<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:inherit;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Art. 5 GDPR Principles relating to processing of personal data<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#333333;background:white'>2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”</span><span style='font-size:11.0pt'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>There has been discussion in legal and GDPR compliance communities that the above means all of these:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>e) Within some limits, the parties to a Date Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>All best,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>--Greg<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> <b>On Behalf Of </b>Mueller, Milton L<br><b>Sent:</b> Saturday, May 25, 2019 9:18 AM<br><b>To:</b> Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org<br><b>Cc:</b> gnso-epdp-team@icann.org<br><b>Subject:</b> Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Dear Georgios and colleagues:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>I think the questions related to accuracy below are not worth sending to the lawyers. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _<i>of the data subject</i>_, not a right of third parties to accurate data about the data subject. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Article 18, Right to restriction of processing:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>-----------------------------------------------------------<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F4E79;background:white'>“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the </span><span style='font-size:11.0pt;color:#1F4E79;border:none windowtext 1.0pt;padding:0in;background:#FAF5E1'>accuracy</span><span style='font-size:11.0pt;color:#1F4E79;background:white'> of the personal data is contested by the data subject, for a period enabling the controller to verify the </span><span style='font-size:11.0pt;color:#1F4E79;border:none windowtext 1.0pt;padding:0in;background:#FAF5E1'>accuracy</span><span style='font-size:11.0pt;color:#1F4E79;background:white'> of the personal data;” </span><span style='font-size:10.0pt;color:#1F4E79'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:12.0pt;margin-right:0in;margin-bottom:12.0pt;margin-left:0in;background:white;vertical-align:baseline'><span style='font-size:11.0pt;color:#1F497D'>Article 82 says “</span><span style='font-size:11.0pt;color:#1F4E79'>Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data. </span><span style='font-family:inherit;color:#333333'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Dr. Milton L Mueller<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>Georgia Institute of Technology<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'>School of Public Policy<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org">gnso-epdp-team-bounces@icann.org</a>> <b>On Behalf Of </b><a href="mailto:Georgios.TSELENTIS@ec.europa.eu">Georgios.TSELENTIS@ec.europa.eu</a><br><b>Sent:</b> Friday, May 24, 2019 7:02 PM<br><b>To:</b> <a href="mailto:caitlin.tubergen@icann.org">caitlin.tubergen@icann.org</a><br><b>Cc:</b> <a href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><br><b>Subject:</b> Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Dear Caitlin, colleagues,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Please find below questions on the topics of the legal memos from the GAC:<o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Accuracy<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV pf the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Natural or non-natural persons<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Technical contact <o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration? <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>General question:<o:p></o:p></span></b></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>. How could anonymisatio/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Apologies again for the delay of our submission.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'>Georgios Tselentis (GAC-EPDP)<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:11.0pt;color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-left:.5in'><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org">gnso-epdp-team-bounces@icann.org</a>> <b>On Behalf Of </b>Caitlin Tubergen<br><b>Sent:</b> Wednesday, May 22, 2019 5:22 PM<br><b>To:</b> <a href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><br><b>Subject:</b> [Gnso-epdp-team] For your review - Clarifying Legal Questions Table<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Dear EPDP Team,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Thank you.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Best regards,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Marika, Berry, and Caitlin<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><o:p> </o:p></p></div></body></html>