[gnso-rds-pdp-wg] CIRCL - Luxembourg CERT Statement on WHOIS

Greg Shatan gregshatanipc at gmail.com
Fri Apr 13 22:02:00 UTC 2018


The publication cites GDPR exactly twice.  The citation to “recital 32” is
actually to Article 32. (If one actually looks at the recitals, one will
see that recital 32 deals with “consent.”) So, while the statement that
the piece only cites GDPR recitals is superficially correct, it’s
substantively incorrect.  (The citation to “recital 49” is a citation to
Recital 49, so to be charitable, it’s half-correct.)

I assume this was the basis for the statement that the publication is “dependent
on ... the GDPR’s recitals.”  Having established that this basis is gone, I’ll
go on to assume that this statement is similarly invalid, unless there is
some actual substantive analysis that shows that the publication is only
“dependent” on the GDPR recitals and not its Articles.

Implicitly, I think this dismissiveness underplays the importance of the
Recitals.  Recital 49 is instrumental in interpreting Article 6 (Lawfulness
of Processing); an interpretation of Article 6 that failed to take into
account Recital 49 to the extent applicable would be incorrect and
inappropriate.

It will be interesting to see if use of the recitals to interpret the
articles is similarly dismissed in other circumstances, regardless of the
outcome.

I find the idea that one cannot interpret the GDPR without conducting a
Human Rights Impact Assessment to be both amusing and troubling.  An HRIA
is a major, multi-step undertaking, typically involving an identification
phase, an extensive stakeholder engagement phase, an assessment phase, and
the issuance of a report.  One I grabbed at random on the Internet was 23
pages long, replete with charts and graphs, reflecting a great deal of
underlying effort.  Another I couldn’t look at because it was 16MB zip file
and it was blocked by my firewall.  Conducting an HRIA can’t be the
“minimum buy-in” to discuss GDPR.  *Claiming* that it is, however, is a
convenient way of dismissing someone’s analysis without actually dealing
with that analysis.

Perhaps I’m looking at this too rigidly.  It’s possible that what was meant
was not a formal HRIA, but a simpler “seat-of-the-pants” exercise of trying
to figure out the human rights impacts of a given data processing
activity.  If that’s all that was meant, the term human rights impact
assessment should not be invoked and abused in this manner.

Or maybe what was meant was a Data Protection Impact Assessment under
Article 35 — a completely different Impact Assessment.  I suppose this
confusion could be forgiven.  This seems most likely, since the
“assessment” seems to be limited to “the privacy rights of a domain name
registrant”, which roughly parallels Article 35.7(c).  An HRIA, in
contrast, would look at human rights impacts across all stakeholders
(including those affected by the “claimed” security risks (which would
likely include the registrant)) and across all relevant human rights.

Predicting the outcome of an HRIA (or DPIA, if that’s what was meant)
without conducting one would be folly.  It would be interesting to know
what, other than a “belief in human rights”, provided the confidence in the
particular cited outcome.  (It would also be interesting to know what
Impact Assessment was being referred to....)

And it would be *extremely* interesting to conduct an HRIA (or less formal
analysis) of the *human rights impacts of substantially crippling WHOIS*.
We’ve had the last two decades to conduct a “field exercise” in the
“claimed” human rights impacts of WHOIS.  I don’t know if there is a
rigorous and comprehensive analysis of the human rights impacts of losing
most of WHOIS — but I’m afraid that we will soon be engaged in a “field
exercise” on that impact without that understanding.  That strikes me as a
huge and reckless risk to take, especially since so much of what is in the
“Interim Model” is outside the scope and reach of GDPR.

Greg




On Fri, Apr 13, 2018 at 4:20 PM Ayden Férdeline <icann at ferdeline.com> wrote:

> This publication is dependent on, and only cites, the GDPR's recitals.
> While the recitals may inform the interpretation of the GDPR's articles,
> they are not legally binding. Only the GDPR's articles are binding
> instruments. I would also like to note that no human rights impact
> assessment appears to have been conducted in the preparation of this
> publication. If one had been, I am confident we would have seen that the
> protection of the privacy rights of a domain name registrant outweigh the
> claimed security risks.
>
> Ayden Férdeline
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 12 April 2018 7:47 PM, John Bambenek via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
>
> A good read from a European entity on why open and free access to whois
> data is both essential AND legal under GDPR. And its coming from a state
> sponsored entity.
>
> https://www.circl.lu/pub/tr-53/
>
> --
> John Bambenek
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

