<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Folks<div><br></div><div>Could we please stop pretending that this is only about the GDPR and the EU. Yes, the GDPR is perhaps the most stringent on data protection. But increasingly, many other jurisdictions are enacting similar legislation. Just north of the US, Canada has very similar rules about data protection, or on the other side of the world, so does Australia (and many other countries in the Asia Pacific region as well). So increasingly, the US will be the odd man out on this issue. </div><div><br></div><div>And there are also concerns about legal vs natural persons. In some cases (not just a few), the registrant may be a legal entity - a small business, where the details for contact are those of the registrant - personal information. So the distinction, in such cases, could lead to the publication of personal information of the legal entity.</div><div><br></div><div>Finally, please draw a distinction between collection for legitimate purposes, and making that information public. There is no question that, particularly in many cases, registries/registrars need to contact registrants. Cases of misuse/abuse of the name are also situations where we all expect contact information will be accessible. But that is a long way from having all RDS data freely available to all, as is now the case.</div><div><br></div><div>Holly</div><div><br></div><div><br><div><div>On 13 Feb 2018, at 6:27 am, Michael Palage <<a href="mailto:michael@palage.com">michael@palage.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Verdana; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><div class="WordSection1" style="page: WordSection1;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Greg/John,<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">I will respectfully push back on your legal over simplification of the GDPR.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">As I have note previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system. <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Best regards,<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Michael<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="Apple-converted-space"> </span>gnso-rds-pdp-wg [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" style="color: purple; text-decoration: underline;">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>John Horton via gnso-rds-pdp-wg<br><b>Sent:</b><span class="Apple-converted-space"> </span>Monday, February 12, 2018 1:22 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Greg Aaron <<a href="mailto:gca@icginc.com" style="color: purple; text-decoration: underline;">gca@icginc.com</a>><br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [gnso-rds-pdp-wg] Legal basis vs. lawful<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-family: Arial, sans-serif; color: rgb(68, 68, 68);">I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this. <o:p></o:p></span></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br clear="all"><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-family: Arial, sans-serif; color: rgb(7, 55, 99);">John Horton<br>President and CEO, LegitScript</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><img width="96" height="36" id="_x0000_i1025" src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&revid=0B13GfLt8zwZJSG9zOUVwN1lFKzFrRVlnaWU0NGZ4RmdkUjg4PQ" style="width: 1in; height: 0.375in;"><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt;"><span style="font-size: 9pt; font-family: Helvetica, sans-serif;"> </span></div><div style="margin: 0in 0in 0.0001pt;"><b><span style="font-size: 9pt; font-family: Helvetica, sans-serif; color: rgb(68, 68, 68);">Follow</span></b><b><span style="font-size: 9pt; font-family: Helvetica, sans-serif; color: rgb(11, 83, 148);"> </span></b><b><span style="font-size: 9pt; font-family: Helvetica, sans-serif;">Legit</span></b><b><span style="font-size: 9pt; font-family: Helvetica, sans-serif; color: rgb(11, 83, 148);">Script</span></b><span style="font-size: 9pt; font-family: Helvetica, sans-serif;">: <a href="http://www.linkedin.com/company/legitscript-com" target="_blank" style="color: purple; text-decoration: underline;"><span style="color: rgb(204, 0, 0);">LinkedIn</span></a> | <a href="https://www.facebook.com/LegitScript" target="_blank" style="color: purple; text-decoration: underline;"><span style="color: rgb(106, 168, 79);">Facebook</span></a> | <a href="https://twitter.com/legitscript" target="_blank" style="color: purple; text-decoration: underline;"><span style="color: rgb(103, 78, 167);">Twitter</span></a> | <u><span style="color: rgb(255, 153, 0);"><a href="http://blog.legitscript.com/" target="_blank" style="color: purple; text-decoration: underline;"><span style="color: rgb(17, 85, 204);">Blog</span></a></span></u> |<span style="color: rgb(255, 153, 0);"> <a href="http://go.legitscript.com/Subscription-Management.html" target="_blank" style="color: purple; text-decoration: underline;"><span style="color: rgb(255, 153, 0);">Newsletter</span></a></span><o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt;"><span style="font-size: 9pt; font-family: Helvetica, sans-serif;"> </span></div><div style="margin: 0in 0in 0.0001pt;"><span style="font-size: 9pt; font-family: Helvetica, sans-serif; color: rgb(255, 153, 0);"><img border="0" width="46" height="96" id="_x0000_i1026" src="https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png" style="width: 0.4791in; height: 1in;"><img border="0" width="47" height="97" id="_x0000_i1027" src="https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ" style="width: 