<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>"only"? I think compliance with applicable laws is the bare
minimum. However, once that is agreed, we can start figuring out
what options there are for enabling legitimate uses within the
confines of these laws. <br>
</p>
<p>Volker<br>
</p>
<br>
<div class="moz-cite-prefix">Am 13.02.2018 um 15:36 schrieb Victoria
Sheckler:<br>
</div>
<blockquote type="cite"
cite="mid:CY4PR07MB35413788DC1F826435C8A610D5F60@CY4PR07MB3541.namprd07.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \,serif";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span style="color:windowtext">Don’t at
least some registrars already insist on only complying with
their local laws?<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"
moz-do-not-send="true"><span style="color:windowtext"><o:p> </o:p></span></a></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span
style="color:windowtext"> gnso-rds-pdp-wg
[<a class="moz-txt-link-freetext" href="mailto:gnso-rds-pdp-wg-bounces@icann.org">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
<b>On Behalf Of </b>Volker Greimann<br>
<b>Sent:</b> Tuesday, February 13, 2018 8:58 AM<br>
<b>To:</b> Chuck <a class="moz-txt-link-rfc2396E" href="mailto:consult@cgomes.com"><consult@cgomes.com></a>; 'Michael
Palage' <a class="moz-txt-link-rfc2396E" href="mailto:michael@palage.com"><michael@palage.com></a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs.
lawful<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>I am afraid that if we create different policies for
different regions, we will break the model, encourage forum
shopping and encourage firewalling of entire geographic
sections of the net. I hope that is not what we are doing
here.
<o:p></o:p></p>
<p>GDPR will cause some breakage of this and I see it as our
mission to fix this breakage of the standard by proposing a
unified model once again.
<o:p></o:p></p>
<p>Ultimately, if this solution does what the EU has been asking
for, e.g. protect legitimate use cases of registration data as
well as the rights of the data subjects, there is no reason
why it should not be universally applicable.
<o:p></o:p></p>
<p>Best,<o:p></o:p></p>
<p>Volker<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Am 13.02.2018 um 00:04 schrieb Chuck:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Volker,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The WG could recommend policies that are
‘universally applicable to all registrations’ but I
seriously doubt that will happen in today’s world. That
would be much simpler than policies that vary by region and
users, but is it realistic?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Chuck<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> gnso-rds-pdp-wg [<a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
moz-do-not-send="true">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]
<b>On Behalf Of </b>Volker Greimann<br>
<b>Sent:</b> Monday, February 12, 2018 2:30 PM<br>
<b>To:</b> Michael Palage <a
href="mailto:michael@palage.com"
moz-do-not-send="true"><michael@palage.com></a><br>
<b>Cc:</b> <a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b> Re: [gnso-rds-pdp-wg] Legal basis vs.
lawful<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Michael is right. ICANN iOS based on the
thought of “One World; one Internet”. This also means that
the policies it creates should be universally applicable to
all registrations, if possible. IF we start creating policy
that diverges, that would only lead to further fragmentation
and undermine the founding ideal of ICANN itself. Our aim
should be to create one policy that can be applied to all or
most registrations and that can be implemented by all
registrars alike. <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">While we will likely have a certain
amount of fragmentation following May 25 as each
contracted party applies its own solution, it should be
our goal to overcome this and present a new unified policy
that works for all contracted parties. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Volker<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 12. Feb 2018, at 20:27,
Michael Palage <<a
href="mailto:michael@palage.com"
moz-do-not-send="true">michael@palage.com</a>>
wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Greg/John,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I will respectfully push back
on your legal over simplification of the GDPR.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The exterritorial aspect of
the GDPR set forth in Article 3 is NOT just
limited to EU residents/citizens. As Michele
has noted in the past, the GDPR requires
BlackKnight as an Irish legal entity to protect
all of its customers data (EU/Non-EU) in
compliance with GDPR, as well as US entities
that target and conduct business within the EU.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Now your points about the
distinction between natural and legal persons is
a fair one and one that has been noted in EU and
