Welcome all of you to the Privacy sub-team. Thanks to all of you for volunteering.
Our task is first to collect information on privacy issues relevant to registration data. Then we will go on to decide how best to present that information for use of the working group - we may consolidate, summarise, prioritise etc in order to make the important information easily available. Hopefully the privacy experts on this group will help us locate the most important material, and make it easily digestible to the broader working group.
This is a link to the RDS PDP WG document that describes the approach the WG agreed upon: https://community.icann.org/download/attachments/58730879/RDS-PDP-Proposed-Summary-Approach.pdf
At this early stage, we are in collection mode - please send documents that you think will be valuable to the group. If you add a bit more information for context as to why you think it would be useful, that will probably be very helpful for later work.
Looking forward to working with you all.
David
Hello all,
I would like to introduce some material relating to the 'right to be forgotten' in Europe. Here's a court judgement <http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=11654>.
The protection of personal data in Europe is seen as a fundamental right on equal standing with all other human rights. The Court of Justice of the European Union has consistently held that any and all data processing must be subject to stringent proportionality assessments.
It has been unsuccessfully argued that allowing users to delete their data is an affront to other fundamental rights such as free speech. The Court of Justice of the EU has consistently ruled that if and when the privacy interests of the data subject outweigh the public interest, the individual should be able to enforce his or her 'right to be forgotten'.
This decision is something we should carefully consider when looking at how long we retain information for. Certainly once a domain name has expired, it would be difficult to justify under these rulings the continued storage of the sensitive personal information of registrants.
I appreciate that EU rulings do not necessarily impact Californian law, but hey, why not have a race to the top and adopt international best practices in privacy law… :-)
Best wishes,
Ayden Férdeline
Ayden,
EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Best regards,
Greg Shatan
Gregory S. Shatan | Partner
McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167
T: 212-609-6873 F: 212-416-7613
gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK | EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
Fully understand that, Greg, but the fact that ICANN is headquartered in a territory with objectively poor privacy laws does not mean we cannot look to respect the wishes of the 108 countries who do offer a general right to information privacy. Sorry if my views on this issue have come out, but yes, I support the principles of privacy-by-default, which in economically-advanced economies outside of the United States is not an abstract concept.
Best wishes,
Ayden
Ayden,
"Poor" is a subjective judgment, whether or not you put "objectively" before it. Equally subjective (at best) is the idea that the laws of "108 countries" or all "economically-advanced economies outside of the United States" can be reduced to a couple of catch-phrases. I'll disagree with the first subjective statement, and state that the second is impossible.
Thankfully, we will have the time in this Working Group to get beyond such advocacy positions to explore what the laws (potentially, of every country in the world?) say, how they can and have been interpreted and how they -- among a host of other factors -- might impact policy-making in this area.
Having the time, of course, is only part of the challenge. The means to explore those laws is something we have to grapple with -- and, as in any legal exploration, the difference between subjective advocacy and objective consideration is critically important.
Best regards,
Greg
I am disappointed by the tone that this discussion has taken already. Perhaps we can eliminate the prejudgment of positions that should be welcomed and freely examined.
Ayden, there are many intelligent positions which support the balance of legitimate privacy interests with consumer protection and anti-fraud/phishing/malware interests. Arguably, even the laws you cite are not as broadly applicable as you are attempting to present them here, taking into account the need to balance interests.
Frankly this dialogue is a fantastic demonstration of why complex legal issues should not be debated within ICANN working groups. We should seek independent review of these issues and (most importantly) the application of these laws to Whois/Registration Directory Services. This important issue shouldn’t be a he said/she said.
Thanks,
Kiran
Kiran Malancharuvil
Policy Counselor
MarkMonitor
415.222.8318 (t) 415.419.9138 (m)
www.markmonitor.com
On 29 Mar 2016, at 2:53 AM, Kiran Malancharuvil via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
> I am disappointed by the tone that this discussion has taken already. Perhaps we can eliminate the prejudgment of positions that should be welcomed and freely examined.
Indeed. Every document presented should be considered regardless of what position it might support.
> Ayden, there are many intelligent positions which support the balance of legitimate privacy interests with consumer protection and anti-fraud/phishing/malware interests.
And if you have documents that you feel summarise that case well I encourage you to submit them to the group. Documents that are both concise enough and broadly approachable enough that we can realistically hope for a large percentage of participants to read them are especially welcome.
> Arguably, even the laws you cite are not as broadly applicable as you are attempting to present them here, taking into account the need to balance interests.
Arguments of that level of detail probably are not that helpful, however, and if necessary should probably be discussed with the wider group.
> Frankly this dialogue is a fantastic demonstration of why complex legal issues should not be debated within ICANN working groups.
That seems an extreme conclusion to draw from discussion so far, and not that helpful.
> We should seek independent review of these issues and (most importantly) the application of these laws to Whois/Registration Directory Services. This important issue shouldn’t be a he said/she said.
That may well be a useful course of action, but it is certainly an issue for the broader group not this sub-team, which is concerned only with document collation and curation issues.
Regards
David
Hi,
On Mar 28, 2016, at 7:43 PM, Greg Shatan via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
> Ayden,
> EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Fair enough, but what I hope we as a group do take into consideration is how EU rulings impact our approach to how contracted parties that exist within the EU comply with contractual obligations with ICANN.
