<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body>
    <p>As is often the case, I agree with everything Volker has said in
      recent posts.  I think that perhaps it might be helpful if I put
      down a few of my persistent questions that have not been answered:</p>
    <p>1.  Why are we talking about a draft directive that has not
      passed, will be implemented differently when each member state
      gets hold of it, and does not apply outside Europe?  We are
      supposed to be aiming at compliance with GDPR because it is the
      global standard at the moment, I sincerely doubt that other
      countries who are passing GDPR compliant privacy legislation are
      going to rush out and pass a directive modelled on this one.  We
      are supposed to be taking a harmonized, global approach, if you
      recall?<br>
    </p>
    <p>2.  Or are we hanging on to the WHOIS conflicts of law so that
      contracted parties will not be sanctioned for complying with
      national law?</p>
    <p>3.  As to the instrument of disclosure for legal persons' data <i>which
        is not protected under the GDPR</i><i>, </i>as I have tried to
      point out, that distinction requires considerable evaluation.  The
      draft directive in no way dictates to this organization how it
      should release this data, regardless of what the words say, (and I
      certainly agree with Volker's interpretation of what it says,
      remembering also that member states may attempt to clarify this in
      different ways when they go to pass their own regulations).  My
      question is, why on earth would we build a separate release
      mechanism for the data of legal persons?  Should we not
      authenticate those who ask for more data? Should we not audit
      compliance with law, e.g. whether or not the consent to disclose
      data of employees was properly obtained?  Is it cost effective to
      maintain two systems?  I see no benefit to this fragmentation,
      given that we have a distributed system anyway but with central
      policy control.  I see lots of risk.<br>
    </p>
    <p>4.  Where is the evidence that pre-emptive release of the data of
      legal persons is useful for the investigation of abuse?  Do
      criminals actually provide accurate data about their
      registrations?  have we measured how much this action will drive
      data theft?</p>
    <p>5.  What are the competitive issues that arise from forcing small
      business owners to disclose confidential data?</p>
    <p>6.  What controls will be placed on the private sector data
      scapers with respect to this data?  In the event that a "legal
      person" makes a mistake and registers a domain as a legal person
      when in fact they ought to have protected the data elements
      released as personal (e.g. in a home business or of employees who
      had data subject rights that were not respected) what efforts do
      the contracted parties have to make to enforce the right to be
      forgotten in third party data scrapers?</p>
    <p>I would like to have seven questions but I think that is enough
      for now.  I will return with more questions.</p>
    <p>cheers Stephanie Perrin<br>
    </p>
    <div class="moz-cite-prefix">On 2021-04-20 6:31 a.m., Volker
      Greimann via Gnso-epdp-team wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:CADgYC4XoWuECd0n7MpWPUKbVNpe3gKcPDCuMesU7pP6XYh9rNw@mail.gmail.com">
      
      <div style="font-size: 10pt; font-family: sans-serif; color:
        white; font-style: normal; font-weight: bold; padding: .2em;">
        <strong><span style="color: #c75000;">EXTERNAL EMAIL:</span></strong></div>
      <div>
        <div dir="ltr">
          <div>Dear Melina,</div>
          <div><br>
          </div>
          <div>thanks for your explanation. <br>
          </div>
          <div><br>
          </div>
          <div>I contend that the data contained in SSAD is publicly
            available, just as the data contained in the German trade
            register is publicly available, even though there may be a
            paywall. Hence publication can mean anything that provides
            for public access: A physical book, SSAD or RDAP. Anyone
            with a legitimate interest can apply for an SSAD account
            just like anyone can apply for an account with the online
            version of the German trade register. Data in SSAD is
            publicly available.</div>
          <div><br>
          </div>
          <div>If NIS 2 comes down on a different interpretation in
            Germany (although I do not see why it would if even the
            public trade register is behind a paywall), I would welcome
            that as well, as it provides me with a legal basis for
            publication. An obligation based in law to disclose data
            means there is no longer any risk attached to such
            disclosures, if done correctly. So when that law comes into
            effect in my jurisdiction, I will implement it. Before that
            time, the legal basis is missing and CPs bear the risk of
            wrongful disclosure. So lets meet again once the
            implementation data of NIS 2 draws near. Basing policy on
            non-existent law is premature.
            <br>
          </div>
          <div><br>
          </div>
          <div>"<span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">T<i>o come back to your other point, (i.e.,
                that you are not convinced that the availability of
                non-personal WHOIS data would contribute to the
              </i></span><i><span style="font-size:11pt;font-family:"Calibri",sans-serif">security,
                stability and resilience of the DNS), I  trust you are
                not implying that so many people from all over the world
                are intensively working on a problem which would be
                non-existent.
              </span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span></i>
            <p class="MsoNormal" style="margin-left:108pt"><i><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></i></p>
            <p class="MsoNormal"><i><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Currently the vast majority of
                  registration data are not available and the majority
                  of requests from different organisations to access
                  such data remain unanswered.</span></i>"</p>
          </div>
          <div><br>
          </div>
          <div>This is an issue that SSAD was designed to solve. But the
            last three years have shown that it is less of a problem
            than people make it out to be.</div>
          <div><br>
          </div>
          <div>"<span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><i>According to a study published in January
                2021 by InterIsle Consulting Group, at present, (...)</i>"</span></div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><br>
            </span></div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">This is a statement of alleged fact, but it
              does not show why this necessarily is an issue.
            </span><br>
            <p class="MsoNormal" style="margin-left:108pt;text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
            <p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">"<i>Even
                  European government agency and law enforcement
                  requests for redacted WHOIS data have been denied.</i>
                (...)"</span></p>
            <p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif"><br>
              </span></p>
            <p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">I
                would imagine that this would only be the case if they
                were acting outside their legal remit, e.g. outside
                their jurisdiction. As Theoden said to Gandalf "You have
                no power here!". All requests with a proper legal basis,
                e.g. acting inside their own jurisdiction should be
                answered, and if not, compliance be called.
                <br>
              </span></p>
          </div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif"><br>
            </span></div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif">"<i>(...)
                where WHOIS data would have been critical to help combat
                online sexual child abuse cases. According to the
                complainants, the availability of more WHOIS data in
                public could help to find perpetrators on the internet.</i>"</span></div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif"><br>
            </span></div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif">And
              those perpetrators register domain names with existing
              legal entities as registrants? Because unless this is the
              case, the argument is irrelevant to the question at hand.</span></div>
          <div><span style="font-size:11pt;font-family:"Calibri",sans-serif"></span>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span><span style="font-size:11pt;font-family:"Calibri",sans-serif"></span></p>
            <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">"<i>According to a study published in 2021
                  by InterIsle Consulting Group, the data suggests that
                  only around 11.5% of domains may belong to natural
                  persons who are protected by GDPR. This 11.5% may be
                  the percentage of domains that is necessary to protect
                  under GDPR. In contrast, registrars and registry
                  operators have redacted contact data from 57.3% of all
                  domains, or five times the amount that may be
                  necessary.</i>"</span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><br>
              </span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">This statistic misses the point we are
                debating though as it does not in any way differentiate
                between legal entities whose data contains personal
                information, and those where it does not. If it is
                necessary to redact 100% of registration data or to put
                it inside the SSAD where access is controlled to protect
                even 1% of registrants, it is worth doing. Protection of
                the innocent always takes precedent.<br>
              </span></p>
            <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">"<i>It would be beneficial if you could
                  explain why non-personal data of legal persons have
                  been redacted and why you object to the effort of
                  having greater transparency while fully respecting
                  privacy of registrants.</i>"</span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Because blanket redaction of all data is
                the only way to safely and securely ensure that the
                personal data of data subjects is protected. There is a
                reason why even government controlled databases such as
                the car registration register are redacted. I have not
                seen a car register where the registration details of
                legal entities are published. Having that data publicly
                available might be beneficial for any number of causes.
                And those are registers that are being kept with a legal
                basis. <br>
              </span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"><br>
              </span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">"<i>In light of all the conversations, and
                  B&B advice received, it is clear that the argument
                  of potential liability risk due to inadvertent
                  disclosure of personal data does no longer hold value.</i>"
                <br>
              </span></p>
            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">I wonder which part of the advice we
                received allowed you to draw this conclusion as the
                advice always pointed out that risk remains.
                <br>
              </span></p>
          </div>
          <div><br>
          </div>
          <div>Please, come again once the demands you are raising are
            also implemented this way for all public registers in the
            various countries where you wish to see contracted parties
            to implement them.
            <br>
          </div>
          <div>Trade registers, car registers, gun ownership registers,
            sex offender registers, land registers, etc. None of them
            universally have the level of access you want for mere
            domain name registrations.
            <br>
          </div>
          <div><br>
          </div>
          <div>That said, if someone demonstrates a legitimate interest
            with regard to any data, personal or non-personal, they will
            receive prompt disclosure from us (after the balancing
            test). If there is significant danger of harm to third
            parties, we will even grant access even though the requestor
            may be acting outside their jurisdiction, regardless of
            whether the registrant is legal or natural. Because granting
            such access is our moral obligation if a case for disclosure
            is made.
