Re: [icann-eu] NSI selling data of domain name holders issue

["Griffini Giorgio" <grunz@tin.it>]

Hello, 

here in Italy we have a privacy law (known as 675/96) that, in short, 
estabilishes two few key points:

First, collection of personal data should be limited to just minimum data 
needed for the purpose for which one is collecting such data. ( That is, to not 
ask how many cars you do have if you are just setting up a contract for 
energy or phone service)

Second, data must be used only for the purpose for which they have been 
collected and cannot be published, used, transferred to other parties without 
a specific allowance by the individual the data refers to.

These two principle applies when from such data is possibile to track back to 
a specific individual while instead for data in aggregate form (we say for 
example, "# of customers of a company in the 15-30 age range per region") 
usage and transfer is allowed quite freely.

There are also provisions for allowing data updates and removal and all 
accessory tasks to keep the whole thing working, but I prefer to save you 
from entering into deeper details here.

Going back on topic focus (NSI selling of data) I think that if this fall under 
the 'aggregate form' it may be acceptable because it is just a well 
estabilished marketing pratice to do statistical customer analisys (and sell 
them to others) and it is already an accepted pratice also in our 'real life' 
when we buy something at supermarket, for example. 
If instead the kind of data sold out allows someone to track down a specific 
behavior of a specific individual this should not be allowed because it is a 
clear privacy violation.

Best regards
Giorgio Griffini