<div dir="ltr"><div dir="ltr">Happy New Year!</div><div dir="ltr">Here is my re-drafted question for discussion tomorrow, re: legal/natural persons. As requested, I reviewed the Technical Contact memo but did not conclude that it led to any significant changes in the specific question below; the memo spoke to the question of whether consent must be obtained from technical contact, versus providing notice. This new question is about the methods/responsibilities of obtaining said consent and demonstrating that it has been obtained (using a real-world use case to illustrate a possible solution).</div><div dir="ltr">Apart from that task, the question was shortened and elements were highlighted from supplementary materials. We can discuss tomorrow whether the "if time permits" element (at the end) needs to be retained.<br><br></div><div dir="ltr">**Revised question**<br></div><div><br></div><div><p class="MsoNormal">Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">As a follow-up to that memo: what are the consent options and requirements related to such designations?  Specifically: can data controllers state that it is the responsibility of a legal person registrant to obtain consent from any natural person who will act as a contact, and whose data may be displayed publicly in RDS?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">As part of your analysis, please consult the GDPR policies and practices of the Internet protocol (IP address) registry RIPE-NCC (the registry for Europe, based in the Netherlands).  RIPE-NCC’s customers (registrants) are legal persons, usually corporations.  Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS.  RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that.  RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification.  Could similar policies and procedures be used at ICANN? <u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Please see these specific references:<u></u><u></u></p><p class="MsoNormal">1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:<u></u><u></u></p><p class="MsoNormal"><a href="https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database" target="_blank">https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database</a>  <u></u><u></u></p><p class="MsoNormal">2)  “How We're Implementing the GDPR: The RIPE Database”: <a href="https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database" target="_blank">https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database</a><u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">If time permits, also see the policies of ARIN, the IP address registry for North America.  ARIN has some customers located in the EU.  ARIN also publishes the data of natural persons in its WHOIS output.  ARIN’s customers are natural persons, who submit the data of natural person contacts.<u></u><u></u></p><p class="MsoNormal">3) ARIN "Data Accuracy": <a href="https://www.arin.net/reference/materials/accuracy/" target="_blank">https://www.arin.net/reference/materials/accuracy/</a><u></u><u></u></p><p class="MsoNormal">4) ARIN Registration Services Agreement, paragraph 3: <a href="https://www.arin.net/about/corporate/agreements/rsa.pdf" target="_blank">https://www.arin.net/about/corporate/agreements/rsa.pdf</a><u></u><u></u></p><p class="MsoNormal">"Personal Data Privacy Considerations At ARIN": <a href="https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/" target="_blank">https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/</a>  especially the first two paragraphs<u></u><u></u></p><br><p class="MsoNormal"><u></u> --------<u></u></p><p class="MsoNormal"><u></u><br></p></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_-2843776014787436421WordSection1"><div style="border-top:none;border-right:none;border-left:none;border-bottom:1.5pt solid windowtext;padding:0in 0in 1pt"><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">2. Tara to rephrase the SSAC Legal v. Natural question to rephrase the issue regarding transferring consent. Tara to review the </span><a href="https://community.icann.org/pages/viewpage.action?pageId=105386422" target="_blank">Technical Contact memo from Phase 1</a><span style="color:black">. Additionally, Tara to refer to specific excerpts of guidance from the cited sources.</span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">Previously-worded question: <u></u><u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person, especially if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. <u></u><u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">As a follow-up to that memo: what are the consent issues and requirements related to such designations?  Can registrars state that it is the responsibility of a legal person registrant to obtain consent from any natural person whose data it submits? </span><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="font-family:"Times New Roman",serif"><u></u> <u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">As part of the analysis, please examine the GDPR policies and practices of the Internet protocol (IP address) registries RIPE NCC (the registry in Europe, based in the Netherlands) and ARIN (the registry in North America, which has customer contacts in Europe).  These registries publish the data of natural person contacts who are subject to the GDPR, publicly via their WHOIS services, by placing the choice and responsibility on their registrants, who are legal persons.  These IP address registries state mission justifications and collection purposes similar to those in ICANN's Temporary Specification.</span><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="font-family:"Times New Roman",serif"><u></u> <u></u></span></p><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">Please see:<u></u><u></u></span></p></div><p class="MsoNormal" style="margin-right:0in;margin-bottom:12pt;margin-left:0in"><span style="color:black">1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:</span><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="margin-right:0in;margin-bottom:12pt;margin-left:0in"><a href="https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database%20%5blabs.ripe.net%5d" target="_blank">https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database [labs.ripe.net]</a><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="margin-right:0in;margin-bottom:12pt;margin-left:0in"><span style="color:black">2)  “How We're Implementing the GDPR: The RIPE Database”: </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__labs.ripe.net_Members_Athina_how-2Dwe-2Dre-2Dimplementing-2Dthe-2Dgdpr-2Dthe-2Dripe-2Ddatabase&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=MHkNDZD5npTHhFCww7h37jH0dZVXjP3J6gC_3_MlKMA&e=" target="_blank"><span style="color:black">https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net]</span></a><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="margin-right:0in;margin-bottom:12pt;margin-left:0in"><span style="color:black">3) "Personal Data Privacy Considerations At ARIN": </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__teamarin.net_2018_03_20_personal-2Ddata-2Dprivacy-2Dconsiderations-2Dat-2Darin_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=pk0huv2aNSfvLj6S90UIZ4QJUIpAr9Ht-yJyf7pEC2g&e=" target="_blank"><span style="color:black">https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net]</span></a><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="margin-right:0in;margin-bottom:12pt;margin-left:0in"><span style="color:black">4) ARIN "Data Accuracy": </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.arin.net_reference_materials_accuracy_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=ckReulFNZOhT8xWNRFYx6OBfLxsYr0RaqxOEgr_Em6c&e=" target="_blank"><span style="color:black">https://www.arin.net/reference/materials/accuracy/ [arin.net]</span></a><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><p class="MsoNormal" style="margin-right:0in;margin-bottom:12pt;margin-left:0in"><span style="color:black">5) ARIN Registration Services Agreement, paragraph 3: </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.arin.net_about_corporate_agreements_rsa.pdf&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=A__4cvbv8CN_aWnGqBhNkF9hSAUmtHzIDL2uiGtMtLI&e=" target="_blank"><span style="color:black">https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]</span></a><span style="font-family:"Times New Roman",serif"><u></u><u></u></span></p><div style="border-top:none;border-right:none;border-left:none;border-bottom:1.5pt solid windowtext;padding:0in 0in 1pt"><p class="MsoNormal" style="border:none;padding:0in"><span style="color:black">6) ARIN Privacy Policy: </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.arin.net_about_privacy_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=99xt1m5gH1mu0-Pt3ERCRTLchE2_nxsr0OLfK-0uyls&e=" target="_blank"><span style="color:black">https://www.arin.net/about/privacy/ [arin.net]</span></a></p></div></div></div></blockquote><div><br></div></div></div>