My notes from the discussion with the Data Protection Commissioners on 13 March 2017
Greetings all, I took some notes during the Cross-Community Discussion with the Data Protection Commissioners on Monday, and thought I would share them as an informal resource in case you find them useful. Please find attached. Best wishes, Ayden Férdeline [linkedin.com/in/ferdeline](http://www.linkedin.com/in/ferdeline)
Thanks for sharing Sent from my iPhone
On Mar 18, 2017, at 12:27, Ayden Férdeline <icann@ferdeline.com> wrote:
Greetings all,
I took some notes during the Cross-Community Discussion with the Data Protection Commissioners on Monday, and thought I would share them as an informal resource in case you find them useful. Please find attached.
Best wishes,
Ayden Férdeline linkedin.com/in/ferdeline
<AydenFerdeline-Summary-DataProtectionCommissioners-13March17.pdf> _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thanks for the notes Ayden. Theo On 18-3-2017 18:27, Ayden Férdeline wrote:
Greetings all,
I took some notes during the Cross-Community Discussion with the Data Protection Commissioners on Monday, and thought I would share them as an informal resource in case you find them useful. Please find attached.
Best wishes,
Ayden Férdeline linkedin.com/in/ferdeline <http://www.linkedin.com/in/ferdeline>
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Ayden Thanks – it’s helpful. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/<http://www.blacknight.host/> http://blacknight.blog/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Ayden Férdeline <icann@ferdeline.com> Reply-To: Ayden Férdeline <icann@ferdeline.com> Date: Saturday 18 March 2017 at 18:27 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Greetings all, I took some notes during the Cross-Community Discussion with the Data Protection Commissioners on Monday, and thought I would share them as an informal resource in case you find them useful. Please find attached. Best wishes, Ayden Férdeline linkedin.com/in/ferdeline<http://www.linkedin.com/in/ferdeline>
Thank you! Nathalie On Saturday, March 18, 2017 3:20 PM, Michele Neylon - Blacknight <michele@blacknight.com> wrote: #yiv6696331078 #yiv6696331078 -- _filtered #yiv6696331078 {panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv6696331078 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv6696331078 #yiv6696331078 p.yiv6696331078MsoNormal, #yiv6696331078 li.yiv6696331078MsoNormal, #yiv6696331078 div.yiv6696331078MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:12.0pt;}#yiv6696331078 a:link, #yiv6696331078 span.yiv6696331078MsoHyperlink {color:blue;text-decoration:underline;}#yiv6696331078 a:visited, #yiv6696331078 span.yiv6696331078MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv6696331078 span.yiv6696331078EmailStyle17 {font-family:Calibri;color:windowtext;}#yiv6696331078 span.yiv6696331078msoIns {text-decoration:underline;color:teal;}#yiv6696331078 .yiv6696331078MsoChpDefault {font-size:10.0pt;} _filtered #yiv6696331078 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv6696331078 div.yiv6696331078WordSection1 {}#yiv6696331078 Ayden Thanks – it’s helpful. Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ http://blacknight.blog/ http://ceo.hosting/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265, Ireland Company No.: 370845 From: <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Ayden Férdeline <icann@ferdeline.com> Reply-To: Ayden Férdeline <icann@ferdeline.com> Date: Saturday 18 March 2017 at 18:27 To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Greetings all, I took some notes during the Cross-Community Discussion with the Data Protection Commissioners on Monday, and thought I would share them as an informal resource in case you find them useful. Please find attached. Best wishes, Ayden Férdeline linkedin.com/in/ferdeline _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here. “Data controllers should not fragment their policies depending on the territory. (GB, JC)” •••••••• While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view. ““The major treaty on data protection is Convention 108. And Convention 108 is open for signature to countries across the world. Uruguay has signed it. Tunisia has signed it. And another ten countries are now observers. And it is that convention [not the European Union’s GDPR] which has actually provided the standard with which more than another 100 countries around the world have followed.” (JC)” •••••••• I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that? ““Is there any other less intrusive method compared to mandatory publication that would serve the purpose of the WHOIS directories without all data being directly available online to everybody?” (GB)” •••••••• Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this. ““We would like to have more accountable data controllers. Controllers should do more homework and identify a sustainable policy, have an answer to different problems, identify relevant risk, allocate responsibilities, demonstrated [they] comply with the law and [they] have a suitable policy.” (GB)” •••••••• If we assume that ICANN is the data controller