RE: [gnso-whois-study] WHOIS study group call Tuesday 8 April 2008 at 15:00 UTC]

[Eric Brunner-Williams <ebw@xxxxxxxxxxxxxxxxxxxx>]

All,

I was too ill to attend to the call this morning, so I've listened to it 
via mpeg delay.
There is a data collection policy element in EPP (rfc3730). It allows 
for the following to be stated by the data collecting entity (nominally 
a registry, or a registrar, or both, and possibly third-parties such as 
ICANN or an escrow provider) to the data providing entity (nominally a 
registrant):
   the access type, the purpose type, the recipient type, the retention 
period, and the expiry type
The W3C's P3P Spec activity, which Lori Cranor chaired and to which I 
contributed (I get all the blame for how privacy policy is attached to 
http cookies), attempted to create a mechanism that would meet the needs 
of data collection within "data protection" jurisdictions (The EU, with 
all the nuances each member state's implementation of the data 
protection directives that attend), the OECD jurisdictions (Canada, 
Japan, etc) and the fabulously weak American jurisdiction, where privacy 
arises from contract (barely).
That's about all I have energy for today. I tried to put the mechanism 
into the provisioning protocol anticipating the problem of multiple 
jurisdictions and their associated policies.
Eric