[Gnso-epdp-team] On the proposed guidance
Becky Burr
becky.burr at board.icann.org
Wed Apr 14 18:32:39 UTC 2021
I think we may be over-complicating this discussion.
Sounds to me like Volker and Melina have different views on what will
satisfy the NIS2 requirement that non-personal data be made "publicly
available" / "published without undue delay". If I'm understanding the
point of this discussion, Volker suggests that prompt disclosure of
non-personal data upon receipt of an SSAD request may be sufficient.
Melina suggests that non-personal data must be available for
non-intermediated access in some "always on" online RDDS database. If
Volker is right, the relevance of the up-front legal/natural distinction is
lessened because the disclosure is driven by the character of the data
(personal or not personal). I don't have a view on what NIS2 requires,
although access to things that are "published" on the Internet are almost
always intermediated in one way or another.
Also, FWIW, I think some ccTLDs differentiate registrant types in order to
satisfy nexis requirements.
On Wed, Apr 14, 2021 at 8:36 AM Hadia Abdelsalam Mokhtar EL miniawi via
Gnso-epdp-team <gnso-epdp-team at icann.org> wrote:
> Dear Volker and all,
>
>
>
> First I would like to thank ICANN org for conducting additional research
> in relation to the ccTLDs' registration directory service policies. Having
> briefly looked at Appendix A, I would like to share with you some
> observations
>
>
>
> · None of the ccTLDs who differentiate between the data of legal
> and natural persons don't differentiate between the registrants' types.
>
> · Two ccTLD registries do not differentiate between the
> publication of the data of the legal and natural persons because they
> publish the data of both.
>
> · Four ccTLD registries neither make a differentiate between the
> registrants' types nor the registrants' registration data.
>
> · The rest of the ccTLDs who do not differentiate between the
> publication of the data still differentiate between the registrants' types.
>
> · It is unclear whether the ccTLD of Slovakia differentiates
> between the publication of the data. However the registry differentiates
> between the registrants' types (Legal/natural)
>
>
>
> From the policies' summary, it is clear that in order to look into the
> issue of differentiating between the processing of the data of legal and
> natural persons, we need to consider at least two types of classifications.
> The first is the differentiation between the registrants' types, which
> does not necessary lead to the publication of the data and the second is
> the differentiation between the data type.
>
>
>
> Kind regards
>
> Hadia
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] *On
> Behalf Of *STROUNGI Melina via Gnso-epdp-team
> *Sent:* Monday, April 12, 2021 5:08 PM
> *To:* Volker Greimann
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>
>
>
> Hi Volker,
>
>
>
> Thank you for your comments. I thought we had clarified these points
> during the EPDP discussions but seeing your latest reactions on the
> guidance doc, I would like to add a few – hopefully – helpful
> clarifications.
>
>
>
> It is very positive to see that the NIS2 Proposal is taken into account;
> please note that NIS2 Proposal imposes two separate obligations:
>
>
>
> - providing access to specific domain name registration data
> upon lawful and duly justified requests of legitimate access seekers (this
> would mean disclosure via the SSAD and could entail both personal and
> non-personal data)
>
> - publication, without undue delay after the registration of a
> domain name, of domain registration data of legal persons which are not
> personal data (see recital 62 and article 23 (4)). This does *not* relate
> to SSAD – the publication requirement is a separate one and concerns
> providing data in the publicly accessible Registration Data Directory
> Services.
>
>
>
> It is hard to see how your vision, as currently phrased in your email
> below, meets any of these two requirements.
>
>
>
> Regarding your other point, I believe that it does matter to whom the data
> belongs. Data of natural persons are personal data and therefore should
> always be protected by default (unless there is consent) and data of legal
> persons are not protected, so in principle they should be disclosed (unless
> they contain personal data in which case you may decide to further
> distinguish and publish only the non-personal data of the legal persons –
> as also required by the NIS2 Proposal).
