<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1508782750849_114561"><span id="yui_3_16_0_ym19_1_1508782750849_114562">@Michele,</span></div><div id="yui_3_16_0_ym19_1_1508782750849_114563"><br id="yui_3_16_0_ym19_1_1508782750849_114564"></div><div id="yui_3_16_0_ym19_1_1508782750849_114565"><span id="yui_3_16_0_ym19_1_1508782750849_114566">Thank you Michele for meeting me half way. It's difficult to understand and explain what is going on with DNS resolution, WHOIS and who is involved with whom based on what contract. </span></div><div id="yui_3_16_0_ym19_1_1508782750849_114567"><span id="yui_3_16_0_ym19_1_1508782750849_114568">We are in the process of launching a new website. We didn't know who the web hosting company was nor the identity of the registrant (there were so many volunteers who were handling website issues, that nobody knows who did what). Our new tech person looked up the information and found out the name of the web hosting company. </span></div><div id="yui_3_16_0_ym19_1_1508782750849_114569"><span id="yui_3_16_0_ym19_1_1508782750849_114570">But we don't know who the registrant is. This query was then sent to the web hosting company. Our tech person wanted to have both websites (the new one and the old) to show us the difference. </span></div><div dir="ltr" id="yui_3_16_0_ym19_1_1508782750849_114571"><span id="yui_3_16_0_ym19_1_1508782750849_114572">Does that make sense? Second question: Is this relevant to our work? :) </span></div><div></div><div id="yui_3_16_0_ym19_1_1508782750849_114613"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613">@All:</div><div id="yui_3_16_0_ym19_1_1508782750849_114613"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613">With regards to the process and treatment of consent, two US laws seem particularly relevant.</div><div id="yui_3_16_0_ym19_1_1508782750849_114613"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613">The Gramm-Leach-Bliley Act (GLBA) - the Financial Modernization Act of 1999, to govern the collection, disclosure and protection of the personal information gathered by financial institutions about their customers. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">3 sections: </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">1) Financial Privacy Rule (collection and disclosure)</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">2) Safeguards Rule (security program)<br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">3) Pretexting provisions (forbids looking up PPI on any pretext or to help out people = definition of purposes for looking up information, regulates human behavior) + financial institutions to give customers written privacy notices that explain their information-sharing practices. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">Privacy Policy Agreement between the company and the customer. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">The GLB Act provides no opt-out right in several situations: </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">- a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">- the disclosure is legally required;</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">- a financial institution shares customer data with outside service providers that market the financial company's products or services </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">The Fair Credit Reporting Act (FCRA) is a federal law enacted to regulate the colection, dissemination and use of consummer info, including consummer credit information. It is responsible for the 'opt-out' option. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">Safeguards Rule = financial management must develop a written information security plan:</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">1) what information is non-public and confidential</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">2) what information is considered improper to release</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">3) what is considered a serious risk to the organization's interests or its security, or to its customers, employees or vendors. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">4) what the compliance implications would be according to the GLBA requirements. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"><br></div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">So, if we apply this legislation to WHOIS data, would safeguards developped by ICANN and other data processors/collectors suffice to solve the legitimate use problem, as affirmed by John Bambenek? Could the 'no opt-out' option be counterbalanced by a rigorous security information plan and even replace the need to obtain consent for each and every transaction? This would ensure stability and availability of the data, temper the effects of the 'right to be forgotten' on the availability of services and ensure technical continuity. </div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr">(I hope this is relevant. :)</div><div id="yui_3_16_0_ym19_1_1508782750849_114613" dir="ltr"> </div><div class="signature" id="yui_3_16_0_ym19_1_1508782750849_114679">Nathalie </div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Monday, October 23, 2017 11:15 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div dir="ltr">+1. This is truth. <br clear="none"><br clear="none">--<br clear="none">John Bambenek<br clear="none"><div class="yqt4207071189" id="yqtfd57282"><br clear="none">> On Oct 23, 2017, at 09:53, Paul Keating <<a shape="rect" ymailto="mailto:Paul@law.es" href="mailto:Paul@law.es">Paul@law.es</a>> wrote:<br clear="none">> <br clear="none">> The only thing I can agree with in this email is that DPAs indeed are<br clear="none">> behind the curve and struggling to understand the scope of the GDPR. They<br clear="none">> are only now starting to entertain comments from businesses impacted by<br clear="none">> the regulation. They are trying to understand but are understaffed.<br clear="none">> <br clear="none">> Paul<br clear="none">> <br clear="none">> On 10/22/17, 5:41 PM, "Rubens Kuhl" <<a shape="rect" ymailto="mailto:gnso-rds-pdp-wg-bounces@icann.org" href="mailto:gnso-rds-pdp-wg-bounces@icann.org">gnso-rds-pdp-wg-bounces@icann.org</a> on<br clear="none">> behalf of <a shape="rect" ymailto="mailto:rubensk@nic.br" href="mailto:rubensk@nic.br">rubensk@nic.br</a>> wrote:<br clear="none">> <br clear="none">>> <br clear="none">>>> On Oct 22, 2017, at 11:38 AM, John Bambenek via gnso-rds-pdp-wg<br clear="none">>>> <<a shape="rect" ymailto="mailto:gnso-rds-pdp-wg@icann.org" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>> wrote:<br clear="none">>>> <br clear="none">>>> I would argue that their views are uninformed on other points of view<br clear="none">>>> or other changes that could be made that would satisfy their objectives<br clear="none">>>> which is similar but has important differences. So I disagree we are at<br clear="none">>>> the point we are violating EU law.<br clear="none">>> <br clear="none">>> Unfortunately we are already violating EU law. We are only not been<br clear="none">>> sanctioned for it, because the law specify an adjusting period. Just read<br clear="none">>> all the legal memos we already got.<br clear="none">>> <br clear="none">>>> EU DPAs may never change their mind.<br clear="none">>> <br clear="none">>> EU courts are a viable way to make government officials change their<br clear="none">>> mind, if you think that's a matter of interpretation.<br clear="none">>> <br clear="none">>>> I¹ll just get US law changed so that US entities offering domains have<br clear="none">>>> to list ownership information which means most if not all of the gTLDs I<br clear="none">>>> care about if not ICANN also.<br clear="none">>> <br clear="none">>> You know that Verisign, Facebook and Amazon already have subsidiaries in<br clear="none">>> EU, right ? And they can move their contracts there if being in the US<br clear="none">>> becomes a competitive handicap ?<br clear="none">>> <br clear="none">>>> We aren¹t there yet because the DPAs are only starting to hear from us.<br clear="none">>>> Until now these discussions were populated by ICANN and<br clear="none">>>> registrars/registries who want whois to go away anyway.<br clear="none">>> <br clear="none">>> Frankly, registries and registrars couldn't care less about WHOIS. It's<br clear="none">>> just a cost of doing business. The real battle here is between<br clear="none">>> registrants in one side, and affected parties in the other. The balance<br clear="none">>> always favoured affected parties from the beginning, and people got used<br clear="none">>> to it; now that new laws are moving the needle towards registrants, there<br clear="none">>> is resistance among those that got used to being favoured.<br clear="none">>> <br clear="none">>> <br clear="none">>>> <br clear="none">>>> This solitary focus on EU law presupposes that people believe that of<br clear="none">>>> the laws of the ~200 countries in the world, it is EU law that should be<br clear="none">>>> the controlling force of internet governance. Is that what you are<br clear="none">>>> saying?<br clear="none">>> <br clear="none">>> <br clear="none">>> EU privacy law is just the first of many laws pointing in a similar<br clear="none">>> direction, so it's not just a matter of following one jurisdiction, is<br clear="none">>> about following a trend.<br clear="none">>> <br clear="none">>> <br clear="none">>> Rubens<br clear="none">>> <br clear="none">>> _______________________________________________<br clear="none">>> gnso-rds-pdp-wg mailing list<br clear="none">>> <a shape="rect" ymailto="mailto:gnso-rds-pdp-wg@icann.org" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br clear="none">>> <a shape="rect" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br clear="none">> <br clear="none">> <br clear="none"><br clear="none">_______________________________________________<br clear="none">gnso-rds-pdp-wg mailing list<br clear="none"><a shape="rect" ymailto="mailto:gnso-rds-pdp-wg@icann.org" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br clear="none"><a shape="rect" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div></div><br><br></div> </div> </div> </div></div></body></html>