            <br>
          </div>
          <div><br>
          </div>
          <div>But please do not ask us to provide access levels that
            even our own governments do not provide for much, much, much
            more critical data.
            <br>
          </div>
          <div><br>
          </div>
          <div>Best,<br>
          </div>
          <div><br>
          </div>
          <div>
            <div>
              <div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
                <div dir="ltr">
                  <div>
                    <div dir="ltr"><span lang="EN-US">-- <br>
                        Volker A. Greimann<br>
                        General Counsel and Policy Manager<br>
                        <b>KEY-SYSTEMS GMBH</b><br>
                        <br>
                        T: +49 6894 9396901<br>
                        M: +49 6894 9396851<br>
                        F: +49 6894 9396851<br>
                        W: </span><a href="http://www.key-systems.net/" style="color:rgb(17,85,204)" target="_blank" moz-do-not-send="true"><span lang="EN-US">www.key-systems.net</span></a><span lang="EN-US"><br>
                        <br>
                        Key-Systems GmbH is a company registered at the
                        local court of Saarbruecken, Germany with the
                        registration no. HR B 18835<br>
                        CEO: Oliver Fries and Robert Birkner<br>
                        <br>
                        Part of the CentralNic Group PLC (LON: CNIC) a
                        company registered in England and Wales with
                        company number 8576358.<br>
                        <br>
                      </span><span style="font-family:Roboto,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(248,249,250)">This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended
 recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.</span></div>
                  </div>
                </div>
              </div>
            </div>
            <br>
          </div>
        </div>
        <br>
        <div class="gmail_quote">
          <div dir="ltr" class="gmail_attr">On Tue, Apr 20, 2021 at
            11:47 AM STROUNGI Melina <<a href="mailto:Melina.STROUNGI@ec.europa.eu" moz-do-not-send="true">Melina.STROUNGI@ec.europa.eu</a>>
            wrote:<br>
          </div>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px
            0.8ex;border-left:1px solid
            rgb(204,204,204);padding-left:1ex">
            <div lang="EN-US">
              <div class="gmail-m_5832361527529862212WordSection1">
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Dear Volker,</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Thank you for your comments.</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Let me come back to your previous email
                    of 15 April (attached) and your email below, in
                    order to hopefully address some of your concerns.</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Regarding your</span><span lang="EN-GB">
                  </span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">argument that ‘the interpretation of
                    the book is only valid if the text actually supports
                    that interpretation’,  this is precisely the case
                    with NIS 2 text. The legislator’s intention behind
                    ‘publication’ is explained in recital 62 of <a href="https://digital-strategy.ec.europa.eu/en/library/proposal-directive-measures-high-common-level-cybersecurity-across-union" target="_blank" moz-do-not-send="true">
                      NIS 2 Proposal</a>, which explicitly clarifies
                    that “</span><i><span style="font-size:11pt;font-family:"Calibri",sans-serif">TLD
                      registries and the entities providing domain name
                      registration services for them
                      <u>should make publically available</u> domain
                      name registration data that fall outside the scope
                      of Union data protection rules, such as data that
                      concern legal persons</span></i><span style="font-size:11pt;font-family:"Calibri",sans-serif">.”
                  </span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Given
                    the above context, the word ‘publication’
                  </span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">is doubtful to have any other
                    interpretation than the obvious one: ‘publication’
                    means ‘<i>making publically available’</i>.
                    Publically = to the public.</span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">I understand your wish to do otherwise,
                    but just to bear in mind that such wish is not
                    enough to override the actual wording of the text.
                  </span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">We are doing our best to address
                    everyone’s individual concerns (including yours and
                    lots of your comments and suggestions have already
                    been taken into account), but at the same time we
                    need to ensure that contracted parties who wish to
                    differentiate between legal and natural entities and
                    wish to align their practices with the NIS2 proposal
                    are able to do so. We hope that, even if you do not
                    completely find the provisions to your liking, you
                    are willing to facilitate this group’s hard efforts
                    to make some progress before the May deadline.</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">To come back to your other point,
                    (i.e., that you are not convinced that the
                    availability of non-personal WHOIS data would
                    contribute to the
                  </span><span style="font-size:11pt;font-family:"Calibri",sans-serif">security,
                    stability and resilience of the DNS), I  trust you
                    are not implying that so many people from all over
                    the world are intensively working on a problem which
                    would be non-existent.
                  </span><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"></span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">This is what the current situation
                    looks like:
                  </span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Currently the vast majority of
                    registration data are not available and the majority
                    of requests from different organisations to access
                    such data remain unanswered.
                  </span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
                <p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">According to a study published in
                    January 2021 by InterIsle Consulting Group, at
                    present, only 13.5% of domains have an actual
                    registrant identified in WHOIS. Registrars and
                    registry operators have used ICANN’s post-GDPR
                    policy to redact contact data from 57.3% of all
                    domains. Adding proxy-protected domains, this means
                    that 86.5% of registrants cannot be identified via
                    WHOIS. According to statistics from Appdetex, during
                    the period January 1, 2020, through September 1,
                    2020, only 24.6% of 2,933 requests submitted to 158
                    ICANN-accredited registrars resulted in responses
                    that included registrant data. These statistics are
                    also consistent with the estimate of the PSWG within
                    ICANN that roughly 70% of requests are being denied
                    or ignored.</span></p>
                <p class="MsoNormal" style="margin-left:108pt;text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">Even
                    European government agency and law enforcement
                    requests for redacted WHOIS data have been denied.
                    As described in a May 2020 letter from the ICANN
                    President to the European Data Protection Board,
                    requests that have been made by European Data
                    Protection Authorities for access to redacted,
                    nonpublic WHOIS data to assist in their
                    investigations of potential privacy violations have
                    been denied by domain name registrars and
                    registries.</span></p>
                <p class="MsoNormal" style="margin-left:108pt;text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
                <p class="MsoNormal" style="text-align:justify"><span style="font-size:11pt;font-family:"Calibri",sans-serif">I
                    will not list all complaints and problems reported,
                    but just as an illustration, complaints from law
                    enforcement authorities have been brought to our
                    attention, where WHOIS data would have been critical
                    to help combat online sexual child abuse cases.
                    According to the complainants, the availability of
                    more WHOIS data in public could help to find
                    perpetrators on the internet.
                  </span></p>
                <p class="MsoNormal" style="margin-left:108pt"> </p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">The publication of domain name
                    registration data concerning legal entities is
                    expected to substantially increase the wealth of
                    information available to the public.
                  </span><span style="font-size:11pt;font-family:"Calibri",sans-serif"></span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">According to a study published in 2021
                    by InterIsle Consulting Group, the data suggests
                    that only around 11.5% of domains may belong to
                    natural persons who are protected by GDPR. This
                    11.5% may be the percentage of domains that is
                    necessary to protect under GDPR. In contrast,
                    registrars and registry operators have redacted
                    contact data from 57.3% of all domains, or five
                    times the amount that may be necessary.</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">I trust that the above give a flavour
                    of the actual situation and problems.</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">It would be beneficial if you could
                    explain why non-personal data of legal persons have
                    been redacted and why you object to the effort of
                    having greater transparency while fully respecting
                    privacy of registrants. </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">In light of all the conversations, and
                    B&B advice received, it is clear that the
                    argument of potential liability risk due to
                    inadvertent disclosure of personal data does no
                    longer hold value. If you want to diminish this
                    risk, it is clear that you first have to distinguish
                    between natural and legal entities and then further
                    ensure that legal entities do not provide any
                    personal data (or, if they do provide personal data,
                    that they consent to publishing of such personal
                    data). Then in case of a mistake it will be up to
                    the registrant; not the contracted parties. So in
                    our view the liability argument cannot be used as a
                    justification for not taking action – especially
                    given the many problems that such inaction causes
                    and will continue to cause.</span></p>
                <p class="MsoNormal" style="margin-left:108pt"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Best regards,</span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif" lang="EN-GB">Melina
                  </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                <p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
                    Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
                    <b>On Behalf Of </b>Volker Greimann via
                    Gnso-epdp-team<br>
                    <b>Sent:</b> Sunday, April 18, 2021 3:04 AM<br>
                    <b>To:</b> Stephanie E Perrin <<a href="mailto:stephanie.perrin@mail.utoronto.ca" target="_blank" moz-do-not-send="true">stephanie.perrin@mail.utoronto.ca</a>><br>
                    <b>Cc:</b> GNSO EPDP <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>><br>
                    <b>Subject:</b> Re: [Gnso-epdp-team] On the proposed
                    guidance</span></p>
                <p class="MsoNormal"> </p>
                <div>
                  <div>
                    <p class="MsoNormal">I think you both make good
                      points. Our starting point is the current status
                      quo, which I expect will continue on into the far
                      future: All registration data provided as a
                      registrant must be viewed as potential personal
                      information, in a Schroedingers Cat kind-of
                      situation. Until you look at it, you do not know
                      what it is, even though you can make certain
                      assumptions with varying likelihoods. The 2B memo
                      tells us nothing new in that regard.
