<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Theo,<div class=""><br class=""></div><div class="">I get your point and understand this fully, and effectively it is there. I came across another assessment or self-assessment tool from Microsoft which is quite interesting and has the right questions.&nbsp;</div><div class=""><br class=""></div><div class=""><a href="https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx" class="">https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx</a></div><div class=""><br class=""></div><div class="">This may be something we may need to rethink for sure, but any self-assessment is worthwhile and may perhaps help us redefine the move ahead.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 21, 2017, at 19:54, theo geurts &lt;<a href="mailto:gtheo@xs4all.nl" class="">gtheo@xs4all.nl</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
  
  
  <div text="#000000" bgcolor="#FFFFFF" class=""><p class="">A couple of pointers here for everyone and not directed at anyone
      specifically. <br class="">
      <br class="">
      Eurid will update their Registrar agreement soon. So perhaps it is
      not handy to dig into some agreement. <br class="">
      The agreement will state very clearly who will be the data
      controller (Registry) and the data processor (Registrar/Reseller).
      As all the roles are defined and PII is not available through the
      WHOIS, no consent is required. <br class="">
      <br class="">
      Let's dive a little into consent and the organizational
      "challenges."<br class="">
      <br class="">
    </p>
    <ul class="">
      <li class="">Be specific and granular. Vague or blanket consent is not
        enough</li>
      <li class="">Name any third parties who will rely on the consent</li>
      <li class="">Make it easy for people to withdraw consent and tell them how</li>
    </ul><p class="">Consent must specifically cover the controller’s name, the
      purposes of the processing and the types of processing activity<br class="">
      <br class="">
      Okay? Let's dig a little deeper into consent. <br class="">
      Consent will be needed for different processing operations
      wherever appropriate – so you need to give granular options to
      consent separately to separate purposes. <br class="">
      <br class="">
      So a registrant will have to consent to at least<br class="">
    </p>
    <ul class="">
      <li class="">Escrow Registry to Escrow provider in country X</li>
      <li class="">Escrow Registrar to Escrow provider in country X</li>
      <li class="">Cross-border transfer of data to Registry in country X</li>
      <li class="">ICANN staff USA under set conditions must have access to
        Registry or Registrar RDE deposit</li>
      <li class="">ICANN staff access for audits</li>
      <li class="">Third parties selected by ICANN for audits</li>
      <li class="">Place holder for all the other stuff I am forgetting<br class="">
      </li>
    </ul><p class=""><br class="">
      As the PII will be published in the WHOIS that will require
      consent also. But you have to warn the Registrant, so it has to be
      crystal clear what will happen as soon as that data becomes public.
      Spam, phone calls by folks trying to sell you stuff, i.e., the
      good stuff we all know about and encounter on a daily basis and
      much more.&nbsp; <br class="">
      <i class=""><br class="">
      </i><i class="">In data protection, there is the fundamental principle
        which is unchanged even in the age of Big Data.</i><i class=""><br class="">
      </i><i class="">The data subject has to be in control of her/his data,
        which means for consent that you need consent for each of
        the data processing activities (even for minor changes in the
        processing)</i><br class="">
      <br class="">
      Now picture a domain name registration flow here. <br class="">
      We are talking over a thousand TLDs here scattered all over
      the world. <br class="">
      This will not increase consumer trust for starters when it comes
      to gTLDs. It will be one big click fest and registration
      conversion will go down the drain. <br class="">
      <br class="">
      But let's assume we go this route. <br class="">
      Right to be forgotten? How do we do that when the WHOIS is scraped
      day and night by unknown third parties? I am not sure how we will
      meet this GDPR requirement. Most likely consent was not "freely"
      given. Perhaps part two will cover this some more. <br class="">
      <br class="">
      &nbsp;Withdrawal of consent, how do we envision this GDPR requirement?
      I do not see how we will ever get this working if the current
      status quo is not changing. <br class="">
      <br class="">
      Art 6.1(b) can be used for companies who have a very direct
      customer relation on a small base. This is not a solution for
      Registrars nor Registries when it comes to mass registrations that
      happen on a daily basis. <br class="">
      <br class="">
      Thanks, <br class="">
      <br class="">
      Theo <br class="">
      <br class="">
    </p>
    <br class="">
    <div class="moz-cite-prefix">On 21-10-2017 02:41, John Bambenek via
      gnso-rds-pdp-wg wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:CF3981C1-EF2B-4318-8CCF-AA16DD24D03C@bambenekconsulting.com" class="">
      Not the last few items discussed, no. That said I have been
      traveling for the past few weeks and need to read them side by
      side for a definitive synthesis. That aside, my primary concern is
      that said officials are not hearing enough from the anti-abuse and
      security community on these tools to have a more fully informed
      discussion. We are working to rectify that.&nbsp;<br class="">
      <br class="">
      <div class="">Sent from my iPad</div>
      <div class=""><br class="">
        On Oct 21, 2017, at 2:35 AM, Ayden Férdeline &lt;<a href="mailto:icann@ferdeline.com" moz-do-not-send="true" class="">icann@ferdeline.com</a>&gt;
        wrote:<br class="">
        <br class="">
      </div>
      <blockquote type="cite" class="">
        <div class="">
          <div class="">My apologies, John. It was not clear to me that you had
            read the memo. I am glad to hear that you have. Particularly
            in relation to consent, I thought the advice that the memo
            contained (along with the Hamilton memo) was consistent with
            the advice that we received from the European Data
            Protection Commissioners earlier this year. Would you agree?<br class="">
          </div>
          <div class=""><br class="">
          </div>
          <div class="">—Ayden<br class="">
          </div>
          <div class=""><br class="">
          </div>
          <blockquote class="protonmail_quote" type="cite">
            <div class="">-------- Original Message --------<br class="">
            </div>
            <div class="">Subject: Re: [gnso-rds-pdp-wg] another document that
              might be of interest<br class="">
            </div>
            <div class="">Local Time: 21 October 2017 1:27 AM<br class="">
            </div>
            <div class="">UTC Time: 21 October 2017 00:27<br class="">
            </div>
            <div class="">From: <a href="mailto:jcb@bambenekconsulting.com" moz-do-not-send="true" class="">jcb@bambenekconsulting.com</a><br class="">
            </div>
            <div class="">To: Ayden Férdeline &lt;<a href="mailto:icann@ferdeline.com" moz-do-not-send="true" class="">icann@ferdeline.com</a>&gt;<br class="">
            </div>
            <div class="">Victoria Sheckler &lt;<a href="mailto:vsheckler@riaa.com" moz-do-not-send="true" class="">vsheckler@riaa.com</a>&gt;,
              GNSO RDS PDP &lt;<a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a>&gt;<br class="">
            </div>
            <div class=""><br class="">
            </div>
            <div class="">Yes, I believe I pointed out on this very list that
              among other things, the notion the EU law should reign
              supreme globally even when it conflicts with local laws as
              patently offensive, among other things.&nbsp;<br class="">
            </div>
            <div class=""><br class="">
            </div>
            <div class="">Is there a particular outcome that you are trying to
              achieve by insinuating that I am ignorant and not reading
              the mounds of paperwork generated by this group? I mean
              besides the continual, consistent, and vigorous disrespect
              shown to those who work in anti-abuse or security?<br class="">
            </div>
            <div class=""><br class="">
            </div>
            <div class="">And if you’d like an analysis of the legal memo it is
              this: it is always better to take the word of the
              regulators over merely that of some law firm. Which is what
              I thought we were actually talking about in the first
              place.&nbsp;<br class="">
            </div>
            <div class=""><br class="">
            </div>
            <div class="">
              <div class=""><br class="">
              </div>
              <div class="">
                <div class=""><br class="">
                </div>
                <div class="">
                  <div class="">--<br class="">
                  </div>
                  <div class="">John Bambenek<br class="">
                  </div>
                </div>
                <div class="">
                  <div class=""><br class="">
                  </div>
                  <div class="">On Oct 20, 2017, at 19:10, Ayden Férdeline &lt;<a href="mailto:icann@ferdeline.com" moz-do-not-send="true" class="">icann@ferdeline.com</a>&gt;
                    wrote:<br class="">
                  </div>
                </div>
                <blockquote type="cite" class="">
                  <div class="">
                    <div class="">
                      <div class="">John,<br class="">
                      </div>
                      <div class=""><br class="">
                      </div>
                      <div class="">Have you read the legal memo that we received
                        from Wilson Sonsini Goodrich &amp; Rosati? <br class="">
                      </div>
                      <div class=""><br class="">
                      </div>
                      <div class="">It states on page 14, "asking for consent
                        would not be simple, would not solve all data
                        protection issues, and would pose a number of
                        organizational challenges."<br class="">
                      </div>
                    </div>
                    <div class=""><br class="">
                    </div>
                    <div class="">The rationale behind this statement is
                      contained within the memo.<br class="">
                    </div>
                    <div class=""><br class="">
                    </div>
                    <div class="">—Ayden<br class="">
                    </div>
                    <div class=""><br class="">
                    </div>
                    <blockquote type="cite" class="protonmail_quote">
                      <div class="">-------- Original Message --------<br class="">
                      </div>
                      <div class="">Subject: Re: [gnso-rds-pdp-wg] another
                        document that might be of interest<br class="">
                      </div>
                      <div class="">Local Time: 21 October 2017 1:06 AM<br class="">
                      </div>
                      <div class="">UTC Time: 21 October 2017 00:06<br class="">
                      </div>
                      <div class="">From: <a href="mailto:jcb@bambenekconsulting.com" moz-do-not-send="true" class="">jcb@bambenekconsulting.com</a><br class="">
                      </div>
                      <div class="">To: Ayden Férdeline &lt;<a href="mailto:icann@ferdeline.com" moz-do-not-send="true" class="">icann@ferdeline.com</a>&gt;<br class="">
                      </div>
                      <div class="">Victoria Sheckler &lt;<a href="mailto:vsheckler@riaa.com" moz-do-not-send="true" class="">vsheckler@riaa.com</a>&gt;,
                        GNSO RDS PDP &lt;<a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a>&gt;<br class="">
