Re: [gnso-dow123] Whois task force draft minutes 9 August 2005]

[Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>]

On 2005-08-11 23:31:55 +0200, GNSO Secretariat wrote:

>    Niklas Largergren responded that it was their interpretation
>    but not the European Union's position.  The Article 29 Working
>    Party was an informal group that gathered the data protection
>    commissioners from the 25 member states of the European Union
>    and they adopted the document but it did not mean that it was
>    the official view of the European Union.  

The Article 29 Working Party was, quite formally, created by article
29 of directive 95/46/EC -- I wonder what lead to the statement that
this was an "informal" group.  It is the most senior advisory body
on privacy that you can find in the European Union.  It would
probably be a good idea to take that group's view seriously, and not
dismiss it lightly.

>    The only body which could fully pronounce on the applicability
>    would be the Court of Justice and to a lesser extent the
>    European Commission.

This is technically true.  But it does not justify dismissing the
best advice that is available at this point of time, and replacing
it by the task force's (or, even worse, some particular
constituency's) own second-guessing.


Speaking of the IPC "backgrounder", I'm amazed by its discussion of
article 7 (e) and (f) of the directive.

To recall, the legal text:

| Article 7
| 
| Member States shall provide that personal data may be processed
| only if:

[...]

| e) processing is necessary for the performance of a task carried
| out in the public interest or in the exercise of official
| authority vested in the controller or in a third party to whom
| the data are disclosed; or

Note "necessary for the performance of a task." That is, if the IPC
can define a specific task that is carried out in the public
interest, then the processing *necessary* for that task is legal
under the directive.  There is a reason why the legal text here says
"necessary", not "convenient."

| f) processing is necessary for the purposes of the legitimate
| interests pursued by the controller or by the third party or
| parties to whom the data are disclosed, except where such
| interests are overridden by the interests for fundamental rights
| and freedoms of the data subject which require protection under
| Article 1 (1).

Note "interests pursued by the controller or by the third party or
parties to whom the data are disclosed." Note "necessary for the
purpose."


All the IPC "backgrounder" does with this legal text is to argue why
IP enforcement is in the public interest and/or a legitimate
purpose.

The "backgrounder" doesn't even bother to argue how *public*
disclosure of WHOIS information is (a) necessary (as opposed to
merely convenient) for the performance of that task / for the
purposes of the legitimate interest, and (b) compatible with 7 (f)'s
notion that the data are disclosed to certain parties that pursue
some interest (as opposed to anyone who asks).

However, this rather significant gap in its reasoning does not keep
the IPC "backgrounder" from jumping to conclusions and happily
proclaiming that a "free and public WHOIS data base, which
facilitates protection of intellectual property rights on the
Internet, is consistent with the Data Protection Directive."


Amazing.

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.