                    </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal">What it does tell us is that
                      the various methods of determination without
                      looking have risk of various degrees attached.
                    </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal">Miltons proposed
                      registrant-declaration is one of the lower risk
                      ones methods. Stephanie is also right that in a
                      highly competitive market with razor-thin margins,
                      corners will be cut at some point of the channel,
                      especially once you enter the realm of resellers.
                      So Stephanie is absolutely correct in her point
                      that the determination of whether contracted
                      parties can rely on the accuracy of any
                      declaration must be that of the contracted party
                      itself. The declaration of legal status of the
                      registrant ultimately does not help us make that
                      determination. The declaration of content of the
                      data goes a whole lot further in that regard. 
                      Controlling the process where the declaration is
                      made helps even more (hence the requirement to
                      allow post-registration declarations).</p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal">As for publication vs.
                      disclosure, after having given this some thought,
                      I still tend to come out on the side of
                      disclosure, but with the following features:</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- self-declared data sets would
                      be set to automated disclosure.</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- public RDAP could contain a
                      marker/flag/label/something that shows that this
                      data set is available for automated disclosure in
                      SSAD</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- Disclosure fees for such data
                      sets in SSAD could be priced lower than
                      non-automated data sets, say half-price</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- Access levels for access to
                      such data sets could be lower for users of SSAD.
                      For example, if you just want to access
                      automated-disclosure sets, accreditation could be
                      voluntary, and a mere ID-check application process
                      and a statement of legitimate interest for each
                      request could be possible. </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal">Advantages: </p>
                  </div>
                  <div>
                    <p class="MsoNormal">- Increased utility of SSAD</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- SSAD User Fees would decrease
                      (higher query volumes overall, lower fees for some
                      queries)</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- CP Risk would be limited</p>
                  </div>
                  <div>
                    <p class="MsoNormal">- CP handling times for
                      requests would be reduced in case they implement
                      that flag.
                    </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal">I still need to hear what the
                      benefits of the differentiation of data sets and
                      better availability of non-personal information
                      really are, though. In my experience it is not
                      like cyber criminals are setting up legal entities
                      such as STEALATRADEMARK, Inc or VIOLATEACOPYRIGHT,
                      Ltd. left and right to register their domain
                      names. Those kinds of domains are usually
                      registered with perfectly accurate personal data
                      sets. If someone could really make the case of
                      what the perceived benefit to all parties
                      concerned is on this (something I have been asking
                      for from days 1), I'd be happy to hear them. The
                      common argument of security, stability and
                      resilience of the DNS went out of the window the
                      day the Temp Spec first came into effect after
                      all, as neither of the three has been affected by
                      the current vegetative state of the WHOIS (In the
                      sense that it is not quite dead yet, but almost.
                      Machines still keep it alive).
                    </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal">This also would solve the issue
                      of thick vs thin RDAP:</p>
                  </div>
                  <div>
                    <p class="MsoNormal">If RDAP only returns the basic
                      data set anyway and never any personal
                      information, there is no longer any need to
                      require registrars to provide RDAP services as
                      there no longer is any concern in supplying said
                      data to the registries for centralised
                      publication. Thick RDAP would be saved.</p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <p class="MsoNormal"> </p>
                  </div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div>
                            <div>
                              <p class="MsoNormal">-- <br>
                                Volker A. Greimann<br>
                                General Counsel and Policy Manager<br>
                                <b>KEY-SYSTEMS GMBH</b><br>
                                <br>
                                T: +49 6894 9396901<br>
                                M: +49 6894 9396851<br>
                                F: +49 6894 9396851<br>
                                W: <a href="https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxhKRwDSK$" target="_blank" moz-do-not-send="true"><span style="color:rgb(17,85,204)">www.key-systems.net</span></a><br>
                                <br>
                                Key-Systems GmbH is a company registered
                                at the local court of Saarbruecken,
                                Germany with the registration no. HR B
                                18835<br>
                                CEO: Oliver Fries and Robert Birkner<br>
                                <br>
                                Part of the CentralNic Group PLC (LON:
                                CNIC) a company registered in England
                                and Wales with company number 8576358.<br>
                                <br>
                                <span style="font-size:10.5pt;font-family:Roboto;background:rgb(248,249,250)
                                  none repeat scroll 0% 0%">This email
                                  and any files transmitted are
                                  confidential and intended only for the
                                  person(s) directly addressed. If you
                                  are not the intended recipient, any
                                  use, copying, transmission,
                                  distribution, or other forms of
                                  dissemination is strictly prohibited.
                                  If you have received this email in
                                  error, please notify the sender
                                  immediately and permanently delete
                                  this email with any files that may be
                                  attached.</span></p>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                    <p class="MsoNormal"> </p>
                  </div>
                </div>
                <p class="MsoNormal"> </p>
                <div>
                  <div>
                    <p class="MsoNormal">On Sat, Apr 17, 2021 at 12:19
                      AM Stephanie E Perrin via Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
                      wrote:</p>
                  </div>
                  <blockquote style="border-color:currentcolor
                    currentcolor currentcolor
                    rgb(204,204,204);border-style:none none none
                    solid;border-width:medium medium medium
                    1pt;padding:0cm 0cm 0cm
                    6pt;margin-left:4.8pt;margin-right:0cm">
                    <div>
                      <p>Bird and Bird is offering arguments for
                        protection in the event of complaint.  While
                        that protection is welcome and reassuring in
                        terms of risk, I am not certain that we have
                        adequately explained to 2Birds how registration
                        actually takes place.  It would have been
                        beneficial to walk them through a range of
                        different ways to register a domain name.  As we
                        have discussed in the calls, very often
                        non-savvy non-commercial users or small
                        business/home workers use resellers of various
                        kinds to register their domains.  Additional
                        risk creeps in here, WRT whether or not a
                        positive consent has been obtained from relevant
                        employees.  Further risk creeps in when we look
                        at automatic renewals, where the contact data
                        may not be updated.  If updated, have the steps
                        been taken to get consent from new employees? 
                        To me this is key, non-savvy users, and I count
                        myself among them, are not likely to check what
                        an intermediary is doing with respect to the
                        domain renewal or updating.</p>
                      <p>Now, of course the argument is that they SHOULD
                        be more diligent and they SHOULD pay attention
                        to the accuracy requirements, but lets deal in
                        facts here.....are they?  As the data controller
                        who is pre-emptively disclosing personal data,
                        allegedly with consent, to unknown (to the
                        contracted party) third parties, the
                        responsibility still rests with the controller. 
                        As I have mentioned, a Facebook or a Google or a
                        Microsoft can get away with treading roughshod
                        over their consent arrangements....not too many
                        folks are going to give up free or necessary
                        services over quibbles in a consent form, even
                        if it is 75 pages long.  However the registrars
                        (and to a lesser extent, the registries) are
                        operating in a highly competitive market.  Once
                        losing my trust, perhaps over a trifling
                        inattention to the accuracy of my data, and I am
                        transferring my domains to another company.
                        Policing a complex reseller market is also
                        rather a difficult matter that we have not
                        discussed at length in our debates on this
                        issue.  I know that the data commissioners as a
                        group do not understand how the accountability
                        for the handling of personal information is
                        transferred in that market, and it would not be
                        surprising if 2Birds did not either.  Bottom
                        line:  accredited registrars are shouldering the
                        risk here, it is their risk, and they would know
                        best whether they can trust the accuracy of the
                        designation of legal personhood.  This is why I
                        think that this designation, in my opinion,
                        should always permit an override by the 
                        contracted parties to treat the data as
                        personal.  I have suggested many many times that
                        commercial organizations should operate on an
                        accreditation basis and be linked to their
                        official registration numbers (business,
                        corporation, municipal licence etc).  Noone ever
                        responds to that idea....if it is totally
                        ridiculous I would certainly like to know why, I
                        am offering it in good faith and I think it
                        would do something useful to stop fraudulent
                        registrations in their names.  However, small
                        business and non-commercial organizations, even
                        if incorporated or in possession of a
                        registration # of some kind have different needs
                        and circumstances, and they are frequently
                        treated differently under data protection law.
