[gnso-rds-pdp-wg] @EXT: RE: IMPORTANT: Invitation for Poll from 9 January Meeting

Paul Keating paul at law.es
Tue Jan 16 16:51:53 UTC 2018


Greg

I agree with a distinction that is apparent at the point of collection. 

At the point of collection the CONTROLLER must satisfy the legitimacy test both as to the information obtained and the reason for obtaining it. 

The reason must be determined at this point and as between the controller and customer. 

The fact that data may be of use to a third party is not itself a legitimate reason for collection.  There needs to be more. 

This is the reason that I am pushing for a modification of the contractual basis here. ICANN can (and should) obligate collection for the purposes of security (certification investigation, etc). This should be in the ICANN registry agreements and incorporate a downstream obligation all the way to the registrar. 

This in turn forms the basis for finding a legitimate interest in collection by the controller. The data can then be made available to third parties as long as their use is consistent with a legitimate interest. 

ICANN can and should obtain pre-clearance for this so there is no doubt in the future AND so that collection of the data becomes obligatory and not voluntary on the part of the registrars. 

Sincerely,
Paul Keating, Esq.

> On Jan 16, 2018, at 5:19 PM, Mounier wrote:
> 
> Hi Nathalie,
>  
> I see what you are trying to achieve but I still think that there is no need to distinguish between primary and secondary purposes for the reason that the GDPR does not make this distinction. It only states that processing of personal data is lawful if the processing is necessary for the purposes of the legitimate interests pursued by the controller.
>  
> Identifying the legitimate purposes of personal data processing is by nature a political process (this is exactly what the NGRDS WG is doing) and does not need to stem from a contract. Processing can also have multiple purposes, as long as consent is given for all of them. So if the NGRDS WG comes to the conclusion that the WHOIS system has 5 or 6 clearly identified legitimate purposes, as long as these different legitimate purposes are 1) clearly and explicitly set out in the WHOIS policy rules that apply to the processing of WHOIS data, and 2) that registrants are informed in a clear and easily understandable manner about these purposes, then the collection of such data will be lawful for those 5 or 6 legitimate purposes. The risk of coming up with a distinction between primary and secondary purposes is that DPAs will rule that collecting WHOIS data for secondary purposes is unlawful.  
>  
> If according to ICANN’s Bylaws, one of the legitimate purposes of the WHOIS system is to address issues involving domain name registrations and to ensure the stability of the DNS, which includes law enforcement, anti-abuse, and anti-IP-infringement activity, then these are legitimate purposes for requiring the collection of registration data. Nothing to hide here.
>  
> There is no need to make a distinction between primary and secondary purposes or purposes directly or indirectly based on the contract. Registrants need domain names, they will continue to buy them even when they are informed about all the purposes for which their information is collected.
>  
> Greg
>  
>  
> From: nathalie coupet [mailto:nathaliecoupet at yahoo.com] 
> Sent: 15 January 2018 22:38
> To: Mounier, Grégory; 'Chuck'; 'gnso-rds-pdp-wg at icann.org'
> Subject: Re: [gnso-rds-pdp-wg] @EXT: RE: IMPORTANT: Invitation for Poll from 9 January Meeting
>  
> Hi Gregory,
>  
> I was expecting this objection be raised by law enforcement. But, in a spirit of compromise, let's remember a resolution a member made earlier about the implementation of GDPR: we were going to distinguish between primary purpose and secondary purpose (those not directly based on the contract between the registrant and the registrar) and beef up 'secondary purposes'. While this might seem unnatural, it allows us to apply the GDPR's distinction while preserving the use of WHOIS for law enforcement and abuse mitigation people. 
> This is important when submitting the WG's and ultimately ICANN's rationale to the DPA's review: let's not increase the attack surface. We can make sure that despite this use not being granted full legitimate status for collection, there will be enough data available for this use by allowing additional collection, if need be. 
> The fact that a purpose is directly or indirectly based on the contract between the registrant and the registrar - the initial consent of the registrant being the criteria for determining which purpose is primary (a.k.a. 'legitimate') and which one is not (i.e. 'secondary') - could really alleviate our quest for a compromise and still protect ICANN and registrars. 
> I fear we'll still be here discussing this until we all turn blue and still not get anywhere. I'm sure no one in the group believes your work is less important, and we'll protect your access to information as much as we can. 