for much of the registration data, isn’t our task as a WG to help ICANN be more accountable? I suspect that it will be helpful for us to come back to most if not all of your notes as we move forward. In most cases, we are going to deliberate on the DC statements made and evaluate them in light of information from other sources. Chuck From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Ayden Férdeline Sent: Saturday, March 18, 2017 1:28 PM To: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Greetings all, I took some notes during the Cross-Community Discussion with the Data Protection Commissioners on Monday, and thought I would share them as an informal resource in case you find them useful. Please find attached. Best wishes, Ayden Férdeline linkedin.com/in/ferdeline<http://www.linkedin.com/in/ferdeline>
From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Gomes, Chuck via gnso-rds-pdp-wg Sent: Sunday, March 19, 2017 8:33 AM To: icann@ferdeline.com; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here. “Data controllers should not fragment their policies depending on the territory. (GB, JC)” ••••••••• While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view. ““The major treaty on data protection is Convention 108. And Convention 108 is open for signature to countries across the world. Uruguay has signed it. Tunisia has signed it. And another ten countries are now observers. And it is that convention [not the European Union’s GDPR] which has actually provided the standard with which more than another 100 countries around the world have followed.” (JC)” ••••••••• I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that? [SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si... If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified. ““Is there any other less intrusive method compared to mandatory publication that would serve the purpose of the WHOIS directories without all data being directly available online to everybody?” (GB)” ••••••••• Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this. [SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”. Scott
Thanks Scott. Chuck From: Hollenbeck, Scott Sent: Monday, March 20, 2017 7:12 AM To: Gomes, Chuck <cgomes@verisign.com>; 'icann@ferdeline.com' <icann@ferdeline.com> Cc: 'gnso-rds-pdp-wg@icann.org' <gnso-rds-pdp-wg@icann.org> Subject: RE: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Gomes, Chuck via gnso-rds-pdp-wg Sent: Sunday, March 19, 2017 8:33 AM To: icann@ferdeline.com<mailto:icann@ferdeline.com>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here. “Data controllers should not fragment their policies depending on the territory. (GB, JC)” •••••••• While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view. ““The major treaty on data protection is Convention 108. And Convention 108 is open for signature to countries across the world. Uruguay has signed it. Tunisia has signed it. And another ten countries are now observers. And it is that convention [not the European Union’s GDPR] which has actually provided the standard with which more than another 100 countries around the world have followed.” (JC)” •••••••• I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that? [SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si... If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified. ““Is there any other less intrusive method compared to mandatory publication that would serve the purpose of the WHOIS directories without all data being directly available online to everybody?” (GB)” •••••••• Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this. [SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”. Scott
I agree with Scott, gated access was an early agreement. It is worth noting that the data commissioners have asked for this before. (Offhand I cannot remember which documents, but I think it was a rhetorical question from Buttarelli....they are aware of the tiered access that some ccTLDs operate.) Regarding the numbers cited for COE's convention 108, I would have to check the transcript, but I recall the mention of over a hundred countries which have based their data protection laws on the COE convention. This number is different than countries who have ratified the convention....Canada, for instance, relied on the principles in both OECD Guidelines and Convention 108 for our privacy legislation, but are only observers, and have not signed on to the treaty. This is doubtless the case for many other countries. The point here is that the basic principles have been adopted in most data protection laws. Many countries of course based their legislation on the EU Directive 95/46 because they wanted to be deemed adequate at the same time, but 95/46 also was based on/congruent with COE 108. Stephanie Perrin On 2017-03-20 07:11, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
*From:*gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Gomes, Chuck via gnso-rds-pdp-wg *Sent:* Sunday, March 19, 2017 8:33 AM *To:* icann@ferdeline.com; gnso-rds-pdp-wg@icann.org *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017
Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here.