0.493in; height: 1.0069in;"></span><span style="font-size: 9pt; font-family: Helvetica, sans-serif;"><o:p></o:p></span></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <<a href="mailto:gca@icginc.com" target="_blank" style="color: purple; text-decoration: underline;">gca@icginc.com</a>> wrote:<o:p></o:p></div><blockquote style="border-style: none none none solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding: 0in 0in 0in 6pt; margin-left: 4.8pt; margin-right: 0in;"><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">I don’t know if we arrive at the same place. <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things. <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world. <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">See<span class="Apple-converted-space"> </span><a href="https://iapp.org/news/a/explaining-the-gdpr-to-an-american/" target="_blank" style="color: purple; text-decoration: underline;">https://iapp.org/news/a/explaining-the-gdpr-to-an-american/</a> for more.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div><div style="border-style: solid none none; border-top-color: rgb(225, 225, 225); border-top-width: 1pt; padding: 3pt 0in 0in;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="Apple-converted-space"> </span>gnso-rds-pdp-wg [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank" style="color: purple; text-decoration: underline;">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Silver, Bradley via gnso-rds-pdp-wg<br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, February 9, 2018 2:54 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Volker Greimann <<a href="mailto:vgreimann@key-systems.net" target="_blank" style="color: purple; text-decoration: underline;">vgreimann@key-systems.net</a>>;<span class="Apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [gnso-rds-pdp-wg] Legal basis vs. lawful<o:p></o:p></div></div></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: rgb(31, 73, 125);">It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful? </span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: rgb(31, 73, 125);">There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless? </span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></div><div><div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif;"><span class="Apple-converted-space"> </span>gnso-rds-pdp-wg [</span><a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank" style="color: purple; text-decoration: underline;"><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">mailto:gnso-rds-pdp-wg-bounces@icann.org</span></a><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Volker Greimann<br><b>Sent:</b><span class="Apple-converted-space"> </span>Friday, February 09, 2018 11:27 AM<br><b>To:</b><span class="Apple-converted-space"> </span></span><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" style="color: purple; text-decoration: underline;"><span style="font-size: 10pt; font-family: Tahoma, sans-serif;">gnso-rds-pdp-wg@icann.org</span></a><span style="font-size: 10pt; font-family: Tahoma, sans-serif;"><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [gnso-rds-pdp-wg] Legal basis vs. lawful</span><o:p></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><p>I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific cicumstances, all of which are listed in the GDPR.<o:p></o:p></p><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:<o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and kathy’s analysis overlooks that point.<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div><div style="border-style: solid none none; border-top-color: rgb(225, 225, 225); border-top-width: 1pt; padding: 3pt 0in 0in;"><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b>From:</b><span class="Apple-converted-space"> </span>gnso-rds-pdp-wg [<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" target="_blank" style="color: purple; text-decoration: underline;">mailto:gnso-rds-pdp-wg-bounces@icann.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Kathy Kleiman<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, February 8, 2018 7:07 PM<br><b>To:</b><span class="Apple-converted-space"> </span><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [gnso-rds-pdp-wg] Legal basis vs. lawful<o:p></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.<o:p></o:p></div><p>Specifically, GDPR Article 5(1)(b and c) states:<o:p></o:p></p><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><b>Personal data shall be:<span class="Apple-converted-space"> </span><br>2. "collected for<span class="Apple-converted-space"> </span><u>specified, explicit and legitimate purposes<span class="Apple-converted-space"> </span></u>and not further processed in a manner that is incompatible with those purposes"</b><span class="Apple-converted-space"> </span>(the "purpose limitation") AND<span class="Apple-converted-space"> </span><b><br>3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"</b><span class="Apple-converted-space"> </span>(the "data minimisation" requirement). [underline added]<b><br></b><br>Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing..<br><br>Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.<span class="Apple-converted-space"> </span><br><br>"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDRP falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.<br><br>The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a<span class="Apple-converted-space"> </span><i>valid legal basis</i><span class="Apple-converted-space"> </span>as expressly defined by data protection laws.