<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<p>As is often the case, I agree with everything Volker has said in
recent posts. I think that perhaps it might be helpful if I put
down a few of my persistent questions that have not been answered:</p>
<p>1. Why are we talking about a draft directive that has not
passed, will be implemented differently when each member state
gets hold of it, and does not apply outside Europe? We are
supposed to be aiming at compliance with GDPR because it is the
global standard at the moment. I sincerely doubt that other
countries who are passing GDPR-compliant privacy legislation are
going to rush out and pass a directive modelled on this one. We
are supposed to be taking a harmonized, global approach, if you
recall?<br>
</p>
<p>2. Or are we hanging on to the WHOIS conflicts of law so that
contracted parties will not be sanctioned for complying with
national law?</p>
<p>3. As to the instrument of disclosure for legal persons' data <i>which
is not protected under the GDPR</i><i>, </i>as I have tried to
point out, that distinction requires considerable evaluation. The
draft directive in no way dictates to this organization how it
should release this data, regardless of what the words say, (and I
certainly agree with Volker's interpretation of what it says,
remembering also that member states may attempt to clarify this in
different ways when they go to pass their own regulations). My
question is, why on earth would we build a separate release
mechanism for the data of legal persons? Should we not
authenticate those who ask for more data? Should we not audit
compliance with law, e.g. whether or not the consent to disclose
data of employees was properly obtained? Is it cost effective to
maintain two systems? I see no benefit to this fragmentation,
given that we have a distributed system anyway but with central
policy control. I see lots of risk.<br>
</p>
<p>4. Where is the evidence that pre-emptive release of the data of
legal persons is useful for the investigation of abuse? Do
criminals actually provide accurate data about their
registrations? Have we measured how much this action will drive
data theft?</p>
<p>5. What are the competitive issues that arise from forcing small
business owners to disclose confidential data?</p>
<p>6. What controls will be placed on the private sector data
scrapers with respect to this data? In the event that a "legal
person" makes a mistake and registers a domain as a legal person
when in fact they ought to have protected the data elements
released as personal (e.g. in a home business or of employees who
had data subject rights that were not respected) what efforts do
the contracted parties have to make to enforce the right to be
forgotten in third party data scrapers?</p>
<p>I would like to have seven questions but I think that is enough
for now. I will return with more questions.</p>
<p>cheers Stephanie Perrin<br>
</p>
<div class="moz-cite-prefix">On 2021-04-20 6:31 a.m., Volker
Greimann via Gnso-epdp-team wrote:<br>
</div>
<blockquote type="cite" cite="mid:CADgYC4XoWuECd0n7MpWPUKbVNpe3gKcPDCuMesU7pP6XYh9rNw@mail.gmail.com">
<div>
<div dir="ltr">
<div>Dear Melina,</div>
<div><br>
</div>
<div>thanks for your explanation. <br>
</div>
<div><br>
</div>
<div>I contend that the data contained in SSAD is publicly
available, just as the data contained in the German trade
register is publicly available, even though there may be a
paywall. Hence publication can mean anything that provides
for public access: A physical book, SSAD or RDAP. Anyone
with a legitimate interest can apply for an SSAD account
just like anyone can apply for an account with the online
version of the German trade register. Data in SSAD is
publicly available.</div>
<div><br>
</div>
<div>If NIS 2 comes down on a different interpretation in
Germany (although I do not see why it would if even the
public trade register is behind a paywall), I would welcome
that as well, as it provides me with a legal basis for
publication. An obligation based in law to disclose data
means there is no longer any risk attached to such
disclosures, if done correctly. So when that law comes into
effect in my jurisdiction, I will implement it. Before that
time, the legal basis is missing and CPs bear the risk of
wrongful disclosure. So let's meet again once the
implementation date of NIS 2 draws near. Basing policy on
non-existent law is premature.
<br>
</div>
<div><br>
</div>
<div>"<span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><i>To come back to your other point, (i.e.,
that you are not convinced that the availability of
non-personal WHOIS data would contribute to the
</i></span><i><span style="font-size:11pt;font-family:"Calibri",sans-serif">security,
stability and resilience of the DNS), I trust you are
not implying that so many people from all over the world
are intensively working on a problem which would be
non-existent.
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span></i>
<p class="MsoNormal" style="margin-left:108pt"><i><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></i></p>
<p class="MsoNormal"><i><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Currently the vast majority of
registration data are not available and the majority
of requests from different organisations to access
such data remain unanswered.</span></i>"</p>
</div>
<div><br>
</div>
<div>This is an issue that SSAD was designed to solve. But the
last three years have shown that it is less of a problem
than people make it out to be.</div>
<div><br>
</div>
<div>"<span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><i>According to a study published in January
2021 by InterIsle Consulting Group, at present, (...)</i>"</span></div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><br>
</span></div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">This is a statement of alleged fact, but it
does not show why this necessarily is an issue.
</span><br>
<p class="MsoNormal" style="margin-left:108pt;text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">"<i>Even
European government agency and law enforcement
requests for redacted WHOIS data have been denied.</i>
(...)"</span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif"><br>
</span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">I
would imagine that this would only be the case if they
were acting outside their legal remit, e.g. outside
their jurisdiction. As Theoden said to Gandalf "You have
no power here!". All requests with a proper legal basis,
e.g. acting inside their own jurisdiction should be
answered, and if not, compliance be called.
<br>
</span></p>
</div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif"><br>
</span></div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif">"<i>(...)
where WHOIS data would have been critical to help combat
online sexual child abuse cases. According to the
complainants, the availability of more WHOIS data in
public could help to find perpetrators on the internet.</i>"</span></div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif"><br>
</span></div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif">And
those perpetrators register domain names with existing
legal entities as registrants? Because unless this is the
case, the argument is irrelevant to the question at hand.</span></div>
<div><span style="font-size:11pt;font-family:"Calibri",sans-serif"></span>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">"<i>According to a study published in 2021
by InterIsle Consulting Group, the data suggests that
only around 11.5% of domains may belong to natural
persons who are protected by GDPR. This 11.5% may be
the percentage of domains that is necessary to protect
under GDPR. In contrast, registrars and registry
operators have redacted contact data from 57.3% of all
domains, or five times the amount that may be
necessary.</i>"</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><br>
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">This statistic misses the point we are
debating though as it does not in any way differentiate
between legal entities whose data contains personal
information, and those where it does not. If it is
necessary to redact 100% of registration data or to put
it inside the SSAD where access is controlled to protect
even 1% of registrants, it is worth doing. Protection of
the innocent always takes precedence.<br>
</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">"<i>It would be beneficial if you could
explain why non-personal data of legal persons have
been redacted and why you object to the effort of
having greater transparency while fully respecting
privacy of registrants.</i>"</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Because blanket redaction of all data is
the only way to safely and securely ensure that the
personal data of data subjects is protected. There is a
reason why even government controlled databases such as
the car registration register are redacted. I have not
seen a car register where the registration details of
legal entities are published. Having that data publicly
available might be beneficial for any number of causes.
And those are registers that are being kept with a legal
basis. <br>
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><br>
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">"<i>In light of all the conversations, and
B&amp;B advice received, it is clear that the argument
of potential liability risk due to inadvertent
disclosure of personal data does no longer hold value.</i>"
<br>
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">I wonder which part of the advice we
received allowed you to draw this conclusion as the
advice always pointed out that risk remains.
<br>
</span></p>
</div>
<div><br>
</div>
<div>Please, come again once the demands you are raising are
also implemented this way for all public registers in the
various countries where you wish to see contracted parties
to implement them.
<br>
</div>
<div>Trade registers, car registers, gun ownership registers,
sex offender registers, land registers, etc. None of them
universally have the level of access you want for mere
domain name registrations.
<br>
</div>
<div><br>
</div>
<div>That said, if someone demonstrates a legitimate interest
with regard to any data, personal or non-personal, they will
receive prompt disclosure from us (after the balancing
test). If there is significant danger of harm to third
parties, we will even grant access even though the requestor
may be acting outside their jurisdiction, regardless of
whether the registrant is legal or natural. Because granting
such access is our moral obligation if a case for disclosure
is made.
<br>
</div>
<div><br>
</div>
<div>But please do not ask us to provide access levels that
even our own governments do not provide for much, much, much
more critical data.
<br>
</div>
<div><br>
</div>
<div>Best,<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr"><span lang="EN-US">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<b>KEY-SYSTEMS GMBH</b><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: </span><a href="http://www.key-systems.net/" style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"><span lang="EN-US">www.key-systems.net</span></a><span lang="EN-US"><br>
<br>
Key-Systems GmbH is a company registered at the
local court of Saarbruecken, Germany with the
registration no. HR B 18835<br>
CEO: Oliver Fries and Robert Birkner<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a
company registered in England and Wales with
company number 8576358.<br>
<br>
</span><span style="font-family:Roboto,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(248,249,250)">This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended
recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.</span></div>
</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Apr 20, 2021 at
11:47 AM STROUNGI Melina &lt;<a href="mailto:Melina.STROUNGI@ec.europa.eu" moz-do-not-send="true">Melina.STROUNGI@ec.europa.eu</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_5832361527529862212WordSection1">
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Dear Volker,</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Thank you for your comments.</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Let me come back to your previous email
of 15 April (attached) and your email below, in
order to hopefully address some of your concerns.</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Regarding your</span><span lang="EN-GB">
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">argument that ‘the interpretation of
the book is only valid if the text actually supports
that interpretation’, this is precisely the case
with NIS 2 text. The legislator’s intention behind
‘publication’ is explained in recital 62 of <a href="https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union" target="_blank" moz-do-not-send="true">
NIS 2 Proposal</a>, which explicitly clarifies
that “</span><i><span style="font-size:11pt;font-family:"Calibri",sans-serif">TLD
registries and the entities providing domain name
registration services for them
<u>should make publically available</u> domain
name registration data that fall outside the scope
of Union data protection rules, such as data that
concern legal persons</span></i><span style="font-size:11pt;font-family:"Calibri",sans-serif">.”
</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Given
the above context, the word ‘publication’
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">is doubtful to have any other
interpretation than the obvious one: ‘publication’
means ‘<i>making publically available’</i>.
Publically = to the public.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">I understand your wish to do otherwise,
but just to bear in mind that such wish is not
enough to override the actual wording of the text.
</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">We are doing our best to address
everyone’s individual concerns (including yours and
lots of your comments and suggestions have already
been taken into account), but at the same time we
need to ensure that contracted parties who wish to
differentiate between legal and natural entities and
wish to align their practices with the NIS2 proposal
are able to do so. We hope that, even if you do not
completely find the provisions to your liking, you
are willing to facilitate this group’s hard efforts
to make some progress before the May deadline.</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">To come back to your other point,
(i.e., that you are not convinced that the
availability of non-personal WHOIS data would
contribute to the
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif">security,
stability and resilience of the DNS), I trust you
are not implying that so many people from all over
the world are intensively working on a problem which
would be non-existent.
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">This is what the current situation
looks like:
</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Currently the vast majority of
registration data are not available and the majority
of requests from different organisations to access
such data remain unanswered.
</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">According to a study published in
January 2021 by InterIsle Consulting Group, at
present, only 13.5% of domains have an actual
registrant identified in WHOIS. Registrars and
registry operators have used ICANN’s post-GDPR
policy to redact contact data from 57.3% of all
domains. Adding proxy-protected domains, this means
that 86.5% of registrants cannot be identified via
WHOIS. According to statistics from Appdetex, during
the period January 1, 2020, through September 1,
2020, only 24.6% of 2,933 requests submitted to 158
ICANN-accredited registrars resulted in responses
that included registrant data. These statistics are
also consistent with the estimate of the PSWG within
ICANN that roughly 70% of requests are being denied
or ignored.</span></p>
<p class="MsoNormal" style="margin-left:108pt;text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Even
European government agency and law enforcement
requests for redacted WHOIS data have been denied.
As described in a May 2020 letter from the ICANN
President to the European Data Protection Board,
requests that have been made by European Data
Protection Authorities for access to redacted,
nonpublic WHOIS data to assist in their
investigations of potential privacy violations have
been denied by domain name registrars and
registries.</span></p>
<p class="MsoNormal" style="margin-left:108pt;text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">I
will not list all complaints and problems reported,
but just as an illustration, complaints from law
enforcement authorities have been brought to our
attention, where WHOIS data would have been critical
to help combat online sexual child abuse cases.
According to the complainants, the availability of
more WHOIS data in public could help to find
perpetrators on the internet.
</span></p>
<p class="MsoNormal" style="margin-left:108pt"> </p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">The publication of domain name
registration data concerning legal entities is
expected to substantially increase the wealth of
information available to the public.
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif"></span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">According to a study published in 2021
by InterIsle Consulting Group, the data suggests
that only around 11.5% of domains may belong to
natural persons who are protected by GDPR. This
11.5% may be the percentage of domains that is
necessary to protect under GDPR. In contrast,
registrars and registry operators have redacted
contact data from 57.3% of all domains, or five
times the amount that may be necessary.</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">I trust that the above give a flavour
of the actual situation and problems.</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">It would be beneficial if you could
explain why non-personal data of legal persons have
been redacted and why you object to the effort of
having greater transparency while fully respecting
privacy of registrants. </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">In light of all the conversations, and
B&amp;B advice received, it is clear that the
argument of potential liability risk due to
inadvertent disclosure of personal data does no
longer hold value. If you want to diminish this
risk, it is clear that you first have to distinguish
between natural and legal entities and then further
ensure that legal entities do not provide any
personal data (or, if they do provide personal data,
that they consent to publishing of such personal
data). Then in case of a mistake it will be up to
the registrant; not the contracted parties. So in
our view the liability argument cannot be used as a
justification for not taking action – especially
given the many problems that such inaction causes
and will continue to cause.</span></p>
<p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Best regards,</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Melina
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
Gnso-epdp-team &lt;<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>&gt;
<b>On Behalf Of </b>Volker Greimann via
Gnso-epdp-team<br>
<b>Sent:</b> Sunday, April 18, 2021 3:04 AM<br>
<b>To:</b> Stephanie E Perrin &lt;<a href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank" moz-do-not-send="true">stephanie.perrin@mail.utoronto.ca</a>&gt;<br>
<b>Cc:</b> GNSO EPDP &lt;<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>&gt;<br>
<b>Subject:</b> Re: [Gnso-epdp-team] On the proposed
guidance</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">I think you both make good
points. Our starting point is the current status
quo, which I expect will continue on into the far
future: All registration data provided as a
registrant must be viewed as potential personal
information, in a Schroedinger's Cat kind-of
situation. Until you look at it, you do not know
what it is, even though you can make certain
assumptions with varying likelihoods. The 2B memo
tells us nothing new in that regard.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">What it does tell us is that
the various methods of determination without
looking have risk of various degrees attached.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Milton's proposed
registrant-declaration is one of the lower risk
methods. Stephanie is also right that in a
highly competitive market with razor-thin margins,
corners will be cut at some point of the channel,
especially once you enter the realm of resellers.
So Stephanie is absolutely correct in her point
that the determination of whether contracted
parties can rely on the accuracy of any
declaration must be that of the contracted party
itself. The declaration of legal status of the
registrant ultimately does not help us make that
determination. The declaration of content of the
data goes a whole lot further in that regard.
Controlling the process where the declaration is
made helps even more (hence the requirement to
allow post-registration declarations).</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">As for publication vs.
disclosure, after having given this some thought,
I still tend to come out on the side of
disclosure, but with the following features:</p>
</div>
<div>
<p class="MsoNormal">- self-declared data sets would
be set to automated disclosure.</p>
</div>
<div>
<p class="MsoNormal">- public RDAP could contain a
marker/flag/label/something that shows that this
data set is available for automated disclosure in
SSAD</p>
</div>
<div>
<p class="MsoNormal">- Disclosure fees for such data
sets in SSAD could be priced lower than
non-automated data sets, say half-price</p>
</div>
<div>
<p class="MsoNormal">- Access levels for access to
such data sets could be lower for users of SSAD.
For example, if you just want to access
automated-disclosure sets, accreditation could be
voluntary, and a mere ID-check application process
and a statement of legitimate interest for each
request could be possible. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Advantages: </p>
</div>
<div>
<p class="MsoNormal">- Increased utility of SSAD</p>
</div>
<div>
<p class="MsoNormal">- SSAD User Fees would decrease
(higher query volumes overall, lower fees for some
queries)</p>
</div>
<div>
<p class="MsoNormal">- CP Risk would be limited</p>
</div>
<div>
<p class="MsoNormal">- CP handling times for
requests would be reduced in case they implement
that flag.
