If the subject loses control over her data at a certain point in time, wouldn't it be possible to ask the new controller (ICANN) to obtain consent before control is being handed over? If you can get consent from users for other uses of the data, then the data can be used for other purposes.
With respect to cookies, you just have to inform the user and give her the option of opting out. But the use of other sensitive personal data for other purposes could probably require an opt-in concept.
The system would vary across the EU, as data protection laws are crafted by member state governments.
In Germany, it might be an opt-in, whereas in the U.K. it could be an opt-out. Registrars and companies will have to follow the rules set out by the data protection office in the country where they are located. This isn’t likely to be based on where the user is located.
The issue could become more complicated if EU member states decide that the PII collection issue isn't just a data protection issue but also a consumer protection issue. In those cases, companies would have to tailor their policies to align with local rules.
So for those companies situated in Ireland, they will claim that the Irish law will apply. But Germans might make the case that this is a consumer protection issue and that their laws might have to apply as well to German users. Some German courts have ruled that this isn’t just a data protection issue but also a consumer protection issue. What a mess!
Could an opt-in scheme prevent the conundrum of the application of local data laws, as far as ICANN is concerned? Opt-in requirements are more stringent than opt-out, of course. What would happen if the subject refused to allow for multiple uses of her data? Then, unauthorized uses of her data would be illegal, unless a company can prove that by not allowing multiple uses of her data, the subject would violate a higher obligation of the company to prevent online fraud or hacking, for example.
Is retaining this data for an indefinite amount of time resulting in indiscriminate data retention? The principle of proportionality has to be applied to measure the need for data retention with regard to its final purpose. An example of non-proportionate data retention is what Google is doing now, holding this data indefinitely.
Is there a "legitimate interest" for ICANN to retain this data indefinitely? The list of possible "legitimate interests" includes the prevention of online fraud, consumer protection, the security of the DNS, ... (Please add to this non-exhaustive list). Requiring ICANN to delete the data after a certain period of time would alleviate issues linked to data security, reduce the security burden of data controllers, and maybe contribute to a safer environment for the data subject. But it is also in contradiction with the wish of certain PDP participants to have the RDS reflect the life-cycle of the domain.
As an end-user advocate, I must say this is the solution which seems to make more sense for the group of people I claim to represent. We have two fronts to defend: privacy and security.
Nathalie
On Sunday, September 11, 2016 11:40 AM, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
Two comments:
1. This is a PDP. We do not base our actions on what is in an ICANN
policy, but it is our job to decide what is in the policies (in relation
to our topic).
2. ICANN is here for far more than to enforce its own policies. We must
ensure that the policies and all they imply address the public interest.
If we judge that something related to the RDS (or whatever) is in the
public interest, our job is to see that it happens or can happen. That is
complex, because there are clearly multiple conflicting desires/needs,
but we ARE supposed to be factoring them all in.
Alan
At 09/09/2016 02:26 PM, Mark Svancarek via gnso-rds-pdp-wg wrote:
Greg, I disagree with your conclusion here:
I do know that published
registration data has uses and justifications for its existence and use
other than managing the domain's lifecycle. For example there is
the need to identify a registrant for various legal purposes, some of
which (like UDRP) are enshrined in current ICANN policy. So
"supporting the lifecycle" may be a mechanical and possibly
exclusionary or reductive lens through which to view the issues.
If something is enshrined in ICANN policy, and one is obligated to do it,
then it is very much part of “supporting the lifecycle” in my
opinion. It’s a task within the Registered portion chart to which
you’ve linked.
Ironically, I think you may be the one applying an exclusionary or
reductive lens.
/marksv
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg