<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>This is my interpretation of the accuracy principle of the GDPR
as well. As most of the GDPR, it is designed with the rights of
and protections for the data subject in mind and must be
interpreted under that premise. <br>
</p>
<p>Volker<br>
</p>
<div class="moz-cite-prefix">Am 25.05.2019 um 15:17 schrieb Mueller,
Milton L:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR07MB4575A3FDADE84FFD3ADD7230A1030@SN6PR07MB4575.namprd07.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:inherit;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:192038701;
mso-list-template-ids:-1786486808;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Dear Georgios and
colleagues:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">I think the questions
related to accuracy below are not worth sending to the
lawyers.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">They are based on a
fundamental misconception, one which we have identified many
times. Accuracy in GDPR and other data protection law is a
right _<i>of the data subject</i>_, not a right of third
parties to accurate data about the data subject. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">To prove this, beyond
a shadow of the doubt, let me note that the word “accuracy”
appears in GDPR in only two places, in Art 18. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Article 18, Right to
restriction of processing:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">-----------------------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%;background:white">“The
data subject shall have the right to obtain from the
controller restriction of processing where one of the
following applies: the </span><span
style="font-size:11.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%;border:none
windowtext 1.0pt;padding:0in;background:#FAF5E1">accuracy</span><span
style="font-size:11.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%;background:white"> of
the personal data is contested by the data subject, for a
period enabling the controller to verify the </span><span
style="font-size:11.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%;border:none
windowtext 1.0pt;padding:0in;background:#FAF5E1">accuracy</span><span
style="font-size:11.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%;background:white"> of
the personal data;” </span><span
style="font-size:10.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">So data subjects can
contest the accuracy of data about them, or require
controllers to verify its accuracy. There is NO OTHER
reference to accuracy in the entire GDPR.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Georgios’s questions
are based on the assumption that third parties have a right
to accurate contact data about the data subject. That
assumption was embedded in the old Whois and pre-GDPR Whois
accuracy policies, all of which were predicated on
indiscriminate publication of the contact data to any and
all third parties. That regime is gone. And it’s recognized
even by the most militant pro-surveillance interests that
such indiscriminate disclosure is illegal. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Likewise, Georgios
asks about liability under Article 82 of GDPR. Again all we
need to do is actually read Art 82 to find the answer:
<o:p></o:p></span></p>
<p class="MsoNormal"
style="mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white;vertical-align:baseline"><span
style="font-size:11.0pt;color:#1F497D">Article 82 says “</span><span
style="font-size:11.0pt;color:#1F4E79;mso-style-textfill-fill-color:#1F4E79;mso-style-textfill-fill-alpha:100.0%">Any
person who has suffered material or non-material damage as a
result of an infringement of this Regulation shall have the
right to receive compensation from the controller or
processor for the damage suffered.” So this is a right of
PERSONS (data subjects) to compensation based on illegal
acts of controllers and processors of THEIR data. It is not
a right of third parties to accurate information about the
data subject, and it certainly creates no liability for
controllers or processors for the inaccuracy of the
registrants’ data.
</span><span
style="font-family:"inherit",serif;color:#333333"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Dr. Milton L Mueller<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">Georgia Institute of
Technology<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D">School of Public
Policy<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Gnso-epdp-team
<a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><gnso-epdp-team-bounces@icann.org></a>
<b>On Behalf Of </b><a class="moz-txt-link-abbreviated" href="mailto:Georgios.TSELENTIS@ec.europa.eu">Georgios.TSELENTIS@ec.europa.eu</a><br>
<b>Sent:</b> Friday, May 24, 2019 7:02 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:caitlin.tubergen@icann.org">caitlin.tubergen@icann.org</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> Re: [Gnso-epdp-team] For your review -
Clarifying Legal Questions Table<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Dear
Caitlin, colleagues,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Please
find below questions on the topics of the legal memos from
the GAC:<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Accuracy<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
If current verification statistics provide that a large
number of data is inaccurate isn't that a metric to deduce
that the accuracy principle is not served in a reasonable
manner as demanded by the GDPR?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
According to the GDPR all personal data are processed based
on the principle that they are necessary for the purpose for
which they are collected. If those data are necessary, how
can the purpose be served while the data are inaccurate? <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
Can you provide an analysis on the third-parties mentioned
in para 19 on which "ICANN and the relevant parties may rely
on to confirm the accuracy of personal data if it is
reasonable to do so"? Do they become in such a scenario data
processors? <o:p>
</o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
How does the accuracy principle in connection to the
parties' liability has to be understood in light of the
accountability principle of the GDPR? What are the
responsibilities of ICANN and the contracted parties (who
are subject to the GDPR) under Chapter IV pf the GDPR? If
the contracted parties (as data controllers) engage third
entities as processors (e.g. to provide data back-up
services), what are the responsibilities of these entities?
What does this mean in terms of liabilities (in light of
Art. 82 GDPR)?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
While in the first place it is up to the registrants to
provide accurate details about themselves and it is up to
the registrants not to mistakenly identify themselves as
natural or legal persons, the Memo on "Natural vs Legal
persons" provides interesting ideas/suggestions for the
contracted parties to proactively ensuring the reliability
of information provided, including through measures to
independently verify the data. Could similar mechanisms be
identified also for ensuring the reliability of the contact
details of the registrant? Can best practices be drawn from
the ccTLD?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Natural
or non-natural persons<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
How is the (inaccurate or accurate) designation by the
registrant about her status as non-natural person considered
personal data information? If it's not is the analysis about
whether the accuracy principle applies relevant?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
How would the analysis provided take into account the
possibility for registrants who are natural persons to
"opt-in" for a full publication of their personal data?
Indeed it might be the case that some of these registrants
might wish to ensure their details are available on WHOIS.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Technical
contact
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Most of
the issue for not allowing this seems to be around the
inability to verify if the RNH has obtained consent from the
technical contact. When the CP's verify the email address
could consent also be confirmed for the term of the
registration? <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">General
question:<o:p></o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">.
How could anonymisatio/pseudonymisation techniques be of
help in complying with the GDPR while also allowing for
additional disclosure of certain data elements? E.g. use of
anonymised/pseudonymised emails and names, in particular in
the context of registrations by legal persons.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Apologies
again for the delay of our submission.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB">Georgios
Tselentis (GAC-EPDP)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;color:#1F497D" lang="EN-GB"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:11.0pt">From:</span></b><span
style="font-size:11.0pt"> Gnso-epdp-team <<a
href="mailto:gnso-epdp-team-bounces@icann.org"
moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
<b>On Behalf Of </b>Caitlin Tubergen<br>
<b>Sent:</b> Wednesday, May 22, 2019 5:22 PM<br>
<b>To:</b> <a href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> [Gnso-epdp-team] For your review -
Clarifying Legal Questions Table<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt">Dear EPDP Team,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt">Following up on an action item from
our last meeting, please find attached a table which
organizes the clarifying legal questions received to date.
We will discuss the table during our next meeting.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt">Please note that the deadline for
submitting additional clarifying questions is before 14:00
UTC on Thursday, 23 May. If additional questions come in
before the deadline, we will update the table accordingly.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt">Thank you.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt">Marika, Berry, and Caitlin<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:"Times New
Roman",serif;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>