/
Privacy - Key Inputs

Privacy - Key Inputs

Owned by Lisa Phifer
Last updated: Mar 02, 2025 by Aleksey KhapchenkoVersion comment

To answer the question “What steps are needed to protect data and privacy?” for each purpose, the PDP should be informed by available inputs dealing with privacy.

The privacy sub-team considered this charter question, starting with key inputs identified in the PDP Issue Report and WG Charter, identified additional key inputs, and summarized them in the following document:

Summary of Key Inputs on Privacy - Final Template PDF

Those key inputs on privacy (including data protection) include:

Available Inputs - Hyperlinked to Source

ICANN Procedure For Handling WHOIS Conflicts with Privacy Law (2008)

and GNSO Policy underlying current procedure

Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law (2014)

2013 RAA's Data Retention Specification Waiver and Discussion Document (2014)

WHOIS Studies (2012-2014) , especially

-        WHOIS Privacy/Proxy Abuse Study

-        WHOIS Privacy/Proxy Relay and Reveal Survey

SAC055, WHOIS: Blind Men and an Elephant (September 2012)

Privacy & Proxy Services Accreditation PDP Final Report (2015)

Thick WHOIS PDP Final Report (2011-2013)

and IRT Legal Review

Article 29 WP statement on the data protection impact of the ICANN RAA (2013-2014)
- https://www.icann.org/en/system/files/correspondence/namazi-to-kohnstamm-25mar14-en.pdf
- https://www.icann.org/en/system/files/correspondence/kohnstamm-to-jeffrey-08jan14-en.pdf
- https://www.icann.org/en/system/files/correspondence/jeffrey-to-kohnstamm-20sep13-- en.pdf
https://www.icann.org/en/system/files/correspondence/kohnstamm-to-crocker-chehade-06jun13-en.pdf

Article 29 WP comments on the data protection impact of the revision of the ICANN RAA concerning accuracy and data retention of WHOIS (2012)
- https://www.icann.org/en/system/files/correspondence/kohnstamm-to-crocker-atallah-26sep12-en.pdf
- https://www.icann.org/en/news/correspondence/chehade-to-kohnstamm-09oct12-en

Article 29 WP on ICANN Procedure for Handling WHOIS Conflicts with Privacy Law (2007)
- http://gnso.icann.org/en/correspondence/cerf-to-schaar-24oct07.pdf
- https://www.icann.org/en/system/files/files/cerf-to-schaar-15mar07-en.pdf
- https://www.icann.org/en/correspondence/schaar-to-cerf-12mar07.pdf

Article 29 WP on ICANN’s WHOIS Database Policy (2006)
- https://www.icann.org/en/system/files/files/schaar-to-cerf-22jun06-en.pdf
- https://www.icann.org/en/correspondence/lawson-to-cerf-22jun06.pdf
- https://www.icann.org/en/correspondence/parisse-to-icann-22jun06.pdf
- https://www.icann.org/en/system/files/files/fingleton-to-cerf-20jun06-en.pdf

Article 29 WP Opinion on the application of the data protection principles to WHOIS directories
Article 29 WP 76 Opinion 2/2003 

Additional Article 29 WP documents that may be of interest to this PDP WG

-        Article 29 WP 5 Recommendation 2/97 

-        Article 29 WP 33 Opinion 5/2000 

-        Article 29 WP 41 Opinion 4/2001 

-        Article 29 WP 56 Working Document 5/2002

-        Article 29 WP 217 Opinion 6/2014

-        Article 29 WP Opinion 1/2010

-        Article 29 WP 20 Opinion 3/1999

Council of Europe Declaration

-        Declaration of Committee of Ministers on ICANN, human rights and the rule of law (3 June 2015)

-        Council of Europe's Treaty 108 on Data Protection

EDPS Correspondence regarding Registration Data

-        Opinion of the European Data Protection Supervisor: Europe's role in shaping the future of Internet Governance (23 June 2014)