“Data controllers should not fragment their policies depending on the territory. (GB, JC)”
·While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view.
““The major treaty on data protection is Convention 108. And Convention 108 is open
for signature to countries across the world. Uruguay has signed it. Tunisia has signed
it. And another ten countries are now observers. And it is that convention [not the
European Union’s GDPR] which has actually provided the standard with which more
than another 100 countries around the world have followed.” (JC)”
·I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that?
[SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si...
If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified.
““Is there any other less intrusive method compared to mandatory publication that
would serve the purpose of the WHOIS directories without all data being directly
available online to everybody?” (GB)”
·Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this.
[SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”.
Scott
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Hi, I seem to remember (through a haze of jetlag) a discussion regarding getting input and thoughts from the ccTLD community – especially those based in the EU. Id like to suggest we pursue this. After an informal chat with a European ccTLD operator during one of the breaks it was clear their input (based on concrete experience) would be quite useful. Alex On 3/20/17, 12:12 PM, <gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree with Scott, gated access was an early agreement. It is worth noting that the data commissioners have asked for this before. (Offhand I cannot remember which documents, but I think it was a rhetorical question from Buttarelli....they are aware of the tiered access that some ccTLDs operate.) Regarding the numbers cited for COE's convention 108, I would have to check the transcript, but I recall the mention of over a hundred countries which have based their data protection laws on the COE convention. This number is different than countries who have ratified the convention....Canada, for instance, relied on the principles in both OECD Guidelines and Convention 108 for our privacy legislation, but are only observers, and have not signed on to the treaty. This is doubtless the case for many other countries. The point here is that the basic principles have been adopted in most data protection laws. Many countries of course based their legislation on the EU Directive 95/46 because they wanted to be deemed adequate at the same time, but 95/46 also was based on/congruent with COE 108. Stephanie Perrin On 2017-03-20 07:11, Hollenbeck, Scott via gnso-rds-pdp-wg wrote: From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Gomes, Chuck via gnso-rds-pdp-wg Sent: Sunday, March 19, 2017 8:33 AM To: icann@ferdeline.com<mailto:icann@ferdeline.com>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here. “Data controllers should not fragment their policies depending on the territory. (GB, JC)” · While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view. ““The major treaty on data protection is Convention 108. And Convention 108 is open for signature to countries across the world. Uruguay has signed it. Tunisia has signed it. And another ten countries are now observers. And it is that convention [not the European Union’s GDPR] which has actually provided the standard with which more than another 100 countries around the world have followed.” (JC)” · I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that? [SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si... If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified. ““Is there any other less intrusive method compared to mandatory publication that would serve the purpose of the WHOIS directories without all data being directly available online to everybody?” (GB)” · Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this. [SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”. Scott _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
I agree, it could be useful. Although one of the DP authorities (sadly I cannot remember which one) did point out that it was not a given that any ccTLD approach is necessarily legally correct. But the point is, various among them have consulted their DPAs and have a different approach than ICANN. Stephanie On 2017-03-20 18:15, Deacon, Alex wrote:
Hi,
I seem to remember (through a haze of jetlag) a discussion regarding getting input and thoughts from the ccTLD community – especially those based in the EU. Id like to suggest we pursue this.
After an informal chat with a European ccTLD operator during one of the breaks it was clear their input (based on concrete experience) would be quite useful.
Alex
On 3/20/17, 12:12 PM, <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree with Scott, gated access was an early agreement. It is worth noting that the data commissioners have asked for this before. (Offhand I cannot remember which documents, but I think it was a rhetorical question from Buttarelli....they are aware of the tiered access that some ccTLDs operate.)
