GNSO registration directory services (RDS) policy development process working group meeting

24 Mar 2017 01:00h

Event report

The Next Generation gTLD Registration Directory Service (RDS) to Replace WHOIS Policy Development Process Working Group was established with the aim to provide the Generic Names Supporting Organization (GNSO) Council with policy recommendations regarding two main questions:

’What are the fundamental requirements for gTLD registration data? Is a new policy framework and next-generation RDS needed to address these requirements?’

The agenda of the session was qualified as ‘unique’, as it aimed to present 19 questions that were developed for Cannataci. It was underlined that questions were developed with the aim to understand more the importance of data protection and privacy requirements in the context of the domain name system.

Cannataci addressed the following questions raised by the chair, in more depth: ‘What do you mean when you say ICANN to specify the purpose of domain name? What criteria should be used to determine the legitimate purposes? What is the difference between primary and secondary purposes?’

It was stated by Cannataci that ICANN needs to consider sustainability. He invited ICANN to look into setting up a transversal group which deals with privacy and other human rights, such as freedom of expression. The group would be open to others to join the discussion, and would help ‘bounce off’ important questions. He emphasised that ‘the purpose of collecting data remains the key’. It is important that the collection of ‘specific personal data’ is one in line with a specific purpose, which can never be a general one: “Jurisprudence does not say ‘Just in case I need it’.”

Addressing the question of primary and secondary purpose for data collection, he stated that it is not up to the regulators to define secondary purpose, and that this needs to be carefully stipulated by the data controller when he/she defines the goal of looking for data. ‘When you talk about the secondary purpose, please be specific and don’t expect or let regulator do it., Cannataci said.

Another question was raised in relation to the Article 6.1. b) of the EU Data Protection Directive which provides that personal data may only be collected for specified, explicitly and legitimate purpose and not further processed in a way incompatible with those purposes, specified in Article 7 of the Directive.

‘Under what circumstances might the publication of domain name registration data elements that are personal be allowable?’ Cannataci addressed the question stating that ‘we need to start from knowing whyat all we want to publish anything. If you what to publish personal data, then there must be a reason for it. What is the public interest for publishing the information? Is it transparency, for example?”

He continued by stating that once data is easily associated with an identified or identifiable individual, then it becomes personal data. , such as in the case of domain name, it becomes a personal information. If data related to a domain nameis linked to someone who is identifiable,  then it becomes a personal data.He concluded by saying that the question ‘What is the purpose of publishing (personal) data?’ should be the main question.

As the time  allocated for the session ended, it was said that the 19 questions would be further fine-tuned, and, once answers are collected, the could be published on the group’s webpage, if the members find that useful.