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">I still need to hear what the
benefits of the differentiation of data sets and
better availability of non-personal information
really are, though. In my experience it is not
like cyber criminals are setting up legal entities
such as STEALATRADEMARK, Inc or VIOLATEACOPYRIGHT,
Ltd. left and right to register their domain
names. Those kinds of domains are usually
registered with perfectly accurate personal data
sets. If someone could really make the case of
what the perceived benefit to all parties
concerned is on this (something I have been asking
for from day 1), I'd be happy to hear them. The
common argument of security, stability and
resilience of the DNS went out of the window the
day the Temp Spec first came into effect after
all, as neither of the three has been affected by
the current vegetative state of the WHOIS (In the
sense that it is not quite dead yet, but almost.
Machines still keep it alive).
</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This also would solve the issue
of thick vs thin RDAP:</p>
</div>
<div>
<p class="MsoNormal">If RDAP only returns the basic
data set anyway and never any personal
information, there is no longer any need to
require registrars to provide RDAP services as
there no longer is any concern in supplying said
data to the registries for centralised
publication. Thick RDAP would be saved.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<b>KEY-SYSTEMS GMBH</b></p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Sat, Apr 17, 2021 at 12:19
AM Stephanie E Perrin via Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
wrote:</p>
</div>
<blockquote style="border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204);border-style:none none none
solid;border-width:medium medium medium
1pt;padding:0cm 0cm 0cm
6pt;margin-left:4.8pt;margin-right:0cm">
<div>
<p>Bird and Bird is offering arguments for
protection in the event of complaint. While
that protection is welcome and reassuring in
terms of risk, I am not certain that we have
adequately explained to 2Birds how registration
actually takes place. It would have been
beneficial to walk them through a range of
different ways to register a domain name. As we
have discussed in the calls, very often
non-savvy non-commercial users or small
business/home workers use resellers of various
kinds to register their domains. Additional
risk creeps in here, WRT whether or not a
positive consent has been obtained from relevant
employees. Further risk creeps in when we look
at automatic renewals, where the contact data
may not be updated. If updated, have the steps
been taken to get consent from new employees?
To me this is key, non-savvy users, and I count
myself among them, are not likely to check what
an intermediary is doing with respect to the
domain renewal or updating.</p>
<p>Now, of course the argument is that they SHOULD
be more diligent and they SHOULD pay attention
to the accuracy requirements, but let's deal in
facts here.....are they? As the data controller
who is pre-emptively disclosing personal data,
allegedly with consent, to unknown (to the
contracted party) third parties, the
responsibility still rests with the controller.
As I have mentioned, a Facebook or a Google or a
Microsoft can get away with treading roughshod
over their consent arrangements....not too many
folks are going to give up free or necessary
services over quibbles in a consent form, even
if it is 75 pages long. However the registrars
(and to a lesser extent, the registries) are
operating in a highly competitive market. Once
losing my trust, perhaps over a trifling
inattention to the accuracy of my data, and I am
transferring my domains to another company.
Policing a complex reseller market is also
rather a difficult matter that we have not
discussed at length in our debates on this
issue. I know that the data commissioners as a
group do not understand how the accountability
for the handling of personal information is
transferred in that market, and it would not be
surprising if 2Birds did not either. Bottom
line: accredited registrars are shouldering the
risk here, it is their risk, and they would know
best whether they can trust the accuracy of the
designation of legal personhood. This is why I
think that this designation, in my opinion,
should always permit an override by the
contracted parties to treat the data as
personal. I have suggested many many times that
commercial organizations should operate on an
accreditation basis and be linked to their
official registration numbers (business,
corporation, municipal licence etc). No one ever
responds to that idea....if it is totally
ridiculous I would certainly like to know why, I
am offering it in good faith and I think it
would do something useful to stop fraudulent
registrations in their names. However, small
business and non-commercial organizations, even
if incorporated or in possession of a
registration # of some kind have different needs
and circumstances, and they are frequently
treated differently under data protection law.
</p>
<p>One final point that I have raised a few
times.....we tend to focus on enforcement fines
and Court costs. Even if no one ever complains
to a DPA or takes a case to Court, where the
advice of 2 Birds gives us some comfort that the
risk is manageable, and the results would
exonerate the contracted parties.....what about
reputational damage in the meantime? Court
costs? Who actually wants to have customers
complaining about the practices? Employee
morale, if it is employees who are objecting to
the practices?</p>
<p>I support focusing on whether the data
submitted is personal or not, with a fulsome
definition and description of same, and full
flexibility for contracted parties to err on the
side of caution and consider the possibility of
some data being personal after all. After all,
much data is still being disclosed, and no one
has adduced strong evidence that the delay in
requesting the data (as opposed to getting it
from the published data) will have huge
repercussions. What is actually at play here is
who is doing the extra work....the requesting
party, or the data controller.</p>
<p>Stephanie Perrin</p>
<p> </p>
<div>
<p class="MsoNormal">On 2021-04-15 10:42 p.m.,
Mueller, Milton L via Gnso-epdp-team wrote:</p>
</div>
<blockquote style="margin-top:5pt;margin-bottom:5pt">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Further
legal support from TwoBirds</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p style="margin-left:19.5pt"><span lang="EN-GB">14.2</span><span style="font-size:7pt" lang="EN-GB">