Thanks.
Amr
With great respect Greg, there is a field called privacy scholarship, and in that field folks absolutely do pay a great deal of attention to the rulings of the EU Court of Justice, and the opinions of the Article 29 working group. You are free to make the argument that thought leadership rests in the United States or anywhere else (Cate, Westin, etc) but there are a great many US privacy scholars who look to the EU for thought leadership (Reidenberg, Schwartz, Solove, Rotenberg, Nissenbaum, Gellman, I could go on but that might be tedious). So I think it is not really fair to rule out recent contributions if they are important, and the material Ayden is introducing certainly qualifies as important in my book. The fact is that there has been a struggle going on for the last 25 years between the US and Europe over the regulatory vs non-regulatory approach to privacy. Let's explicitly put that on the table and recognize our differences on this matter.
Kind regards
stephanie
Stephanie,
There is a HUGE difference between acknowledging that something is important to a field of study and crowning it the "top" and calling it an "international best practice."
Thanks,
Kiran
Perhaps, but I am defending, amongst other things, Ayden's use of the expression "race to the top". The Governance of Privacy: Policy Instruments in Global Perspective by Bennett and Raab (MIT Press 2006) is a highly regarded volume by two highly regarded political scientists. Their last chapter, containing their conclusions on governance is entitled "International Privacy Protection: A Race to the Top, the Bottom, or Somewhere Else?". It is often quoted. I think it would be helpful, as I indicated earlier, if we acknowledge this background tension on approaches to privacy.
Kind regards,
Stephanie Perrin
Hello All,
I’d like to chime in here. It is an important distinction being made by Kiran, and perhaps it is not the most useful way of approaching this exercise, to come in thinking there is an obvious answer, or best practice. There clearly is not a universally agreed set of principles we can turn to as of yet, which is why we find ourselves here trying to work through these issues as part of this PDP. It is something to be arrived at and it will require consideration of multiple stakeholder goals and needs. The tone we adopt at this early stage should reflect our willingness to be nuanced in this discussion and I think it will help us avoid a lot of roadblocks later on.
Having said that, I would like to once more draw attention to what Amr said.
"Fair enough, but what I hope we as a group do take into consideration is how EU rulings impact our approach to how contracted parties that exist within the EU comply with contractual obligations with ICANN."
Whether EU rulings on privacy can be judged to be international best practice, is not the question we should be attempting to answer here, at least not first and foremost. What we should be attempting to answer, is if there is anything within those rulings, which places limitations on what proposals we can arrive at with regards to what information is shared and with who. Once we answer that question, we can address the further question of whether these limitations are problematic enough to require us answering the more fundamental question of which countries' laws do we classify as limiting factors on this PDP and ICANN’s work in general? As Greg has stated elsewhere, perhaps we will find it within our remit to assess all countries for their privacy regulations before coming to this decision. If we are approaching this PDP with the notion that the most constrictive (or some could say, the most protective) regimes will be our standard of measurement, then we can probably agree, the EU’s rulings on data protection and privacy will be of greater relevance to this PDP than the privacy regulations of a country that offers fewer such constrictions/protections, whether it be the US, or Pakistan.
I think ultimately, we will have to answer the jurisdictional question at some stage, the question is whether we will choose to do it here and now. Will enough people within this process find EU privacy rulings too constrictive and worthy of causing ICANN contracted parties to have to ‘violate’? If so, does ICANN even have the ability to contractually demand this violation on behalf of contracted parties? These are big questions, and I by no means have an answer to them. But they naturally follow if we were to at some stage take issue with EU privacy rulings, whether we agree with Ayden that they count as international best practice or not. They are certainly of relevance, so thank you for bringing them up, Ayden.
Sana Ali
sana.ali2030@gmail.com
https://ca.linkedin.com/in/sanaali2030
Sana, You are leapfrogging a lot of steps and jumping to a lot of conclusions. In particular, there is certainly no agreement that "we are approaching this PDP with the notion that the most constrictive (or some could say, the most protective) regimes will be our standard of measurement." Using that as a platform to elevate a preferred set of laws above all others is premature, to say the least. We have not even reached the question of which countries' laws might apply at all, what their relevance might be, why and under what circumstances. The fundamental question is whether any countries' laws need to be limiting factors, not which countries' laws are limiting factors. To start with that second question is to distort our mission. As such, there can be no agreement that EU rulings are of greater relevance. Similarly, coming to the conclusion that what might be recommended by this WG would be a "violation" of any jurisdiction's law (which may or may not be what rests in a particular court ruling) is vastly premature (though tempting for those who would like it to be so). Whatever the factors we identify ("limiting" or otherwise), we will need to move from there to solutions. Identifying problems and advocating for a particular result is the easy part of the process, and if that's all we do, we will get nowhere. Finding a set of solutions that garner broad consensus (which by definition means moving away from the results you advocate and working to solve the problems you have identified) is the hard part. Best regards, Greg On Mon, Mar 28, 2016 at 4:48 PM, Sana Ali via Gnso-rds-pdp-privacy < gnso-rds-pdp-privacy@icann.org> wrote:
Hello All,
I’d like to chime in here. It is an important distinction being made by Kiran, and perhaps it is not the most useful way of approaching this exercise, to come in thinking there is an obvious answer, or best practice. There clearly is not a universally agreed set of principles we can turn to as of yet, which is why we find ourselves here trying to work through these issues as part of this PDP. It is something to be arrived at and it will require consideration of multiple stakeholder goals and needs. The tone we adopt at this early stage should reflect our willingness to be nuanced in this discussion and I think it will help us avoid a lot of roadblocks later on.