Regarding the numbers cited for COE's convention 108, I would have to check the transcript, but I recall the mention of over a hundred countries which have based their data protection laws on the COE convention. This number is different than countries who have ratified the convention....Canada, for instance, relied on the principles in both OECD Guidelines and Convention 108 for our privacy legislation, but are only observers, and have not signed on to the treaty. This is doubtless the case for many other countries. The point here is that the basic principles have been adopted in most data protection laws.
Many countries of course based their legislation on the EU Directive 95/46 because they wanted to be deemed adequate at the same time, but 95/46 also was based on/congruent with COE 108.
Stephanie Perrin
On 2017-03-20 07:11, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Gomes, Chuck via gnso-rds-pdp-wg *Sent:* Sunday, March 19, 2017 8:33 AM *To:* icann@ferdeline.com <mailto:icann@ferdeline.com>; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017
Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here.
“Data controllers should not fragment their policies depending on the territory. (GB, JC)”
·While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view.
““The major treaty on data protection is Convention 108. And Convention 108 is open
for signature to countries across the world. Uruguay has signed it. Tunisia has signed
it. And another ten countries are now observers. And it is that convention [not the
European Union’s GDPR] which has actually provided the standard with which more
than another 100 countries around the world have followed.” (JC)”
·I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that?
[SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si...
If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified.
““Is there any other less intrusive method compared to mandatory publication that
would serve the purpose of the WHOIS directories without all data being directly
available online to everybody?” (GB)”
·Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this.
[SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”.
Scott
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>
Was a question asked of the data protection authorities if whois privacy where a *free* option, would that satisfy them? Sent from my iPhone
On Mar 20, 2017, at 18:20, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
I agree, it could be useful. Although one of the DP authorities (sadly I cannot remember which one) did point out that it was not a given that any ccTLD approach is necessarily legally correct. But the point is, various among them have consulted their DPAs and have a different approach than ICANN.
Stephanie
On 2017-03-20 18:15, Deacon, Alex wrote: Hi,
I seem to remember (through a haze of jetlag) a discussion regarding getting input and thoughts from the ccTLD community – especially those based in the EU. Id like to suggest we pursue this.
After an informal chat with a European ccTLD operator during one of the breaks it was clear their input (based on concrete experience) would be quite useful.
Alex
On 3/20/17, 12:12 PM, <gnso-rds-pdp-wg-bounces@icann.org on behalf of stephanie.perrin@mail.utoronto.ca> wrote:
I agree with Scott, gated access was an early agreement. It is worth noting that the data commissioners have asked for this before. (Offhand I cannot remember which documents, but I think it was a rhetorical question from Buttarelli....they are aware of the tiered access that some ccTLDs operate.)
Regarding the numbers cited for COE's convention 108, I would have to check the transcript, but I recall the mention of over a hundred countries which have based their data protection laws on the COE convention. This number is different than countries who have ratified the convention....Canada, for instance, relied on the principles in both OECD Guidelines and Convention 108 for our privacy legislation, but are only observers, and have not signed on to the treaty. This is doubtless the case for many other countries. The point here is that the basic principles have been adopted in most data protection laws.
Many countries of course based their legislation on the EU Directive 95/46 because they wanted to be deemed adequate at the same time, but 95/46 also was based on/congruent with COE 108.
Stephanie Perrin
On 2017-03-20 07:11, Hollenbeck, Scott via gnso-rds-pdp-wg wrote: From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Gomes, Chuck via gnso-rds-pdp-wg Sent: Sunday, March 19, 2017 8:33 AM To: icann@ferdeline.com; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017
Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here.
“Data controllers should not fragment their policies depending on the territory. (GB, JC)” · While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view.
““The major treaty on data protection is Convention 108. And Convention 108 is open for signature to countries across the world. Uruguay has signed it. Tunisia has signed it. And another ten countries are now observers. And it is that convention [not the European Union’s GDPR] which has actually provided the standard with which more than another 100 countries around the world have followed.” (JC)” · I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that?
[SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si...
If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified.
““Is there any other less intrusive method compared to mandatory publication that would serve the purpose of the WHOIS directories without all data being directly available online to everybody?” (GB)” · Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this.
[SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”.
Scott
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Sorry John, I don't think I understand the question. What do you mean by a *free* option, do you mean if proxy services were free, would that satisfy them? My answer to that question would be no, because WHOIS is only one disclosure instrument. There are still other issues that violate DP law, such as over-collection, over-disclosure upon request, failure to describe the purpose of processing, failure to explain subject access rights, illegal data retention, problematic transfer of personal data to jurisdictions which are not *adequate* according to Directive 95/46, etc. Not to put words in their mouths or anything.... We only got through 1 of our questions. Stephanie On 2017-03-20 19:24, John Bambenek wrote:
Was a question asked of the data protection authorities if whois privacy where a *free* option, would that satisfy them?
Sent from my iPhone
On Mar 20, 2017, at 18:20, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree, it could be useful. Although one of the DP authorities (sadly I cannot remember which one) did point out that it was not a given that any ccTLD approach is necessarily legally correct. But the point is, various among them have consulted their DPAs and have a different approach than ICANN.
Stephanie
On 2017-03-20 18:15, Deacon, Alex wrote:
Hi,
I seem to remember (through a haze of jetlag) a discussion regarding getting input and thoughts from the ccTLD community – especially those based in the EU. Id like to suggest we pursue this.
After an informal chat with a European ccTLD operator during one of the breaks it was clear their input (based on concrete experience) would be quite useful.
Alex
On 3/20/17, 12:12 PM, <gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of stephanie.perrin@mail.utoronto.ca <mailto:stephanie.perrin@mail.utoronto.ca>> wrote:
I agree with Scott, gated access was an early agreement. It is worth noting that the data commissioners have asked for this before. (Offhand I cannot remember which documents, but I think it was a rhetorical question from Buttarelli....they are aware of the tiered access that some ccTLDs operate.)
Regarding the numbers cited for COE's convention 108, I would have to check the transcript, but I recall the mention of over a hundred countries which have based their data protection laws on the COE convention. This number is different than countries who have ratified the convention....Canada, for instance, relied on the principles in both OECD Guidelines and Convention 108 for our privacy legislation, but are only observers, and have not signed on to the treaty. This is doubtless the case for many other countries. The point here is that the basic principles have been adopted in most data protection laws.
Many countries of course based their legislation on the EU Directive 95/46 because they wanted to be deemed adequate at the same time, but 95/46 also was based on/congruent with COE 108.
Stephanie Perrin
On 2017-03-20 07:11, Hollenbeck, Scott via gnso-rds-pdp-wg wrote:
*From:*gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Gomes, Chuck via gnso-rds-pdp-wg *Sent:* Sunday, March 19, 2017 8:33 AM *To:* icann@ferdeline.com <mailto:icann@ferdeline.com>; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017
Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here.
“Data controllers should not fragment their policies depending on the territory. (GB, JC)”
·While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view.
““The major treaty on data protection is Convention 108. And Convention 108 is open
for signature to countries across the world. Uruguay has signed it. Tunisia has signed
it. And another ten countries are now observers. And it is that convention [not the
European Union’s GDPR] which has actually provided the standard with which more
than another 100 countries around the world have followed.” (JC)”
·I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that?
[SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si...
If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified.
““Is there any other less intrusive method compared to mandatory publication that
would serve the purpose of the WHOIS directories without all data being directly
available online to everybody?” (GB)”
·Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this.
[SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”.