</span><span lang="EN-GB">If personal data
is erroneously included in published
Registration Data, it would in this
scenario occur despite substantial (VSC)
steps taken by the Contracted Parties,
and would be primarily attributable to
the actions/omissions of the
Registrant. This is likely to be taken
into account by data subjects, data
protection supervisory authorities, and
courts.</span></p>
<p style="margin-left:19.5pt"><span lang="EN-GB">14.3</span><span style="font-size:7pt" lang="EN-GB">
</span><span lang="EN-GB">The data in
question is likely to be low
sensitivity. The scenario being
envisaged here (mistaken inclusion of
personal data in published Registration
Data) seems to be most likely to occur
when a legal entity (e.g. a company or
non-profit organisation) is registering
/ maintaining its own domains. In those
scenarios, we assume the personal data
that could be disclosed would ordinarily
relate to an employee’s work details
(e.g. a company email address), not an
individual’s private life. Although the
GDPR confers protection even in the
workplace, the data in question here may
arguably be less capable of causing harm
to an individual than data relating to
the data subject’s private life.<a name="m_5832361527529862212_m_2854865445665285661__ftnref1" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftn1" moz-do-not-send="true"><span><span style="font-size:11pt;font-family:"Georgia",serif">[1]</span></span><span></span></a><span></span>
</span></p>
<p style="margin-left:19.5pt"><span lang="EN-GB">14.4</span><span style="font-size:7pt" lang="EN-GB">
</span><span lang="EN-GB">In more
sensitive cases (e.g. disclosing that a
person works for a company in a
sensitive or “embarrassing” sector), a
Registrant would be putting itself at
serious risk of complaints from its own
employees. Registrants are therefore
already incentivised to avoid errors
that could have serious consequences for
their own staff.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<div>
<div style="border-style:solid none
none;border-width:1pt medium
medium;padding:3pt 0cm
0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
Mueller, Milton L
<br>
<b>Sent:</b> Thursday, April 15,
2021 10:34 PM<br>
<b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> RE: [Gnso-epdp-team]
On the proposed guidance</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Some
legal support for my argument below from
Bird & Bird:</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal" style="text-indent:36pt"><a name="m_5832361527529862212_m_2854865445665285661__Ref68112068" moz-do-not-send="true">There may even be
an argument, based on EU Court of
Justice (“CJEU”) caselaw, that this is a
situation where Contracted Parties
should generally only be liable should
they fail to properly address a
complaint about the data – i.e. only
once they are put on notice about the
alleged illegality and thereby have an
opportunity to “verify” the merits of
the complaint.</a><a name="m_5832361527529862212_m_2854865445665285661__ftnref2" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftn2" moz-do-not-send="true"><span>[1]</span><span></span></a><span></span>
This bears some parallels to other EU
liability regimes for operators of
services online that process – unwittingly
– content that violates EU law.<a name="m_5832361527529862212_m_2854865445665285661__ftnref3" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftn3" moz-do-not-send="true"><span>[2]</span><span></span></a><span></span>
As discussed at footnote 6 below, this is
arguably recognised in (at least some)
decisions of GDPR supervisory authorities.</p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">In
other words, if personal data finds its
way into a published registration record
that should not be there, an objection
can be lodged with the registrar and
they can verify the merits and remove
the data. </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Dr.
Milton L Mueller</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Georgia
Institute of Technology</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">School
of Public Policy</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"><a href="https://urldefense.com/v3/__https:/internetgovernance.org/__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxoPMR176$" target="_blank" moz-do-not-send="true"><span style="color:rgb(5,99,193)">Internet
Governance Project</span></a> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<div>
<div style="border-style:solid none
none;border-width:1pt medium
medium;padding:3pt 0cm
0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
Mueller, Milton L
<br>
<b>Sent:</b> Thursday, April 15,
2021 9:14 PM<br>
<b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> FW: [Gnso-epdp-team]
On the proposed guidance</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">>" Everyone who is
named in a role in a registration must
have already been informed
</p>
<p class="MsoNormal">> and consented to
all of the conditions involved in the
role. " This is the ideal. Sadly, this
ideal
</p>
<p class="MsoNormal">> is very often not
the case.</p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Whoa.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Of
course, Volker, it is possible that a
person making a registration for a legal
person won’t do it properly. But it is
absurd to expect a registrar to be
legally responsible for that. How can
the registrar be liable for privacy
breaches made by the registrant? Indeed,
I can’t understand why gaining the
consent of the administrative assistant
of the xyz department to have their name
listed in the whois is a matter for
DNS/ICANN policy at all. ICANN policy
simply needs to inform registrants that
under certain conditions the data will
be published.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Let’s
take an extreme case – suppose a nasty
IT manager in a major corporation puts
the name, email address and (what the
heck) a revenge porn photo of her
ex-husband in her company’s registration
record. Are you telling me the registrar
would be considered responsible for that
breach of privacy? Not the nasty IT
manager?
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Show
me a legal case in which that kind of
liability has been assigned. I doubt you
can, but I await the data from CP
lawyers who have been involved in these
cases. I do know of several cases in
which agents for a corporation wrongly
listed themselves as the technical and
administrative contact, making it
possible for them to hijack the name.
