[gnso-thickwhoispdp-wg] Personal Data handling contractual basis
As I was reading up on the changes in the new gTLD agreement, I strayed into section 2.18, which may be relevant for our discussion.

> 2.18 Personal Data. Registry Operator shall (i) notify each ICANN-accredited registrar that is a party to the registry-registrar agreement for the TLD of the purposes for which data about any identified or identifiable natural person ("Personal Data") submitted to Registry Operator by such registrar is collected and used under this Agreement or otherwise and the intended recipients (or categories of recipients) of such Personal Data, and (ii) *require such registrar to obtain the consent of each registrant in the TLD for such collection and use of Personal Data*. Registry Operator shall take reasonable steps to protect Personal Data collected from such registrar from loss, misuse, unauthorized disclosure, alteration or destruction. Registry Operator shall not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars.

Essentially, the registry must include terms in its RRA that require the registrar to consent to the collection and use of the data by the registry.

Contrary to that, the recently adapted .com RRA (as a random example of a currently thin registry) contains the following language:

> 2.8.1 Handling of Personal Data. Verisign shall notify Registrar of the purposes for which Personal Data submitted to Verisign by Registrar is collected, the intended recipients (or categories of recipients) of such Personal Data, and the mechanism for access to and correction of such Personal Data. Verisign shall take reasonable steps to protect Personal Data from loss, misuse, unauthorized disclosure, alteration or destruction. Verisign shall not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars.
>
> Verisign may from time to time use the demographic data collected for statistical analysis, provided that this analysis will not disclose individual Personal Data and provided that such use is compatible with the notice provided to registrars regarding the purpose and procedures for such use.

This language is much more limiting as to the way that personal data can be requested and used. It makes no mention of obtaining consent from registrants and explicitly excludes the disclosure of said data. Neither does section 2.7, which refers specifically to the requirements for the actual registration agreements used by the registrar. Thus, from the registry side, there is currently no requirement to require the registrant to consent to a transfer of their personal data to the registrant.

However, most, if not all, registrars have adopted or adapted the Model Privacy Policy created by ICANN as part of their registration agreement (http://www.icann.org/en/resources/registrars/accreditation/model-privacy-policy) to comply with sections 3.7.7.4 and 3.7.7.5 of the 2009 RAA, at least informing the registrant that he is required to provide certain personal data which will then be provided to the administrator of the registry and others. Effectively, the RAA already requires the registrar to obtain consent of the registrant to the collection and transfer of the data to the registry, as well as its publication in the whois.

Hope this helps,

Volker