<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hello John, <div class=""><br class=""></div><div class="">I am not sure that this example it is correct.</div><div class=""><br class=""></div><div class="">There were some news about <a href="https://iapp.org/news/a/gdpr-matchup-japans-act-on-the-protection-of-personal-information/" class="">https://iapp.org/news/a/gdpr-matchup-japans-act-on-the-protection-of-personal-information/</a></div><div class=""><br class=""></div><div class="">And formally saying, GDPR also protects long term residents of EU (not only citizens), and since there is no way to </div><div class="">establish if the person is a resident or not using the contact info, it might be safer (for Registry/Registrar) to think about protection of all persons info in their system.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><span style="orphans: 2; text-align: -webkit-auto; widows: 2;" class="">Sincerely Yours,</span></div><div class=""><div class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant-ligatures: normal; font-variant-position: normal; font-variant-caps: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><span class="Apple-style-span" style="border-collapse: separate; font-variant-ligatures: normal; font-variant-position: normal; font-variant-numeric: normal; font-variant-alternates: normal; font-variant-east-asian: normal; line-height: normal; border-spacing: 0px;"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class="">Maxim Alzoba<br class="">Special projects manager,<br class="">International Relations Department,<br class="">FAITID<br class=""><span style="text-align: -webkit-auto;" class=""><br class=""></span></div><div class=""><span style="text-align: -webkit-auto;" class="">Current UTC offset: +3.00 (.Moscow)</span></div></div></span></div></div></div></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 12 Feb 2018, at 21:47, John Horton via gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg@icann.org" class="">gnso-rds-pdp-wg@icann.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;color:#444444">I think that sounds right. I mean, let's say that there's a registrant in Japan using his or her domain name to sell shoes, and he or she uses (pick your registrar) GoDaddy. Or GMO. Or Directi. (I'd even say an EU registrar.) Simply put, the GDPR isn't intended to protect that registrant. It was designed to protect natural persons in or who have citizenship the EU. </div></div><div class="gmail_extra"><br clear="all" class=""><div class=""><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><font color="#073763" face="arial, helvetica, sans-serif" class="">John Horton<br class="">President and CEO, LegitScript</font><div class=""><img src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&revid=0B13GfLt8zwZJSG9zOUVwN1lFKzFrRVlnaWU0NGZ4RmdkUjg4PQ" width="96" height="36" class=""><br class=""><div class=""><div style="margin: 0px; font-style: normal; font-variant-caps: normal; font-weight: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;" class=""><br class=""></div><div style="margin: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-size: 12px; line-height: normal; font-family: Helvetica;" class=""><b class=""><font color="#444444" class="">Follow</font><font color="#0b5394" class=""> </font><font class="">Legit</font><font color="#0b5394" class="">Script</font></b>: <a href="http://www.linkedin.com/company/legitscript-com" style="color:rgb(17,85,204)" target="_blank" class=""><font color="#cc0000" class="">LinkedIn</font></a> | <a href="https://www.facebook.com/LegitScript" style="color:rgb(17,85,204)" target="_blank" class=""><font color="#6aa84f" class="">Facebook</font></a> | <a href="https://twitter.com/legitscript" style="color:rgb(17,85,204)" target="_blank" class=""><font color="#674ea7" class="">Twitter</font></a> | <font color="#ff9900" class=""><u class=""><a href="http://blog.legitscript.com/" style="color:rgb(17,85,204)" target="_blank" class="">Blog</a></u></font> |<font color="#ff9900" class=""> <a href="http://go.legitscript.com/Subscription-Management.html" style="color:rgb(17,85,204)" target="_blank" class=""><font color="#ff9900" class="">Newsletter</font></a></font><br class=""></div><div style="margin: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-size: 12px; line-height: normal; font-family: Helvetica;" class=""><font color="#ff9900" class=""><br class=""></font></div><div style="text-align: left; margin: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-east-asian: normal; font-variant-position: normal; font-size: 12px; line-height: normal; font-family: Helvetica;" class=""><font color="#ff9900" class=""><img src="https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png" width="46" height="96" class=""><img src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ" width="47" height="96" class=""><br class=""></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br class=""><div class="gmail_quote">On Mon, Feb 12, 2018 at 10:42 AM, Silver, Bradley <span dir="ltr" class=""><<a href="mailto:Bradley.Silver@timewarner.com" target="_blank" class="">Bradley.Silver@timewarner.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple" class="">
<div class="m_4784271624117922382WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">I agree with both Greg and John regarding the need to ensure that the WG does not endorse principles that would extend positive legal prescriptions in one territory,
to another which has different laws. The proposed agreed statement, as highlighted below, contains an “if, then” qualifier. So unless I am misreading it, we are not saying that the positive obligations of the GDPR should be applied worldwide. Do we agree
