<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Before asking any further questions on this topic we should - in
accordance with the Phase 1 Rec 17 - wait for the study by ICANN
Org to be completed as this study would likely duplicate some, if
not most of the work to be done to answer the proposed question
below. This study was clearly outlines as a pre-requesite of any
further work on this topic and until that time, part 1 of the
phase 1 rec should a be sufficient solution for this issue. <br>
</p>
<p>I therefore propose that this question be tabled until after the
completion of the study and then re-visited to see if the study
leaves any open questions. <br>
</p>
<p>Best,</p>
<p>Volker Greimann<br>
</p>
<div class="moz-cite-prefix">Am 14.10.2019 um 16:00 schrieb Tara
Whalen:<br>
</div>
<blockquote type="cite"
cite="mid:CA+T70AjrQn5_th+D6PVU6QjJPNNtb8hV1+2joQLchbC5_QB+qQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<p class="MsoNormal">Hello all,</p>
<p class="MsoNormal"><br>
</p>
<p class="MsoNormal">As a follow-up to SSAC's
previously-proposed question on legal/natural persons: we
revised our original question in light of the recent memo from
Bird & Bird, to ensure it focused on specific unaddressed
issues involving consent. See full text below. We propose that
our new version replace the old one entirely.</p>
<p class="MsoNormal"><br>
</p>
<p class="MsoNormal">Thanks for your consideration,</p>
<p class="MsoNormal">Tara Whalen</p>
<p class="MsoNormal">---</p>
<p class="MsoNormal">[NEW VERSION]</p>
<p class="MsoNormal">LEGAL VERSUS NATURAL PERSONS:</p>
<p class="MsoNormal">Registration data submitted by legal person
registrants may contain the data of natural persons. A Phase
1 memo stated that registrars can rely on a registrant's
self-identification as legal or natural person, especially if
risk is mitigated by taking further steps to ensure the
accuracy of the registrant's designation. </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">As a follow-up to that memo: what are the
consent issues and requirements related to such designations?
Can registrars state that it is the responsibility of a legal
person registrant to obtain consent from any natural person
whose data it submits? </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">As part of the analysis, please examine the
GDPR policies and practices of the Internet protocol (IP
address) registries RIPE NCC (the registry in Europe, based in
the Netherlands) and ARIN (the registry in North America,
which has customer contacts in Europe). These registries
publish the data of natural person contacts who are subject to
the GDPR, publicly via their WHOIS services, by placing the
choice and responsibility on their registrants, who are legal
persons. These IP address registries state mission
justifications and collection purposes similar to those in
ICANN's Temporary Specification.</p>
<p class="MsoNormal">Please see:</p>
<p class="MsoNormal">1) “How We're Implementing the GDPR: Legal
Grounds for Lawful Personal Data Processing and the RIPE
Database”:</p>
<p class="MsoNormal"><a
href="https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database"
target="_blank" moz-do-not-send="true">https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database</a></p>
<p class="MsoNormal">2) “How We're Implementing the GDPR: The
RIPE Database”: <a
href="https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database"
target="_blank" moz-do-not-send="true">https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database</a></p>
<p class="MsoNormal">3) "Personal Data Privacy Considerations At
ARIN": <a
href="https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/"
target="_blank" moz-do-not-send="true">https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/</a></p>
<p class="MsoNormal">4) ARIN "Data Accuracy": <a
href="https://www.arin.net/reference/materials/accuracy/"
target="_blank" moz-do-not-send="true">https://www.arin.net/reference/materials/accuracy/</a></p>
<p class="MsoNormal">5) ARIN Registration Services Agreement,
paragraph 3: <a
href="https://www.arin.net/about/corporate/agreements/rsa.pdf"
target="_blank" moz-do-not-send="true">https://www.arin.net/about/corporate/agreements/rsa.pdf</a></p>
<p class="MsoNormal">6) ARIN Privacy Policy: <a
href="https://www.arin.net/about/privacy/" target="_blank"
moz-do-not-send="true">https://www.arin.net/about/privacy/</a></p>
<p class="MsoNormal"> </p>
<div
style="border-top:none;border-right:none;border-left:none;border-bottom:3pt
dotted windowtext;padding:0in 0in 1pt">
<p class="MsoNormal" style="border:none;padding:0in"> </p>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal">[OLD VERSION]</p>
<p class="MsoNormal">LEGAL VERSUS NATURAL PERSONS:</p>
<p class="MsoNormal">Registration data submitted by legal person
registrants may contain the data of natural persons. For
example the contact data they provide may include a natural
person's name and email address. Legal person registrants also
have the ability to publish non-personally identifiable
contact data ("<a href="mailto:admin@companyname.com"
target="_blank" moz-do-not-send="true">admin@companyname.com</a>")
should they desire.</p>
<p class="MsoNormal">If registrants are required to
self-identify as either a natural or legal person, then:</p>
<p class="MsoNormal">a. Can registrars rely on that
self-identification? </p>
<p class="MsoNormal">b. Can registrars make the
contact data submitted by legal person registrants publicly
available in RDS (WHOIS), by stating that it is the
responsibility of a legal person registrant to obtain consent
from any natural person whose data it submits? </p>
<p class="MsoNormal">Please state any considerations, such as
the ability of the registrant to correct its data.</p>
<p class="MsoNormal">As part of the analysis, please examine the
policies of the Internet protocol (IP address) registries RIPE
NCC (the registry in Europe, based in the Netherlands) and
ARIN (the registry in North America, which has customer
contacts in Europe). These registries publish the data of
natural persons who are subject to the GDPR, publicly via
their WHOIS services, by placing the choice and responsibility
on their registrants, who are legal persons. IP addresses and
domain names are two sides of the same coin, and these IP
address registries state mission justifications and collection
purposes similar to those in ICANN's Temporary Specification.
See:</p>
<p class="MsoNormal">1) “How We're Implementing the GDPR: Legal
Grounds for Lawful Personal Data Processing and the RIPE
Database”:</p>
<p class="MsoNormal"><a
href="https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database"
target="_blank" moz-do-not-send="true">https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database</a></p>
<p class="MsoNormal">2) “How We're Implementing the GDPR: The
RIPE Database”: <a
href="https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database"
target="_blank" moz-do-not-send="true">https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database</a></p>
<p class="MsoNormal">3) "Personal Data Privacy Considerations At
ARIN": <a
href="https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/"
target="_blank" moz-do-not-send="true">https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/</a></p>
<p class="MsoNormal">4) ARIN "Data Accuracy": <a
href="https://www.arin.net/reference/materials/accuracy/"
target="_blank" moz-do-not-send="true">https://www.arin.net/reference/materials/accuracy/</a></p>
<p class="MsoNormal">5) ARIN Registration Services Agreement,
paragraph 3: <a
href="https://www.arin.net/about/corporate/agreements/rsa.pdf"
target="_blank" moz-do-not-send="true">https://www.arin.net/about/corporate/agreements/rsa.pdf</a></p>
<p class="MsoNormal">6) ARIN Privacy Policy: <a
href="https://www.arin.net/about/privacy/" target="_blank"
moz-do-not-send="true">https://www.arin.net/about/privacy/</a></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-legal mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-legal@icann.org">Gnso-epdp-legal@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-legal">https://mm.icann.org/mailman/listinfo/gnso-epdp-legal</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>