[gnso-rds-pdp-wg] Joint Controller / Article 26 / Hamilton Memo

Rubens Kuhl rubensk at nic.br
Sat Oct 28 15:15:01 UTC 2017 

Michael,

I'll add a bit of salt to that: since ICANN contracts open up to definitions from the community to control ICANN and contracted parties, thru the consensus policies, it might possible that for GDPR effects, that the community is also considered a controller, not only ICANN. So a GDPR fine might be in all of our futures.


Rubens









> On Oct 26, 2017, at 1:55 AM, michael at palage.com wrote:
> 
> Hello All,
> 
> I must admit it has been hard to keep up with the flood of recent list traffic.  However, I would like to interject a legal issue raised in the Hamilton Memo which I do not believe has been properly discussed to date. Specifically, Hamilton’s determination that both ICANN and Registration Authorities (Registries and Registrars) are Joint Controllers, see Paragraph 3.4.4 of Hamilton Memo.
> 
> Article 26 of the GDPR on the issue of Joint Controller states that “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.”  For the purpose of this analysis I will focus exclusively on Registries as well as the fact that there seems to have been a lot of list traffic in connection with the recent actions of .AMSTERDAM and .FRL.  Prior to ICANN, the legacy gTLDs were thin registries. Over the years ICANN has mandated through various RFPs/Applicant Guidebooks the requirement that a TLD be operated in a thick format.   But for a Consensus Policy mandating VeriSign to convert .COM and .NET from thin to thick there was no desire or need for Verisign to have access to this data. How can parties be “joint” controllers, when one party has the unilateral right to impose its will on the other?
> 
> I am puzzled why Hamilton made this legal determination and whether it knew of these historical data points. I am also puzzled why Hamilton believes that ICANN as a Joint Controller can unilaterally undertake a DPIA without consultation with the other joint controllers.  I would submit that history and this action, point toward ICANN being the sole Data Controller, and “most” registries being a Data Processor. As evidenced by VeriSign, most gTLD registries do not need thick data to perform their core business functions. They are only deemed a Joint Controller because ICANN has mandated that they collect and process the PII of registrants.
> 
> I would welcome any additional insight on this Article 26 issue.
> 
> Best regards,
> 
> Michael
> 
> 
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171028/902e7bd6/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171028/902e7bd6/signature.asc>

More information about the gnso-rds-pdp-wg mailing list