Dear Lynn and All,
I wanted to say how much I appreciate Lynn posting the key regional data protection frameworks to the group. I think they are very important, and she and I have discussed the need for us to look at them more closely in relation to the Whois data. I hope we can do this soon!

Regarding sensitive vs private data, I wanted to add my views as an attorney who specializes in the area of data protection and privacy since starting my telecommunications practice in 1993. While sensitive data may focus on the areas of financial, birth, religion, health, and let's add political affiliation and sexual orientation, that's not where the story ends.

Data protection and privacy laws certainly consider home address, home phone number, and now cell phone data as "private" or "personal data." Certainly telecommunications laws in the US, as one example, regularly protect the right of a person to "opt-out" of sharing their home address or home phone number in a public directory as a matter of personal privacy.  In fact, opt-out in directories was chosen by a majority of Californians when last I researched it (and the state protects privacy as part of its state constitution) because home addresses and home phone numbers are considered very personal information, and worthy of protection.

These are the very elements that have been such an issue of controversy within the ICANN arena. Over the last decade, as part of the history of Whois within ICANN, at least four Data Protection Commissioners and their senior staffs have warned ICANN about the problems of this data, and its data protection implications. They are very concerned with the elements now collected and published in the Whois. I will gather their letters to ICANN and share them, as well as notes of the speeches they have given. I would like to request that we ask ICANN Staff to work with us on this important matter as well.

Ultimately, I do not think this is a matter for us to decide on (which may relieve everyone greatly). As many of you know, I have been thinking about this issue a great deal. I will be submitting a recommendation to our Team asking that GAC provide ICANN with clear information about relevant applicable laws, including data protection laws, and their guidance, based on these laws, as to the elements of the Whois now published. I'll distribute this before our meeting tomorrow.

All the best,
Kathy

Since data privacy is an area of specialization for me, I would like to offer a couple of
comments on the dialogue about privacy laws.

Although WHOIS data contains personal data, it does not have any data elements that are
considered to be "sensitive" in nature.  The focus and priority of data protection authorities throughout the world is on protection of sensitive data such as financial account details, date of birth, religious affiliations, medical conditions, etc.

For global, multi-national organizations who need to develop and maintain policies regarding the collection and use of personal data, there are multi-lateral privacy frameworks and principles that have been accepted and are well established including:

1) OECD Guidelines on the Protection of Privacy and Transborder Flows
2) UN Guidelines Concerning Computerized Personal Data Files
3) EU Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personsal Data and on the Free Movement of Such Data
4) APEC Privacy Framework

Since ICANN is headquartered in the State of California and the United States, I would note that California has an Office of Privacy Protection.  At the national level, the U.S. Federal Trade Commission has been accepted as the equivalent of a Data Protection Authority.

Hope these brief comments are helpful.
Lynn





 

_______________________________________________
Rt4-whois mailing list
Rt4-whois@icann.org
https://mm.icann.org/mailman/listinfo/rt4-whois



--