<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

</head>

<body text="#000000" bgcolor="#FFFFFF">

<p><font size="+1"><font face="Lucida Grande">Given that Cherine Chalaby has just written to Keith Drazek (GNSO Council Chair) to express worry over whether we are going to finish this thing on time, perhaps we ought to stick to what is within scope.  It is

 not clear to me how a new policy requiring that a distinction be made between legal and natural persons is within scope. 

<br>

</font></font></p>

<p><font size="+1"><font face="Lucida Grande">Further to this general remark, I do not see any way a registrar or registry can evade responsibility for "accidently"  collecting personal information.  Consent has to be meaningful and informed.  On accuracy....read

 the RDS reveiw Team II report which is doubling down on accuracy.  I would certainly not sign on to this one, if I were a registrar.</font></font></p>

<p><font size="+1"><font face="Lucida Grande">It's a good try though!</font></font></p>

<p><font size="+1"><font face="Lucida Grande">STephanie Perrin</font></font><br>

</p>

<div class="moz-cite-prefix">On 2018-11-14 16:06, Benedict Addis wrote:<br>

</div>

<blockquote type="cite" cite="mid:6CECBD77-B99F-4B82-ACE7-08424277162B@theale.co.uk">

Dear Alan, Hadia,

<div class=""><br class="">

</div>

<div class="">I’ve discussed this with SSAC colleagues, and propose the following compromise:</div>

<div class=""><br class="">

</div>

<div class="">1. Introduction of policy requiring registrant to make a legal / natural person declaration.</div>

<div class=""><br class="">

</div>

<div class="">2. Declaration would be mandatory for registrars to implement within a reasonable time.</div>

<div class=""><br class="">

</div>

<div class="">3. No obligation for registrars to verify accuracy of declaration.</div>

<div class=""><br class="">

</div>

<div class="">4. A declaration would only be required during ‘contact' with registrant, ie on registration, renewal, and transfer (by gaining registrar).</div>

<div class=""><br class="">

</div>

<div class="">

<div class="">5. Registrar may make declaration on behalf of registrant if it has reasonable knowledge of registrant’s status.</div>

</div>

<div class=""><br class="">

</div>

<div class="">6. Registrant may change their declaration at any time.</div>

<div class=""><br class="">

</div>

<div class="">7. Fail safe: the absence of a declaration results in assumption that the registrant is a natural person; i.e. default redaction of data.</div>

<div class=""><br class="">

</div>

<div class="">8. No obligation to obtain retroactive declarations. (The average domain lifespan is 1.4 years so adoption will happen naturally.)</div>

<div class=""><br class="">

</div>

<div class="">9. "edge case" legal persons - for example those trading from home (like me!) or in certain protected categories (as suggested by Stephanie) - may additionally declare that the registration data contained personal or sensitive information, so

 that it may be redacted.</div>

<div class=""><br class="">

</div>

<div class="">10. False declarations will be subject to the normal whois inaccuracy complaint process.</div>

<div class=""><br class="">

</div>

<div class="">If the team thinks this proposal has merit, there may be an opportunity to run it past the EDPB for approval. Your thoughts welcome!</div>

<div class=""><br class="">

</div>

<div class="">Best,</div>

<div class="">Benedict.</div>

<div class=""><br class="">

</div>

<div class=""><br class="">

</div>

<div class="">

<div><br class="">

<blockquote type="cite" class="">

<div class="">On 14 Nov 2018, at 18:11, Alan Woods <<a href="mailto:alan@donuts.email" class="" moz-do-not-send="true">alan@donuts.email</a>> wrote:</div>

<br class="Apple-interchange-newline">

<div class="">

<div dir="ltr" class=""><span id="gmail-docs-internal-guid-821d4693-7fff-214a-35cb-9548289f5167" class="">

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Dear Team,  </span></div>

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class=""></span></p>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Thank you, Hadia and Alan for

 your statements. As the Ry reps (supported by the registrars) have already explained we believe the mandatory policy is unsuitable noting our assessment as to the reasons grounding that position. I believe it would be beneficial to the team, if the ALAC could

 similarly provide us with your grounding reasoning as to why you believe such a mandatory policy is appropriate, given the risks we have already noted to both the Data Subject AND, the CPs, both of whom will be impacted to the greatest extent by such a recommendation.</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" id="gmail-docs-internal-guid-b6f2664b-7fff-b2c6-ba19-2a7488fb736f" class=""><br class="">

<br class="">

</b></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">To leadership Team:

</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">I think at this point, given

 the relatively small time left remaining in this process, that we need to set clear expectations for the provision of any such SO/AC/SG/C ‘recommendations’. At a minimum we should be insisting that SO/AC/SG/Cs who wish to make any recommendations must also

 provide their assessment/reasoning for such a conclusion, capable of grounding any such recommendation; more so specifically in cases such as this, where such views are at complete odds with strongly stated concerns and reservations of another SO/AC/SG/C already

 on record, of which they are reasonably aware of at the time of submission.</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

</b></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Using this recommendation as

 an example, and my apologies, this is not aimed specifically at ALAC, but it is the example to hand. I’m fully sure that Hadia and Alan have not come to this conclusion lightly.