on that? <u class=""></u><u class=""></u></span></p><span class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="m_4784271624117922382p2"><i class=""><span style="font-size: 11pt; font-family: Calibri, sans-serif;" class="">Possible agreement:
<b class=""><u class=""><span style="background:yellow" class="">If</span></u></b> applicable data protection laws require a legal basis for processing,
<b class=""><u class=""><span style="background:yellow" class="">then</span></u></b> any purpose must satisfy at least one legal basis for processing</span></i><i class=""><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class="">.<span class="m_4784271624117922382apple-converted-space"> </span></span></i><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"" class=""><u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u><u class=""></u></span></p>
</span><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">We know that data protection laws of countries like the US do NOT positively oblige processors to have a “legal basis”. So this statement should be inapplicable
as far as processing occurring in the jurisdiction of such countries. This makes the statement of limited use to us as a group, in my view. What is more useful, and where I think there would be broader consensus, is that any basis for processing should be
“lawful”, which would apply to both the US, and the EU. <u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">B<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> John Horton [mailto:<a href="mailto:john.horton@legitscript.com" target="_blank" class="">john.horton@<wbr class="">legitscript.com</a>]
<br class="">
<b class="">Sent:</b> Monday, February 12, 2018 1:22 PM<br class="">
<b class="">To:</b> Greg Aaron<br class="">
<b class="">Cc:</b> Silver, Bradley; <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class="">gnso-rds-pdp-wg@icann.org</a></span></p><div class=""><div class="h5"><br class="">
<b class="">Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs. lawful<u class=""></u><u class=""></u></div></div><div class=""><br class="webkit-block-placeholder"></div><div class=""><div class="h5"><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#444444" class="">I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain
name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this. <u class=""></u><u class=""></u></span></p>
</div>
</div>
<div class=""><p class="MsoNormal"><br clear="all" class="">
<u class=""></u><u class=""></u></p>
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#073763" class="">John Horton<br class="">
President and CEO, LegitScript</span><u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><img width="96" height="36" id="m_4784271624117922382_x0000_i1025" src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&revid=0B13GfLt8zwZJSG9zOUVwN1lFKzFrRVlnaWU0NGZ4RmdkUjg4PQ" class=""><u class=""></u><u class=""></u></p>
<div class=""><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><u class=""></u> <u class=""></u></span></div><div style="margin: 0in 0in 0.0001pt;" class=""><b class=""><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#444444" class="">Follow</span></b><b class=""><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#0b5394" class=""> </span></b><b class=""><span style="font-size: 9pt; font-family: Helvetica, sans-serif;" class="">Legit</span></b><b class=""><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#0b5394" class="">Script</span></b><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class="">: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company_legitscript-2Dcom&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=4jOBWVejnTmlgyONWdzSu2Ek5tvYfcx3b4MzTM_r6Ws&e=" target="_blank" class=""><span style="color:#cc0000" class="">LinkedIn</span></a>
| <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_LegitScript&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=gZzZYUcbdo5WB87G9Kg2ujCuK0mEtjfzz4zjaqfaLtk&e=" target="_blank" class=""><span style="color:#6aa84f" class="">Facebook</span></a>
| <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_legitscript&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=ueQIX47Y-zDVch-wXx84mvel1li7Ssq3p9uKbn2ZOuE&e=" target="_blank" class=""><span style="color:#674ea7" class="">Twitter</span></a>
| <u class=""><span style="color:#ff9900" class=""><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.legitscript.com_&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=7pxC_W3yu_Q0AwnnjKsWC_6pRjFzb_SuuIjcFidIYjk&e=" target="_blank" class=""><span style="color:#1155cc" class="">Blog</span></a></span></u> |<span style="color:#ff9900" class=""> <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__go.legitscript.com_Subscription-2DManagement.html&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=SDgGtfFZXpJdwIPJgZrvhMY8cNoVy9K4FaniCXsGb24&e=" target="_blank" class=""><span style="color:#ff9900" class="">Newsletter</span></a></span><u class=""></u><u class=""></u></span></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><u class=""></u> <u class=""></u></span></div><div style="margin: 0in 0in 0.0001pt;" class=""><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif";color:#ff9900" class=""><img border="0" width="46" height="96" id="m_4784271624117922382_x0000_i1026" src="https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png" class=""><img border="0" width="47" height="96" id="m_4784271624117922382_x0000_i1027" src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ" class=""></span><span style="font-size:9.0pt;font-family:"Helvetica","sans-serif"" class=""><u class=""></u><u class=""></u></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <<a href="mailto:gca@icginc.com" target="_blank" class="">gca@icginc.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal">I don’t know if we arrive at the same place.
