<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div>Volker,</div><div><br></div><div>If the idea is to treat all registrations as if they must meet compliance under the GDPR. And, if the registrars are actively stating that they will collect less data under the GDPR. It then logically results in less overall data.</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> Volker Greimann <<a href="mailto:vgreimann@key-systems.net">vgreimann@key-systems.net</a>><br><span style="font-weight:bold">Date: </span> Thursday, February 15, 2018 at 4:44 PM<br><span style="font-weight:bold">To: </span> Paul Keating <<a href="mailto:paul@law.es">paul@law.es</a>>, <<a href="mailto:gnso-rds-pdp-wg@icann.org">gnso-rds-pdp-wg@icann.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards<br></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div text="#000000" bgcolor="#FFFFFF">
<p>That very much depends on who gets what access how. It may mean
less data but it need not.<br>
</p>
<br>
<div class="moz-cite-prefix">Am 15.02.2018 um 16:42 schrieb Paul
Keating:<br>
</div>
<blockquote type="cite" cite="mid:D6AB68A8.C07ED%25Paul@law.es">
<div>Volker,</div>
<div><br>
</div>
<div>The harm is to all those relying on the data to do other work
(like security). If the DC limits collection based on the
limited GDPR subset (individual EU residents), that means less
data available.</div>
<div><br>
</div>
<div>Paul</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg-bounces@icann.org</a>>
on behalf of Volker Greimann <<a href="mailto:vgreimann@key-systems.net" moz-do-not-send="true">vgreimann@key-systems.net</a>><br>
<span style="font-weight:bold">Date: </span> Thursday,
February 15, 2018 at 4:29 PM<br>
<span style="font-weight:bold">To: </span> <<a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>><br>
<span style="font-weight:bold">Subject: </span> Re:
[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
backwards<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0
0 0 5;">
<div>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div text="#000000" bgcolor="#FFFFFF">
<p>Regardless of whom the GDPR applies to, we need to ask
ourselves the question whether the system we will be
designing should make that differentiation. It may be
beneficial and reduce user confusion if they do not have
to use two different methods to access registration
data depending on where in the world the registrant is
based, but only one universal system. And if they have
to jump through certain hoops (for example
pre-certification of the requester) anyways to get at EU
data subject data, where is the harm in using that same
hoop for all data? <br>
</p>
<p>Best,</p>
<p>Volker<br>
</p>
<br>
<div class="moz-cite-prefix">Am 15.02.2018 um 15:56
schrieb Paul Keating:<br>
</div>
<blockquote type="cite" cite="mid:D6AB5D84.C07D0%25Paul@law.es">
<div>Rubens,</div>
<div><br>
</div>
<div>You stated:</div>
<div><br>
</div>
<div>
<blockquote type="cite" class="" style="font-family:
-webkit-standard;">
<div class="">
<div dir="ltr" class="">
<div class="gmail_default">
<ul class="">
<li class=""><font class="" face="arial,helvetica,sans-serif" color="#444444">There is a limited set
of registrants that is entitled to GDPR
protection. There is a very large class
of registrants that is not entitled to
GDPR protection. There is disagreement
about where this line is, but this seems
to be something where consensus is
possible and there's an objectively,
legally correct answer."</font></li>
</ul>
</div>
</div>
</div>
</blockquote>
</div>
<div>And,</div>
<div><br>
</div>
<div><span id="OLK_SRC_BODY_SECTION">
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="padding: 0px 0px 0px 5px; margin: 0px 0px
0px 5px;">
<div class="" style="word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;">
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">
<div class="gmail_default">
<div class="">
<ol class="">
<li class="">The GDPR applies to,
and is intended to benefit, a
limited set of registrants. <br class="">
</li>
</ol>
</div>
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<span class="Apple-tab-span" style="white-space:pre"> </span>No,
no agreement with that state</div>
</blockquote>
</span>
<div><br>
</div>
</div>
<div><br>
</div>
<div>I completely disagree. The GDPR does in fact act
only to bind Data Collectors and Processors as to data
concerning a specific and limited set of people (EU
residents). That registrars may seek to apply it
across the board to all registrants is a matter of
convenience and risk avoidance given the potential
issues of properly identifying whether the registrant
is in fact one of the protected class. While I cannot
fault the registrars for wanting to limit risk, I do
object to the objective miss-statement of the law.</div>
<div><br>
</div>
<div>Paul Keating.</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt;
text-align:left; color:black; BORDER-BOTTOM: medium
none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP:
#b5c4df 1pt solid; BORDER-RIGHT: medium none;
PADDING-TOP: 3pt"><span style="font-weight:bold">From:
</span> gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg-bounces@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg-bounces@icann.org</a>>
on behalf of Rubens Kuhl <<a href="mailto:rubensk@nic.br" moz-do-not-send="true">rubensk@nic.br</a>><br>
<span style="font-weight:bold">Date: </span>
Wednesday, February 14, 2018 at 9:41 PM<br>
<span style="font-weight:bold">To: </span> John
Horton <<a href="mailto:john.horton@legitscript.com" moz-do-not-send="true">john.horton@legitscript.com</a>><br>
<span style="font-weight:bold">Cc: </span> RDS PDP
WG <<a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>><br>
<span style="font-weight:bold">Subject: </span> Re:
[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS
Policy is backwards<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0
5; MARGIN:0 0 0 5;">
<div>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;" class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 14 Feb 2018, at 18:07, John
Horton via gnso-rds-pdp-wg <<a href="mailto:gnso-rds-pdp-wg@icann.org" class="" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;color:#444444">Thanks,
Chuck. I think whatever changes are
required by the GDPR can be
accomplished with changes that, in my
view, do not constitute a fundamental
change to Whois/RDS. Beyond what I
think are non-fundamental changes
relating to the GDPR, I do not believe
that any changes are a "must." As to
your question:</div>
<div class="gmail_default">
<ul class="">
<li class=""><font class="" face="arial,helvetica,sans-serif" color="#444444">There is a
limited set of registrants that
is entitled to GDPR protection.