                      </p>
                      <p>One final point that I have raised a few
                        times.....we tend to focus on enforcement fines
                        and Court costs.  Even if noone ever complains
                        to a DPA or takes a case to Court, where the
                        advice of 2 Birds gives us some comfort that the
                        risk is manageable, and the results would
                        exonerate the contracted parties.....what about
                        reputational damage in the meantime?  Court
                        costs?  Who actually wants to have customers
                        complaining about the practices?  Employee
                        morale, if it is employees who are objecting to
                        the practices?</p>
                      <p>I support focusing on whether the data
                        submitted is personal or not, with a fulsome
                        definition and description of same, and full
                        flexibility for contracted parties to err on the
                        side of caution and consider the possibility of 
                        some data being personal after all.  After all,
                        much data is still being disclosed, and noone
                        has adduced strong evidence that the delay in
                        requesting the data (as opposed to getting it
                        from the published data) will have huge
                        repercussions.  What is actually at play here is
                        who is doing the extra work....the requesting
                        party, or the data controller.</p>
                      <p>Stephanie Perrin</p>
                      <p> </p>
                      <div>
                        <p class="MsoNormal">On 2021-04-15 10:42 p.m.,
                          Mueller, Milton L via Gnso-epdp-team wrote:</p>
                      </div>
                      <blockquote style="margin-top:5pt;margin-bottom:5pt">
                        <div>
                          <p class="MsoNormal"><strong><span style="font-size:10pt;font-family:"Arial",sans-serif;color:rgb(199,80,0)">EXTERNAL
                                EMAIL:</span></strong><b><span style="font-size:10pt;font-family:"Arial",sans-serif;color:white"></span></b></p>
                        </div>
                        <div>
                          <div>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Further
                                legal support from TwoBirds</span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p style="margin-left:19.5pt"><span lang="EN-GB">14.2</span><span style="font-size:7pt" lang="EN-GB">          
                              </span><span lang="EN-GB">If personal data
                                is erroneously included in published
                                Registration Data, it would in this
                                scenario occur despite substantial (VSC)
                                steps taken by the Contracted Parties,
                                and would be primarily attributable to
                                the actions/omissions of the
                                Registrant.  This is likely to be taken
                                into account by data subjects, data
                                protection supervisory authorities, and
                                courts.</span></p>
                            <p style="margin-left:19.5pt"><span lang="EN-GB">14.3</span><span style="font-size:7pt" lang="EN-GB">          
                              </span><span lang="EN-GB">The data in
                                question is likely to be low
                                sensitivity.  The scenario being
                                envisaged here (mistaken inclusion of
                                personal data in published Registration
                                Data) seems to be most likely to occur
                                when a legal entity (e.g. a company or
                                non-profit organisation) is registering
                                / maintaining its own domains.  In those
                                scenarios, we assume the personal data
                                that could be disclosed would ordinarily
                                relate to an employee’s work details
                                (e.g. a company email address), not an
                                individual’s private life.  Although the
                                GDPR confers protection even in the
                                workplace, the data in question here may
                                arguably be less capable of causing harm
                                to an individual than data relating to
                                the data subject’s private life.<a name="m_5832361527529862212_m_2854865445665285661__ftnref1" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftn1" moz-do-not-send="true"><span><span style="font-size:11pt;font-family:"Georgia",serif">[1]</span></span><span></span></a><span></span>  
                              </span></p>
                            <p style="margin-left:19.5pt"><span lang="EN-GB">14.4</span><span style="font-size:7pt" lang="EN-GB">          
                              </span><span lang="EN-GB">In more
                                sensitive cases (e.g. disclosing that a
                                person works for a company in a
                                sensitive or “embarrassing” sector), a
                                Registrant would be putting itself at
                                serious risk of complaints from its own
                                employees.  Registrants are therefore
                                already incentivised to avoid errors
                                that could have serious consequences for
                                their own staff.
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <div>
                              <div style="border-style:solid none
                                none;border-width:1pt medium
                                medium;padding:3pt 0cm
                                0cm;border-color:currentcolor">
                                <p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
                                    Mueller, Milton L
                                    <br>
                                    <b>Sent:</b> Thursday, April 15,
                                    2021 10:34 PM<br>
                                    <b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
                                    <b>Subject:</b> RE: [Gnso-epdp-team]
                                    On the proposed guidance</span></p>
                              </div>
                            </div>
                            <p class="MsoNormal"> </p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Some
                                legal support for my argument below from
                                Bird & Bird:</span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal" style="text-indent:36pt"><a name="m_5832361527529862212_m_2854865445665285661__Ref68112068" moz-do-not-send="true">There may even be
                                an argument, based on EU Court of
                                Justice (“CJEU”) caselaw, that this is a
                                situation where Contracted Parties
                                should generally only be liable should
                                they fail to properly address a
                                complaint about the data – i.e. only
                                once they are put on notice about the
                                alleged illegality and thereby have an
                                opportunity to “verify” the merits of
                                the complaint.</a><a name="m_5832361527529862212_m_2854865445665285661__ftnref2" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftn2" moz-do-not-send="true"><span>[1]</span><span></span></a><span></span> 
                              This bears some parallels to other EU
                              liability regimes for operators of
                              services online that process – unwittingly
                              – content that violates EU law.<a name="m_5832361527529862212_m_2854865445665285661__ftnref3" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftn3" moz-do-not-send="true"><span>[2]</span><span></span></a><span></span> 
                              As discussed at footnote 6 below, this is
                              arguably recognised in (at least some)
                              decisions of GDPR supervisory authorities.</p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">In
                                other words, if personal data finds its
                                way into a published registration record
                                that should not be there, an objection
                                can be lodged with the registrar and
                                they can verify the merits and remove
                                the data. </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Dr.
                                Milton L Mueller</span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Georgia
                                Institute of Technology</span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">School
                                of Public Policy</span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"><a href="https://urldefense.com/v3/__https:/internetgovernance.org/__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxoPMR176$" target="_blank" moz-do-not-send="true"><span style="color:rgb(5,99,193)">Internet
                                    Governance Project</span></a> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <div>
                              <div style="border-style:solid none
                                none;border-width:1pt medium
                                medium;padding:3pt 0cm
                                0cm;border-color:currentcolor">
                                <p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
                                    Mueller, Milton L
                                    <br>
                                    <b>Sent:</b> Thursday, April 15,
                                    2021 9:14 PM<br>
                                    <b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
                                    <b>Subject:</b> FW: [Gnso-epdp-team]
                                    On the proposed guidance</span></p>
                              </div>
                            </div>
                            <p class="MsoNormal"> </p>
                            <p class="MsoNormal"> </p>
                            <p class="MsoNormal">>" Everyone who is
                              named in a role in a registration must
                              have already been informed
                            </p>
                            <p class="MsoNormal">> and consented to
                              all of the conditions involved in the
                              role. " This is the ideal. Sadly, this
                              ideal
                            </p>
                            <p class="MsoNormal">> is very often not
                              the case.</p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Whoa.
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Of
                                course, Volker, it is possible that a
                                person making a registration for a legal
                                person won’t do it properly. But it is
                                absurd to expect a registrar to be
                                legally responsible for that. How can
                                the registrar be liable for privacy
                                breaches made by the registrant? Indeed,
                                I can’t understand why gaining the
                                consent of the administrative assistant
                                of the xyz department to have their name
                                listed in the whois is a matter for
                                DNS/ICANN policy at all. ICANN policy
                                simply needs to inform registrants that
                                under certain conditions the data will
                                be published.
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Let’s
                                take an extreme case – suppose a nasty
                                IT manager in a major corporation puts
                                the name, email address and (what the
                                heck) a revenge porn photo of her
                                ex-husband in her company’s registration
                                record. Are you telling me the registrar
                                would be considered responsible for that
                                breach of privacy? Not the nasty IT
                                manager?
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Show
                                me a legal case in which that kind of
                                liability has been assigned. I doubt you
                                can, but I await the data from CP
                                lawyers who have been involved in these
                                cases. I do know of several cases in
                                which agents for a corporation wrongly
                                listed themselves as the technical and
                                administrative contact, making it
                                possible for them to hijack the name.
                                The registrar was NEVER held liable for
                                that.
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Reminder:
                                We had to reform Whois/RDS policy
                                because ICANN,
                                <b>as a matter of contractual
                                  obligation, required registrars to
                                  publish sensitive PII of any and every
                                  Registrant</b>. Once we have removed
                                that obligation, and once we have given
                                registrants knowledge of the conditions
                                under which the data in the record
                                should be published, I don’t see why
                                registrars need to worry about some
                                corporation listing the personal email
                                address of someone in their IT
                                department.