>
>
>
> Hope this helps. Happy to discuss further.
>
>
>
> Best,
>
> Melina
>
>
>
>
>
>
>
> *From:* Volker Greimann <vgreimann at key-systems.net>
> *Sent:* Thursday, March 25, 2021 4:22 PM
> *To:* STROUNGI Melina (CNECT) <Melina.STROUNGI at ec.europa.eu>
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>
>
>
> Hi Melina,
>
>
>
> if we differentiated between personal and non-personal data only, it would
> not matter whom the data belonged to, e.g. a legal person record that
> contains personal information would be treated as the default: Do not
> publish.
>
>
>
> My vision is that the differentiation would only make a difference in the
> handling of that data within SSAD where interested parties would be granted
> quick access to such non-personal data, as required by NIS2.
>
>
>
>
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
> <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!S4qH_9yVum0x39KcAPU39X1TMMihgXMy-hSb7xObqmhFvANUMMPXI3VHvYWHCiYE40qLD3GD$>
>
> Key-Systems GmbH is a company registered at the local court of
> Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Oliver Fries and Robert Birkner
>
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> England and Wales with company number 8576358.
>
> This email and any files transmitted are confidential and intended only
> for the person(s) directly addressed. If you are not the intended
> recipient, any use, copying, transmission, distribution, or other forms of
> dissemination is strictly prohibited. If you have received this email in
> error, please notify the sender immediately and permanently delete this
> email with any files that may be attached.
>
>
>
>
>
> On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <
> Melina.STROUNGI at ec.europa.eu> wrote:
>
> Hi everyone,
>
>
>
> Setting aside various points raised below which are not correct, for the
> benefit of continuation of a constructive discussion I would like to raise
> some clarification questions to which written input would be very much
> appreciated.
>
>
>
> @Volker:
>
> 1) I am confused. I understand you and Sarah propose to have a
> distinction between personal and non-personal data, correct? Yet, below you
> suggest ‘*protecting all data equally’* and that ‘*you do not need to
> differentiate’*. So in conclusion what are you proposing? Should you
> differentiate between personal and non-personal data or you should not
> differentiate at all (which would mean that you publish zero information)?
>
> 2) In case yours and Sarah’s proposal to distinguish only between
> personal and non-personal data is still valid:
> i. Would you consider making such distinction a requirement or still
> voluntary?
>
> ii. How exactly would you envisage doing such a distinction in practice?
> Would you for instance ask the registrants to specify which data are
> personal or not? Would you have a dedicated team checking manually all
> data? Any other way?
>
>
>
> Thanks for clarifying these points as it would be very useful in view of
> our today’s EDPP plenary meeting.
>
>
>
> Best,
>
> Melina
>
>
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of *Volker
> Greimann via Gnso-epdp-team
> *Sent:* Wednesday, March 24, 2021 10:07 PM
> *To:* King, Brian <Brian.King at markmonitor.com>
> *Cc:*
> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>
>
>
> Hi Brian,
>
>
>
> That approach is actually very compliant with data protection law.
> Overprotection is not an issue. If you simply protect all data equally in a
> way that would be compliant, you do not need to differentiate.
>
>
>
> Accuracy is shown by demonstrating that the data is unchanged from the
> time it was created and how it was created, by showing that the data
> subject has contractually agreed to only provide accurate data (and correct
> if outdated), and has been provided with an annual opportunity to review
> the data. That is the level accuracy that is relevant under the accuracy
> principle of the GDPR, after all.
>
>
>
> On top of that (Bonus round for extra points here) the data collection
> process ensured that only properly formatted data was collected and the
> registrant has been required to verify his email address.
>
>
>
> So reasonable steps to ensure the accuracy have been taken, the data
> subject can request a correction at any time and we will take action on any
> indication of inaccuracy of the data.
>
>
>
> But the real problem isn't actually inaccurate data, in our experience. It
> is accurate data of the wrong data subject.