> We just need to create this little artifice to protect registrars and ICANN, so DPAs won't breathe down our necks.  
>  
> Why not give it a try?  
>  
> Nathalie 
>  
> 
> On Monday, January 15, 2018 8:30 AM, "Mounier, Grégory" <gregory.mounier at europol.europa.eu> wrote:
>  
> 
> Dear all,
>  
> I will not be able to join the call tomorrow so I thought that I should drop an email to the list to explain why I voted against the proposed possible WG Agreement according to which “Criminal Activity/DNS Abuse – Investigation is NOT a legitimate purpose for requiring collection of registration data, but maybe a legitimate purpose of using some data collected for other purposes.”
> I think that there are a number of rationales/grounds - including in ICANN’s Bylaws - to argue that in fact, investigating criminal activity and DNS Abuse IS a legitimate purpose for requiring the collection of registration data.
> Some of these rationales have been mentioned during the discussion on the mailing list and during the call on 9th January. Unfortunately, I think that the proposed possible WG agreement does not take into consideration these rationales. I specifically disagree with the assumption that we should make a distinction between 1) the purpose of collecting the data and 2) the purpose for using the data collected for other purposes (manage domain registrations).
> The reason why I disagree with making this distinction is that it leads to artificially reduce the importance of a valid and legitimate purpose of the WHOIS system, acknowledged by ICANN Bylaws: addressing malicious abuse of the DNS and providing a framework to address appropriate law enforcement needs. (ICANN’s mandate is to “ensure the stable and secure operation of the internet’s unique identifier systems”[1] + WHOIS data is essential for “the legitimate needs of law enforcement” and for “promoting consumer trust.”[2]  ). In its document on the three compliance models issued last Friday[3], ICANN has explicitly included: addressing the needs of law enforcement, investigation of cybercrime and DNS abuse as legitimate purposes of the WHOIS system.
> If one of the purposes of the WHOIS system is to support a framework to address issues involving domain name registrations, including investigation of cybercrime and DNS abuse, it can be argued that investigating criminal activity and DNS abuse IS a legitimate purpose for requiring the collection of registration data. Likewise, I think that requiring collection of registration data to prevent crime is NOT beyond ICANN's mandate because this data is essential for ICANN to fulfil its mandate.
> I have attached a list of relevant references supporting this point of view taken from ICANN’s Bylaws and the GDPR.
>  
> I hope that you’ll find this contribution helpful and I’m looking forward to reading the transcript of the next call :).
>  
> Best,
> Greg
>  
> Gregory Mounier
> Europol
> European Cybercrime Centre
> +31 6 55782743
>  
> From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Chuck
> Sent: 12 January 2018 15:21
> To: gnso-rds-pdp-wg at icann.org
> Subject: [gnso-rds-pdp-wg] FW: IMPORTANT: Invitation for Poll from 9 January Meeting
> Importance: High
>  
> The response to this week’s poll is particularly low so I strongly encourage more members to respond so that we have enough data to help us in our meeting next week.  Thanks to those who have already responded.
>  
> Chuck
>  
> From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Marika Konings
> Sent: Wednesday, January 10, 2018 7:27 AM
> To: gnso-rds-pdp-wg at icann.org
> Subject: [gnso-rds-pdp-wg] IMPORTANT: Invitation for Poll from 9 January Meeting
>  
> Dear all,
>  
> In follow-up to this week’s WG meeting, all RDS PDP WG Members are encouraged to participate in the following poll:
>  
> https://www.surveymonkey.com/r/VM6S8YK
>  
> Responses should be submitted through the above URL. For offline reference, a PDF of poll questions can also be found at:
>  
>               https://community.icann.org/download/attachments/74580034/Poll-from-9January-Call.pdf?version=1&modificationDate=1515544361000&api=v2
>  
> This poll will close at COB Saturday 13 January. 
>  
> Please note that you must be a WG Member to participate in polls. If you are a WG Observer wishing to participate in polls, you must first contact gnso-secs at icann.org to upgrade to WG Member.
>  
> Best regards,
>  
> Marika
>  
> Marika Konings
> Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) 
> Email: marika.konings at icann.org  
>  
> Follow the GNSO via Twitter @ICANN_GNSO
> Find out more about the GNSO by taking our interactive courses and visiting the GNSO Newcomer pages. 
>  
> 
> [1] ICANN Bylaws Article One, Section 1.1, Mission.  
> [2] ICANN Bylaws, Registration Directory Services Review, §4.6(e).
> [3] https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf
> *******************
> 
> DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
> Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.
> 
> *******************
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> 