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">So
                                if this alleged risk is being cited to
                                scare us away from allowing registrants
                                to self-designate as legal or natural,
                                it is a pretty weak case, imho.</span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">--MM
                              </span></p>
                            <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                            <p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
                                Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
                                <b>On Behalf Of </b>Volker Greimann via
                                Gnso-epdp-team<br>
                                <b>Sent:</b> Thursday, April 15, 2021
                                10:10 AM<br>
                                <b>To:</b> Steve Crocker <<a href="mailto:steve@shinkuro.com" target="_blank" moz-do-not-send="true">steve@shinkuro.com</a>><br>
                                <b>Cc:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
                                <b>Subject:</b> Re: [Gnso-epdp-team] On
                                the proposed guidance</span></p>
                            <p class="MsoNormal"> </p>
                            <div>
                              <div>
                                <p class="MsoNormal">Employees are named
                                  by other employees without their
                                  knowledge, or remain named long after
                                  they leave. From the experience as a
                                  registrar dealing with registrants
                                  every day, this ideal is an assumption
                                  that does not survive contact with
                                  reality. </p>
                              </div>
                              <div>
                                <p class="MsoNormal"> </p>
                              </div>
                              <div>
                                <p class="MsoNormal"> </p>
                              </div>
                              <div>
                                <div>
                                  <div>
                                    <div>
                                      <div>
                                        <p class="MsoNormal">-- <br>
                                          Volker A. Greimann<br>
                                          General Counsel and Policy
                                          Manager<br>
                                          <b>KEY-SYSTEMS GMBH</b><br>
                                          <br>
                                          T: +49 6894 9396901<br>
                                          M: +49 6894 9396851<br>
                                          F: +49 6894 9396851<br>
                                          W: <a href="https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxhKRwDSK$" target="_blank" moz-do-not-send="true"><span style="color:rgb(17,85,204)">www.key-systems.net</span></a><br>
                                          <br>
                                          Key-Systems GmbH is a company
                                          registered at the local court
                                          of Saarbruecken, Germany with
                                          the registration no. HR B
                                          18835<br>
                                          CEO: Oliver Fries and Robert
                                          Birkner<br>
                                          <br>
                                          Part of the CentralNic Group
                                          PLC (LON: CNIC) a company
                                          registered in England and
                                          Wales with company number
                                          8576358.<br>
                                          <br>
                                          <span style="font-size:10.5pt;font-family:Roboto;background:rgb(248,249,250)
                                            none repeat scroll 0% 0%">This
                                            email and any files
                                            transmitted are confidential
                                            and intended only for the
                                            person(s) directly
                                            addressed. If you are not
                                            the intended recipient, any
                                            use, copying, transmission,
                                            distribution, or other forms
                                            of dissemination is strictly
                                            prohibited. If you have
                                            received this email in
                                            error, please notify the
                                            sender immediately and
                                            permanently delete this
                                            email with any files that
                                            may be attached.</span></p>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                              <p class="MsoNormal"> </p>
                            </div>
                            <p class="MsoNormal"> </p>
                            <div>
                              <div>
                                <p class="MsoNormal">On Thu, Apr 15,
                                  2021 at 3:36 PM Steve Crocker via
                                  Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
                                  wrote:</p>
                              </div>
                              <blockquote style="border-style:none none
                                none solid;border-width:medium medium
                                medium 1pt;padding:0cm 0cm 0cm
                                6pt;margin:5pt 0cm 5pt
                                4.8pt;border-color:currentcolor
                                currentcolor currentcolor
                                rgb(204,204,204)">
                                <div>
                                  <div>
                                    <p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif">Laureen,</span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif"> </span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif">Thanks
                                        for your note.  With respect to
                                        the details under legal person,
                                        we believe the issue of consent
                                        should be moot.  Everyone who is
                                        named in a role in a
                                        registration must have already
                                        been informed and consented to
                                        all of the conditions involved
                                        in the role.  This is a
                                        prerequisite for having a
                                        working system and is not
                                        specific to meeting a privacy
                                        regulation.  The fact that this
                                        requirement is not specified in
                                        the existing contractual
                                        documentation is an error and
                                        needs to be rectified.</span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif"> </span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif">Steve</span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><span style="font-size:18pt;font-family:"Garamond",serif"> </span></p>
                                  </div>
                                </div>
                                <p class="MsoNormal"> </p>
                                <div>
                                  <div>
                                    <p class="MsoNormal">On Thu, Apr 15,
                                      2021 at 6:28 AM Kapin, Laureen via
                                      Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
                                      wrote:</p>
                                  </div>
                                  <blockquote style="border-style:none
                                    none none solid;border-width:medium
                                    medium medium 1pt;padding:0cm 0cm
                                    0cm 6pt;margin:5pt 0cm 5pt
                                    4.8pt;border-color:currentcolor
                                    currentcolor currentcolor
                                    rgb(204,204,204)">
                                    <div>
                                      <div>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">I
                                            think we share common ground
                                            on many key issues and I
                                            would like to build on the
                                            many helpful inputs received
                                            as to what would be
                                            advisable.
                                          </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Goal</span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">:
                                            publish non-personal,
                                            non-protected data to the
                                            greatest extent permissible
                                            under the GDPR and within
                                            low legal risks to data
                                            controllers and processors. 
                                            Note, the description below
                                            does
                                            <i>not </i>fully detail the
                                            advised safeguards which
                                            B&B has documented and
                                            which we’ve adopted in our
                                            prior input because my
                                            impression is that we
                                            generally agree that the
                                            safeguards are prudent. 
                                            This description merely
                                            seeks to identify the key
                                            steps that must be taken to
                                            ensure that personal data is
                                            identified and protected and
                                            non-personal data is
                                            published.  I also highlight
                                            the addition of a potential
                                            additional safeguard –
                                            Confirmation.  I think this
                                            process incorporates what
                                            we’ve discussed and inputs
                                            received and could form a
                                            useful framework for
                                            discussion. </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Note:</span></b></p>
                                        <p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></b></p>
                                        <p><span style="font-size:14pt;font-family:Wingdings;color:rgb(0,32,96)">n</span><span style="font-size:7pt;color:rgb(0,32,96)"> 
                                          </span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">New
                                              Registrations:
                                            </span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">This
                                            process applies to new
                                            registrations (Steve C. has
                                            some useful thoughts on how
                                            to deal with existing
                                            Registrations)
                                          </span></p>
                                        <p><span style="font-size:14pt;font-family:Wingdings;color:rgb(0,32,96)">n</span><span style="font-size:7pt;color:rgb(0,32,96)"> 
                                          </span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Publish:
                                            </span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">When
                                            I use the word “publish,” I
                                            mean made public directly;
                                            not via the SSAD. 
                                          </span></p>
                                        <p><span style="font-size:14pt;font-family:Wingdings;color:rgb(0,32,96)">n</span><span style="font-size:7pt;color:rgb(0,32,96)"> 
                                          </span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Flexibility:
                                            </span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Based
                                            on input from our Registrar
                                            colleagues, we should permit
                                            flexibility for how these
                                            steps are implemented to
                                            account for the varied
                                            business models in place. 
                                          </span></p>
                                        <p><span style="font-size:14pt;font-family:Wingdings;color:rgb(0,32,96)">n</span><span style="font-size:7pt;color:rgb(0,32,96)"> 
                                          </span><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Timing:
                                            </span></b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">All
                                            identifications need to take
                                            place at the time of
                                            registration or shortly
                                            thereafter (w/in the 13-day
                                            accuracy verification
                                            window) and no registration
                                            data should be published
                                            until the identification,
                                            consent, and confirmation
                                            process concludes</span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><b><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Process:</span></b></p>
                                        <p><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">1.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">A
                                            threshold identification of
                                            the registrant as a natural
                                            or legal person;</span></p>
                                        <p style="margin-left:72pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">a.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
                                            natural, registration info
                                            redacted</span></p>
                                        <p style="margin-left:72pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p style="margin-left:72pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">b.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
                                            legal, further inquiries and
                                            advisories (safeguards):</span></p>
                                        <p style="margin-left:108pt"><span style="font-size:7pt;color:rgb(0,32,96)">                                        
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">i.</span><span style="font-size:7pt;color:rgb(0,32,96)">   
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">if
                                            the legal person identifies
                                            that it has a protected
                                            status under the GDPR</span></p>
                                        <p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">1.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">registration
                                            info redacted</span></p>
                                        <p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p style="margin-left:108pt"><span style="font-size:7pt;color:rgb(0,32,96)">                                       
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">ii.</span><span style="font-size:7pt;color:rgb(0,32,96)">   
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
                                            the legal person
                                            registration contains
                                            personal data, advise of
                                            consequences (publication)</span></p>
                                        <p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">1.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Obtain
                                            necessary consents</span></p>
                                        <p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">2.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><i><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Possible
                                              additional safeguard</span></i><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">:
                                            <i>Ask Registrant to Confirm
                                              any identification that
                                              will result in publication
                                              of contact data
                                            </i>(akin to confirming a
                                            flight reservation or stock
                                            trade)</span></p>
                                        <p style="margin-left:180pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">a.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Publish
                                          </span></p>
                                        <p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">3.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">If
                                            no consent</span></p>
                                        <p style="margin-left:180pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">a.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Redact</span></p>
                                        <p style="margin-left:144pt"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">2.</span><span style="font-size:7pt;color:rgb(0,32,96)">  
                                          </span><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">Provide
                                            quick and easy opportunity
                                            to correct any mistakes</span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)">I
                                            hope this is useful.
