<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"open sans";}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Yes, data subjects can request their data from a party that holds it; those kinds of GDPR requests are sometimes made through out-of-band methods and don’t require the data subjects to be system users with system accounts. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The operator must be able to respond to requests from data subjects… but for completeness, it must do so AFAIK ONLY IF the operator holds the data. Most models discussed so far don’t have the SSAD operator storing all the data – it could merely shuttle data back and forth. The group will no doubt discuss that design aspect more later. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>All best,<o:p></o:p></p><p class=MsoNormal>--Greg<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b>From:</b> Alan Woods <alan@donuts.email> <br><b>Sent:</b> Friday, June 7, 2019 11:06 AM<br><b>To:</b> Greg Aaron <greg@illumintel.com><br><b>Cc:</b> Sarah Wyld <swyld@tucows.com>; GNSO EPDP <gnso-epdp-team@icann.org><br><b>Subject:</b> Re: [Gnso-epdp-team] RrSG initial comment on SSAD Registrant user group<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Thank you Sarah.<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Greg just for completeness, an EU data subject will of course still be entitled to exercise their rights against the 'SSAD' also. If their data is processed within the SSAD then whoever is the guardian of that system, shall have to have <o:p></o:p></p></div><div><p class=MsoNormal>a) a viable and robust process for dealing with such requests directly themselves (assuming they are a controller), and/or<o:p></o:p></p></div><div><p class=MsoNormal> b) provide the necessary information and aid to other controllers dealing with such requests in this data processing ecosphere (especially Art 17). <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>But I do agree, expecting them to have to be a "subscribed" or "credentialed" user in order to exercise such rights is a <b><u>very</u></b> bad idea. <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Alan<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p><div><div><div><div><div><div><div><div><div><div><div><table class=MsoNormalTable border=0 cellpadding=0><tr><td style='padding:0in 5.25pt 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in'><span style='color:windowtext'><a href="http://donuts.domains/" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=75 height=75 style='width:.7812in;height:.7812in' id="Picture_x0020_6" src="cid:image001.jpg@01D51F74.74916250" alt="Image removed by sender. Donuts Inc."></span></a><o:p></o:p></span></p></td><td style='padding:0in 5.25pt 0in 0in'><div><p class=MsoNormal style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:12.75pt'><b><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'>Alan Woods</span></b><b><span style='font-size:10.5pt;font-family:"Tahoma",sans-serif;color:windowtext'><o:p></o:p></span></b></p></div><div><p class=MsoNormal style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in'><span style='font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333'>Senior Compliance & Policy Manager, Donuts Inc.</span><span style='color:windowtext'> <o:p></o:p></span></p><div style='margin-top:7.5pt;margin-bottom:7.5pt'><div class=MsoNormal align=center style='text-align:center'><span style='color:windowtext'><hr size=2 width="100%" align=center></span></div></div><p class=MsoNormal style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in'><span style='font-size:8.5pt;font-family:"Arial",sans-serif;color:#333333'>The Victorians, </span><span style='color:windowtext'><o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in'><span style='font-size:8.5pt;font-family:"Arial",sans-serif;color:#333333'>15-18 Earlsfort Terrace<br>Dublin 2, County Dublin</span><span style='font-size:9.0pt;font-family:"open sans";color:#D6D6D6'><br></span><span style='font-size:8.5pt;font-family:"Arial",sans-serif;color:#333333'>Ireland</span><span style='color:windowtext'><br><br><a href="https://www.facebook.com/donutstlds" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=100 height=100 style='width:1.0416in;height:1.0416in' id="Picture_x0020_3" src="cid:~WRD228.jpg" alt="Image removed by sender."></span></a> <a href="https://twitter.com/DonutsInc" target="_blank"><span style='border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=100 height=100 style='width:1.0416in;height:1.0416in' id="Picture_x0020_4" src="cid:~WRD228.jpg" alt="Image removed by sender."></span></a> <a href="https://www.linkedin.com/company/donuts-inc" target="_blank"><span style='font-size:10.5pt;border:solid windowtext 1.0pt;padding:0in;text-decoration:none'><img border=0 width=100 height=100 style='width:1.0416in;height:1.0416in' id="Picture_x0020_5" src="cid:~WRD228.jpg" alt="Image removed by sender."></span></a><o:p></o:p></span></p></div></td></tr></table><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Cambria",serif'>Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.</span><o:p></o:p></p></div></div></div></div></div></div></div></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, Jun 7, 2019 at 3:33 PM Greg Aaron <<a href="mailto:greg@illumintel.com" target="_blank">greg@illumintel.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Agree. Registrants already have the appropriate means to view their own sensitive data fields and update their domain data: the registrar’s system. And that provides controlled, permissioned access for the registrants to see their data and theirs only. And registrants will have public access to RDS to see non-sensitive data about their domains.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>To offer registrants access to the SSAD System on top of that would be a nightmare from an access management view. (How would registrants get credentials into a SSAD, and how would that system know what records the registrant is allowed to see?) SSAD is for third parties who need to access non-public data.<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>All best,<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>--Greg<o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b> Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank">gnso-epdp-team-bounces@icann.org</a>> <b>On Behalf Of </b>Sarah Wyld<br><b>Sent:</b> Thursday, June 6, 2019 9:36 AM<br><b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank">gnso-epdp-team@icann.org</a><br><b>Subject:</b> [Gnso-epdp-team] RrSG initial comment on SSAD Registrant user group<o:p></o:p></p></div></div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> <o:p></o:p></p><p>Hello all,<o:p></o:p></p><p style='margin-bottom:12.0pt'>The RrSG has significant concerns with the inclusion of Registrants as a user group for the System for Standardized Disclosure of non-public gTLD registration data, and strongly recommends that this group be removed from the proposed list of users. We are curious as to the origin of these proposed user groups, and suggest that instead of working through this list we begin by reviewing the purposes for processing data (Recommendation 1) and assessing the potential user group applicable to each purpose. <br><br>Registrants already access their domains via their service provider (registrar or reseller)’s system, as required under the RAA. Having multiple interfaces to access the same information poses a significant risk of inappropriate data exposure; this unnecessary and unbalanced security risk is not compliant with data protection law. It also creates a confusing user experience for the registrant. For example, if a registrant uses the SSAD to review their domain data for the purpose of confirming that it is accurate, they would still need to work with their service provider to confirm that the data held in that system is also up to date. <br><br>The RrSG notes that a system used to access or disclose data is not also a system to modify that data. The EPDP team definitions of access and disclosure do not include any capability to modify the data, so this is a new addition to the requirements not grounded in any previously agreed-upon basis or definition. Modification of domains via the SSAD could easily result in synchronization issues and security risks, where the SSAD holds data that is different from what is in the registrar or reseller’s platform, or an unauthorized party could modify and even hijack a registered domain. This also represents a fundamental shift from the system in place for the past twenty years: EPP is one-directional, with data flowing from the reseller or registrar through to the registry, so any functionality for updating domain data would need to be created and implemented by thousands of service providers worldwide. <br><br>We look forward to discussing this important concern at today’s EPDP team call. Beyond these concerns about the “Registrants” group, we are also uncertain that “end users” is a valid group; this and the other groups should be discussed with the plenary team. <o:p></o:p></p><pre>-- <o:p></o:p></pre><pre>Sarah Wyld<o:p></o:p></pre><pre>Domains Product Team<o:p></o:p></pre><pre>Tucows<o:p></o:p></pre><pre>+1.416 535 0123 Ext. 1392<o:p></o:p></pre><pre> <o:p></o:p></pre><pre> <o:p></o:p></pre></div></div><p class=MsoNormal>_______________________________________________<br>Gnso-epdp-team mailing list<br><a href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>_______________________________________________<br>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<o:p></o:p></p></blockquote></div></div></body></html>