-        ICANN's public consultation on 2013 RAA Data Retention Specification Data Elements and - Legitimate Purposes for Collection and Retention (17 April 2014)

European Commission Website: Obligations of Data Controllers and Definition of Data Controllers

European Commission EU-US Privacy Shield related documents

-        European Commission News Announcement: EU-US Privacy Shield

-        Judgment of the Court (Grand Chamber) - Maximillian Schrems v Data Protection Commissioner

-        EU-U.S. Privacy Shield draft (full text, February 2016)

-        Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision of the Article 29 WP 238

European Parliament

-        News: Data protection reform – Parliament approves new rules fit for the digital era (April 2016)

-        Final Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016)

European Data Protection Directive, 1995

International Working Group on Data Protection in Telecommunications and Media Documents

-        Common Position relating to Reverse Directories (Hong Kong, 15.04.1998)

-        Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet (Crete, 4./5.05.2000)

-        Common Position on Privacy and Data Protection aspects of the Publication of Personal Data contained in publicly available documents on the Internet (Crete, 4./5.05.2000)

-        Common Position on Incorporation of telecommunications-specific principles in multilateral privacy agreements: Ten Commandments to protect Privacy in the Internet World (Berlin, 13/14.09.2000)

-        Common Position on data protection aspects in the Draft Convention on cyber-crime of the Council of Europe (Berlin, 13/14.09.2000)

NORC Study of WHOIS Privacy/Proxy Prevalence (2010)

EWG Recommendations for a Next-Generation RDS, especially

-        Section 6a, Data Protection Principles

-        Section 6b, Principles for Data Access by Law Enforcement

-        Section 7, Improving Registrant Privacy

-        Annex H, Model for Relay and Reveal

EWG Research: Data Protection Considerations Applicable to Collection of gTLD Reg Data Memo

EWG Research: WHOIS Privacy and Proxy Service Provider Practices Survey

EWG Tutorial Pages 28-30 and EWG FAQs 31-38

Statements/Blogs by Ajayi and Perrin

Process Framework for a PDP on Next-Generation RDS, especially Page 9, Row 5

Human Rights Council - Report by the UN Special Rapporteur on the right to privacy

Judgement on preliminary ruling under Article 267 TFEU from Audiencia Nacional (Spain)

Judgement on preliminary ruling under Article 267 TFEU from the Oberster Gerichtshof (Supreme Court, Austria)

Judgment on preliminary ruling under Article 267 TFEU, from the Bundesgerichtshof (Federal Court of Justice, Germany)

Africa Union Convention on Cybersecurity and Personal Data Protection

National Laws or Court Rulings that may apply to gTLDs, including

-        U.S. Supreme Court Case - McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995)

-        The Constitution of the State of California (USA): Article 1, Section 1

-        Massachusetts (USA) Right of Privacy, MGL c.214, s.1B

-        U.S. Judicial Redress Act of 2015

-        U.S. Federal Communications Commission Proposed Rule FCC 16-39: Protecting the Privacy of Customers of Broadband and Other Telecommunications Services

-        Ghana Protection Act, 2012

-        South Africa’s Act No. 4 of 2013: Protection of Personal Information Act

Book: Global Tables of Data Privacy Laws and Bills (Greenleaf, 4rd Edition, January 2015)

Article: Global data privacy laws 2015: 109 countries, with European laws now a minority (Greenleaf)

WorldLII Database of National Data Privacy Legislation

Pew Research Center Surveys on Privacy:
-        Anonymity, Privacy, and Security Online (2013)
-        What Americans Think About Privacy (2014)
-        Teens, Social Media, and Privacy (2013)

TRUSTe, Ipsos, and National Cybersecurity Alliance Survey on Privacy:

-        eMarketer Article: Who Do Great Britain's Internet Users Trust with Data? (2016)


See also Public Comments on Issue Report for input to be considered by PDP WG
.