[Gnso-epdp-team] On the proposed guidance

Steve Crocker steve at shinkuro.com
Thu Apr 15 13:36:25 UTC 2021


Laureen,

Thanks for your note.  With respect to the details under legal person, we
believe the issue of consent should be moot.  Everyone who is named in a
role in a registration must have already been informed and consented to all
of the conditions involved in the role.  This is a prerequisite for having
a working system and is not specific to meeting a privacy regulation.  The
fact that this requirement is not specified in the existing contractual
documentation is an error and needs to be rectified.

Steve


On Thu, Apr 15, 2021 at 6:28 AM Kapin, Laureen via Gnso-epdp-team <
gnso-epdp-team at icann.org> wrote:

> I think we share common ground on many key issues and I would like to
> build on the many helpful inputs received as to what would be advisable.
>
>
>
> *Goal*: publish non-personal, non-protected data to the greatest extent
> permissible under the GDPR and within low legal risks to data controllers
> and processors.  Note, the description below does *not* fully detail the
> advised safeguards which B&B has documented and which we’ve adopted in our
> prior input because my impression is that we generally agree that the
> safeguards are prudent.  This description merely seeks to identify the key
> steps that must be taken to ensure that personal data is identified and
> protected and non-personal data is published.  I also highlight the
> addition of a potential additional safeguard – Confirmation.  I think this
> process incorporates what we’ve discussed and inputs received and could
> form a useful framework for discussion.
>
>
>
> *Note:*
>
>
>
> -  *New Registrations:* This process applies to new registrations (Steve
> C. has some useful thoughts on how to deal with existing Registrations)
>
> -  *Publish:* When I use the word “publish,” I mean made public directly;
> not via the SSAD.
>
> -  *Flexibility:* Based on input from our Registrar colleagues, we should
> permit flexibility for how these steps are implemented to account for the
> varied business models in place.
>
> -  *Timing:* All identifications need to take place at the time of
> registration or shortly thereafter (w/in the 13-day accuracy verification
> window) and no registration data should be published until the
> identification, consent, and confirmation process concludes
>
>
>
> *Process:*
>
> 1.   A threshold identification of the registrant as a natural or legal
>      person;
>
>      a.   If natural, registration info redacted
>
>      b.   If legal, further inquiries and advisories (safeguards):
>
>           i.    if the legal person identifies that it has a protected
>                 status under the GDPR
>
>                 1.   registration info redacted
>
>           ii.   If the legal person registration contains personal data,
>                 advise of consequences (publication)
>
>                 1.   Obtain necessary consents
>
>                 2.   *Possible additional safeguard*: *Ask Registrant to
>                      Confirm any identification that will result in
>                      publication of contact data* (akin to confirming a
>                      flight reservation or stock trade)
>
>                      a.   Publish
>
>                 3.   If no consent
>
>                      a.   Redact
>
> 2.   Provide quick and easy opportunity to correct any mistakes
>
>
>
> I hope this is useful.
>
>
>
>
>
> Kind regards,
>
>
>
> Laureen Kapin
>
> Counsel for International Consumer Protection
>
> Federal Trade Commission
>
> (202) 326-3237
>
>
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of* Volker
> Greimann via Gnso-epdp-team
> *Sent:* Thursday, April 15, 2021 8:35 AM
> *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>
>
>
> I think we need to be cognisant of the current status quo and use that as
> the basis for our thoughts on the matter:
>
>
>
> 1) There is no differentiation between legal or natural contacts.
>
> 2) The redaction of all contacts is permitted and has become the de-facto
> standard.
>
> 3) We allow consent-based disclosure.
>
> 4) NIS 2 may at some point in the future require publication of
> non-personal information.
>
>
>
> This leads to two very simple follow-on questions:
>
> a) How do we identify such non-personal information? What is really
> necessary for this end?
>
> b) What would publication entail?
>
>
>
> For a) we and Twobirds identified voluntary self-declaration of the data
> submitted. As all data is redacted by default, the differentiation of the
> data subject category is irrelevant as it ultimately only boils down to the
> declaration of the data subject that the data contains no personal
> information.
>
>
>
> For b), the term "publish" is undefined. For all we know, it could mean
> publication in a physical print edition (it doesn't mean that though). But
> publication within SSAD can very well be sufficient for that definition.
> There is no reason whatsoever to assume differently.
>
>
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
>
> Key-Systems GmbH is a company registered at the local court of
> Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Oliver Fries and Robert Birkner
>
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> England and Wales with company number 8576358.
>
> This email and any files transmitted are confidential and intended only
> for the person(s) directly addressed. If you are not the intended
> recipient, any use, copying, transmission, distribution, or other forms of
> dissemination is strictly prohibited. If you have received this email in
> error, please notify the sender immediately and permanently delete this
> email with any files that may be attached.
>
>
>
>
>
>
>
>
>
> On Thu, Apr 15, 2021 at 1:52 PM Hadia Abdelsalam Mokhtar EL miniawi via
> Gnso-epdp-team <gnso-epdp-team at icann.org> wrote:
>
> Dear Milton,
>
>
>
> Thank you for your constructive thoughts. I believe we have a lot to build
> on. In relation to principle one, I think we all agree that some legal data
> subjects would want to publish their data in the RDDS, but without your
> first principle they can only do this through consent. The legal memo
> received lately from Bird & Bird explains that if CPs publish the data of
> legal persons based on consent they are at a higher risk than if they
> publish the data of legal persons based on self-designation. In the latter
> case CPs might only be liable if they fail to address a complaint. So the
> question always was: what is the benefit of labeling the data as belonging
> to a natural or legal person? Of course we all know that GDPR protects the
> data of natural persons and not legal persons, but the important answer now
> is that the distinction significantly reduces the liability of CPs. In
> addition, the distinction is helpful in performing the balancing test in
> case the data is not published and I am sure if we look into individual use
> cases we can find many more benefits. Moreover, it could prove to be useful
> regarding possible upcoming regulations. I would also add that the level of
> protection assigned to the data elements suggested by Steve provides
> additional safeguards and flexibility in the implementation.
>
>
>
> Finally, I join you in being optimistic about our ability to finish this.
>
>
>
> Kind regards
>
> Hadia
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] *On
> Behalf Of* Mueller, Milton L via Gnso-epdp-team
> *Sent:* Wednesday, April 14, 2021 10:12 PM
> *To:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>
>
>
> Colleagues:
>
> I have only gotten time to review the latest Guidance document and the
> surrounding debate today. Apologies, but there is a lot going on in my day
> job.
>
>
>
> I am disappointed to see that we seem to be going backwards. I see
> divergence rather than convergence on the way we are approaching the
> problem.
>
>
>
> I see no point in adding more noise to the current document via the
> Comments function. What I would like to try to do is articulate some broad
> principles about how to deal with the legal/natural distinction. If we can
> agree on those principles, it will be relatively easy to complete the
> document. If we cannot/do not agree on those principles, additional
> wordsmithing and debates over terms will not get us anywhere.
>
>
>
> So here are the broad principles that I would offer up for debate:
>
>
>
> 1.       The legal/natural distinction is relevant and we need to find a
> way to make it in RDDS without compromising privacy rights.
>
> 2.       Registrants should be able to self-designate as legal or
> natural, with no burden of authentication placed on registrars or registries
>
> 3.       To protect small home offices or NGOs who are technically Legal
> persons but whose registration data may include Personal data, we need an
> additional check in the process.
>
> 4.       As long as they conform with the above 3 principles,
> registrars/ries (CPs) should be given maximum flexibility to choose the way
> to differentiate.
>
>
>
> Principle 1 discussion:
>
> If we cannot agree on this (or agree to abandon this principle), _*nothing
> else will fall into place*_. Ever. So let’s settle that. Steve and Volker
> I suspect will disagree with this principle. Steve has argued that the L/N
> distinction is “not a central concern” and all that matters is whether the
> registrant’s data is to be made available to anyone. If he is right, we can
> discard the guidance altogether, because we already have a recommendation
> to allow the RNH to consent to the publication of their data. Volker has
> also suggested that it is personal data we need to differentiate, not L/N.
> I disagree with Steve and Volker on this and so do most of the rest of the
> group. L/N distinction is a central concern to certain stakeholder groups
> in the EPDP, because a) GDPR and other data protection laws do not protect
> it and this process is all about bringing RDS into compliance with privacy
> law; b) Legal person data could be published and it would provide easier
> access to their registration data. As a NCSG member I can find no basis for
> objecting to the publication of WalMart’s, Kroger’s or the local hardware
> store’s registration data. Any concerns about PII are addressed by
> principles 2 and 3. Steve is approaching this as an engineer, but this is a
> policy process, and we will not obtain agreement on a solution unless
> certain stakeholders are satisfied. If they think it is a central concern,
> it’s a central concern, that’s how policy/politics work.
>
>
>
> Principle 2 discussion
>
> This is the key principle that keeps NCSG and CPH satisfied. Registrants
> are in control of how they are designated. Yes, this means that some people
> will lie. That is just something we will have to accept. One cannot erase
> that possibility without creating a system that is too burdensome and
> costly as to outweigh any benefits.
>
>
>
> Principle 3 discussion
>
> This is something everyone seems to agree on already. But it is good to
> make it explicit, then we can work out how specific our guidance can get,
> so as to conform to …
>
>
>
> Principle 4
>
> Avoid being overly prescriptive, but ensure that the other 3 principles
> are honored. So yes, Volker, we give you maximum flexibility to implement
> in accordance with different business models, but you can NOT make a
> designation for a RNH, because it violates principle 2.
>
>
>
> I truly believe that if we can come to agreement on these 4 principles and
> use them as the basis for drafting guidance, we can actually finish this.
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list in accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
>
>
>
>