                                          </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Kind
                                            regards,</span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)"> </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Laureen
                                            Kapin</span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Counsel
                                            for International Consumer
                                            Protection</span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">Federal
                                            Trade Commission</span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Helvetica",sans-serif;color:rgb(88,0,176)">(202)
                                            326-3237
                                          </span></p>
                                        <p class="MsoNormal"><span style="font-size:14pt;font-family:"Arial",sans-serif;color:rgb(0,32,96)"> </span></p>
                                        <p class="MsoNormal"><b><span style="font-size:11pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11pt;font-family:"Calibri",sans-serif">
                                            Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
                                            <b>On Behalf Of </b>Volker
                                            Greimann via Gnso-epdp-team<br>
                                            <b>Sent:</b> Thursday, April
                                            15, 2021 8:35 AM<br>
                                            <b>To:</b> Hadia Abdelsalam
                                            Mokhtar EL miniawi <<a href="mailto:Hadia@tra.gov.eg" target="_blank" moz-do-not-send="true">Hadia@tra.gov.eg</a>><br>
                                            <b>Cc:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
                                            <b>Subject:</b> Re:
                                            [Gnso-epdp-team] On the
                                            proposed guidance</span></p>
                                        <p class="MsoNormal"> </p>
                                        <div>
                                          <div>
                                            <p class="MsoNormal">I think
                                              we need to be cognisant of
                                              the current status quo and
                                              use that as the basis for
                                              our thoughts on the
                                              matter:</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"> </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">1)
                                              There is no
                                              differentiation between
                                              legal or natural contacts.</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">2) The
                                              redaction of all contacts
                                              is permitted and has
                                              become the de-facto
                                              standard.</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">3) We
                                              allow consent-based
                                              disclosure. </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">4) NIS
                                              2 may at some point in the
                                              future require publication
                                              of non-personal
                                              information.</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"> </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">This
                                              leads to two very simple
                                              follow-on questions:</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">a) How
                                              do we identify such
                                              non-personal information?
                                              What is really necessary
                                              for this end?</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">b) What
                                              would publication entail?</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"> </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">For a)
                                              we and Twobirds identified
                                              voluntary self-declaration
                                              of the data submitted. As
                                              all data is redacted by
                                              default, the
                                              differentiation of the
                                              data subject category is
                                              irrelevant as it
                                              ultimately only boils down
                                              to the declaration of the
                                              data subject thatthe data
                                              contains no personal
                                              information. </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"> </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">For b),
                                              the term "publish" is
                                              undefined. For all we
                                              know, it could mean
                                              publication in a physical
                                              print edition (it doesn't
                                              mean that though). But
                                              publication within SSAD
                                              can very well be
                                              sufficient for that
                                              definition. There is no
                                              reason whatsoever to
                                              assume differently. </p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal"> </p>
                                          </div>
                                          <div>
                                            <div>
                                              <div>
                                                <div>
                                                  <div>
                                                    <div>
                                                      <p class="MsoNormal">-- <br>
                                                        Volker A.
                                                        Greimann<br>
                                                        General Counsel
                                                        and Policy
                                                        Manager<br>
                                                        <b>KEY-SYSTEMS
                                                          GMBH</b><br>
                                                        <br>
                                                        T: +49 6894
                                                        9396901<br>
                                                        M: +49 6894
                                                        9396851<br>
                                                        F: +49 6894
                                                        9396851<br>
                                                        W: <a href="https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxhKRwDSK$" target="_blank" moz-do-not-send="true"><span style="color:rgb(17,85,204)">www.key-systems.net</span></a><br>
                                                        <br>
                                                        Key-Systems GmbH
                                                        is a company
                                                        registered at
                                                        the local court
                                                        of Saarbruecken,
                                                        Germany with the
                                                        registration no.
                                                        HR B 18835<br>
                                                        CEO: Oliver
                                                        Fries and Robert
                                                        Birkner<br>
                                                        <br>
                                                        Part of the
                                                        CentralNic Group
                                                        PLC (LON: CNIC)
                                                        a company
                                                        registered in
                                                        England and
                                                        Wales with
                                                        company number
                                                        8576358.<br>
                                                        <br>
                                                        <span style="font-size:10.5pt;font-family:Roboto;background:rgb(248,249,250)
                                                          none repeat
                                                          scroll 0% 0%">This
                                                          email and any
                                                          files
                                                          transmitted
                                                          are
                                                          confidential
                                                          and intended
                                                          only for the
                                                          person(s)
                                                          directly
                                                          addressed. If
                                                          you are not
                                                          the intended
                                                          recipient, any
                                                          use, copying,
                                                          transmission,
                                                          distribution,
                                                          or other forms
                                                          of
                                                          dissemination
                                                          is strictly
                                                          prohibited. If
                                                          you have
                                                          received this
                                                          email in
                                                          error, please
                                                          notify the
                                                          sender
                                                          immediately
                                                          and
                                                          permanently
                                                          delete this
                                                          email with any
                                                          files that may
                                                          be attached.</span></p>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                            <p class="MsoNormal"> </p>
                                          </div>
                                        </div>
                                        <div id="gmail-m_5832361527529862212gmail-m_2854865445665285661gmail-m_-3565268638294194630gmail-m_7094575180366425829DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">
                                          <p class="MsoNormal"> </p>
                                          <table style="border-style:solid
                                            none none;border-width:1pt
                                            medium
                                            medium;border-color:currentcolor" cellspacing="3" cellpadding="0" border="1">
                                            <tbody>
                                              <tr>
                                                <td style="width:41.25pt;border:medium
                                                  none;padding:9.75pt
                                                  0.75pt 0.75pt" width="56">
                                                  <p class="MsoNormal"><a href="https://urldefense.com/v3/__https:/www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxiSlynfH$" target="_blank" moz-do-not-send="true"><span style="text-decoration:none"><img style="width: 0.4791in; height:
                                                          0.3055in;" id="gmail-m_5832361527529862212gmail-m_2854865445665285661gmail-m_-3565268638294194630gmail-m_7094575180366425829_x005f_x0000_i1025" src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" moz-do-not-send="true" width="46" height="29" border="0"></span></a></p>
                                                </td>
                                                <td style="width:352.5pt;border:medium
                                                  none;padding:9pt
                                                  0.75pt 0.75pt" width="388">
                                                  <p class="MsoNormal" style="line-height:13.5pt"><span style="font-size:10pt;font-family:"Arial",sans-serif;color:rgb(65,66,78)">Virus-free.
                                                      <a href="https://urldefense.com/v3/__https:/www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxiSlynfH$" target="_blank" moz-do-not-send="true">
                                                        <span style="color:rgb(68,83,234)">www.avast.com</span></a>
                                                    </span></p>
                                                </td>
                                              </tr>
                                            </tbody>
                                          </table>
                                        </div>
                                        <p class="MsoNormal"> </p>
                                        <div>
                                          <div>
                                            <p class="MsoNormal">On Thu,
                                              Apr 15, 2021 at 1:52 PM
                                              Hadia Abdelsalam Mokhtar
                                              EL miniawi via
                                              Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a>>
                                              wrote:</p>
                                          </div>
                                          <blockquote style="border-style:none
                                            none none
                                            solid;border-width:medium
                                            medium medium
                                            1pt;padding:0cm 0cm 0cm
                                            6pt;margin:5pt 0cm 5pt
                                            4.8pt;border-color:currentcolor
                                            currentcolor currentcolor
                                            rgb(204,204,204)">
                                            <div>
                                              <div>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Dear
                                                    Milton,</span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Thank
                                                    you for your
                                                    constructive
                                                    thoughts. I believe
                                                    we have a lot to
                                                    build on. In
                                                    relation to
                                                    principle one, I
                                                    think we all agree
                                                    that some legal data
                                                    subjects would want
                                                    to publish their
                                                    data in the RDDS,
                                                    but without your
                                                    first principle they
                                                    can only do this
                                                    through consent. The
                                                    legal memo received
                                                    lately from Bird
                                                    & Bird explains
                                                    that if CPs publish
                                                    the data of legal
                                                    persons based on
                                                    consent they are at
                                                    a higher risk than
                                                    if they publish the
                                                    data of legal
                                                    persons based on
                                                    self-designation. In
                                                    the latter case CPs
                                                    might only be liable
                                                    if they fail to
                                                    address a complaint.
                                                    So the question
                                                    always was: what is
                                                    the benefit of
                                                    labeling the data as
                                                    belonging to a
                                                    natural or legal
                                                    person? Of course we
                                                    all know that GDPR
                                                    protects the data of
                                                    natural persons and
                                                    not legal persons,
                                                    but the important
                                                    answer now is that
                                                    the distinction
                                                    significantly
                                                    reduces the
                                                    liability of CPs. In
                                                    addition, the
                                                    distinction is
                                                    helpful in
                                                    performing the
                                                    balancing test in
                                                    case the data is not
                                                    published and I am
                                                    sure if we look into
                                                    individual use cases
                                                    we can find much
                                                    more benefits.
                                                    Moreover, it could
                                                    prove to be useful
                                                    regarding possible
                                                    upcoming
                                                    regulations. I would
                                                    also add that the
                                                    level of protection
                                                    assigned to the data
                                                    elements suggested
                                                    by Steve provides
                                                    additional safe
                                                    guards and
                                                    flexibility in the
                                                    implementation.
