy
- A “rules engine” to apply data protection laws by jurisdiction
- a pre-validated Contact Directory which offers unique Contact IDs to deter personal data fraud
- a centralized interface from whence to access all gTLD registration data
- gated dataset beyond a small subset of RD for publication
- RDAP or EPP to access gTLD data in the several registration data stores
- purpose driven access to data inside the gate and only to users who disclose their identity, are authenticated, request gated data for a previously determined permissible purpose and are accountable. This includes law enforcement.
- An accredited Privacy/Proxy Service for general use
- An accredited Secure Protected Credentials Service for persons at risk and in instances where free speech rights may be denied or speakers persecuted.

-----------------------------------------------------------------------------

-Carlton

==============================
Carlton A Samuels
Mobile: 876-818-1799
*Strategy, Planning, Governance, Assessment & Turnaround*
==============================