[NCUC-DISCUSS] ICANN privacy policy

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Thu Mar 27 06:14:23 CET 2014


Data protection law does not arrange itself around the way ICANN governs itself, or dictates the collection, use and disclosure of personal information to its stakeholders, and to the public which it governs through contractual reach.  I propose to sketch what a data protection policy would look like, if I were coming in here to draft for the organization.  Process:  first you interview people, collect documents, map the data elements and data flows.  I think I know enough to do that briefly now.  Then you map it to the framework… I am going to use an old amalgamated framework I did when working at the standards body in Europe (CEN/ISSS) because it is rather neutral.  That gives us elements for each principle.
Does that explanation help?  A privacy policy is a discrete instrument that is well known to folks in the privacy realm; we cannot draft a new ICANN-style instrument any more than we could dictate to any other regulatory instrument how they would adjust to our multi-stakeholder environment…
I think once you see the draft, you will understand.  Right now what we have is a web declaration, that denies all liability.  Not quite adequate for the 21st century, at least in my view.
cheers Stephanie
On Mar 27, 2014, at 1:13 AM, Amr Elsadr <aelsadr at egyptig.org> wrote:

> Hi Stephanie,
> 
> I think it is important to decide early on whether we are going to have separate discussions regarding ICANN’s privacy and data protection policies within their own corporate practices and within the policies developed through the GNSO impacting obligations imposed on contracted parties, or not.
> 
> The first group is focused more on privacy and data protection policies in place when using ICANN services (such as their website, email lists, etc…), the use of the online new gTLD application form and policies affecting their own human resources. The second group is focused more on discussions relevant to domain name registration data services (whois), privacy/proxy services and data retention practices, all of which are either specified, or will be specified, in the Registrar Accreditation Agreement (RAA).
> 
> I believe the EWG recommendations explore both, and I imagine that there are folks who would like to make contributions on both fronts. I bring this up because you said in your last email:
> 
> On Mar 27, 2014, at 11:04 AM, Stephanie Perrin <stephanie.perrin at mail.utoronto.ca> wrote:
> 
>> I don’t wish to stifle discussion, but the development of a privacy policy which is compliant to law is a matter which requires detailed knowledge of data protection law.  Our criticism was that the one they have does not comply, and I feel very comfortable making that assertion and going about proving it.  We should perhaps separate discussion of broader privacy issues, and the preparation of the draft.
> 
> I’m not clear on what you mean by this.
> 
> Thanks.
> 
> Amr