Having said that, I would like to once more draw attention to what Amr said.
"Fair enough, but what I hope we as a group do take into consideration is how EU rulings impact our approach to how contracted parties that exist within the EU comply with contractual obligations with ICANN.”
Whether EU rulings on privacy can be judged to be international best practice, is not the question we should be attempting to answer here, at least not first and foremost. What we should be attempting to answer, is if there is anything within those rulings, which places limitations on what proposals we can arrive at with regards to what information is shared and with who. Once we answer that question, we can address the further question of whether these limitations are problematic enough to require us answering the more fundamental question of which countries' laws do we classify as limiting factors on this PDP and ICANN’s work in general? As Greg has stated elsewhere, perhaps we will find it within our remit to assess all countries for their privacy regulations before coming to this decision. If we are approaching this PDP with the notion that the most constrictive (or some could say, the most protective) regimes will be our standard of measurement, then we can probably agree, the EU’s rulings on data protection and privacy will be of greater relevance to this PDP than the privacy regulations of a country that offers fewer such constrictions/protections, whether it be the US, or Pakistan.
I think ultimately, we will have to answer the jurisdictional question at some stage, the question is whether we will choose to do it here and now. Will enough people within this process find EU privacy rulings too constrictive and worthy of causing ICANN contracted parties to have to ‘violate’? If so, does ICANN even have the ability to contractually demand this violation on behalf of contracted parties? These are big questions, and I by no means have an answer to them. But they naturally follow if we were to at some stage take issue with EU privacy rulings, whether we agree with Ayden that they count as international best practice or not. They are certainly of relevance, so thank you for bringing them up, Ayden.
Sana Ali sana.ali2030@gmail.com https://ca.linkedin.com/in/sanaali2030
On Mar 28, 2016, at 4:02 PM, Kiran Malancharuvil via Gnso-rds-pdp-privacy < gnso-rds-pdp-privacy@icann.org> wrote:
Stephanie,
There is a HUGE difference between acknowledging that something is important to a field of study and crowning it the “top” and calling it an “international best practice.”
Thanks,
Kiran
*From:* gnso-rds-pdp-privacy-bounces@icann.org [ mailto:gnso-rds-pdp-privacy-bounces@icann.org <gnso-rds-pdp-privacy-bounces@icann.org>] *On Behalf Of *Stephanie Perrin via Gnso-rds-pdp-privacy *Sent:* Monday, March 28, 2016 12:38 PM *To:* gnso-rds-pdp-privacy@icann.org *Subject:* Re: [Gnso-rds-pdp-privacy] Privacy sub-group
With great respect Greg, there is a field called privacy scholarship, and in that field folks absolutely do pay a great deal of attention to the rulings of the EU Court of Justice, and the opinions of the Article 29 working group. You are free to make the argument that thought leadership rests in the United States or anywhere else (Cate, Westin, etc) but there are a great many US privacy scholars who look to the EU for thought leadership (Reidenberg, Schwartz, Solove, Rotenberg, Nissenbaum, Gellman, I could go on but that might be tedious). So I think it is not really fair to rule out recent contributions if they are important, and the material Ayden is introducing certainly qualifies as important in my book. The fact is that there has been a struggle going on for the last 25 years between the US and Europe over the regulatory vs non-regulatory approach to privacy. Lets explicitly put that on the table and recognize our differences on this matter. Kind regards stephanie
On 2016-03-28 13:43, Greg Shatan via Gnso-rds-pdp-privacy wrote:
Ayden,
EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Best regards,
Greg Shatan
*Gregory S. Shatan | Partner *McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167 T: 212-609-6873 F: 212-416-7613 gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
On Mon, Mar 28, 2016 at 12:01 PM, Ayden Fabien Férdeline < gnso-rds-pdp-privacy@icann.org> wrote:
Hello all,
I would like to introduce some material relating to the 'right to be forgotten' in Europe. Here's a court judgement <http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIn...>.
The protection of personal data in Europe is seen as a fundamental right on equal standing with all other human rights. The Court of Justice of the European Union has consistently held that any and all data processing must be subject to stringent proportionality assessments.
It has been unsuccessfully argued that allowing users to delete their data is an affront to other fundamental rights such as free speech. The Court of Justice of the EU has consistently ruled that if and when the privacy interests of the data subject outweigh the public interest, the individual should be able to enforce his or her 'right to be forgotten'.
This decision is something we should carefully consider when looking at how long we retain information for. Certainly once a domain name has expired, it would be difficult to justify under these rulings the continued storage of the sensitive personal information of registrants.
