[Gnso-epdp-team] Zero-Draft Doc- Assessment of the data being requested

King, Brian Brian.King at markmonitor.com
Fri Aug 30 15:06:05 UTC 2019 

Hi Volker,

I’m sympathetic to the challenges involved in determining whether data is subject to data protection/privacy law (and which one(s) might apply), and totally get that’s part of why the EPDP Phase 1 decided not to make the distinction mandatory for publication/redaction. (not saying I agree with the outcome, but I understand)

We can discuss secondary liability in more detail online if you’d like. To try to boil down my point, consider a registrar who has profited financially from the registration of a domain name which is being used in a trademark counterfeiting scheme. Also consider that the registrar is on notice of the conduct (civil and/or criminal, depending on the jurisdiction) because the registrar has received a request for redacted WHOIS data. As a court would see it, this registrar has knowledge of wrongdoing, is profiting from the wrongdoing, is in a position both technically and legally (registration agreement prohibits unlawful use of the domain) to stop the wrongdoing, possesses information about the wrongdoer, and chooses neither to stop the wrongdoing nor provide information about the wrongdoer to the owner of the IP being infringed. This is a recipe for secondary liability.

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Volker Greimann <vgreimann at key-systems.net>
Sent: Friday, August 30, 2019 9:01 AM
To: King, Brian <Brian.King at markmonitor.com>
Cc: farzaneh badii <farzaneh.badii at gmail.com>; GNSO EPDP <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] Zero-Draft Doc- Assessment of the data being requested

That seems a bit of an extreme interpretation. We agreed not to make no differentiation based on geo for the smple fact that anything else would be an administrative nightmare.
There are so many variables why a set of data may be protected under the GDPR (and comparable regulations) that it seemed unfeasible to design a system that made such differentiations.

Consider the following scenarios triggering protection just under GDPR:
-Registrar in EU
-Reseller in EU
-Registry in EU
-Reseller of reseller (whom we usually do not know) in the EU
-Registrant in EU
-Other Contact in EU
-Registrar outside the EU, but processing in the EU (For example using a Registrar backend service)
-Registry outside the EU, but processing in the EU (For example using a Registry backend service)
-Registrar outside the EU, Reseller outside the EU but reseller processing in the EU
and many many more.

Having to look at each data set like this individually is simply not feasible for a contracted party, hence the decision (and need) to simply treat all data as protected.

And while I hate to contradict you Brian, the potentially problematic part is never the act of withholding, and always the act of disclosing, at least from a liability perspective.

--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net_&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=mIbt2RoiILHHK37EfokIxn4z4vBCeV5APNQsbr36nLo&s=MGBd0Y5i3nkyIsuMtHaKyQOXRY9rGZ81iotiZFFNGzc&e=>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.


[Image removed by sender.]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.avast.com_sig-2Demail-3Futm-5Fmedium-3Demail-26utm-5Fsource-3Dlink-26utm-5Fcampaign-3Dsig-2Demail-26utm-5Fcontent-3Dwebmail&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=mIbt2RoiILHHK37EfokIxn4z4vBCeV5APNQsbr36nLo&s=p1GU0pWfm0l3-U4_u3R4Viu8-wrHhAsAUsZR1g7ONFA&e=>
Virus-free. www.avast.com<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.avast.com_sig-2Demail-3Futm-5Fmedium-3Demail-26utm-5Fsource-3Dlink-26utm-5Fcampaign-3Dsig-2Demail-26utm-5Fcontent-3Dwebmail&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=mIbt2RoiILHHK37EfokIxn4z4vBCeV5APNQsbr36nLo&s=p1GU0pWfm0l3-U4_u3R4Viu8-wrHhAsAUsZR1g7ONFA&e=>

On Fri, Aug 30, 2019 at 1:56 PM King, Brian via Gnso-epdp-team <gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>> wrote:
Hi Farzaneh,

That’s not quite right. We decided that CPs could differentiate in the context of publication/redaction, not in the context of SSAD.

In the SSAD context, the act of withholding data when someone needs it, without a legal basis for withholding it (i.e. application of privacy law), would be legally problematic for the entity withholding access. In this case, withholding the data could make the controller secondarily liable for the bad actor’s conduct.

So, the data must be disclosed unless there’s a legal basis for withholding it. For legal persons and natural persons not covered by data privacy law, there is no legal basis for withholding the data, and there should be no balancing test.
Brian J. King
Director of Internet Policy and Industry Affairs
MarkMonitor / Part of Clarivate Analytics
Phone: +1 (443) 761-3726
brian.king at markmonitor.com<mailto:brian.king at markmonitor.com>

On Aug 30, 2019, at 7:22 AM, farzaneh badii <farzaneh.badii at gmail.com<mailto:farzaneh.badii at gmail.com>> wrote:
I don't know if this has been flagged and I know that the zero draft is frozen for now but I believe the diagram about the assessment of the data requested Step 2, is not correct. It says that if the data is non-EEA data may be released with no balancing test performed. In phase one we agreed that the contracted parties can make geo diff if they want. The ones that do not do geo diff should definitely follow the disclosure policy we are coming up with and perform the balancing test regardless of EEA or non-EEA data. I don't think they should just release the data. As we argued, ICANN's policies are global. If disclosure is global, data protection has to be global too.


Farzaneh
<epdp-p2_swimlane_v0.2.2.pdf>
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=21TqJSMQV0kHuTo9rha44EVs9jCy7uBr8L8cveIHb6c&e=
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=VeFjG9M5NbXD9OqeCXKleOaEpa6_jMxj3EseaMJ5H2U&e= ) and the website Terms of Service (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=7E_OKnno3mhFtTwXIwua0a8Qwg3_dmrXTO150Q4GL8Y&e= ). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=mIbt2RoiILHHK37EfokIxn4z4vBCeV5APNQsbr36nLo&s=AqQdcpqmUEkLQTX-SFC03YY-slUMy9CSflI75Z4niCA&e=>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=mIbt2RoiILHHK37EfokIxn4z4vBCeV5APNQsbr36nLo&s=7ZPj8A98GQugu-8zY3qLhJuPrJsu9OzwGeocgTvoNxA&e=>) and the website Terms of Service (https://www.icann.org/privacy/tos<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=mIbt2RoiILHHK37EfokIxn4z4vBCeV5APNQsbr36nLo&s=Ch4dzCpEfRFCwrYj2AAKzPvty4XMUVpJd1pELLckxYM&e=>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190830/4b9c696d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 350 bytes
Desc: image001.jpg
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190830/4b9c696d/image001-0001.jpg>

More information about the Gnso-epdp-team mailing list