<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s
like saying what’s inside a box.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what
you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically
say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like
the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering
a domain name if you are a registrant in the U.S.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">See
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__iapp.org_news_a_explaining-2Dthe-2Dgdpr-2Dto-2Dan-2Damerican_&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=qMWetjO0-0I3mCJ3uyEEW7eCgW9bhQfNbPJYH_r3fCk&e=" target="_blank" class="">
https://iapp.org/news/a/<wbr class="">explaining-the-gdpr-to-an-<wbr class="">american/</a> for more.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class="">
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class="">From:</b> gnso-rds-pdp-wg [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank" class="">mailto:gnso-rds-pdp-wg-<wbr class="">bounces@icann.org</a>]
<b class="">On Behalf Of </b>Silver, Bradley via gnso-rds-pdp-wg<br class="">
<b class="">Sent:</b> Friday, February 9, 2018 2:54 PM<br class="">
<b class="">To:</b> Volker Greimann <<a href="mailto:vgreimann@key-systems.net" target="_blank" class="">vgreimann@key-systems.net</a>>;
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class="">gnso-rds-pdp-wg@icann.org</a><u class=""></u><u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><br class="">
<b class="">Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs. lawful<u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div>
<div class="">
<div class=""><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="color:#1f497d" class="">It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive
at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul
of the law, and hence be unlawful? </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="color:#1f497d" class="">There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus
“lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
</span><u class=""></u><u class=""></u></p><p class="MsoNormal"><span style="color:#1f497d" class=""> </span><u class=""></u><u class=""></u></p>
<div class="">
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> gnso-rds-pdp-wg [</span><a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank" class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">mailto:gnso-rds-pdp-wg-<wbr class="">bounces@icann.org</span></a><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">]
<b class="">On Behalf Of </b>Volker Greimann<br class="">
<b class="">Sent:</b> Friday, February 09, 2018 11:27 AM<br class="">
<b class="">To:</b> </span><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">gnso-rds-pdp-wg@icann.org</span></a><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""><br class="">
<b class="">Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs. lawful</span><u class=""></u><u class=""></u></p>
</div>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="">I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific cicumstances, all of which are listed in the GDPR.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:<u class=""></u><u class=""></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class=""><p class="MsoNormal">Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be
processed and when, and kathy’s analysis overlooks that point.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class="">
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in" class=""><p class="MsoNormal"><b class="">From:</b> gnso-rds-pdp-wg [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank" class="">mailto:gnso-rds-pdp-wg-<wbr class="">bounces@icann.org</a>]
<b class="">On Behalf Of </b>Kathy Kleiman<br class="">
<b class="">Sent:</b> Thursday, February 8, 2018 7:07 PM<br class="">
<b class="">To:</b> <a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class="">gnso-rds-pdp-wg@icann.org</a><br class="">
<b class="">Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs. lawful<u class=""></u><u class=""></u></p>
</div>
</div><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within
ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
<u class=""></u><u class=""></u></p><p class="">Specifically, GDPR Article 5(1)(b and c) states:<u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-bottom:12.0pt"><b class="">Personal data shall be:
<br class="">
2. "collected for <u class="">specified, explicit and legitimate purposes </u>and not further processed in a manner that is incompatible with those purposes"</b> (the "purpose limitation") AND
<b class=""><br class="">
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"</b> (the "data minimisation" requirement). [underline added]<b class=""><br class="">
</b><br class="">
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing..<br class="">
<br class="">
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
<br class="">
<br class="">
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDRP falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which
are generally permissible and allowable.<br class="">
<br class="">
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a
<i class="">valid legal basis</i> as expressly defined by data protection laws. <br class="">
<br class="">
Best regards, <br class="">
Kathy <br class="">
<br class="">
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:<u class=""></u><u class=""></u></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt" class=""><p class="">Thanks Tapani,<u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-bottom:12.0pt">I will extract from your longer message.