                      </div>
                      <div class=""><br class="">
                      </div>
                      <div class="">So, in short, if we create a consent system,
                        we are fine.&nbsp;<br class="">
                      </div>
                      <div class=""><br class="">
                      </div>
                      <div class="">
                        <div class="">Am I missing something?<br class="">
                        </div>
                        <div class=""><br class="">
                        </div>
                        <div class="">
                          <div class="">--<br class="">
                          </div>
                          <div class="">John Bambenek<br class="">
                          </div>
                        </div>
                        <div class="">
                          <div class=""><br class="">
                          </div>
                          <div class="">On Oct 20, 2017, at 17:31, Ayden
                            Férdeline &lt;<a href="mailto:icann@ferdeline.com" moz-do-not-send="true" class="">icann@ferdeline.com</a>&gt;
                            wrote:<br class="">
                          </div>
                        </div>
                        <blockquote type="cite" class="">
                          <div class="">
                            <div class="">I would like to flag two extracts from
                              this Regulation that may be relevant to
                              our work:<br class="">
                            </div>
                            <ul class="">
                              <li class="">"The Registry should also comply with
                                the relevant data protection rules,
                                principles, guidelines and best
                                practices, notably concerning the amount
                                and type of data displayed in the WHOIS
                                database." (page 3)<br class="">
                              </li>
                              <li class="">"The WHOIS database shall contain
                                information about the holder of a domain
                                name that is relevant and not excessive
                                in relation to the purpose of the
                                database. In as far as the information
                                is not strictly necessary in relation to
                                the purpose of the database, and <b class="">if
                                  the domain name holder is a natural
                                  person, the information that is to be
                                  made publicly available shall be
                                  subject to the unambiguous consent of
                                  the domain name holder</b>." (page 10
                                - emphasis added)<br class="">
                              </li>
                            </ul>
                            <div class="">Thank you, <br class="">
                            </div>
                            <div class=""><br class="">
                            </div>
                            <div class="">Ayden Férdeline<br class="">
                            </div>
                            <div class=""><br class="">
                            </div>
                            <div class=""><br class="">
                            </div>
                            <blockquote class="protonmail_quote" type="cite">
                              <div class="">-------- Original Message --------<br class="">
                              </div>
                              <div class="">Subject: [gnso-rds-pdp-wg] another
                                document that might be of interest<br class="">
                              </div>
                              <div class="">Local Time: 20 October 2017 10:47 PM<br class="">
                              </div>
                              <div class="">UTC Time: 20 October 2017 21:47<br class="">
                              </div>
                              <div class="">From: <a href="mailto:vsheckler@riaa.com" moz-do-not-send="true" class="">vsheckler@riaa.com</a><br class="">
                              </div>
                              <div class="">To: GNSO RDS PDP &lt;<a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a>&gt;<br class="">
                              </div>
                              <div class=""><br class="">
                              </div>
                              <div class=""><br class="">
                              </div>
                              <div class="WordSection1"><p class="MsoNormal">I think we missed
                                  this document when we were reviewing
                                  documents for this WG back in the day,
                                  and thought some of you might find it
                                  of interest given our current
                                  discussions on GDPR<br class="">
                                </p><p class="MsoNormal">&nbsp;<br class="">
                                </p><p class="MsoNormal">COMMISSION
                                  REGULATION (EC) No 874/2004 of 28
                                  April 2004 laying down public policy
                                  rules concerning the implementation
                                  and functions of the .eu Top Level
                                  Domain and the principles governing
                                  registration, available at <a href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF" moz-do-not-send="true" class="">
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF</a><br class="">
                                </p>
                              </div>
                            </blockquote>
                            <div class=""><br class="">
                            </div>
                          </div>
                        </blockquote>
                        <blockquote type="cite" class="">
                          <div class="">
                            <div class=""><span class="">_______________________________________________</span><br class="">
                            </div>
                            <div class=""><span class="">gnso-rds-pdp-wg mailing list</span><br class="">
                            </div>
                            <div class=""><span class=""><a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true" class="">gnso-rds-pdp-wg@icann.org</a></span><br class="">
                            </div>
                            <div class=""><span class=""><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true" class="">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span><br class="">
                            </div>
                          </div>
                        </blockquote>
                      </div>
                    </blockquote>
                    <div class=""><br class="">
                    </div>
                  </div>
                </blockquote>
              </div>
            </div>
          </blockquote>
          <div class=""><br class="">
          </div>
        </div>
      </blockquote>
      <br class="">
    </blockquote>
    <br class="">
  </div>

</div></blockquote></div><br class=""><div class="">
<div class="">Kris Seeburn</div><div class=""><a href="mailto:seeburn.k@gmail.com" class="">seeburn.k@gmail.com</a></div><div class=""><a href="http://www.linkedin.com/in/kseeburn/" class="">www.linkedin.com/in/kseeburn/</a></div></div>
<br class=""></div></body></html>