Art 29 communications. Could you please share
the basis of your proposition that 97% of all
domain name registrations are registered by
legal entities.<span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">As I have note previously the
long term viability of the ICANN
multi-stakeholder model is at risk as national
governments continue to pass national laws that
impact the operation of the Internet. However,
the European Union is NOT alone in advancing
Privacy Legislation, in fact data localization
is perhaps the next biggest lurking threat to
the domain name system. <span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Michael<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b>From:</b><span
class="apple-converted-space"> </span>gnso-rds-pdp-wg
[<a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
moz-do-not-send="true">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]<span
class="apple-converted-space"> </span><b>On
Behalf Of<span class="apple-converted-space"> </span></b>John
Horton via gnso-rds-pdp-wg<br>
<b>Sent:</b><span class="apple-converted-space"> </span>Monday,
February 12, 2018 1:22 PM<br>
<b>To:</b><span class="apple-converted-space"> </span>Greg
Aaron <<a href="mailto:gca@icginc.com"
moz-do-not-send="true">gca@icginc.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span><a
href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<b>Subject:</b><span
class="apple-converted-space"> </span>Re:
[gnso-rds-pdp-wg] Legal basis vs. lawful<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#444444">I
think Greg is right on. There's simply no
justification to force a law that is only
intended to apply to a) EU
residents/citizens that are b) natural
persons not using the domain name for
commercial purposes, to the
remaining...what? 97% - 99% of the world's
registrant population? That would be a
balanced way to implement all of this. </span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p
class="MsoNormal"><span
style="font-family:"Arial",sans-serif;color:#073763">John
Horton<br>
President and
CEO,
LegitScript</span><o:p></o:p></p>
</div>
<div>
<div>
<p
class="MsoNormal"><img
style="width:1.0in;height:.375in" id="_x0000_i1025"
src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&revid=0B13GfLt8zwZJSG9zOUVwN1lFKzFrRVlnaWU0NGZ4RmdkUjg4PQ"
moz-do-not-send="true" height="36" width="96" border="0"><o:p></o:p></p>
</div>
<div>
<div>
<p
class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"><b><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#444444">Follow</span></b><b><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#0B5394"> </span></b><b><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Legit</span></b><b><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#0B5394">Script</span></b><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">: <a
href="http://www.linkedin.com/company/legitscript-com" target="_blank"
moz-do-not-send="true"><span
style="color:#CC0000">LinkedIn</span></a> | <a
href="https://www.facebook.com/LegitScript"
target="_blank" moz-do-not-send="true"><span style="color:#6AA84F">Facebook</span></a>
| <a
href="https://twitter.com/legitscript"
target="_blank" moz-do-not-send="true"><span style="color:#674EA7">Twitter</span></a>
| </span><u><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#FF9900"><a
href="http://blog.legitscript.com/" target="_blank"
moz-do-not-send="true"><span
style="color:#1155CC">Blog</span></a></span></u><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> |</span><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#FF9900"> <a
href="http://go.legitscript.com/Subscription-Management.html"
target="_blank"
moz-do-not-send="true"><span style="color:#FF9900">Newsletter</span></a></span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#FF9900"><img
style="width:.4791in;height:1.0in" id="_x0000_i1026"
src="https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png"
moz-do-not-send="true" height="96" width="46" border="0"><img
style="width:.493in;height:1.0138in"
id="_x0000_i1027"
src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ"
moz-do-not-send="true" height="97" width="47" border="0"></span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On Mon, Feb 12, 2018 at
9:57 AM, Greg Aaron <<a
href="mailto:gca@icginc.com"
target="_blank" moz-do-not-send="true"><span
style="color:purple">gca@icginc.com</span></a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class="MsoNormal">I don’t know if we
arrive at the same place. <span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">GDPR is based on
one principle. It states what is
legal. It's explicit about what you
_are allowed to do_; granted there’s
some flexibility and room for
interpretation. It’s like saying
what’s inside a box.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">U.S. law is one
based on different principles. AFAIK
U.S. consumer protection law does not
enumerate specifically what is
lawful. Instead it tends to state
what is illegal, what you are _not
allowed to do_. It’s like saying
what’s outside the box. The U.S.