I appreciate that EU rulings do not necessarily impact Californian law, but hey, why not have a race to the top and adopt international best practices in privacy law… :-)
Best wishes,
Ayden Férdeline
On Sun, Mar 27, 2016 at 5:37 AM, David Cake via Gnso-rds-pdp-privacy < gnso-rds-pdp-privacy@icann.org> wrote:
Welcome all of you to the Privacy sub-team. Thanks to all of you for volunteering.
Our task is first to collect information on privacy issues relevant to registration data. Then we will go on to decide how best to present that information for use of the working group - we may consolidate, summarise, prioritise etc in order to make the important information easily available. Hopefully the privacy experts on this group will help us locate the most important material, and make it easily digestible to the broader working group.
This is a link to the RDS PDP WG document that describes the approach the WG agreed upon https://community.icann.org/download/attachments/58730879/RDS-PDP-Proposed-S...
At this early stage, we are in collection mode - please send documents that you think will be valuable to the group. If you add a bit more information for context as to why you think it would be useful, that will probably be very helpful for later work.
Looking forward to working with you all.
David
_______________________________________________ Gnso-rds-pdp-privacy mailing list Gnso-rds-pdp-privacy@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-privacy
Ayden Férdeline
+44.77.8018.7421
Fair enough, Greg. I did not by any means wish to imply we had agreement on how we were approaching this PDP, simply that these were questions that we would eventually need to deliberate on, along with its broader implications. I assure you, solutions are something everyone here is seeking, since I am willing to bet nobody wants to be working on this PDP fifteen years from now ;) As Chuck said, this is supposed to be a discussion guided by the team lead, and should have a narrower scope than the one we have currently bled into. I’ll wait for the prompt for comment on these matters, as we must to not complicate this process more than it already is.
Sana Ali sana.ali2030@gmail.com https://ca.linkedin.com/in/sanaali2030
On Mar 28, 2016, at 5:28 PM, Greg Shatan <gregshatanipc@gmail.com> wrote:
Sana,
You are leapfrogging a lot of steps and jumping to a lot of conclusions. In particular, there is certainly no agreement that "we are approaching this PDP with the notion that the most constrictive (or some could say, the most protective) regimes will be our standard of measurement." Using that as a platform to elevate a preferred set of laws above all others is premature, to say the least. We have not even reached the question of which countries' laws might apply at all, what their relevance might be, why and under what circumstances. The fundamental question is whether any countries' laws need to be limiting factors, not which countries' laws are limiting factors. To start with that second question is to distort our mission. As such, there can be no agreement that EU rulings are of greater relevance.
Similarly, coming to the conclusion that what might be recommended by this WG would be a "violation" of any jurisdiction's law (which may or may not be what rests in a particular court ruling) is vastly premature (though tempting for those who would like it to be so).
Whatever the factors we identify ("limiting" or otherwise), we will need to move from there to solutions. Identifying problems and advocating for a particular result is the easy part of the process, and if that's all we do, we will get nowhere. Finding a set of solutions that garner broad consensus (which by definition means moving away from the results you advocate and working to solve the problems you have identified) is the hard part.
Best regards,
Greg
On Mon, Mar 28, 2016 at 4:48 PM, Sana Ali via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
Hello All,
I’d like to chime in here. It is an important distinction being made by Kiran, and perhaps it is not the most useful way of approaching this exercise, to come in thinking there is an obvious answer, or best practice. There clearly is not a universally agreed set of principles we can turn to as of yet, which is why we find ourselves here trying to work through these issues as part of this PDP. It is something to be arrived at and it will require consideration of multiple stakeholder goals and needs. The tone we adopt at this early stage should reflect our willingness to be nuanced in this discussion and I think it will help us avoid a lot of roadblocks later on.
Having said that, I would like to once more draw attention to what Amr said.
"Fair enough, but what I hope we as a group do take into consideration is how EU rulings impact our approach to how contracted parties that exist within the EU comply with contractual obligations with ICANN.”
Whether EU rulings on privacy can be judged to be international best practice, is not the question we should be attempting to answer here, at least not first and foremost. What we should be attempting to answer, is if there is anything within those rulings, which places limitations on what proposals we can arrive at with regards to what information is shared and with who. Once we answer that question, we can address the further question of whether these limitations are problematic enough to require us answering the more fundamental question of which countries' laws do we classify as limiting factors on this PDP and ICANN’s work in general? As Greg has stated elsewhere, perhaps we will find it within our remit to assess all countries for their privacy regulations before coming to this decision. If we are approaching this PDP with the notion that the most constrictive (or some could say, the most protective) regimes will be our standard of measurement, then we can probably agree, the EU’s rulings on data protection and privacy will be of greater relevance to this PDP than the privacy regulations of a country that offers fewer such constrictions/protections, whether it be the US, or Pakistan.
I think ultimately, we will have to answer the jurisdictional question at some stage, the question is whether we will choose to do it here and now. Will enough people within this process find EU privacy rulings too constrictive and worthy of causing ICANN contracted parties to have to ‘violate’? If so, does ICANN even have the ability to contractually demand this violation on behalf of contracted parties? These are big questions, and I by no means have an answer to them. But they naturally follow if we were to at some stage take issue with EU privacy rulings, whether we agree with Ayden that they count as international best practice or not. They are certainly of relevance, so thank you for bringing them up, Ayden.
