[ALAC] Draft Principles for GDPR

Alan Greenberg alan.greenberg at mcgill.ca
Wed Jul 11 00:19:17 UTC 2018


Thanks Jonathan. You beat me to it.

The temp spec is what it is, and we may want to 
change it based on what we believe are "user" 
needs. I do not believe that the temp spec nor 
the EPDP need principles that echo what is in the 
GDPR. They are the premise under which this work 
will be done. So, for instance, the blurb below 
on consent is simply tailoring the GDPR consent 
rules to WHOIS (mentioning escrow, and 
registries). That is effectively a given (of 
course, consent applies ONLY to data that we 
cannot claim is essential to collect).

Jonathan's bullet point is the lead-in. The first 
question we need to address is WHY we want to or 
feel we need to contribute to this process. Or to 
be clearer, why do USERS (not registrants) even 
care how we implement GDPR with respect to WHOIS?

Alan

At 10/07/2018 05:27 PM, Jonathan Zuck wrote:

>Thanks Holly for getting this started.  I guess 
>what we’re after are some basic principles on 
>our perspective on the GDPR. The temp spec is 
>the temp spec so some of this will apply for 
>sure, if we reach some consensus on these but 
>there are areas that are simply part of the law 
>over which we don’t have influence. A principle might be something like
>
>    * The ALAC feels responsible to represent 
> the interests of non-registrants more so than 
> registrants as they represent the majority of users.
>I’m not saying we’ve agreed to that but 
>that’s the kind of filter we could send our reps in with?
>Jonathan
>
>
>From: ALAC 
><alac-bounces at atlarge-lists.icann.org> on behalf 
>of "h.raiche at internode.on.net" <h.raiche at internode.on.net>
>Reply-To: "h.raiche at internode.on.net" <h.raiche at internode.on.net>
>Date: Tuesday, July 10, 2018 at 5:22 PM
>To: ALAC List <alac at atlarge-lists.icann.org>, A t <staff at atlarge.icann.org>
>Subject: [ALAC] Draft Principles for GDPR
>
>Folks
>
>Since we all think principles are a good idea, I 
>have set down the basics from the Temporary Spec 
>- very simplistic, but it's a start.  What we 
>need now is discussion on the principles.
>
>Evin - I'm not sure if you have a new wiki page 
>for discussion on the temporary spec, but if not, would you create one.
>
>And Olivier - the Temporary Spec necessarily 
>will deal with access - at the least, guiding 
>principles, so whoever is on the EPDP will have 
>some guidance on our red lines on access.
>
>So please everyone - comments
>
>Thanks
>
>Holly
>
>
>Temporary Specification for gTLD Registration Data
>
>
>Principles for requirements to replace the RAA/Registry Requirements
>(within the context of compliance with the GDPR)
>
>Purpose of Collection of Data
>
>Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
>
>purpose is to coordinate the bottom-up, 
>multistakeholder development and implementation 
>of policies “[f]or which uniform or 
>coordinated resolution is reasonably necessary 
>to facilitate the openness, interoperability, 
>resilience, security and/or stability of the DNS 
>including, with respect to gTLD registrars and registries”
>Purpose includes
>
>·        resolution of disputes regarding the 
>registration of domain names (as opposed to the 
>use of such domain names, but including where 
>such policies take into account use of the domain names);
>
>·        maintenance of and access to accurate 
>and up-to-date information concerning registered names and name servers;
>
>·        procedures to avoid disruptions of 
>domain name registrations due to suspension or 
>termination of operations by a registry operator 
>or a registrar (e.g., escrow); and
>
>·        the transfer of registration data upon 
>a change in registrar sponsoring one or more registered names.
>
>
>
>the Bylaws specifically obligate ICANN, in 
>carrying out its mandate, to “adequately 
>address issues of competition, consumer 
>protection, security, stability and resiliency, 
>malicious abuse issues, sovereignty concerns, and rights protection”
>
>Geographic Coverage of EPDP Outcome:
>
>·      Apply globally or
>
>·      Apply only to European Economic Area (the coverage of the
>GDPR) and otherwise lesser requirements (existing RAA requirements?)
>
>Data Collected
>
>·      “Thick Whois” – based on the 
>differing uses of the data is listed in the purpose above – OR
>
>·      Some lesser amount of information
>
>Consent
>
>·      Registrants must be told, at the time of 
>collection, what personal information is 
>collected, why the collection is necessary to 
>achieve the purposes, who will have access and 
>in what circumstances access will be given to 
>what information, and all circumstances in which 
>the data will be transferred (to Registry, 
>Escrow) and where held. They must also be told 
>their consent can be withdrawn at any time (and 
>consequences of withdrawal) and how to withdraw consent
>
>Access to Data – Tiered access (largely what is 
>in the Technical Specification)
>
>·      Applies to all Registrants – natural or corporate persons
>
>·      Information generally publicly available
>
>o   Registrant name
>
>o   Anonymised email or other anonymous contact means
>
>·      Access to other personal information –
>
>o   Only to accredited entities (not individuals)–
>
>o   Only in specific circumstances that warrant access
>
>