doesn’t have something like GDPR that
spells out legal bases for collecting
data, i.e. the enumerated allowable
reasons. Instead the trade and
consumer protection laws basically
say: entities have the right to form
contracts between themselves, they
should live up to the contract, don’t
surprise people, don’t do certain
dishonest things. <span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Here's the problem:
if one makes the GDPR principle the
ICANN standard and you apply it to all
registrations, then practices that are
allowable in one place under the law
(like the U.S.) would no longer be
allowed there by ICANN policy. ICANN
would be choosing one legal approach
or regime for everyone in the world. <span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The alternative is
to apply the GDRP only to those that
it is designed to protect:
registrants in the EU.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">For example,
there’s nothing in U.S. law that
prohibits a U.S. registrar from having
a contract that says publication of
full contact data in WHOIS is a
condition of registering a domain name
if you are a registrant in the U.S.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">See<span
class="apple-converted-space"> </span><a
href="https://iapp.org/news/a/explaining-the-gdpr-to-an-american/"
target="_blank"
moz-do-not-send="true"><span
style="color:purple">https://iapp.org/news/a/explaining-the-gdpr-to-an-american/</span></a>
for more.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in 0in
0in">
<div>
<p class="MsoNormal"><b>From:</b><span
class="apple-converted-space"> </span>gnso-rds-pdp-wg
[<a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
target="_blank"
moz-do-not-send="true"><span
style="color:purple">mailto:gnso-rds-pdp-wg-bounces@icann.org</span></a>]<span
class="apple-converted-space"> </span><b>On
Behalf Of<span
class="apple-converted-space"> </span></b>Silver,
Bradley via gnso-rds-pdp-wg<br>
<b>Sent:</b><span
class="apple-converted-space"> </span>Friday,
February 9, 2018 2:54 PM<br>
<b>To:</b><span
class="apple-converted-space"> </span>Volker
Greimann <<a
href="mailto:vgreimann@key-systems.net"
target="_blank"
moz-do-not-send="true"><span
style="color:purple">vgreimann@key-systems.net</span></a>>;<span
class="apple-converted-space"> </span><a
href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank"
moz-do-not-send="true"><span
style="color:purple">gnso-rds-pdp-wg@icann.org</span></a><o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<b>Subject:</b><span
class="apple-converted-space"> </span>Re:
[gnso-rds-pdp-wg] Legal basis
vs. lawful<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D">It is true
that the GDPR is prescriptive,
although also rather open-ended
(hence our current pickle). But
regardless of the term we use,
don’t we arrive at the same
place: which is that if
something that requires a legal
basis is done without one, it
will be unlawful? Using Kathy’s
example, if data is processed
without complying with
minimization or purpose
principles, will such processing
not run afoul of the law, and
hence be unlawful? <span
class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D">There are
important distinctions between
the meaning of “legal basis”
which implies that a law
requires something to be
affirmatively present, versus
“lawful”, which means that
something is not prohibited by
law. Ultimately though, isn’t
“lawfulness”, the same end
point, regardless? <span
class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div
style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt 0in
0in 0in">
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif">From:</span></b><span
class="apple-converted-space"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif"> </span></span><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif">gnso-rds-pdp-wg
[</span><a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
target="_blank"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:purple">mailto:gnso-rds-pdp-wg-bounces@icann.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif">]<span