>
>
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
> <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQO0zZyZM$>
>
> Key-Systems GmbH is a company registered at the local court of
> Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Oliver Fries and Robert Birkner
>
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> England and Wales with company number 8576358.
>
> This email and any files transmitted are confidential and intended only
> for the person(s) directly addressed. If you are not the intended
> recipient, any use, copying, transmission, distribution, or other forms of
> dissemination is strictly prohibited. If you have received this email in
> error, please notify the sender immediately and permanently delete this
> email with any files that may be attached.
>
>
>
>
>
> On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King at markmonitor.com>
> wrote:
>
> Hey Volker,
>
>
>
> I suppose my point (and I think I’m also paraphrasing an intervention made
> by Melina previously) is that approach is not likely to be compliant with
> data protection law.
>
>
>
> I accept that the concept of accuracy as a policy matter is not within our
> remit, but let’s use accuracy as a data protection principle – how could a
> controller reasonably demonstrate to a DPA that the controller’s data is
> accurate, for example, if the controller has not even assessed whether the
> data is personal data?
>
>
>
>
>
> *Brian J. King*
> *He/Him/His*
>
> Head of Policy and Advocacy, Intellectual Property Group
>
>
> T +1 443 761 3726
>
> Time zone: US Eastern Time
>
>
>
> clarivate.com
> <https://urldefense.com/v3/__http:/www.clarivate.com__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQCW5YUXp$>
> | Accelerating innovation
>
> Follow us on LinkedIn
> <https://urldefense.com/v3/__https:/www.linkedin.com/company/clarivate__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQCvxAWKN$>,
> Twitter
> <https://urldefense.com/v3/__https:/twitter.com/clarivate?ref_src=twsrc*5Egoogle*7Ctwcamp*5Eserp*7Ctwgr*5Eauthor__;JSUlJSU!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQD240Aw8$>,
> Facebook
> <https://urldefense.com/v3/__https:/www.facebook.com/clarivate/__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQE3OR2v4$>
> and Instagram
> <https://urldefense.com/v3/__https:/www.instagram.com/clarivateofficial/?hl=en__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQJ4vFbZ1$>
>
>
>
> *From:* Volker Greimann <vgreimann at key-systems.net>
> *Sent:* Wednesday, March 24, 2021 3:58 PM
> *To:* King, Brian <Brian.King at markmonitor.com>
> *Cc:* Mueller, Milton L <milton at gatech.edu>; gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>
>
>
> Hi Brian,
>
>
>
> the easiest way to comply with data protection law is to simply treat all
> registration data as if it were personal data. No chance of ever running
> afoul data protection law if you do that correctly and it is pretty easy to
> demonstrate as well.
>
>
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net_&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=yN8BHspGj3eYe2CXQepAVOhufF1uWv8Ut-PpDdaFw-k&e=>
>
> Key-Systems GmbH is a company registered at the local court of
> Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Oliver Fries and Robert Birkner
>
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> England and Wales with company number 8576358.
>
> This email and any files transmitted are confidential and intended only
> for the person(s) directly addressed. If you are not the intended
> recipient, any use, copying, transmission, distribution, or other forms of
> dissemination is strictly prohibited. If you have received this email in
> error, please notify the sender immediately and permanently delete this
> email with any files that may be attached.
>
>
>
>
>
> On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <
> gnso-epdp-team at icann.org> wrote:
>
> Hi Milton,
>
>
>
> Thank you for the constructive intervention. Your point is well taken, and
> I can certainly see that from the RNH perspective.
>
>
>
> One feature of data protection law related to your point is that it
> requires data controllers and processors to be able to demonstrate
> compliance with the law. A controller or processor could doubtfully
> demonstrate compliance with data protection law if they had not determined
> whether they were actually processing personal data. In fact, data
> protection professionals will tell you that you absolutely must determine
> what personal data you’re processing as the first step toward compliance
> with data protection law. It seems the policy question is: what, if
> anything, should contracted parties be required to do based on the status
> of the data? Is that right?