Sana Ali sana.ali2030@gmail.com https://ca.linkedin.com/in/sanaali2030
On Mar 28, 2016, at 4:02 PM, Kiran Malancharuvil via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
Stephanie,
There is a HUGE difference between acknowledging that something is important to a field of study and crowning it the “top” and calling it an “international best practice.”
Thanks,
Kiran
From: gnso-rds-pdp-privacy-bounces@icann.org [mailto:gnso-rds-pdp-privacy-bounces@icann.org] On Behalf Of Stephanie Perrin via Gnso-rds-pdp-privacy
Sent: Monday, March 28, 2016 12:38 PM
To: gnso-rds-pdp-privacy@icann.org
Subject: Re: [Gnso-rds-pdp-privacy] Privacy sub-group
With great respect Greg, there is a field called privacy scholarship, and in that field folks absolutely do pay a great deal of attention to the rulings of the EU Court of Justice, and the opinions of the Article 29 working group. You are free to make the argument that thought leadership rests in the United States or anywhere else (Cate, Westin, etc) but there are a great many US privacy scholars who look to the EU for thought leadership (Reidenberg, Schwartz, Solove, Rotenberg, Nissenbaum, Gellman, I could go on but that might be tedious). So I think it is not really fair to rule out recent contributions if they are important, and the material Ayden is introducing certainly qualifies as important in my book. The fact is that there has been a struggle going on for the last 25 years between the US and Europe over the regulatory vs non-regulatory approach to privacy. Let's explicitly put that on the table and recognize our differences on this matter.
Kind regards
stephanie
On 2016-03-28 13:43, Greg Shatan via Gnso-rds-pdp-privacy wrote:
Ayden,
EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Best regards,
Greg Shatan
Gregory S. Shatan | Partner McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167 T: 212-609-6873 F: 212-416-7613 gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
On Mon, Mar 28, 2016 at 12:01 PM, Ayden Fabien Férdeline <gnso-rds-pdp-privacy@icann.org> wrote:
Hello all,
I would like to introduce some material relating to the 'right to be forgotten' in Europe. Here's a court judgement <http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=11654>.
The protection of personal data in Europe is seen as a fundamental right on equal standing with all other human rights. The Court of Justice of the European Union has consistently held that any and all data processing must be subject to stringent proportionality assessments.
It has been unsuccessfully argued that allowing users to delete their data is an affront to other fundamental rights such as free speech. The Court of Justice of the EU has consistently ruled that if and when the privacy interests of the data subject outweigh the public interest, the individual should be able to enforce his or her 'right to be forgotten'.
This decision is something we should carefully consider when looking at how long we retain information for. Certainly once a domain name has expired, it would be difficult to justify under these rulings the continued storage of the sensitive personal information of registrants.
I appreciate that EU rulings do not necessarily impact Californian law, but hey, why not have a race to the top and adopt international best practices in privacy law… :-)
Best wishes,
Ayden Férdeline
On Sun, Mar 27, 2016 at 5:37 AM, David Cake via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
Welcome all of you to the Privacy sub-team. Thanks to all of you for volunteering.
Our task is first to collect information on privacy issues relevant to registration data. Then we will go on to decide how best to present that information for use of the working group - we may consolidate, summarise, prioritise etc in order to make the important information easily available. Hopefully the privacy experts on this group will help us locate the most important material, and make it easily digestible to the broader working group.
This is a link to the RDS PDP WG document that describes the approach the WG agreed upon https://community.icann.org/download/attachments/58730879/RDS-PDP-Proposed-S...
At this early stage, we are in collection mode - please send documents that you think will be valuable to the group. If you add a bit more information for context as to why you think it would be useful, that will probably be very helpful for later work.
Looking forward to working with you all.
David
Ayden Férdeline
+44.77.8018.7421
Dear All,
It was my understanding that we are supposed to discuss data protection and privacy frameworks that may impact the work of the larger RGS Working Group. To that end, I believe that the 1995 EU Data Protection Directive provides a framework that impels our evaluation. This is the framework for the data protection laws in Europe and a model for data protection laws globally.
In particular, I post the *"Obligations of data controllers"* on the European Commission's website at the link below. These obligations for data controllers include, among other requirements:
"Each *data controller* must respect the following rules as set out in the *Directive*:
- Personal Data must be processed legally and fairly;
- It must be *collected for explicit and legitimate purposes* and used accordingly;
- It must be adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;
- It must be *accurate,* and updated where necessary;
- Data controllers must ensure that data subjects can rectify, remove or block incorrect data about themselves;
- Data that identifies individuals (personal data) must not be kept any longer than strictly necessary;
- *Data controllers must protect personal data* against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks. They shall implement the appropriate security measures;
- These protection measures must ensure a level of protection appropriate to the data."
LINK: http://ec.europa.eu/justice/data-protection/data-collection/obligations/inde...
[Note: all emphasis in bold above is from the original text]
I certainly think that this is a framework of principles and legal obligations that draw our consideration in this subgroup and this WG. I also welcome the many newcomers to this WG and subgroup. We need your energy and input!