class="apple-converted-space"> </span><b>On Behalf Of<span
class="apple-converted-space"> </span></b>Volker
Greimann<br>
<b>Sent:</b><span
class="apple-converted-space"> </span>Friday,
February 09, 2018 11:27 AM<br>
<b>To:</b><span
class="apple-converted-space"> </span></span><a
href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank"
moz-do-not-send="true"><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif;color:purple">gnso-rds-pdp-wg@icann.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma",sans-serif"><br>
<b>Subject:</b><span
class="apple-converted-space"> </span>Re:
[gnso-rds-pdp-wg] Legal
basis vs. lawful</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">I
do not see how. Kathy's analysis
seems sound. The flexibility
within the GDPR still only
allows processing in very
specific cicumstances, all of
which are listed in the GDPR.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Am 09.02.2018
um 16:45 schrieb Victoria
Sheckler:<o:p></o:p></p>
</div>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Kathy’s
analysis breaks down on a
practical level when one looks
at the GDPR and what it says
about when data can be
processed. The GDPR allows for
flexibility for what can be
processed and when, and kathy’s
analysis overlooks that point.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div
style="border:none;border-top:solid
#E1E1E1 1.0pt;padding:3.0pt 0in
0in 0in">
<div>
<p class="MsoNormal"><b>From:</b><span
class="apple-converted-space"> </span>gnso-rds-pdp-wg [<a
href="mailto:gnso-rds-pdp-wg-bounces@icann.org"
target="_blank"
moz-do-not-send="true"><span
style="color:purple">mailto:gnso-rds-pdp-wg-bounces@icann.org</span></a>]<span
class="apple-converted-space"> </span><b>On Behalf Of<span
class="apple-converted-space"> </span></b>Kathy
Kleiman<br>
<b>Sent:</b><span
class="apple-converted-space"> </span>Thursday,
February 8, 2018 7:07 PM<br>
<b>To:</b><span
class="apple-converted-space"> </span><a
href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank"
moz-do-not-send="true"><span
style="color:purple">gnso-rds-pdp-wg@icann.org</span></a><br>
<b>Subject:</b><span
class="apple-converted-space"> </span>Re:
[gnso-rds-pdp-wg] Legal
basis vs. lawful<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Tx for the
invitation to join, Chuck, and
following up on the discussion
of Sam and Tapani, let me add
that criteria for processing
must be clearer than something
broadly within ICANN's mission
statement and something
permissible somewhere. The
requirements under law are
express and concrete.<span
class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Specifically,
GDPR Article 5(1)(b and c)
states:</span><o:p></o:p></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b>Personal
data shall be:<span
class="apple-converted-space"> </span><br>
2. "collected for<span
class="apple-converted-space"> </span><u>specified,
explicit and legitimate
purposes<span
class="apple-converted-space"> </span></u>and
not further processed in a
manner that is incompatible with
those purposes"</b><span
class="apple-converted-space"> </span>(the
"purpose limitation") AND<span
class="apple-converted-space"> </span><b><br>
3. "adequate, relevant and
limited to what is necessary in
relation to the purposes for
which they are processed"</b><span
class="apple-converted-space"> </span>(the
"data minimisation" requirement).
[underline added]<b><br>
</b><br>
Thus, our first criteria of
"consistent with ICANN's mission,"
is only the first step and we need
to go further than even the 3
criteria we are discussing..<br>
<br>
Second, lawful and legal enter us
into a debate over words and I
have to agree with Sam and
Tapani's analysis and let me add
some of my own.<span
class="apple-converted-space"> </span><br>
<br>
"Legal" is the term we use for
actions expressly allowed under
law. How we process personal data
under the GDRP falls into this
category -- of processing
expressly allowed under law.
