<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>I do not see how. Kathy's analysis seems sound. The flexibility
within the GDPR still only allows processing in very specific
circumstances, all of which are listed in the GDPR.<br>
</p>
<br>
<div class="moz-cite-prefix">On 09.02.2018 at 16:45, Victoria
Sheckler wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CY4PR07MB3541D53E27B05F1FBB0D7A00D5F20@CY4PR07MB3541.namprd07.prod.outlook.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Kathy’s
analysis breaks down on a practical level when one looks at
the GDPR and what it says about when data can be processed.
The GDPR allows for flexibility for what can be processed
and when, and Kathy’s analysis overlooks that point.</span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> gnso-rds-pdp-wg
[<a class="moz-txt-link-freetext" href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
<b>On Behalf Of </b>Kathy Kleiman<br>
<b>Sent:</b> Thursday, February 8, 2018 7:07 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs.
lawful<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal">Tx for the invitation to join, Chuck, and
following up on the discussion of Sam and Tapani, let me add
that criteria for processing must be clearer than something
broadly within ICANN's mission statement and something
permissible somewhere. The requirements under law are express
and concrete. <o:p></o:p></p>
<p>Specifically, GDPR Article 5(1)(b and c) states:<o:p></o:p></p>
<p class="MsoNormal"><b>Personal data shall be: <br>
2. "collected for <u>specified, explicit and legitimate
purposes </u>and not further processed in a manner that
is incompatible with those purposes"</b> (the "purpose
limitation") AND
<b><br>
3. "adequate, relevant and limited to what is necessary
in relation to the purposes for which they are processed"</b>
(the "data minimisation" requirement). [underline added]<b><br>
</b><br>
Thus, our first criterion of "consistent with ICANN's mission,"
is only the first step and we need to go further than even the
3 criteria we are discussing.<br>
<br>
Second, lawful and legal enter us into a debate over words and
I have to agree with Sam and Tapani's analysis and let me add
some of my own.
<br>
<br>
"Legal" is the term we use for actions expressly allowed under
law. How we process personal data under the GDPR falls into
this category -- of processing expressly allowed under law.
Whereas the term lawful is used for a much broader category of
actions which are generally permissible and allowable.<br>
<br>
The term "legal" is much more consistent with our criteria
statement because the processing of personal data by ICANN
must clearly have a
<i>valid legal basis</i> as expressly defined by data
protection laws. <br>
<br>
Best regards, <br>
Kathy <br>
<br>
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>Thanks Tapani,<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">I will
extract from your longer message.
<br>
I deliberately kept my brief and less technical.<br>
I think we are in agreement here and I support your
position.<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="color:#660000">On 2/7/2018
1:07 AM, Tapani Tarvainen wrote:<br>
<br>
The key distinction, as I understand it, is that
"lawful" would be<br>
defined by the negative, everything that some law does
not prohibit, </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#660000">whereas
"legal basis" is defined by the positive, only things
whose
<br>
justification can be explicitly derived from law. <br>
<br>
<......><br>
<br>
So I would prefer "legal basis" specifically in this
sense: that any processing<br>
would have to be explicitly based on one of the criteria,
or bases, as listed <br>
in GDPR Article 6, or similar explicit justification in
other data protection legislation.
<br>
<br>
</span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>gnso-rds-pdp-wg mailing list<o:p></o:p></pre>
<pre><a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><o:p></o:p></pre>
<pre><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></pre>
</blockquote>
</div>
<br>
</blockquote>
<br>
</body>
</html>