Best,
Kathy (Kleiman)
Stephanie,
With equal respect, I am fully aware of the field of privacy scholarship, and the related but distinct field of privacy advocacy. At no point did I state that attention should not be paid to rulings of the EU Court of Justice. (I will remain silent on the Article 29 Working Group....) Nor did I make any argument that any jurisdiction(s) have a monopoly or leading role in "thought leadership" in this area. So I think it is not really fair to imply (actually, state) that I wanted to "rule out" any recent contributions. Casting them as "the top" and "best practices" and other views as "objectively [sic] poor" is another thing entirely. I also did not seek to cast this as a scholarly battle between "US" and "Europe" or over "regulatory vs. non-regulatory" approaches to privacy. Of course, as I've been told many times, "ICANN is not a regulator...."
In any event, scholarship will only take us so far. Scholars have the luxury of not worrying about implementation or the concerns of varied stakeholders, and can engage in extended periods of beard-stroking before issuing pronouncements that echo only amongst the ivory towers (where free speech is being replaced by "trigger words" and "safe spaces" and the marketplace of ideas is being replaced by political correctness and the hounding of those with the temerity to disagree). We have no such luxury. So, while we should and must be well informed on scholarship and law (and legal scholarship), we also have to heed a variety of practical concerns coming from a variety of directions.
Best regards,
Greg
*Gregory S. Shatan | Partner* McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167 T: 212-609-6873 F: 212-416-7613 gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
On Mon, Mar 28, 2016 at 3:38 PM, Stephanie Perrin via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
With great respect Greg, there is a field called privacy scholarship, and in that field folks absolutely do pay a great deal of attention to the rulings of the EU Court of Justice, and the opinions of the Article 29 working group. You are free to make the argument that thought leadership rests in the United States or anywhere else (Cate, Westin, etc) but there are a great many US privacy scholars who look to the EU for thought leadership (Reidenberg, Schwartz, Solove, Rotenberg, Nissenbaum, Gellman, I could go on but that might be tedious). So I think it is not really fair to rule out recent contributions if they are important, and the material Ayden is introducing certainly qualifies as important in my book. The fact is that there has been a struggle going on for the last 25 years between the US and Europe over the regulatory vs non-regulatory approach to privacy. Let's explicitly put that on the table and recognize our differences on this matter.
Kind regards
stephanie
On 2016-03-28 13:43, Greg Shatan via Gnso-rds-pdp-privacy wrote:
Ayden,
EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Best regards,
Greg Shatan
*Gregory S. Shatan | Partner *McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167 T: 212-609-6873 F: 212-416-7613 gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
On Mon, Mar 28, 2016 at 12:01 PM, Ayden Fabien Férdeline <gnso-rds-pdp-privacy@icann.org> wrote:
Hello all,
I would like to introduce some material relating to the 'right to be forgotten' in Europe. Here's a court judgement <http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIn...>.
The protection of personal data in Europe is seen as a fundamental right on equal standing with all other human rights. The Court of Justice of the European Union has consistently held that any and all data processing must be subject to stringent proportionality assessments.
It has been unsuccessfully argued that allowing users to delete their data is an affront to other fundamental rights such as free speech. The Court of Justice of the EU has consistently ruled that if and when the privacy interests of the data subject outweigh the public interest, the individual should be able to enforce his or her 'right to be forgotten'.
This decision is something we should carefully consider when looking at how long we retain information for. Certainly once a domain name has expired, it would be difficult to justify under these rulings the continued storage of the sensitive personal information of registrants.
I appreciate that EU rulings do not necessarily impact Californian law, but hey, why not have a race to the top and adopt international best practices in privacy law… :-)
Best wishes,
Ayden Férdeline
On Sun, Mar 27, 2016 at 5:37 AM, David Cake via Gnso-rds-pdp-privacy < gnso-rds-pdp-privacy@icann.org> wrote:
Welcome all of you to the Privacy sub-team. Thanks to all of you for volunteering.
Our task is first to collect information on privacy issues relevant to registration data. Then we will go on to decide how best to present that information for use of the working group - we may consolidate, summarise, prioritise etc in order to make the important information easily available. Hopefully the privacy experts on this group will help us locate the most important material, and make it easily digestible to the broader working group.
This is a link to the RDS PDP WG document that describes the approach the WG agreed upon https://community.icann.org/download/attachments/58730879/RDS-PDP-Proposed-S...
At this early stage, we are in collection mode - please send documents that you think will be valuable to the group. If you add a bit more information for context as to why you think it would be useful, that will probably be very helpful for later work.
Looking forward to working with you all.
David
Ayden Férdeline +44.77.8018.7421
I think we certainly agree on your comment below Greg. Having recently worked on the WHOIS conflicts with law implementation group, I would suggest that the practical problems which the RAA data collection, disclosure, and retention requirements place on Registrars are a significant source of practical problems for them and for the end users whose rights are being insufficiently respected. Some of us regard the advice that ICANN has received from the EU commissioners on these matters as best practice. I am in that group.
cheers
Stephanie
On 2016-03-28 16:15, Greg Shatan wrote:
we also have to heed a variety of practical concerns coming from a variety of directions.