Whereas the term lawful is used
for a much broader category of
actions which are generally
permissible and allowable.<br>
<br>
The term "legal" is much more
consistent with our criteria
statement because the processing
of personal data by ICANN must
clearly have a<span
class="apple-converted-space"> </span><i>valid
legal basis</i><span
class="apple-converted-space"> </span>as
expressly defined by data
protection laws.<span
class="apple-converted-space"> </span><br>
<br>
Best regards,<span
class="apple-converted-space"> </span><br>
Kathy<span
class="apple-converted-space"> </span><br>
<br>
On 2/7/2018 10:53 AM, Sam
Lanfranco wrote:<o:p></o:p></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Thanks
Tapani,</span><o:p></o:p></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">I
will extract from your longer
message.<span
class="apple-converted-space"> </span><br>
I deliberately kept my brief and
less technical.<br>
I think we are in agreement here
and I support your position.<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="color:#660000">On
2/7/2018 1:07 AM, Tapani
Tarvainen wrote:<br>
<br>
The key distinction, as I
understand it, is that
"lawful" would be<br>
defined by the negative,
everything that some law
does not prohibit,<span
class="apple-converted-space"> </span></span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="color:#660000">where as
"legal basis" is defined by
the positive, only things
whose<span
class="apple-converted-space"> </span><br>
justification can be
explicitly derived from law.<span
class="apple-converted-space"> </span><br>
<br>
<......><br>
<br>
So I would prefer "legal
basis" specifically in this
sense: that any processing<br>
would have to be explicitly
based on one of the criteria,
or bases, as listed<span
class="apple-converted-space"> </span><br>
in GDPR Article 6, or similar
explicit justification in
other data protection
legislation.<span
class="apple-converted-space"> </span><br>
<br>
</span><br>
<br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>gnso-rds-pdp-wg mailing list<o:p></o:p></pre>
<pre><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" moz-do-not-send="true"><span style="color:purple">gnso-rds-pdp-wg@icann.org</span></a><o:p></o:p></pre>
<pre><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=" target="_blank" moz-do-not-send="true"><span style="color:purple">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</span></a><o:p></o:p></pre>
</blockquote>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:12.0pt;font-family:"Times New Roman
,serif",serif"> </span><o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>gnso-rds-pdp-wg mailing list<o:p></o:p></pre>
<pre><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" moz-do-not-send="true"><span style="color:purple">gnso-rds-pdp-wg@icann.org</span></a><o:p></o:p></pre>
<pre><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=" target="_blank" moz-do-not-send="true"><span style="color:purple">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</span></a><o:p></o:p></pre>
</blockquote>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times
New Roman ,serif",serif"> </span><o:p></o:p></p>
</div>
<div class="MsoNormal"
style="text-align:center"
align="center"><span
style="font-size:12.0pt;font-family:"Times
New Roman ,serif",serif">
<hr size="2" align="center"
width="100%">
</span></div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"><br>
<b><i><br>
Reminder: Any email that
requests your login
credentials or that asks you
to click on a link could be a
phishing attack. If you have
any questions regarding the
authenticity of this email or
its sender, please contact the
IT Service Desk at<span
class="apple-converted-space"> </span><a
href="tel:%28212%29%20484-6000" target="_blank" moz-do-not-send="true"><span
style="color:purple">212.484.6000</span></a><span
class="apple-converted-space"> </span>or via email at<span
class="apple-converted-space"> </span></i></b></span><a
href="mailto:ITServices@timewarner.com" target="_blank"
moz-do-not-send="true"><b><i><span
style="font-size:12.0pt">ITServices@timewarner.com</span></i></b></a><o:p></o:p></p>
<div class="MsoNormal"
style="text-align:center"
align="center">
<hr size="2" align="center"
width="100%">
</div>
<div>
<p class="MsoNormal">This message is
the property of Time Warner Inc.