The registrar was NEVER held liable for
that.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Reminder:
We had to reform Whois/RDS policy
because ICANN,
<b>as a matter of contractual
obligation, required registrars to
publish sensitive PII of any and every
Registrant</b>. Once we have removed
that obligation, and once we have given
registrants knowledge of the conditions
under which the data in the record
should be published, I don’t see why
registrars need to worry about some
corporation listing the personal email
address of someone in their IT
department.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">So
if this alleged risk is being cited to
scare us away from allowing registrants
to self-designate as legal or natural,
it is a pretty weak case, imho.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">--MM
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
<b>On Behalf Of </b>Volker Greimann via
Gnso-epdp-team<br>
<b>Sent:</b> Thursday, April 15, 2021
10:10 AM<br>
<b>To:</b> Steve Crocker <<a href="mailto:steve@shinkuro.com" target="_blank" moz-do-not-send="true">steve@shinkuro.com</a>><br>
<b>Cc:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> Re: [Gnso-epdp-team] On
the proposed guidance</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">Employees are named
by other employees without their
knowledge, or remain named long after
they leave. From the experience as a
registrar dealing with registrants
every day, this ideal is an assumption
that does not survive contact with
reality. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">-- <br>
Volker A. Greimann</p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu, Apr 15,
2021 at 3:36 PM Steve Crocker via
Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
wrote:</p>
</div>
<blockquote style="border-style:none none
none solid;border-width:medium medium
medium 1pt;padding:0cm 0cm 0cm
6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif">Laureen,</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif">Thanks
for your note. With respect to
the details under legal person,
we believe the issue of consent
should be moot. Everyone who is
named in a role in a
registration must have already
been informed and consented to
all of the conditions involved
in the role. This is a
prerequisite for having a
working system and is not
specific to meeting a privacy
regulation. The fact that this
requirement is not specified in
the existing contractual
documentation is an error and
needs to be rectified.</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif"> </span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif">Steve</span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif"> </span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu, Apr 15,
2021 at 6:28 AM Kapin, Laureen via
Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
wrote:</p>
</div>
<blockquote style="border-style:none
none none solid;border-width:medium
medium medium 1pt;padding:0cm 0cm
0cm 6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">I
think we share common ground
on many key issues and I
would like to build on the
many helpful inputs received
as to what would be
advisable.
</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Goal</span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">:
publish non-personal,
non-protected data to the
greatest extent permissible
under the GDPR and within
low legal risks to data
controllers and processors.
Note, the description below
does
<i>not </i>fully detail the
advised safeguards which
B&B has documented and
which we’ve adopted in our
prior input because my
impression is that we
generally agree that the
safeguards are prudent.
This description merely
seeks to identify the key
steps that must be taken to
ensure that personal data is
identified and protected and
non-personal data is
published. I also highlight
the addition of a potential
additional safeguard –
Confirmation. I think this
process incorporates what
we’ve discussed and inputs
received and could form a
useful framework for
discussion. </span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Note:</span></b></p>
<p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></b></p>
<p><span style="font-size:14pt;color:rgb(0,32,96)">•</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">New
Registrations:
</span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">This
process applies to new
registrations (Steve C. has
some useful thoughts on how
to deal with existing
Registrations)
</span></p>
<p><span style="font-size:14pt;color:rgb(0,32,96)">•</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Publish:
</span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">When
I use the word “publish,” I
mean made public directly;
not via the SSAD.
</span></p>
<p><span style="font-size:14pt;color:rgb(0,32,96)">•</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Flexibility:
</span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Based
on input from our Registrar
colleagues, we should permit
flexibility for how these
steps are implemented to
account for the varied
business models in place.
</span></p>
<p><span style="font-size:14pt;color:rgb(0,32,96)">•</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Timing:
</span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">All
identifications need to take
place at the time of
registration or shortly
thereafter (w/in the 13-day
accuracy verification
window) and no registration
data should be published
until the identification,
consent, and confirmation
process concludes</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Process:</span></b></p>
<p><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">1.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">A
threshold identification of
the registrant as a natural
or legal person;</span></p>
<p style="margin-left:72pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">a.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
natural, registration info
redacted</span></p>
<p style="margin-left:72pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p style="margin-left:72pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">b.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
legal, further inquiries and
advisories (safeguards):</span></p>
<p style="margin-left:108pt"><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">i.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">if
the legal person identifies
that it has a protected
status under the GDPR</span></p>
<p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">1.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">registration
info redacted</span></p>
<p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p style="margin-left:108pt"><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">ii.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
the legal person
registration contains
personal data, advise of
consequences (publication)</span></p>
<p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">1.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Obtain
necessary consents</span></p>
<p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">2.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><i><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Possible
additional safeguard</span></i><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">:
<i>Ask Registrant to Confirm
any identification that
will result in publication
of contact data
</i>(akin to confirming a
flight reservation or stock
trade)</span></p>
<p style="margin-left:180pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">a.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Publish
</span></p>
<p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">3.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
no consent</span></p>
<p style="margin-left:180pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">a.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Redact</span></p>
<p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">2.</span><span style="font-size:7pt;color:rgb(0,32,96)">
</span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Provide
quick and easy opportunity
to correct any mistakes</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">I
hope this is useful.
</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Kind
regards,</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)"> </span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Laureen
Kapin</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Counsel
for International Consumer
Protection</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Federal
Trade Commission</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">(202)
326-3237
</span></p>
<p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
<b>On Behalf Of </b>Volker
Greimann via Gnso-epdp-team<br>
<b>Sent:</b> Thursday, April
15, 2021 8:35 AM<br>
<b>To:</b> Hadia Abdelsalam
Mokhtar EL miniawi <<a href="mailto:Hadia@tra.gov.eg" target="_blank" moz-do-not-send="true">Hadia@tra.gov.eg</a>><br>
<b>Cc:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> Re:
[Gnso-epdp-team] On the
proposed guidance</span></p>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">I think
we need to be cognisant of
the current status quo and
use that as the basis for
our thoughts on the
matter:</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">1)
There is no
differentiation between
legal or natural contacts.</p>
</div>
<div>
<p class="MsoNormal">2) The
redaction of all contacts
is permitted and has
become the de-facto
standard.</p>
</div>
<div>
<p class="MsoNormal">3) We
allow consent-based
disclosure. </p>
</div>
<div>
<p class="MsoNormal">4) NIS
2 may at some point in the
future require publication
of non-personal
information.</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">This
leads to two very simple
follow-on questions:</p>
</div>
<div>
<p class="MsoNormal">a) How
do we identify such
non-personal information?
