<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>A couple of pointers here for everyone and not directed at anyone
specifically. <br>
<br>
EURid will update their Registrar agreement soon. So perhaps it is
not handy to dig into some agreement. <br>
The agreement will state very clearly who will be the data
controller (Registry) and the data processor (Registrar/Reseller).
As all the roles are defined and PII is not available through the
WHOIS no consent is required. <br>
<br>
Let's dive a little into consent and the organizational
"challenges."<br>
<br>
</p>
<ul>
<li>Be specific and granular. Vague or blanket consent is not
enough</li>
<li>Name any third parties who will rely on the consent</li>
<li>Make it easy for people to withdraw consent and tell them how</li>
</ul>
<p>Consent must specifically cover the controller’s name, the
purposes of the processing and the types of processing activity.<br>
<br>
Okay? Let's dig a little deeper into consent. <br>
Consent will be needed for different processing operations
wherever appropriate – so you need to give granular options to
consent separately to separate purposes. <br>
<br>
So a registrant will have to consent to at least<br>
</p>
<ul>
<li>Escrow Registry to Escrow provider in country X</li>
<li>Escrow Registrar to Escrow provider in country X</li>
<li>Cross-border transfer of data to Registry in country X</li>
<li>ICANN staff USA under set conditions must have access to
Registry or Registrar RDE deposit</li>
<li>ICANN staff access for audits</li>
<li>Third parties selected by ICANN for audits</li>
<li>Place holder for all the other stuff I am forgetting<br>
</li>
</ul>
<p><br>
As the PII will be published in the WHOIS that will require
consent also. But you have to warn the Registrant, so it has to be
crystal clear what will happen as soon as that data becomes public.
Spam, phone calls by folks trying to sell you stuff, i.e., the
good stuff we all know about and encounter on a daily basis and
much more. <br>
<i><br>
</i><i>In data protection, there is the fundamental principle
which is unchanged even in the age of Big Data.</i><i><br>
</i><i>The data subject has to be in control of her/his data,
which means for consent that you need consent for every each of
the data processing activities (even for minor changes in the
processing)</i><br>
<br>
Now picture a domain name registration flow here. <br>
We are talking over a thousand TLDs here scattered all over
the world. <br>
This will not increase consumer trust for starters when it comes
to gTLDs. It will be one big click fest and registration
conversion will go down the drain. <br>
<br>
But let's assume we go this route. <br>
Right to be forgotten? How do we do that when the WHOIS is scraped
day and night by unknown third parties? I am not sure how we will
meet this GDPR requirement. Most likely consent was not "freely"
given. Perhaps part two will cover this some more. <br>
<br>
Withdrawal of consent, how do we envision this GDPR requirement?
I do not see how we will ever get this working if the current
status quo is not changing. <br>
<br>
Art 6.1(b) can be used for companies who have a very direct
customer relation on a small base. This is not a solution for
Registrars nor Registries when it comes to mass registrations that
happen on a daily basis. <br>
<br>
Thanks, <br>
<br>
Theo <br>
<br>
</p>
<br>
<div class="moz-cite-prefix">On 21-10-2017 02:41, John Bambenek via
gnso-rds-pdp-wg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CF3981C1-EF2B-4318-8CCF-AA16DD24D03C@bambenekconsulting.com">
Not the last few items discussed, no. That said I have been
traveling for the past few weeks and need to read them side by
side for a definitive synthesis. That aside, my primary concern is
that said officials are not hearing enough from the anti-abuse and
security community on these tools to have a more fully informed
discussion. We are working to rectify that. <br>
<br>
<div id="AppleMailSignature">Sent from my iPad</div>
<div><br>
On Oct 21, 2017, at 2:35 AM, Ayden Férdeline &lt;<a
href="mailto:icann@ferdeline.com" moz-do-not-send="true">icann@ferdeline.com</a>&gt;
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>My apologies, John. It was not clear to me that you had
read the memo. I am glad to hear that you have. Particularly
in relation to consent, I thought the advice that the memo
contained (along with the Hamilton memo) was consistent with
the advice that we received from the European Data
Protection Commissioners earlier this year. Would you agree?<br>
</div>
<div><br>
</div>
<div>—Ayden<br>
</div>
<div><br>
</div>
<blockquote class="protonmail_quote" type="cite">
<div>-------- Original Message --------<br>
</div>
<div>Subject: Re: [gnso-rds-pdp-wg] another document that
might be of interest<br>
</div>
<div>Local Time: 21 October 2017 1:27 AM<br>
</div>
<div>UTC Time: 21 October 2017 00:27<br>
</div>
<div>From: <a href="mailto:jcb@bambenekconsulting.com"
moz-do-not-send="true">jcb@bambenekconsulting.com</a><br>
</div>
<div>To: Ayden Férdeline &lt;<a
href="mailto:icann@ferdeline.com" moz-do-not-send="true">icann@ferdeline.com</a>&gt;<br>
</div>
<div>Victoria Sheckler &lt;<a
href="mailto:vsheckler@riaa.com" moz-do-not-send="true">vsheckler@riaa.com</a>&gt;,
GNSO RDS PDP &lt;<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>&gt;<br>
</div>
<div><br>
</div>
<div>Yes, I believe I pointed out on this very list that
among other things, the notion the EU law should reign