>
>
>
> As always, we’re happy to work with you and look forward to finding
> consensus.
>
>
>
>
>
> *Brian J. King*
> *He/Him/His*
>
> Head of Policy and Advocacy, Intellectual Property Group
>
>
> T +1 443 761 3726
>
> Time zone: US Eastern Time
>
>
>
> clarivate.com
> <https://urldefense.com/v3/__http:/www.clarivate.com__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQCW5YUXp$>
> | Accelerating innovation
>
> Follow us on LinkedIn
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_clarivate&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=bTH9-uZa1ulAV7ltM77Kkw6zYbSjQTDRiIhZ5aILoQA&e=>,
> Twitter
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_clarivate-3Fref-5Fsrc-3Dtwsrc-255Egoogle-257Ctwcamp-255Eserp-257Ctwgr-255Eauthor&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=saAKJDKaijH6v2xkw6R0-WBownX8UIKXMN5zKsYPT58&e=>,
> Facebook
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_clarivate_&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=guRk82NQpoUPMKHhfkk8hBOD7LbP-ZT0VnzGOCoIzBI&e=>
> and Instagram
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.instagram.com_clarivateofficial_-3Fhl-3Den&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=ZZCjD7Z4CkwSecYOp5AXLrFBuQ3VgvD5E7kSFZsW9L4&e=>
>
>
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of *Mueller,
> Milton L via Gnso-epdp-team
> *Sent:* Wednesday, March 24, 2021 11:13 AM
> *To:* gnso-epdp-team at icann.org
> *Subject:* [Gnso-epdp-team] On the proposed guidance
>
>
>
> I was reading through two documents setting out in detail the proposed
> guidance on legal/natural.
>
> There seems to be more than one Google doc on this and I am not sure which
> one is the latest or most official, though I suspect it is the one with
> various people’s comments crawling all over it.
>
>
>
> I was pretty supportive of the Guidance overall. I had one problem with
> it, though.
>
> I liked the description of HOW the differentiation needed to take place.
> But in describing WHEN differentiation takes place and WHO would do it, it
> sets out 3 “high level scenarios”.
>
> The first two are ok. The third scenario (listed as #5 in the document) is
> that the Registrar does it for the RNH, based on “inferences.”
>
>
>
> That option just doesn’t fly for those of us representing RNH’s in this
> process. We cannot have a registrant’s disclosure status or person type
> determined FOR them by someone else. If we can strike that part of the
> guidance, I think we can be on our way to a much broader consensus.
>
>
>
> Dr. Milton L Mueller
>
> Georgia Institute of Technology
>
> School of Public Policy
>
> [image: IGP_logo_gold block]
>
>
>
> Confidentiality note: This e-mail may contain confidential information
> from Clarivate. If you are not the intended recipient, be aware that any
> disclosure, copying, distribution or use of the contents of this e-mail is
> strictly prohibited. If you have received this e-mail in error, please
> delete this e-mail and notify the sender immediately.
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=KB-Bo9xYcTsaV-lrfJIsfRxB7i_yekkMNRTbi8IUx2s&e=>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=KI3v50SXH9pcgbjslcb50spSZuwJHRD7_CnwSf_bcXc&e=>)
> and the website Terms of Service (https://www.icann.org/privacy/tos
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=Pe4S6hYEUMqw6Eq9DWqbMeaOGnw2zVXTDobhF5xUuY0&e=>).
> You can visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
>
> Confidentiality note: This e-mail may contain confidential information
> from Clarivate. If you are not the intended recipient, be aware that any
> disclosure, copying, distribution or use of the contents of this e-mail is
> strictly prohibited. If you have received this e-mail in error, please
> delete this e-mail and notify the sender immediately.
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20210414/cf7c1f52/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 11497 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20210414/cf7c1f52/image001-0001.png>
More information about the Gnso-epdp-team
mailing list