<span class="Apple-converted-space"> </span><br><br>Best regards,<span class="Apple-converted-space"> </span><br>Kathy<span class="Apple-converted-space"> </span><br><br>On 2/7/2018 10:53 AM, Sam Lanfranco wrote:<o:p></o:p></p><blockquote style="margin-top: 5pt; margin-bottom: 5pt;"><p>Thanks Tapani,<o:p></o:p></p><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;">I will extract from your longer message.<span class="Apple-converted-space"> </span><br>I deliberately kept my brief and less technical.<br>I think we are in agreement here and I support your position.<o:p></o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: rgb(102, 0, 0);">On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:<br><br>The key distinction, as I understand it, is that "lawful" would be<br> defined by the negative, everything that some law does not prohibit,</span><o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="color: rgb(102, 0, 0);">where as "legal basis" is defined by the positive, only things whose<span class="Apple-converted-space"> </span><br>justification can be explicitly derived from law.<span class="Apple-converted-space"> </span><br><br> <......><br><br>So I would prefer "legal basis" specifically in this sense: that any processing<br> would have to be explicitly based on one of the criteria, or bases, as listed<span class="Apple-converted-space"> </span><br>in GDPR Article 6, or similar explicit justification in other data protection legislation.<span class="Apple-converted-space"> </span><br><br></span><br><br><o:p></o:p></p><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">_______________________________________________<o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">gnso-rds-pdp-wg mailing list<o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=" target="_blank" style="color: purple; text-decoration: underline;">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></pre></blockquote><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"> <o:p></o:p></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 12pt; font-family: 'Times New Roman', serif;"> </span><o:p></o:p></p><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">_______________________________________________<o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';">gnso-rds-pdp-wg mailing list<o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="mailto:gnso-rds-pdp-wg@icann.org" target="_blank" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New';"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=" target="_blank" style="color: purple; text-decoration: underline;">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></pre></blockquote><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 12pt; font-family: 'Times New Roman', serif;"> </span><o:p></o:p></div><div class="MsoNormal" align="center" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; text-align: center;"><span style="font-size: 12pt; font-family: 'Times New Roman', serif;"><hr size="2" width="100%" align="center"></span></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><span style="font-size: 12pt; font-family: 'Times New Roman', serif; color: red;"><br><b><i><br>Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at<span class="Apple-converted-space"> </span><a href="tel:(212)%20484-6000" target="_blank" style="color: purple; text-decoration: underline;">212.484.6000</a><span class="Apple-converted-space"> </span>or via email at<span class="Apple-converted-space"> </span></i></b></span><a href="mailto:ITServices@timewarner.com" target="_blank" style="color: purple; text-decoration: underline;"><b><i><span style="font-size: 12pt; font-family: 'Times New Roman', serif;">ITServices@timewarner.com</span></i></b></a><b><i><span style="font-size: 12pt; font-family: 'Times New Roman', serif; color: red;"></span></i></b><o:p></o:p></p><div class="MsoNormal" align="center" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; text-align: center;"><hr size="2" width="100%" align="center"></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">This message is the property of Time Warner Inc. and is intended only for the use of the addressee(s) and may be legally privileged and/or confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, he or she is hereby notified that any dissemination, distribution, printing, forwarding, or any method of copying of this information, and/or the taking of any action in reliance on the information herein is strictly prohibited except by the intended recipient or those to whom he or she intentionally distributes this message. If you have received this communication in error, please immediately notify the sender, and delete the original message and any copies from your computer or storage system. Thank you.<o:p></o:p></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br>_______________________________________________<br>gnso-rds-pdp-wg mailing list<br><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" target="_blank" style="color: purple; text-decoration: underline;">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a><o:p></o:p></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;"><o:p> </o:p></div></div></div>_______________________________________________<br>gnso-rds-pdp-wg mailing list<br><a href="mailto:gnso-rds-pdp-wg@icann.org" style="color: purple; text-decoration: underline;">gnso-rds-pdp-wg@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" style="color: purple; text-decoration: underline;">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></div></blockquote></div><br></div></body></html>