                                                  </span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Finally,
                                                    I join you in being
                                                    optimistic about our
                                                    ability to finish
                                                    this.</span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Kind
                                                    regards</span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Hadia
                                                  </span></p>
                                                <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                <div>
                                                  <div style="border-style:solid
                                                    none
                                                    none;border-width:1pt
                                                    medium
                                                    medium;padding:3pt
                                                    0cm
                                                    0cm;border-color:currentcolor">
                                                    <p class="MsoNormal"><b><span style="font-size:10pt;font-family:"Tahoma",sans-serif">From:</span></b><span style="font-size:10pt;font-family:"Tahoma",sans-serif">
                                                        Gnso-epdp-team
                                                        [mailto:<a href="mailto:gnso-epdp-team-bounces@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>]
                                                        <b>On Behalf Of
                                                        </b>Mueller,
                                                        Milton L via
                                                        Gnso-epdp-team<br>
                                                        <b>Sent:</b>
                                                        Wednesday, April
                                                        14, 2021 10:12
                                                        PM<br>
                                                        <b>To:</b> <a href="mailto:gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
                                                        <b>Subject:</b>
                                                        Re:
                                                        [Gnso-epdp-team]
                                                        On the proposed
                                                        guidance</span></p>
                                                  </div>
                                                </div>
                                                <p class="MsoNormal"> </p>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Colleagues:</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
                                                        have only gotten
                                                        time to review
                                                        the latest
                                                        Guidance
                                                        document and the
                                                        surrounding
                                                        debate today.
                                                        Apologies, but
                                                        there is a lot
                                                        going on in my
                                                        day job.
                                                      </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
                                                        am disappointed
                                                        to see that we
                                                        seem to be going
                                                        backwards. I see
                                                        divergence
                                                        rather than
                                                        convergence on
                                                        the way we are
                                                        approaching the
                                                        problem.</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
                                                        see no point in
                                                        adding more
                                                        noise to the
                                                        current document
                                                        via the Comments
                                                        function. What I
                                                        would like to
                                                        try to do is
                                                        articulate some
                                                        broad principles
                                                        about how to
                                                        deal with the
                                                        legal/natural
                                                        distinction. If
                                                        we can agree on
                                                        those
                                                        principles, it
                                                        will be
                                                        relatively easy
                                                        to complete the
                                                        document. If we
                                                        cannot/do not
                                                        agree on those
                                                        principles,
                                                        additional
                                                        wordsmithing and
                                                        debates over
                                                        terms will not
                                                        get us anywhere.
                                                      </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">So
                                                        here are the
                                                        broad principles
                                                        that I would
                                                        offer up for
                                                        debate:
                                                      </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">1.</span><span style="font-size:7pt;color:rgb(31,73,125)">      
                                                      </span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">The
                                                        legal/natural
                                                        distinction is
                                                        relevant and we
                                                        need to find a
                                                        way make it in
                                                        RDDS without
                                                        compromising
                                                        privacy rights.
                                                      </span></p>
                                                    <p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">2.</span><span style="font-size:7pt;color:rgb(31,73,125)">      
                                                      </span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Registrants
                                                        should be able
                                                        to
                                                        self-designate
                                                        as legal or
                                                        natural, with no
                                                        burden of
                                                        authentication
                                                        placed on
                                                        registrars or
                                                        registries</span></p>
                                                    <p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">3.</span><span style="font-size:7pt;color:rgb(31,73,125)">      
                                                      </span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">To
                                                        protect small
                                                        home offices or
                                                        NGOs who are
                                                        technically
                                                        Legal persons
                                                        but whose
                                                        registration
                                                        data may include
                                                        Personal data,
                                                        we need an
                                                        additional check
                                                        in the process.</span></p>
                                                    <p><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">4.</span><span style="font-size:7pt;color:rgb(31,73,125)">      
                                                      </span><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">As
                                                        long as they
                                                        conform with the
                                                        above 3
                                                        principles,
                                                        registrars/ries
                                                        (CPs) should be
                                                        given maximum
                                                        flexibility to
                                                        choose the way
                                                        to
                                                        differentiate.
                                                      </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
                                                        1 discussion:</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">If
                                                        we cannot agree
                                                        on this (or
                                                        agree to abandon
                                                        this principle),
                                                        _<i>nothing else
                                                          will fall into
                                                          place</i>_.
                                                        Ever. So let’s
                                                        settle that.
                                                        Steve and Volker
                                                        I suspect will
                                                        disagree with
                                                        this principle.
                                                        Steve has argued
                                                        that the L/N
                                                        distinction is
                                                        “not a central
                                                        concern” and all
                                                        that matters is
                                                        whether the
                                                        registrant’s
                                                        data is to be
                                                        made available
                                                        to anyone. If he
                                                        is right, we can
                                                        discard the
                                                        guidance
                                                        altogether,
                                                        because we
                                                        already have a
                                                        recommendation
                                                        to allow the RNH
                                                        to consent to
                                                        the publication
                                                        of their data.
                                                        Volker has also
                                                        suggested that
                                                        it is personal
                                                        data we need to
                                                        differentiate,
                                                        not L/N . I
                                                        disagree with
                                                        Steve and Volker
                                                        on this and so
                                                        do most of the
                                                        rest of the
                                                        group. L/N
                                                        distinction is a
                                                        central concern
                                                        to certain
                                                        stakeholder
                                                        groups in the
                                                        EPDP, because a)
                                                        GDPR and other
                                                        data protection
                                                        laws do not
                                                        protect it and
                                                        this process is
                                                        all about
                                                        bringing RDS
                                                        into compliance
                                                        with privacy
                                                        law; b) Legal
                                                        person data
                                                        could be
                                                        published and it
                                                        would provide
                                                        easier access to
                                                        their
                                                        registration
                                                        data. As a NCSG
                                                        member I can
                                                        find no basis
                                                        for objecting to
                                                        the publication
                                                        of WalMart’s,
                                                        Kroger’s or the
                                                        local hardware
                                                        store’s
                                                        registration
                                                        data. Any
                                                        concerns about
                                                        PII are
                                                        addressed by
                                                        principles 2 and
                                                        3. Steve is
                                                        approaching this
                                                        as an engineer,
                                                        but this is a
                                                        policy process,
                                                        and we will not
                                                        obtain agreement
                                                        on a solution
                                                        unless certain
                                                        stakeholders are
                                                        satisfied. If
                                                        they think it is
                                                        a central
                                                        concern, it’s a
                                                        central concern,
                                                        that’s how
                                                        policy/politics
                                                        work.</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
                                                        2 discussion</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">This
                                                        is the key
                                                        principle that
                                                        keeps NCSG and
                                                        CPH satisfied.
                                                        Registrants are
                                                        in control of
                                                        how they are
                                                        designated. Yes,
                                                        this means that
                                                        some people will
                                                        lie. That is
                                                        just something
                                                        we will have to
                                                        accept. One
                                                        cannot erase
                                                        that possibility
                                                        without creating
                                                        a system that is
                                                        too burdensome
                                                        and costly as to
                                                        outweigh any
                                                        benefits.
                                                      </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
                                                        3 discussion</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">This
                                                        is something
                                                        everyone seems
                                                        to agree on
                                                        already. But it
                                                        is good to make
                                                        it explicit,
                                                        then we can work
                                                        out how specific
                                                        our guidance can
                                                        get, so as to
                                                        conform to …</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Principle
                                                        4</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">Avoid
                                                        being overly
                                                        prescriptive,
                                                        but ensure that
                                                        the other 3
                                                        principles are
                                                        honored. So yes,
                                                        Volker, we give
                                                        you maximum
                                                        flexibility to
                                                        implement in
                                                        accordance with
                                                        different
                                                        business models,
                                                        but you can NOT
                                                        make a
                                                        designation for
                                                        a RNH, because
                                                        it violates
                                                        principle 2.
                                                      </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)">I
                                                        truly believe
                                                        that if we can
                                                        come to
                                                        agreement on
                                                        these 4
                                                        principles and
                                                        use them as the
                                                        basis for
                                                        drafting
                                                        guidance, we can
                                                        actually finish
                                                        this.</span></p>
                                                    <p class="MsoNormal"><span style="font-size:11pt;font-family:"Calibri",sans-serif;color:rgb(31,73,125)"> </span></p>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                            <p class="MsoNormal">_______________________________________________<br>
                                              Gnso-epdp-team mailing
                                              list<br>
                                              <a href="mailto:Gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">Gnso-epdp-team@icann.org</a><br>
                                              <a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxghxMAOY$" target="_blank" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
_______________________________________________<br>
                                              By submitting your
                                              personal data, you consent
                                              to the processing of your
                                              personal data for purposes
                                              of subscribing to this
                                              mailing list accordance
                                              with the ICANN Privacy
                                              Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxl5BDJwa$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/policy</a>)
                                              and the website Terms of
                                              Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxn6b_CGX$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/tos</a>).
