<div>Thank you for this, Kathy. I find this explanation very helpful and agree with your analysis.<br></div><div><br></div><div>Best wishes,</div><div><br></div><div class="protonmail_signature_block"><div class="protonmail_signature_block-user"><div>Ayden FĂ©rdeline <br></div></div><div class="protonmail_signature_block-proton protonmail_signature_block-empty"><br></div></div><div><br></div><div>-------- Original Message --------<br></div><div> On 9 February 2018 1:06 AM, Kathy Kleiman <kathy@kathykleiman.com> wrote:<br></div><div> <br></div><blockquote class="protonmail_quote" type="cite"><div>Tx for the invitation to join, Chuck, and following up on the
discussion of Sam and Tapani, let me add that criteria for
processing must be clearer than something broadly within ICANN's
mission statement and something permissible somewhere. The
requirements under law are express and concrete. <br></div><p>Specifically, GDPR Article 5(1)(b and c) states:<br></p><div><b>Personal data shall be: </b><b><br> </b><b>2. "collected for <u>specified, explicit and legitimate
purposes </u>and not further processed in a manner that is
incompatible with those purposes"</b> (the "purpose limitation")
AND <b><br> </b><b>3. "adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed"</b> (the
"data minimisation" requirement). [underline added]<b><br> </b></div><div> Thus, our first criteria of "consistent with ICANN's mission," is
only the first step and we need to go further than even the 3
criteria we are discussing..<br></div><div> <br></div><div> Second, lawful and legal enter us into a debate over words and I
have to agree with Sam and Tapani's analysis and let me add some of
my own. <br></div><div> <br></div><div> "Legal" is the term we use for actions expressly allowed under law.
How we process personal data under the GDRP falls into this category
-- of processing expressly allowed under law. Whereas the term
lawful is used for a much broader category of actions which are
generally permissible and allowable.<br></div><div> <br></div><div> The term "legal" is much more consistent with our criteria statement
because the processing of personal data by ICANN must clearly have a <i>valid legal basis</i> as expressly defined by data protection
laws. <br></div><div> <br></div><div> Best regards, <br></div><div> Kathy<br></div><div> <br></div><div> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:<br></div><div> <br></div><blockquote type="cite"><p>Thanks Tapani,<br></p><div>I will extract from your longer message.<br></div><div> I deliberately kept my brief and less technical.<br></div><div> I think we are in agreement here and I support your position.<br></div><div> <br></div><div> <br></div><div class="moz-cite-prefix"><span class="colour" style="color:#660000">On 2/7/2018
1:07 AM, Tapani Tarvainen wrote:<br> <br> The key distinction, as I understand it, is that "lawful"
would be<br> </span><span class="colour" style="color:#660000">defined by the negative,
everything that some law does not prohibit, </span></div><div><span class="colour" style="color:#660000">where as "legal basis" is defined by the
positive, only things whose <br> justification can be explicitly derived from law. <br> <br> <......><br> <br> So I would prefer "legal basis" specifically in this sense: that
any processing<br> would have to be explicitly based on one of the criteria, or
bases, as listed <br> in GDPR Article 6, or similar explicit justification in other
data protection legislation. <br> <br> </span></div><div> <br></div><div> <br></div><div> <br></div><pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a href="mailto:gnso-rds-pdp-wg@icann.org" class="moz-txt-link-abbreviated">gnso-rds-pdp-wg@icann.org</a>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" class="moz-txt-link-freetext">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><br></pre></blockquote></blockquote><div><br></div>