and is intended only for the use
of the addressee(s) and may be
legally privileged and/or
confidential. If the reader of
this message is not the intended
recipient, or the employee or
agent responsible to deliver it to
the intended recipient, he or she
is hereby notified that any
dissemination, distribution,
printing, forwarding, or any
method of copying of this
information, and/or the taking of
any action in reliance on the
information herein is strictly
prohibited except by the intended
recipient or those to whom he or
she intentionally distributes this
message. If you have received this
communication in error, please
immediately notify the sender, and
delete the original message and
any copies from your computer or
storage system. Thank you.<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><br>
_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true"><span
style="color:purple">gnso-rds-pdp-wg@icann.org</span></a><br>
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
target="_blank" moz-do-not-send="true"><span
style="color:purple">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
gnso-rds-pdp-wg mailing list<br>
<a href="mailto:gnso-rds-pdp-wg@icann.org"
moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><br>
<a
href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg"
moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">-- <br>
Bei weiteren Fragen stehen wir Ihnen gerne zur
Verfügung.<br>
<br>
Mit freundlichen Grüßen,<br>
<br>
Volker A. Greimann<br>
- Rechtsabteilung -<br>
<br>
Key-Systems GmbH<br>
Im Oberen Werk 1<br>
66386 St. Ingbert<br>
Tel.: +49 (0) 6894 - 9396 901<br>
Fax.: +49 (0) 6894 - 9396 851<br>
<a href="mailto:vgreimann@key-systems.net"
moz-do-not-send="true">Email: vgreimann@key-systems.net</a><br>
<br>
Web: <a href="http://www.key-systems.net"
moz-do-not-send="true">www.key-systems.net</a> / <a
href="http://www.RRPproxy.net"
moz-do-not-send="true">www.RRPproxy.net</a><br>
<a href="http://www.domaindiscount24.com"
moz-do-not-send="true">www.domaindiscount24.com</a> / <a
href="http://www.BrandShelter.com"
moz-do-not-send="true">www.BrandShelter.com</a><br>
<br>
Folgen Sie uns bei Twitter oder werden Sie unser
Fan bei Facebook:<br>
<a href="http://www.facebook.com/KeySystems"
moz-do-not-send="true">www.facebook.com/KeySystems</a><br>
<a href="http://www.twitter.com/key_systems"
moz-do-not-send="true">www.twitter.com/key_systems</a><br>
<br>
Geschäftsführer: Alexander Siffrin<br>
Handelsregister Nr.: HR B 18835 - Saarbruecken<br>
Umsatzsteuer ID.: DE211006534<br>
<br>
Member of the KEYDRIVE GROUP<br>
<a href="http://www.keydrive.lu"
moz-do-not-send="true">www.keydrive.lu</a><br>
<br>
Der Inhalt dieser Nachricht ist vertraulich und
nur für den angegebenen Empfänger bestimmt. Jede
Form der Kenntnisgabe, Veröffentlichung oder
Weitergabe an Dritte durch den Empfänger ist
unzulässig. Sollte diese Nachricht nicht für Sie
bestimmt sein, so bitten wir Sie, sich mit uns per
E-Mail oder telefonisch in Verbindung zu setzen.<br>
<br>
--------------------------------------------<br>
<br>
Should you have any further questions, please do
not hesitate to contact us.<br>
<br>
Best regards,<br>
<br>
Volker A. Greimann<br>
- legal department -<br>
<br>
Key-Systems GmbH<br>
Im Oberen Werk 1<br>
66386 St. Ingbert<br>
Tel.: +49 (0) 6894 - 9396 901<br>
Fax.: +49 (0) 6894 - 9396 851<br>
Email: <a href="mailto:vgreimann@key-systems.net"
moz-do-not-send="true">vgreimann@key-systems.net</a><br>
<br>
Web: <a href="http://www.key-systems.net"
moz-do-not-send="true">www.key-systems.net</a> / <a
href="http://www.RRPproxy.net"
moz-do-not-send="true">www.RRPproxy.net</a><br>
<a href="http://www.domaindiscount24.com"
moz-do-not-send="true">www.domaindiscount24.com</a> / <a
href="http://www.BrandShelter.com"
moz-do-not-send="true">www.BrandShelter.com</a><br>
<br>
Follow us on Twitter or join our fan community on
Facebook and stay updated:<br>
<a href="http://www.facebook.com/KeySystems"
moz-do-not-send="true">www.facebook.com/KeySystems</a><br>
<a href="http://www.twitter.com/key_systems"
moz-do-not-send="true">www.twitter.com/key_systems</a><br>
<br>
CEO: Alexander Siffrin<br>
Registration No.: HR B 18835 - Saarbruecken<br>
V.A.T. ID.: DE211006534<br>
<br>
Member of the KEYDRIVE GROUP<br>
<a href="http://www.keydrive.lu"
moz-do-not-send="true">www.keydrive.lu</a><br>
<br>
This e-mail and its attachments is intended only
for the person to whom it is addressed.
Furthermore it is not permitted to publish any
content of this email. You must not use, disclose,
copy, print or rely on this e-mail. If an
addressing or transmission error has misdirected
this e-mail, kindly notify the author by replying
to this e-mail or contacting us by telephone.</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>