supreme globally even when it conflicts with local laws as
patently offensive, among other things. <br>
</div>
<div><br>
</div>
<div>Is there a particular outcome that you are trying to
achieve by insinuating that I am ignorant and not reading
the mounds of paperwork generated by this group? I mean
besides the continual, consistent, and vigorous disrespect
shown to those who work in anti-abuse or security?<br>
</div>
<div><br>
</div>
<div>And if you’d like an analysis of the legal memo it is
this: it is always better to take the word of the
regulators over merely that of some law firm. Which is what
I thought we were actually talking about in the first
place. <br>
</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div>
<div><br>
</div>
<div>
<div>--<br>
</div>
<div>John Bambenek<br>
</div>
</div>
<div>
<div><br>
</div>
<div>On Oct 20, 2017, at 19:10, Ayden Férdeline &lt;<a
href="mailto:icann@ferdeline.com"
moz-do-not-send="true">icann@ferdeline.com</a>&gt;
wrote:<br>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div>John,<br>
</div>
<div><br>
</div>
<div>Have you read the legal memo that we received
from Wilson Sonsini Goodrich &amp; Rosati? <br>
</div>
<div><br>
</div>
<div>It states on page 14, "asking for consent
would not be simple, would not solve all data
protection issues, and would pose a number of
organizational challenges."<br>
</div>
</div>
<div><br>
</div>
<div>The rationale behind this statement is
contained within the memo.<br>
</div>
<div><br>
</div>
<div>—Ayden<br>
</div>
<div><br>
</div>
<blockquote type="cite" class="protonmail_quote">
<div>-------- Original Message --------<br>
</div>
<div>Subject: Re: [gnso-rds-pdp-wg] another
document that might be of interest<br>
</div>
<div>Local Time: 21 October 2017 1:06 AM<br>
</div>
<div>UTC Time: 21 October 2017 00:06<br>
</div>
<div>From: <a
href="mailto:jcb@bambenekconsulting.com"
moz-do-not-send="true">jcb@bambenekconsulting.com</a><br>
</div>
<div>To: Ayden Férdeline &lt;<a
href="mailto:icann@ferdeline.com"
moz-do-not-send="true">icann@ferdeline.com</a>&gt;<br>
</div>
<div>Victoria Sheckler &lt;<a
href="mailto:vsheckler@riaa.com"
moz-do-not-send="true">vsheckler@riaa.com</a>&gt;,
GNSO RDS PDP &lt;<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>&gt;<br>
</div>
<div><br>
</div>
<div>So, in short, if we create a consent system,
we are fine. <br>
</div>
<div><br>
</div>
<div>
<div>Am I missing something?<br>
</div>
<div><br>
</div>
<div>
<div>--<br>
</div>
<div>John Bambenek<br>
</div>
</div>
<div>
<div><br>
</div>
<div>On Oct 20, 2017, at 17:31, Ayden
Férdeline &lt;<a
href="mailto:icann@ferdeline.com"
moz-do-not-send="true">icann@ferdeline.com</a>&gt;
wrote:<br>
</div>
</div>
<blockquote type="cite">
<div>
<div>I would like to flag two extracts from
this Regulation that may be relevant to
our work:<br>
</div>
<ul>
<li>"The Registry should also comply with
the relevant data protection rules,
principles, guidelines and best
practices, notably concerning the amount
and type of data displayed in the WHOIS
database." (page 3)<br>
</li>
<li>"The WHOIS database shall contain
information about the holder of a domain
name that is relevant and not excessive
in relation to the purpose of the
database. In as far as the information
is not strictly necessary in relation to
the purpose of the database, and <b>if
the domain name holder is a natural
person, the information that is to be
made publicly available shall be
subject to the unambiguous consent of
the domain name holder</b>." (page 10
- emphasis added)<br>
</li>
</ul>
<div>Thank you, <br>
</div>
<div><br>
</div>
<div>Ayden Férdeline<br>
</div>
<div><br>
</div>
<div><br>
</div>
<blockquote class="protonmail_quote"
type="cite">
<div>-------- Original Message --------<br>
</div>
<div>Subject: [gnso-rds-pdp-wg] another
document that might be of interest<br>
</div>
<div>Local Time: 20 October 2017 10:47 PM<br>
</div>
<div>UTC Time: 20 October 2017 21:47<br>
</div>
<div>From: <a
href="mailto:vsheckler@riaa.com"
moz-do-not-send="true">vsheckler@riaa.com</a><br>
</div>
<div>To: GNSO RDS PDP &lt;<a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>&gt;<br>
</div>
<div><br>
</div>
<div><br>
</div>
<div class="WordSection1">
<p class="MsoNormal">I think we missed
this document when we were reviewing
documents for this WG back in the day,
and thought some of you might find it
of interest given our current
discussions on GDPR<br>
</p>
<p class="MsoNormal"> <br>
</p>
<p class="MsoNormal">COMMISSION
REGULATION (EC) No 874/2004 of 28
April 2004 laying down public policy
rules concerning the implementation
and functions of the .eu Top Level
Domain and the principles governing
registration, available at <a
href="http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF"
moz-do-not-send="true">
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF</a><br>
</p>
</div>
</blockquote>
<div><br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div>
<div><span>_______________________________________________</span><br>
</div>
<div><span>gnso-rds-pdp-wg mailing list</span><br>
</div>
<div><span><a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a></span><br>
</div>
<div><span><a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span><br>
</div>
</div>
</blockquote>
</div>
</blockquote>
<div><br>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<div><br>
</div>
</div>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>