</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

</b></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">That being said, if I may illustrate

 the point however by highlighting why grounding reasons are so vital in this particular recommendation. In my consideration of the proposal I would pose the following questions which immediately spring to mind.

</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

</b></div>

<ul style="margin-top:0pt;margin-bottom:0pt" class="">

<li dir="ltr" style="list-style-type:disc;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">WHY

 is minimum mandatory policy considered suitable, given the concerns raised? What factors were considered that seem to outweigh such concerns?

</span></div>

</li></ul>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

</b></div>

<ul style="margin-top:0pt;margin-bottom:0pt" class="">

<li dir="ltr" style="list-style-type:disc;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Given

 the representations on record as to the inability to implement a mandatory policy, how is the recommendation made compatible with Art 25 of the GDPR?</span><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">

</span></div>

</li></ul>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

</b></div>

<ul style="margin-top:0pt;margin-bottom:0pt" class="">

<li dir="ltr" style="list-style-type:disc;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Given

 that representations on record as to concerns regarding the security of personal data, should a mandatory policy be implemented?

</span></div>

</li></ul>

<ul style="margin-top:0pt;margin-bottom:0pt" class="">

<ul style="margin-top:0pt;margin-bottom:0pt" class="">

<li dir="ltr" style="list-style-type:circle;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">At

 the very least, any such recommendation must be accompanied by an assessment under Art 32?

</span><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class=""> </span><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class=""> </span></div>

</li></ul>

</ul>

<ul style="margin-top:0pt;margin-bottom:0pt" class="">

<li dir="ltr" style="list-style-type:disc;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;margin-left:36pt" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Art

 32 (2) requires an assessment as to security and the preventive methods against breaches be undertaken. The ePDP recommendation must ultimately also include such an assessment, therefore for clarity, any party who makes such a recommendation, should also provide

 a grounding assessment as to such a recommendation.</span></div>

</li><li dir="ltr" style="list-style-type:disc;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;margin-left:36pt" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Again

 this assessment </span><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:700;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">must</span><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">

 take into account matters such as risk of breach, with due deference to the helpful headings as provided by Art 32 (1). It must also provide acceptable answers or at least provide reasons for dismissing to concerns raised.</span></div>

</li><li dir="ltr" style="list-style-type:disc;font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;margin-left:36pt" class="">

<div style="line-height: 1.38; margin-top: 0pt; margin-bottom: 0pt;" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">So

 given the strongly stated concerns the CPs have raised regarding the likelihood of a higher risk of breach of data, were a mandatory policy to be imposed, it is incumbent on those suggesting to disregard such a concern, to provide their reasoning for such

 a decision.</span></div>

</li></ul>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

<br class="">

</b></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">I appreciate we all have viewpoints

 (strong ones) on this, but without providing a reasoned supported argument for a certain recommendation to the group, we cannot possibly fairly assess such a recommendation.

</span><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">I must therefore urge

 and request leadership to be insistent going forward, that any such recommendations made by any SO/AC/SG/C (Registries included of course) MUST be accompanied by a full statement of the reasons grounding the recommendation, including, as we are talking about

 data subject rights, an assessment as to the impact the proposed policy recommendation may have on the privacy rights of the individual, or indeed on the ability of the CPs to implement.

</span></div>

<p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt" class=""><span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class=""></span></p>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<b style="font-weight:normal" class=""><br class="">

</b></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Kind regards,</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<span style="font-size:10pt;font-family:Arial;color:rgb(34,34,34);background-color:rgb(255,255,255);font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre-wrap" class="">Alan Woods

</span></div>

<div style="line-height: 1.38; margin-top: 0pt;

                    margin-bottom: 0pt;" class="">

<br class="gmail-Apple-interchange-newline">

</div>

</span></div>

_______________________________________________<br class="">

Gnso-epdp-team mailing list<br class="">

<a href="mailto:Gnso-epdp-team@icann.org" class="" moz-do-not-send="true">Gnso-epdp-team@icann.org</a><br class="">

<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a></div>

</blockquote>

</div>

<br class="">

</div>

<br>

<fieldset class="mimeAttachmentHeader"></fieldset>

<pre class="moz-quote-pre" wrap="">_______________________________________________

Gnso-epdp-team mailing list

<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>

<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a></pre>

</blockquote>

</body>

</html>