What is really necessary
for this end?</p>
</div>
<div>
<p class="MsoNormal">b) What
would publication entail?</p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">For a)
we and Twobirds identified
voluntary self-declaration
of the data submitted. As
all data is redacted by
default, the
differentiation of the
data subject category is
irrelevant as it
ultimately only boils down
to the declaration of the
data subject that the data
contains no personal
information. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">For b),
the term "publish" is
undefined. For all we
know, it could mean
publication in a physical
print edition (it doesn't
mean that though). But
publication within SSAD
can very well be
sufficient for that
definition. There is no
reason whatsoever to
assume differently. </p>
</div>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal">-- <br>
Volker A.
Greimann<br>
General Counsel
and Policy
Manager<br>
<b>KEY-SYSTEMS
GMBH</b><br>
<br>
T: +49 6894
9396901<br>
M: +49 6894
9396851<br>
F: +49 6894
9396851<br>
W: <a href="https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxhKRwDSK$" target="_blank" moz-do-not-send="true"><span style="color:rgb(17,85,204)">www.key-systems.net</span></a><br>
<br>
Key-Systems GmbH
is a company
registered at
the local court
of Saarbruecken,
Germany with the
registration no.
HR B 18835<br>
CEO: Oliver
Fries and Robert
Birkner<br>
<br>
Part of the
CentralNic Group
PLC (LON: CNIC)
a company
registered in
England and
Wales with
company number
8576358.<br>
<br>
</p>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal">On Thu,
Apr 15, 2021 at 1:52 PM
Hadia Abdelsalam Mokhtar
EL miniawi via
Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
wrote:</p>
</div>
<blockquote style="border-style:none
none none
solid;border-width:medium
medium medium
1pt;padding:0cm 0cm 0cm
6pt;margin:5pt 0cm 5pt
4.8pt;border-color:currentcolor
currentcolor currentcolor
rgb(204,204,204)">
<div>
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Dear
Milton,</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Thank
you for your
constructive
thoughts. I believe
we have a lot to
build on. In
relation to
principle one, I
think we all agree
that some legal data
subjects would want
to publish their
data in the RDDS,
but without your
first principle they
can only do this
through consent. The
legal memo received
lately from Bird
& Bird explains
that if CPs publish
the data of legal
persons based on
consent they are at
a higher risk than
if they publish the
data of legal
persons based on
self-designation. In
the latter case CPs
might only be liable
if they fail to
address a complaint.
So the question
always was: what is
the benefit of
labeling the data as
belonging to a
natural or legal
person? Of course we
all know that GDPR
protects the data of
natural persons and
not legal persons,
but the important
answer now is that
the distinction
significantly
reduces the
liability of CPs. In
addition, the
distinction is
helpful in
performing the
balancing test in
case the data is not
published and I am
sure if we look into
individual use cases
we can find many
more benefits.
Moreover, it could
prove to be useful
regarding possible
upcoming
regulations. I would
also add that the
level of protection
assigned to the data
elements suggested
by Steve provides
additional
safeguards and
flexibility in the
implementation.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Finally,
I join you in being
optimistic about our
ability to finish
this.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Kind
regards</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Hadia
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<div>
<div style="border-style:solid
none
none;border-width:1pt
medium
medium;padding:3pt
0cm
0cm;border-color:currentcolor">
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10pt;font-family:"Tahoma",sans-serif">
Gnso-epdp-team
[mailto:<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>]
<b>On Behalf Of
</b>Mueller,
Milton L via
Gnso-epdp-team<br>
<b>Sent:</b>
Wednesday, April
14, 2021 10:12
PM<br>
<b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b>
Re:
[Gnso-epdp-team]
On the proposed
guidance</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Colleagues:</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
have only gotten
time to review
the latest
Guidance
document and the
surrounding
debate today.
Apologies, but
there is a lot
going on in my
day job.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
am disappointed
to see that we
seem to be going
backwards. I see
divergence
rather than
convergence on
the way we are
approaching the
problem.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
see no point in
adding more
noise to the
current document
via the Comments
function. What I
would like to
try to do is
articulate some
broad principles
about how to
deal with the
legal/natural
distinction. If
we can agree on
those
principles, it
will be
relatively easy
to complete the
document. If we
cannot/do not
agree on those
principles,
additional
wordsmithing and
debates over
terms will not
get us anywhere.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">So
here are the
broad principles
that I would
offer up for
debate:
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">1.</span><span style="font-size:7pt;color:rgb(31,73,125)">
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">The
legal/natural
distinction is
relevant and we
need to find a
way to make it in
RDDS without
compromising
privacy rights.
</span></p>
<p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">2.</span><span style="font-size:7pt;color:rgb(31,73,125)">
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Registrants
should be able
to
self-designate
as legal or
natural, with no
burden of
authentication
placed on
registrars or
registries</span></p>
<p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">3.</span><span style="font-size:7pt;color:rgb(31,73,125)">
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">To
protect small
home offices or
NGOs who are
technically
Legal persons
but whose
registration
data may include
Personal data,
we need an
additional check
in the process.</span></p>
<p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">4.</span><span style="font-size:7pt;color:rgb(31,73,125)">
</span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">As
long as they
conform with the
above 3
principles,
registrars/ries
(CPs) should be
given maximum
flexibility to
choose the way
to
differentiate.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
1 discussion:</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">If
we cannot agree
on this (or
agree to abandon
this principle),
<i>nothing else
will fall into
place</i>.
Ever. So let’s
settle that.
Steve and Volker
I suspect will
disagree with
this principle.
Steve has argued
that the L/N
distinction is
“not a central
concern” and all
that matters is
whether the
registrant’s
data is to be
made available
to anyone. If he
is right, we can
discard the
guidance
altogether,
because we
already have a
recommendation
to allow the RNH
to consent to
the publication
of their data.