Scott
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Seems like a good idea Alex. We looked at the purpose statements for some ccTLDs after we started discussing purpose; as I recall we specifically looked at the one for .eu. The ones I saw weren’t very explicit so I am especially curious if they are considering making them more explicit to comply with the new directive. Chuck From: gnso-rds-pdp-wg-bounces@icann.org [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Deacon, Alex Sent: Monday, March 20, 2017 6:16 PM To: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>; gnso-rds-pdp-wg@icann.org Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Hi, I seem to remember (through a haze of jetlag) a discussion regarding getting input and thoughts from the ccTLD community – especially those based in the EU. Id like to suggest we pursue this. After an informal chat with a European ccTLD operator during one of the breaks it was clear their input (based on concrete experience) would be quite useful. Alex On 3/20/17, 12:12 PM, <gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> on behalf of stephanie.perrin@mail.utoronto.ca<mailto:stephanie.perrin@mail.utoronto.ca>> wrote: I agree with Scott, gated access was an early agreement. It is worth noting that the data commissioners have asked for this before. (Offhand I cannot remember which documents, but I think it was a rhetorical question from Buttarelli....they are aware of the tiered access that some ccTLDs operate.) Regarding the numbers cited for COE's convention 108, I would have to check the transcript, but I recall the mention of over a hundred countries which have based their data protection laws on the COE convention. This number is different than countries who have ratified the convention....Canada, for instance, relied on the principles in both OECD Guidelines and Convention 108 for our privacy legislation, but are only observers, and have not signed on to the treaty. This is doubtless the case for many other countries. The point here is that the basic principles have been adopted in most data protection laws. Many countries of course based their legislation on the EU Directive 95/46 because they wanted to be deemed adequate at the same time, but 95/46 also was based on/congruent with COE 108. Stephanie Perrin On 2017-03-20 07:11, Hollenbeck, Scott via gnso-rds-pdp-wg wrote: From: gnso-rds-pdp-wg-bounces@icann.org<mailto:gnso-rds-pdp-wg-bounces@icann.org> [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Gomes, Chuck via gnso-rds-pdp-wg Sent: Sunday, March 19, 2017 8:33 AM To: icann@ferdeline.com<mailto:icann@ferdeline.com>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: [EXTERNAL] Re: [gnso-rds-pdp-wg] My notes from the discussion with the Data Protection Commissioners on 13 March 2017 Thank you very much for doing this Ayden. I found it very helpful and share a few personal comments here. “Data controllers should not fragment their policies depending on the territory. (GB, JC)” ••••••• While I do not question that this point was made, I suspect that when we get into the policy and implementation phases we will likely encounter some issues where different jurisdictions have conflicting requirements and we may have to localize some requirements by jurisdiction. If I remember correctly, I think the EWG addressed this and that RDAP makes this possible to do from a technical point of view. ““The major treaty on data protection is Convention 108. And Convention 108 is open for signature to countries across the world. Uruguay has signed it. Tunisia has signed it. And another ten countries are now observers. And it is that convention [not the European Union’s GDPR] which has actually provided the standard with which more than another 100 countries around the world have followed.” (JC)” ••••••• I could be mistaken but I thought that there were over 50 countries that signed on to Convention 108. Am I mistaken on that? [SAH] I found the list of signatories here, Chuck: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/si... If I’m counting correctly there are 47 countries identified as states that have signed and ratified the convention. Three others are identified as “Non-Members of Council of Europe” who have ratified. ““Is there any other less intrusive method compared to mandatory publication that would serve the purpose of the WHOIS directories without all data being directly available online to everybody?” (GB)” ••••••• Isn’t this essentially a conclusion that the EWG arrived at? I would appreciate it if EWG members would comment on this. [SAH] This EWG member’s recollection is that we recommended implementation of gated access to serve the purpose “without all data being directly available online to everybody”. Scott _______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
participants (9)
-
Ayden Férdeline -
Deacon, Alex -
Gomes, Chuck -
Hollenbeck, Scott -
John Bambenek -
Michele Neylon - Blacknight -
nathalie coupet -
Stephanie Perrin -
theo geurts