Stephanie,
Thanks for your opinion. Identifying problems is a part of what we must do here (or anywhere for that matter). Creating solutions is another big part, and ultimately the one that defines our success. I like to say that lawyers are in the solutions business, unless they want to act like they are in the problems business. I think that has wide applicability beyond the legal profession, and particularly in the making of policy.
Best,
Greg
*Gregory S. Shatan | Partner* McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167 T: 212-609-6873 F: 212-416-7613 gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
On Mon, Mar 28, 2016 at 4:25 PM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
I think we certainly agree on your comment below Greg. Having recently worked on the WHOIS conflicts with law implementation group, I would suggest that the practical problems which the RAA data collection, disclosure, and retention requirements place on Registrars are a significant source of practical problems for them and for the end users whose rights are being insufficiently respected. Some of us regard the advice that ICANN has received from the EU commissioners on these matters as best practice. I am in that group.
cheers
Stephanie
On 2016-03-28 16:15, Greg Shatan wrote:
we also have to heed a variety of practical concerns coming from a variety of directions.
The purpose of this sub-group is simply to decide what material is relevant and useful to the working group's deliberation, and help produce summaries etc that will guide the WG through the large amount of relevant material.
Whether or not EU principles represent international best practice or are otherwise desirable for other jurisdictions is not a helpful debate to have in this sub-group. Some ICANN registrars are within EU jurisdictions, and so must comply with those rules, so it is relevant. Thank you Ayden for identifying some material that you feel is relevant to this working group's work.
David
On 29 Mar 2016, at 1:43 AM, Greg Shatan <gregshatanipc@gmail.com> wrote:
Ayden,
EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Best regards,
Greg Shatan
Gregory S. Shatan | Partner McCARTER & ENGLISH, LLP
245 Park Avenue, 27th Floor | New York, New York 10167 T: 212-609-6873 F: 212-416-7613 gshatan @mccarter.com | www.mccarter.com
BOSTON | HARTFORD | STAMFORD | NEW YORK | NEWARK EAST BRUNSWICK | PHILADELPHIA | WILMINGTON | WASHINGTON, DC
On Mon, Mar 28, 2016 at 12:01 PM, Ayden Fabien Férdeline <gnso-rds-pdp-privacy@icann.org> wrote:
Hello all,
I would like to introduce some material relating to the 'right to be forgotten' in Europe. Here's a court judgement <http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=11654>.
The protection of personal data in Europe is seen as a fundamental right on equal standing with all other human rights. The Court of Justice of the European Union has consistently held that any and all data processing must be subject to stringent proportionality assessments.
It has been unsuccessfully argued that allowing users to delete their data is an affront to other fundamental rights such as free speech. The Court of Justice of the EU has consistently ruled that if and when the privacy interests of the data subject outweigh the public interest, the individual should be able to enforce his or her 'right to be forgotten'.
This decision is something we should carefully consider when looking at how long we retain information for. Certainly once a domain name has expired, it would be difficult to justify under these rulings the continued storage of the sensitive personal information of registrants.
I appreciate that EU rulings do not necessarily impact Californian law, but hey, why not have a race to the top and adopt international best practices in privacy law… :-)
Best wishes,
Ayden Férdeline
On Sun, Mar 27, 2016 at 5:37 AM, David Cake via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
Welcome all of you to the Privacy sub-team. Thanks to all of you for volunteering.
Our task is first to collect information on privacy issues relevant to registration data. Then we will go on to decide how best to present that information for use of the working group - we may consolidate, summarise, prioritise etc in order to make the important information easily available. Hopefully the privacy experts on this group will help us locate the most important material, and make it easily digestible to the broader working group.
This is a link to the RDS PDP WG document that describes the approach the WG agreed upon https://community.icann.org/download/attachments/58730879/RDS-PDP-Proposed-S...
At this early stage, we are in collection mode - please send documents that you think will be valuable to the group. If you add a bit more information for context as to why you think it would be useful, that will probably be very helpful for later work.
Looking forward to working with you all.
David
_______________________________________________ Gnso-rds-pdp-privacy mailing list Gnso-rds-pdp-privacy@icann.org <mailto:Gnso-rds-pdp-privacy@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-privacy <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-privacy>
Ayden Férdeline +44.77.8018.7421 <tel:%2B44.77.8018.7421> _______________________________________________ Gnso-rds-pdp-privacy mailing list Gnso-rds-pdp-privacy@icann.org <mailto:Gnso-rds-pdp-privacy@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-privacy <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-privacy>
Dear all,
I agree again with David Cake. Let's focus on our topic. Stereotypes are not good advisors for security/data privacy/data protection.
On Tue, 29 Mar 2016 at 06:28, David Cake via Gnso-rds-pdp-privacy <gnso-rds-pdp-privacy@icann.org> wrote:
The purpose of this sub-group is simply to decide what material is relevant and useful to the working group's deliberation, and help produce summaries etc that will guide the WG through the large amount of relevant material.
Whether or not EU principles represent international best practice or are otherwise desirable for other jurisdictions is not a helpful debate to have in this sub-group. Some ICANN registrars are within EU jurisdictions, and so must comply with those rules, so it is relevant. Thank you Ayden for identifying some material that you feel is relevant to this working group's work.