Volker has also
suggested that
it is personal
data we need to
differentiate,
not L/N. I
disagree with
Steve and Volker
on this and so
do most of the
rest of the
group. L/N
distinction is a
central concern
to certain
stakeholder
groups in the
EPDP, because a)
GDPR and other
data protection
laws do not
protect it and
this process is
all about
bringing RDS
into compliance
with privacy
law; b) Legal
person data
could be
published and it
would provide
easier access to
their
registration
data. As a NCSG
member I can
find no basis
for objecting to
the publication
of WalMart’s,
Kroger’s or the
local hardware
store’s
registration
data. Any
concerns about
PII are
addressed by
principles 2 and
3. Steve is
approaching this
as an engineer,
but this is a
policy process,
and we will not
obtain agreement
on a solution
unless certain
stakeholders are
satisfied. If
they think it is
a central
concern, it’s a
central concern,
that’s how
policy/politics
work.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
2 discussion</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">This
is the key
principle that
keeps NCSG and
CPH satisfied.
Registrants are
in control of
how they are
designated. Yes,
this means that
some people will
lie. That is
just something
we will have to
accept. One
cannot erase
that possibility
without creating
a system that is
so burdensome
and costly as to
outweigh any
benefits.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
3 discussion</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">This
is something
everyone seems
to agree on
already. But it
is good to make
it explicit,
then we can work
out how specific
our guidance can
get, so as to
conform to …</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
4</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Avoid
being overly
prescriptive,
but ensure that
the other 3
principles are
honored. So yes,
Volker, we give
you maximum
flexibility to
implement in
accordance with
different
business models,
but you can NOT
make a
designation for
a RNH, because
it violates
principle 2.
</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
truly believe
that if we can
come to
agreement on
these 4
principles and
use them as the
basis for
drafting
guidance, we can
actually finish
this.</span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Gnso-epdp-team mailing
list<br>
<a href="mailto:Gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">Gnso-epdp-team@icann.org</a><br>
<a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxghxMAOY$" target="_blank" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
_______________________________________________<br>
By submitting your
personal data, you consent
to the processing of your
personal data for purposes
of subscribing to this
mailing list accordance
with the ICANN Privacy
Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxl5BDJwa$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/policy</a>)
and the website Terms of
Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxn6b_CGX$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/tos</a>).
You can visit the Mailman
link above to change your
membership status or
configuration, including
unsubscribing, setting
digest-style delivery or
disabling delivery
altogether (e.g., for a
vacation), and so on.</p>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"><br clear="all">
</p>
<div>
<div class="MsoNormal">
<hr width="33%" size="1" align="left">
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><br clear="all">
</p>
<div class="MsoNormal">
<hr width="33%" size="1" align="left">
</div>
<div id="gmail-m_5832361527529862212gmail-m_2854865445665285661ftn1">
<p><a name="m_5832361527529862212_m_2854865445665285661__ftn1" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftnref1" moz-do-not-send="true"><span><span style="font-size:8pt;font-family:"Georgia",serif">[1]</span></span><span></span></a><span></span>
As explained above, we have understood
this question to be asking about
scenarios where Registrants are legal
persons, as per the EDPB quote at
paragraph 1. In respect of individual
(natural person) Registrants, the issues
will be largely similar: if a natural
person incorrectly states that their
data is not personal data, then (i) the
verification measures should prevent the
data from being published, since they
will give the data subject an
opportunity to correct their mistake;
(ii) the mitigating factors and legal
arguments described at paragraphs 11.7
and 11.8 and paragraphs 14.1 - 14.6
here, should confer reasonable legal
protection for Contracted Parties.</p>
</div>
<div id="gmail-m_5832361527529862212gmail-m_2854865445665285661ftn2">
<p><a name="m_5832361527529862212_m_2854865445665285661__ftn2" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftnref2" moz-do-not-send="true"><span><span lang="EN-GB">[1]</span></span><span></span></a><span></span><span lang="EN-GB"> In its judgement in Case
C‑136/17
<i>GC and Others</i>, the CJEU
explained that GDPR obligations
relating to an erasure (“Right to Be
Forgotten”) request apply “<i>to the
operator of a search engine in the
context of his responsibilities,
powers and capabilities as the
controller of the processing carried
out in connection with the activity
of the search engine, on the
occasion of a verification performed
by that operator, under the
supervision of the competent
national authorities, following a
request by the data subject”</i>.
As the Advocate General explained in
that case, “<i>such an operator can
act only within the framework of its
responsibilities, powers and
capabilities. In other words, such
an operator may be incapable of
ensuring the full effect of the
provisions of [EU data protection
law], precisely because of its
limited responsibilities, powers and
capabilities. . . An ex ante control
of internet pages which are
referenced as the result of a search
does not fall within the
responsibilities or the capabilities
of a search engine</i>.” It could
not know, from the moment it indexed a
webpage, that the content of that page
was (for example) out of date (as in
the original
<i>Google Spain / Costeja</i> ruling),
or (in the <i>GC and Others</i> case)
“special category” or “criminal
offence” data for which it required
consent.</span></p>
</div>
<div id="gmail-m_5832361527529862212gmail-m_2854865445665285661ftn3">
<p><a name="m_5832361527529862212_m_2854865445665285661__ftn3" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftnref3" moz-do-not-send="true"><span><span lang="EN-GB">[2]</span></span><span></span></a><span></span><span lang="EN-GB"> See, for example,
<a href="https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32000L0031" target="_blank" moz-do-not-send="true">
Article 14</a> of the e-Commerce
Directive 2000/31/EC and its
transposition into the national laws
of EU/EEA Member States and the UK.
</span></p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
</blockquote>
</body>
</html>