                                              You can visit the Mailman
                                              link above to change your
                                              membership status or
                                              configuration, including
                                              unsubscribing, setting
                                              digest-style delivery or
                                              disabling delivery
                                              altogether (e.g., for a
                                              vacation), and so on.</p>
                                          </blockquote>
                                        </div>
                                        <div id="gmail-m_5832361527529862212gmail-m_2854865445665285661gmail-m_-3565268638294194630gmail-m_7094575180366425829DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">
                                          <p class="MsoNormal"> </p>
                                          <table style="border-style:solid
                                            none none;border-width:1pt
                                            medium
                                            medium;border-color:currentcolor" cellspacing="3" cellpadding="0" border="1">
                                            <tbody>
                                              <tr>
                                                <td style="width:41.25pt;border:medium
                                                  none;padding:9.75pt
                                                  0.75pt 0.75pt" width="56">
                                                  <p class="MsoNormal"><a href="https://urldefense.com/v3/__https:/www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxiSlynfH$" target="_blank" moz-do-not-send="true"><span style="text-decoration:none"><img style="width: 0.4791in; height:
                                                          0.3055in;" id="gmail-m_5832361527529862212gmail-m_2854865445665285661gmail-m_-3565268638294194630gmail-m_7094575180366425829_x005f_x0000_i1026" src="https://ipmcdn.avast.com/images/icons/icon-envelope-tick-round-orange-animated-no-repeat-v1.gif" moz-do-not-send="true" width="46" height="29" border="0"></span></a></p>
                                                </td>
                                                <td style="width:352.5pt;border:medium
                                                  none;padding:9pt
                                                  0.75pt 0.75pt" width="388">
                                                  <p class="MsoNormal" style="line-height:13.5pt"><span style="font-size:10pt;font-family:"Arial",sans-serif;color:rgb(65,66,78)">Virus-free.
                                                      <a href="https://urldefense.com/v3/__https:/www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxiSlynfH$" target="_blank" moz-do-not-send="true">
                                                        <span style="color:rgb(68,83,234)">www.avast.com</span></a>
                                                    </span></p>
                                                </td>
                                              </tr>
                                            </tbody>
                                          </table>
                                          <p class="MsoNormal"> </p>
                                        </div>
                                      </div>
                                    </div>
                                    <p class="MsoNormal">_______________________________________________<br>
                                      Gnso-epdp-team mailing list<br>
                                      <a href="mailto:Gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">Gnso-epdp-team@icann.org</a><br>
                                      <a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxghxMAOY$" target="_blank" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
_______________________________________________<br>
                                      By submitting your personal data,
                                      you consent to the processing of
                                      your personal data for purposes of
                                      subscribing to this mailing list
                                      accordance with the ICANN Privacy
                                      Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxl5BDJwa$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/policy</a>)
                                      and the website Terms of Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxn6b_CGX$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/tos</a>).
                                      You can visit the Mailman link
                                      above to change your membership
                                      status or configuration, including
                                      unsubscribing, setting
                                      digest-style delivery or disabling
                                      delivery altogether (e.g., for a
                                      vacation), and so on.</p>
                                  </blockquote>
                                </div>
                                <p class="MsoNormal">_______________________________________________<br>
                                  Gnso-epdp-team mailing list<br>
                                  <a href="mailto:Gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">Gnso-epdp-team@icann.org</a><br>
                                  <a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxghxMAOY$" target="_blank" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
_______________________________________________<br>
                                  By submitting your personal data, you
                                  consent to the processing of your
                                  personal data for purposes of
                                  subscribing to this mailing list
                                  accordance with the ICANN Privacy
                                  Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxl5BDJwa$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/policy</a>)
                                  and the website Terms of Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxn6b_CGX$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/tos</a>).
                                  You can visit the Mailman link above
                                  to change your membership status or
                                  configuration, including
                                  unsubscribing, setting digest-style
                                  delivery or disabling delivery
                                  altogether (e.g., for a vacation), and
                                  so on.</p>
                              </blockquote>
                            </div>
                            <div>
                              <p class="MsoNormal"><br clear="all">
                              </p>
                              <div>
                                <div class="MsoNormal">
                                  <hr width="33%" size="1" align="left">
                                </div>
                              </div>
                            </div>
                          </div>
                          <div>
                            <p class="MsoNormal"><br clear="all">
                            </p>
                            <div class="MsoNormal">
                              <hr width="33%" size="1" align="left">
                            </div>
                            <div id="gmail-m_5832361527529862212gmail-m_2854865445665285661ftn1">
                              <p><a name="m_5832361527529862212_m_2854865445665285661__ftn1" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftnref1" moz-do-not-send="true"><span><span style="font-size:8pt;font-family:"Georgia",serif">[1]</span></span><span></span></a><span></span>
                                As explained above, we have understood
                                this question to be asking about
                                scenarios where Registrants are legal
                                persons, as per the EDPB quote at
                                paragraph 1.  In respect of individual
                                (natural person) Registrants, the issues
                                will be largely similar: if a natural
                                person incorrectly states that their
                                data is not personal data, then (i) the
                                verification measures should prevent the
                                data from being published, since they
                                will give the data subject an
                                opportunity to correct their mistake;
                                (ii) the mitigating factors and legal
                                arguments described at paragraphs 11.7
                                and 11.8 and paragraphs 14.1 - 14.6
                                here, should confer reasonable legal
                                protection for Contracted Parties.</p>
                            </div>
                            <div id="gmail-m_5832361527529862212gmail-m_2854865445665285661ftn2">
                              <p><a name="m_5832361527529862212_m_2854865445665285661__ftn2" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftnref2" moz-do-not-send="true"><span><span lang="EN-GB">[1]</span></span><span></span></a><span></span><span lang="EN-GB"> In its judgement in Case
                                  C‑136/17
                                  <i>GC and Others</i>, the CJEU
                                  explained that GDPR obligations
                                  relating to an erasure (“Right to Be
                                  Forgotten”) request apply “<i>to the
                                    operator of a search engine in the
                                    context of his responsibilities,
                                    powers and capabilities as the
                                    controller of the processing carried
                                    out in connection with the activity
                                    of the search engine, on the
                                    occasion of a verification performed
                                    by that operator, under the
                                    supervision of the competent
                                    national authorities, following a
                                    request by the data subject”</i>. 
                                  As the Advocate General explained in
                                  that case, “<i>such an operator can
                                    act only within the framework of its
                                    responsibilities, powers and
                                    capabilities. In other words, such
                                    an operator may be incapable of
                                    ensuring the full effect of the
                                    provisions of [EU data protection
                                    law], precisely because of its
                                    limited responsibilities, powers and
                                    capabilities. . . An ex ante control
                                    of internet pages which are
                                    referenced as the result of a search
                                    does not fall within the
                                    responsibilities or the capabilities
                                    of a search engine</i>.”  It could
                                  not know, from the moment it indexed a
                                  webpage, that the content of that page
                                  was (for example) out of date (as in
                                  the original
                                  <i>Google Spain / Costeja</i> ruling),
                                  or (in the <i>GC and Others</i> case<i>)
                                  </i>
                                  “special category” or “criminal
                                  offence” data for which it required
                                  consent.</span></p>
                            </div>
                            <div id="gmail-m_5832361527529862212gmail-m_2854865445665285661ftn3">
                              <p><a name="m_5832361527529862212_m_2854865445665285661__ftn3" moz-do-not-send="true"></a><a href="#m_5832361527529862212_m_2854865445665285661__ftnref3" moz-do-not-send="true"><span><span lang="EN-GB">[2]</span></span><span></span></a><span></span><span lang="EN-GB"> See, for example,
                                  <a href="https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32000L0031" target="_blank" moz-do-not-send="true">
                                    Article 14</a> of the e-Commerce
                                  Directive 2000/31/EC and its
                                  transposition into the national laws
                                  of EU/EEA Member States and the UK.
                                </span></p>
                            </div>
                          </div>
                        </div>
                        <p class="MsoNormal"> </p>
                        <pre>_______________________________________________</pre>
                        <pre>Gnso-epdp-team mailing list</pre>
                        <pre><a href="mailto:Gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">Gnso-epdp-team@icann.org</a></pre>
                        <pre><a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxghxMAOY$" target="_blank" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a></pre>
                        <pre>_______________________________________________</pre>
                        <pre>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxl5BDJwa$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxn6b_CGX$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
                      </blockquote>
                    </div>
                    <p class="MsoNormal">_______________________________________________<br>
                      Gnso-epdp-team mailing list<br>
                      <a href="mailto:Gnso-epdp-team@icann.org" target="_blank" moz-do-not-send="true">Gnso-epdp-team@icann.org</a><br>
                      <a href="https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxghxMAOY$" target="_blank" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
                      _______________________________________________<br>
                      By submitting your personal data, you consent to
                      the processing of your personal data for purposes
                      of subscribing to this mailing list accordance
                      with the ICANN Privacy Policy (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxl5BDJwa$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/policy</a>)
                      and the website Terms of Service (<a href="https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!XSywrkEovOjOF-WmOAPUMVqsao1Zv9b2rUkkdL1O1jXYaDTpt6eZXsc9LSp2ncroxn6b_CGX$" target="_blank" moz-do-not-send="true">https://www.icann.org/privacy/tos</a>).
                      You can visit the Mailman link above to change
                      your membership status or configuration, including
                      unsubscribing, setting digest-style delivery or
                      disabling delivery altogether (e.g., for a
                      vacation), and so on.</p>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
    </blockquote>
  </body>
</html>