There is a very large class of
registrants that is not entitled
to GDPR protection. There is
disagreement about where this
line is, but this seems to be
something where consensus is
possible and there's an
objectively, legally correct
answer. </font></li>
</ul>
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
Nope, GDPR applies to all domain services
provided by a party that does business
targeting EEA. So there is no agreement in
limiting to whom GDPR applies to. You know
what is in the Hamilton memo that you disagree
with, and while it's your right to disagree,
you can't define things as having agreement
when there is no such thing. </div>
<div><br class="">
</div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">
<div class="gmail_default">
<ul class="">
<li class=""><font class="" face="arial,helvetica,sans-serif" color="#444444">It is possible
to protect that subset of
registrants through (e.g.)
complimentary privacy
protection, as well as some
other limited policies granting
access to the data for a
legitimate purpose (etc.,
everything we've been
discussing). </font></li>
</ul>
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
Nope, that would only be valid for publishing
of data. For collection and processing of
data, private WHOIS as we know it might not be
enough to achieve compliance, depending on TLD
and ICANN requirements. </div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">
<div class="gmail_default">
<ul class="">
<li class=""><font class="" face="arial,helvetica,sans-serif" color="#444444">Whether a
registrant is, in fact, an
entity that is in the very
limited class entitled to GDPR
protection can be determined
during the registration process,
and ICANN policy can require
registrars to add these fields
to the registration process.
Existing registrants can be
asked to update their
information. </font></li>
<li class=""><font class="" face="arial,helvetica,sans-serif" color="#444444">Aside from the
policies requiring that those
additional data fields be
collected during the
registration process (e.g., are
you an EU citizen and other
relevant questions), and that if
certain answers are "TRUE" then
privacy protection is
automatically granted, Whois
would not change. Port 43 access
would continue as is, and so
on. </font></li>
</ul>
<div class=""><font class="" face="arial,helvetica,sans-serif" color="#444444">I guess I would
turn around and ask you and others
if everyone agrees with these two
statements:</font></div>
<div class="">
<ol class="">
<li class="">The GDPR applies to,
and is intended to benefit, a
limited set of registrants. <br class="">
</li>
</ol>
</div>
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
No, no agreement with that statement. </div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div dir="ltr" class="">
<div class="gmail_default">
<div class="">
<ol class="" start="2">
<li class="">Registrar convenience
or business objectives is not a
valid basis to support a policy
change. </li>
</ol>
</div>
</div>
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div><br class="">
</div>
That depends on level. If by business
objectives you mean deny service for whole
Europe, that's a pretty hard business hit.
It's something like 20% of world's GDP. </div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div><br class="">
</div>
<div>Rubens</div>
<div><br class="">
</div>
<div><br class="">
</div>
</div>
</div>
_______________________________________________
gnso-rds-pdp-wg mailing list <a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></blockquote>
</span> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
gnso-rds-pdp-wg mailing list
<a class="moz-txt-link-abbreviated" href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a><a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></pre>
</blockquote>
<br>
</div>
</div>
_______________________________________________
gnso-rds-pdp-wg mailing list
<a href="mailto:gnso-rds-pdp-wg@icann.org" moz-do-not-send="true">gnso-rds-pdp-wg@icann.org</a>
<a href="https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg</a></blockquote>
</span>
</blockquote>
<br>
</div></div></blockquote></span></body></html>