[Gnso-epdp-team] CENTR Survey: Whois status and impacts from GDPR

Margie Milam margiemilam at fb.com
Thu Oct 18 17:35:18 UTC 2018 

Hi Volker –
Yes, I  understand they are different.  What makes them relevant is that it shows what can be done from an operational point of view, to make the natural/legal person and geographic distinction, as part of a domain registration process.  It is not acceptable to defer this discussion to after the EPDP concludes because it is very much relevant to compliance with GDPR.   It is also not acceptable to assume that the level of inaccuracies we see with WHOIS should continue, without improvements, especially under the enhanced accuracy requirements under GDPR.  This is one of the parking lot issues we have remaining from the LA meeting that I want to make sure we don’t lose sight of.

All the best,

Margie


From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Volker Greimann <vgreimann at key-systems.net>
Date: Tuesday, October 16, 2018 at 6:18 AM
To: "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] CENTR Survey: Whois status and impacts from GDPR


Hi all,

ccTLDs and gTLDs cannot be viewed as the same as they are subject to different regulatory regimes and fall under different models of registration.

For example, in many of the listed ccTLDs, the registrant is assumed to have a direct contractual relationship with the registry, so the ability to collect and process data is different for such registries compared to gTLD registries that have no such relationship.

While the topics you raise are important and worth further deliberation, I would propose that these be postponed until after the ePDP concludes and be included in subsequent, proper policy work as they are highly contentious issues and focussing on these now has the potential to derail or at least significantly delay our output. As we are on a strict timeline, we should focus on the uncontentious issues first to ensure the Temp Spec can be replaced in time.

The distinction between legal and natural personas is a red herring as it does not solve any of the issues. Any data provided by legal persons may still contain personal data of natural persons in many of the fields that would be near impossible to detect for contracted parties.

Further, even if such a distinction were to be found to provide additional benefits,  making such a distinction may perhaps be possible for new registrations going forward, but it is definitely near impossible with regard to already existing registrations as it would require receiving a whois update from all current registrants. Given the high amount of reluctance in parts of the community to accept any form of grandfathering or dual system as I have experienced in the Whois RT2 deliberations, such a dual system where domain names would be treated different based on their registration gate, I cannot in good conscience support this as a way forward either.

But I also have significant doubts that contracted parties could even rely on such self-declarations of our customers without facing additional liabilities for public disclosure.

As far as accuracy "verification" goes (which in many cases is closer to the validation requirements currently included in the RAA), this is an issue relegated entirely to the contracts of the contracted parties. Work on this issue is currently ongoing between ICANN and registrars. Opening this issue up here would create a double track and be in violation of the process currently included in the contracts. Many of the ccTLDs also do not face the same issue that most gTLDs face in that they do not aspire to a global registrant base and can perform their validation/verification on a national level, which naturally reduces costs and provides better results. As soon as international registrations enter into the picture, the accuracy of these verification sources drops to unacceptable percentages. As one example, when Nominet introduced their verification scheme, the numbers of "failed verifications" for registrations of registrants outside the UK were horrendous, and Nominet was quick to treat such registrations with much more leeway than those inside the UK.

Additionally, in our experience higher requirements on data accuracy usually lead to more incidents of identity theft since abusers of the system will always find ways around. Just because a data set is accurate that does not mean it actually belongs to the registrant.

Geographic distinction assumes that it is feasible for contracted parties to differentiate accurately for each data set they receive which data protection standards apply to that set. That determination cannot simply be made based on the country code provided by the registrant however. Further, for many registrars that process their data in other jurisdictions, that distinction is pointless. It also places a significant burden on contracted parties that would have to implement and operate multiple systems of whois.

Data access: Just so we do not resort to cherry picking, we should also look at how these registries handle requests for data access. These registries provide access based on law enforcement, parties identified in a court order and someone with legitimate interest. In case of the latter, the legal department makes the judgement on that. This is exactly what is already in the Temp Spec, where the registrar makes the judgement regarding the purported legitimate interest and informs the requester accordingly.

Best,

Volker

RrSG Alternate

Am 16.10.2018 um 00:29 schrieb Margie Milam:
Hi-

Thanks Georgios for sharing this document.  This is really great information, and can help with several issues for the EPDP, including:


  *   Legal/Natural person distinction
  *   Geographic distinction
  *   Accuracy
  *
We would like to propose that Staff  invite someone from Centr who can talk to us at Barcelona about these issues, to help inform our policy recommendations.   We would also like to ensure that all of the issues that were “parked” at our F2F meeting are considered as part of our deliberations in Barcelona.

Thanks,

Margie



From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org><mailto:gnso-epdp-team-bounces at icann.org> on behalf of "Georgios.TSELENTIS at ec.europa.eu"<mailto:Georgios.TSELENTIS at ec.europa.eu> <Georgios.TSELENTIS at ec.europa.eu><mailto:Georgios.TSELENTIS at ec.europa.eu>
Date: Friday, October 12, 2018 at 1:33 AM
To: "kurt at kjpritz.com"<mailto:kurt at kjpritz.com> <kurt at kjpritz.com><mailto:kurt at kjpritz.com>, "gnso-epdp-team at icann.org"<mailto:gnso-epdp-team at icann.org> <gnso-epdp-team at icann.org><mailto:gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] CENTR Survey: Whois status and impacts from GDPR

Dear Kurt, EPDP colleagues,

Please find a recent survey among European ccTLDs on impacts from GDPR:
The survey report can be found here: https://centr.org/library/library/survey-report/centr-report-whois-status-and-impacts-from-gdpr.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__centr.org_library_library_survey-2Dreport_centr-2Dreport-2Dwhois-2Dstatus-2Dand-2Dimpacts-2Dfrom-2Dgdpr.html&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=T4R_SFZkRFdOpZ15H9XgTW4ZlbBvQTBqJgwmkYtvT3E&e=>
The presentation has been uploaded at: https://centr.org/library/library/external-event/whois-status-and-the-impact-of-gdpr.html<https://urldefense.proofpoint.com/v2/url?u=https-3A__centr.org_library_library_external-2Devent_whois-2Dstatus-2Dand-2Dthe-2Dimpact-2Dof-2Dgdpr.html&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=Ul6EQT0lYlA4EMiD0i0hCdqJvk2hj0enVaKnc05XP2w&e=>
The overview of data collected and published via the WHOIS is available at: https://stats.centr.org/pub_whois<https://urldefense.proofpoint.com/v2/url?u=https-3A__stats.centr.org_pub-5Fwhois&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=GgicT8PChIKhcba_NAzGpxR4ZU1EINwS6_vooi-iNBk&e=>

Best  regards,
Georgios




_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>

https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMDaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=f9eVrzyohsHfZjq_cGldOaBjwBtokJTlNp6LtFoDF8c&s=LlDdOBtddksAd15edK0jUcOZUkjmCx-HZMwWcg9lPV4&e=>



--

Volker A. Greimann

General Counsel and Policy Manager

KEY-SYSTEMS GMBH



T: +49 6894 9396901

F: +49 6894 9396851

W: www.key-systems.net<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net&d=DwMDaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=f9eVrzyohsHfZjq_cGldOaBjwBtokJTlNp6LtFoDF8c&s=jVsZctoefFGoHZu3KolnWVoZ2KRgwANd6eHyjRzVpFs&e=>



Key-systems is a company registered in Germany with Registration No.: HR B 18835 - Saarbruecken: CEO: Alexander Siffrin

Registered Offices: Im Oberen Werk 1, DE-66386 St. Ingbert, Germany



Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181018/17e75efe/attachment-0001.html>

More information about the Gnso-epdp-team mailing list