<br class="">
I deliberately kept my brief and less technical.<br class="">
I think we are in agreement here and I support your position.<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal"><span style="color:#660000" class="">On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:<br class="">
<br class="">
The key distinction, as I understand it, is that "lawful" would be<br class="">
defined by the negative, everything that some law does not prohibit, </span><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:#660000" class="">where as "legal basis" is defined by the positive, only things whose
<br class="">
justification can be explicitly derived from law. <br class="">
<br class="">
<......><br class="">
<br class="">
So I would prefer "legal basis" specifically in this sense: that any processing<br class="">
would have to be explicitly based on one of the criteria, or bases, as listed <br class="">
in GDPR Article 6, or similar explicit justification in other data protection legislation.
<br class="">
<br class="">
</span><br class="">
<br class="">
<u class=""></u><u class=""></u></p>
<pre class="">______________________________<wbr class="">_________________<u class=""></u><u class=""></u></pre>
<pre class="">gnso-rds-pdp-wg mailing list<u class=""></u><u class=""></u></pre>
<pre class=""><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class="">gnso-rds-pdp-wg@icann.org</a><u class=""></u><u class=""></u></pre>
<pre class=""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=" target="_blank" class="">https://mm.icann.org/mailman/<wbr class="">listinfo/gnso-rds-pdp-wg</a><u class=""></u><u class=""></u></pre>
</blockquote><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal" style="margin-bottom:12.0pt"> <u class=""></u><u class=""></u></p>
<pre class="">______________________________<wbr class="">_________________<u class=""></u><u class=""></u></pre>
<pre class="">gnso-rds-pdp-wg mailing list<u class=""></u><u class=""></u></pre>
<pre class=""><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class="">gnso-rds-pdp-wg@icann.org</a><u class=""></u><u class=""></u></pre>
<pre class=""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=" target="_blank" class="">https://mm.icann.org/mailman/<wbr class="">listinfo/gnso-rds-pdp-wg</a><u class=""></u><u class=""></u></pre>
</blockquote><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center" class="">
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:red" class=""><br class="">
<b class=""><i class=""><br class="">
Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at
<a href="tel:(212)%20484-6000" target="_blank" class="">212.484.6000</a> or via email at </i>
</b></span><a href="mailto:ITServices@timewarner.com" target="_blank" class=""><b class=""><i class="">ITServices@timewarner.com</i></b></a><b class=""><i class=""><span style="color:red" class="">
</span></i></b><u class=""></u><u class=""></u></p>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center" class="">
</div><p class="MsoNormal">This message is the property of Time Warner Inc. and is intended only for the use of the addressee(s) and may be legally privileged and/or confidential. If the reader of this message
is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, he or she is hereby notified that any dissemination, distribution, printing, forwarding, or any method of copying of this information, and/or the taking
of any action in reliance on the information herein is strictly prohibited except by the intended recipient or those to whom he or she intentionally distributes this message. If you have received this communication in error, please immediately notify the sender,
and delete the original message and any copies from your computer or storage system. Thank you.<u class=""></u><u class=""></u></p>
</div>
</div>
</div>
</div><p class="MsoNormal"><br class="">
______________________________<wbr class="">_________________<br class="">
gnso-rds-pdp-wg mailing list<br class="">
<a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" class="">gnso-rds-pdp-wg@icann.org</a><br class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=a3wK_oYnrMMM6zmkjHi9ig0--bYonIPfppoujjsTmgM&e=" target="_blank" class="">https://mm.icann.org/mailman/<wbr class="">listinfo/gnso-rds-pdp-wg</a><u class=""></u><u class=""></u></p>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center" class="">
</div><p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:red" class=""><br class="">
<b class=""><i class=""><br class="">
Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at <a href="tel:(212)%20484-6000" value="+12124846000" target="_blank" class="">212.484.6000</a> or
via email at <a href="mailto:ITServices@timewarner.com" target="_blank" class="">ITServices@timewarner.com</a>
<br class="">
<br class="">
</i></b></span><u class=""></u><u class=""></u></p>
</div></div></div>
</div>
</blockquote></div><br class=""></div>
_______________________________________________<br class="">gnso-rds-pdp-wg mailing list<br class=""><a href="mailto:gnso-rds-pdp-wg@icann.org" class="">gnso-rds-pdp-wg@icann.org</a><br class="">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</div></blockquote></div><br class=""></div></body></html>