David
On 29 Mar 2016, at 1:43 AM, Greg Shatan <gregshatanipc@gmail.com> wrote:
Ayden,
EU rulings do not necessarily impact the law in the rest of the world, much less California. I would not categorize an attempt to embrace EU principles as a "race to the top" nor would I categorize those principles as "international best practices." Certainly, we as a group should not adopt such attitudes. But, hey, it's nice to know where you stand.
Best regards,
Greg Shatan
-- Best regards, @__f_f__
Dear All,
If we are to look at Privacy as a global issue which is a fact, we cannot rule out the fact that there are already some territories that have drafted their own policy on Data Privacy and Protection. I would not like to reference at this moment to specific documentation taking a global perspective,
I agree with @Farell that we need to focus on the topic, the documentation listed in this case of Europa does not provide a full benchmark in the drafting of the RDS Privacy policy and we can come up with a standard.
First and foremost, any institution that is subjected to gathering of data becomes a data handler and the data of the subject must be subject to privacy, before any data must be shared to the third party then there must be consent to share the data.
There should be a benchmark of the data that is shared to third parties for the data to be shared.
When it comes to the WHOIS Database, the information shared is worth too much that poses a security risk to the registrant which includes but is not limited to spam, hacks, attacks to mention based on access.
There is an improvision of Domain Privacy but it only protects the user information which I feel leaves a security gap.
Secondly following the statement made by @David
" ... Whether or not EU principles represent international best practice or are otherwise desirable for other jurisdictions is not a helpful debate to have in this sub-group. Some ICANN registrars are within EU jurisdictions, and so must comply with those rules, so it is relevant..."
I agree, the EU principles should be a guide as EU does not necessarily represent other territories that are not included in the EU. Every registrant must comply with the rules and policies of their respective territories and where there is need to stretch into other respective regions, then a guiding territorial policy works best as a benchmark with reference to both territories' privacy policies. This means there is need for a Global Policy Benchmark that references to cross territorial cases regarding to the respective privacy policy of the data handlers.
This is where once there is breach of privacy and it cuts across territorial boundaries then International Policy takes rule.
Regards
Nanghaka Daniel K.
Executive Director - ILICIT Africa / Council Member - FOSSFA / Community Lead - ISOC Uganda Chapter
Mobile +256 772 898298 (Uganda) Skype: daniel.nanghaka
"Working for Africa"
For those interested in which countries have privacy law, I think Graham Greenleaf's table is a good reference: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2603502
cheers
Stephanie Perrin
David,
I would like to ask a question and then add some new documents for our evaluation of privacy and data protection frameworks.
Question: What percentage of gTLD Registries and Registrars operate in and/or have customers in countries with data protection laws?
Document/s: The following documents provide insight into various data protection laws and privacy rights that exist in various countries, regions and states around the world:
1) Maximillian Schrems v Data Protection Commissioner. Judgment of the Court (Grand Chamber) of 6 October 2015. The recent decision of the European Court of Justice stating that Safe Harbour which allowed data flows between the EU and US was invalid. Judgment and Opinion at http://curia.europa.eu/juris/liste.jsf?pro=&lgrec=en&nat=or&oqp=&dates=&lg=&...
2) The new EU-U.S. Privacy Shield announced at the end of February 2016 for commercial data flows -- http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm
3) US Supreme Court Case - McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995). US Supreme Court overturned a state law that required a person to put her name and address on political pamphlets and materials as an unconstitutional violation of the First Amendment. The Court opinion states:
"Anonymous pamphlets, leaflets, brochures and even books have played an important role in the progress of mankind." Talley v. California, 362 U.S. 60, 64 (1960). Great works of literature have frequently been produced by authors writing under assumed names. [n.4] Despite readers' curiosity and the public's interest in identifying the creator of a work of art, an author generally is free to decide whether or not to disclose her true identity. The decision in favor of anonymity may be motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of one's privacy as possible. Whatever the motivation may be, at least in the field of literary endeavor, the interest in having anonymous works enter the marketplace of ideas unquestionably outweighs any public interest in requiring disclosure as a condition of entry. [n.5] Accordingly, an author's decision to remain anonymous, like other decisions concerning omissions or additions to the content of a publication, is an aspect of the freedom of speech protected by the First Amendment.
4) The Constitution of the State of California: Article 1, section 1 gives each citizen an "inalienable right" to pursue and obtain "privacy": "SECTION 1. All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy." http://www.leginfo.ca.gov/.const/.article_1
Best,
Kathy
Ayden
Are you specifically referring to retention of registration / registrant data post-expiry or something broader?
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
http://www.blacknight.host/ http://blog.blacknight.com/ http://ceo.hosting/
Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090
Blacknight Internet Solutions Ltd, Unit 12A, Barrowside Business Park, Sleaty Road, Graiguecullen, Carlow, Ireland Company No.: 370845
participants (11)
- Amr Elsadr
- Ayden Fabien Férdeline
- DANIEL NANGHAKA
- David Cake
- Farell Folly
- Greg Shatan
- Kathy Kleiman
- Kiran Malancharuvil
- Michele Neylon - Blacknight
- Sana Ali
- Stephanie Perrin