[NCSG-PC] Fwd: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model

Ayden Férdeline icann at ferdeline.com
Tue Jun 19 21:28:12 EEST 2018


See Palage’s proposal below. Seems an excellent idea to me to issue fines.

-Ayden

Sent from ProtonMail Mobile

> ---------- Forwarded message ----------
> From: Michael Palage<michael at palage.com>
> Date: On Tue, Jun 19, 2018 at 20:23
> Subject: Fwd: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model
> To: 'John R. Levine' <johnl at iecc.com>,'Kathy Kleiman' <kathy at kathykleiman.com>
> Cc: <accred-model at icann.org>
> John, So I think it is fair to say that no matter what Kathy or I say you will not be happy with any meaningful Data Subject centric safeguard, so this will be my last response on the list. So the "complex" problem we are seeking to solve is respecting the Fundamental Human Right to Privacy that Europeans have. Much like I respect my fellow Americans and their love of the Second Amendment, I have learned to respect European's passion for their Right to Privacy. Now the problem with ICANN and the IPC/BC solution is that there is no mechanism to make a Data Subject whole after their Personal Data has been improperly processed. All of the proposed safeguards are focused on limiting a third party to harm additional Data Subjects in the future. I just find that problematic. When Kathy I worked on the UDRP and Working Group B almost 20 years ago, we were on the opposite side of the issue. However, we recognized that any solution that ICANN proposed had to be modeled after well established international law, and respect the rights of both Complainant (Trademark Owner) and Respondent (Domain Registrant). What I tried to do in my proposal was model that seed of compromise that was so successful almost 20 years ago in connection with the UDRP. As Kathy noted there are ADR components in the Privacy Shield that provide for the resolution of disputes. You are also correct that there are requirements that businesses pay for these services and there are no fees to Data Subjects, which creates the potential for abuse. That is why I have been looking to modify the JAMS ADR rules to perhaps find a middle ground that balances the respect rights of the Data Subject and Controller/Processor. In speaking with a number of privacy attorneys, Data Subject rarely get compensated for violations of their rights, although DPA can impose substantial fines against the Controller/Processor. The sweet spot I was looking at in connection with the ADR mechanism was something URS "like". I think this group and ICANN has done a really good job delineating under what set of circumstances a request can be legally made. In fact I think it would be constructive if a User enumerated at the time of the search what basis they were acting upon. The URS "like" ADR process would make use of templates for the complaint and response forms and NO formal written opinion by the panel just a summary decision. I am still surveying privacy professionals but I think a fine in the range of $250 to $500 for a violation of the terms of services would not be unreasonable. However, this is still at the spaghetti throwing stage. The other important mechanism is the need to have a disincentive for people to abuse the system by filing abusive requests. There may be the need for some type of speed bump mechanism to mitigate against abusive filings. Still noodling on this safeguard but would appreciate any group feedback. One of the hard lessons I have learned in ICANN is that it is easy to criticize but it is really hard to find a solution to both complex and simple problems. Safe travels and I look forward to hopefully seeing you in Panama next week. Best regards, Michael -----Original Message----- From: Accred-Model On Behalf Of John R. Levine Sent: Tuesday, June 19, 2018 1:32 PM To: Kathy Kleiman  Cc: accred-model at icann.org Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model > It's great when there is actually an easy solution. At least for the > many US companies, law firms, cybersecurity firms, and others (and > this a huge part of the group seeking access), they should > "self-certify" to the EU-US Privacy Shield, via procedures set up by > the US Department of Commerce and Federal Trade Commission. Well, at least until the EU courts kill privacy shield like they did Safe Harbor. Banks and non-profits such as CAUCE are not eligible for Privacy Shield (they're not regulated by the FTC or DOT.) For small organizations the PS rules are extremely conplex and there's a mandatory annual payment to cover potential arbitration costs. Can we back up and explain what problem this overcomplex "solution" is supposed to be solving here? Regards, John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly _______________________________________________ Accred-Model mailing list Accred-Model at icann.org https://mm.icann.org/mailman/listinfo/accred-model @kathykleiman.com> @icann.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20180619/f659e0de/attachment.htm>


More information about the NCSG-PC mailing list