[CPWG] [registration-issues-wg] Draft EPDP Response to the Interim Report

Alan Greenberg alan.greenberg at mcgill.ca
Mon Dec 10 06:35:52 UTC 2018 

Thanks Holly.

The only time I find I cannot post a comment is when Confluence has logged me out. It happens so rarely that I never notice it has happened until I go to edit or comment. Perhaps that is the case with you.

I will post your message and my reply as a comment later today (if staff does not get there first).

I agree that we should be drafting something more specific that just for GDPR, but we are where we are and time constraints do not give us that luxury. But local law may well be more stringent than GDPR, or less so. And ultimately local law wins. Hopefully various laws do not conflict (such as if one country were to rule that ALL registrations were to be made public).

ICANN entered into this with the intent of being 100% GDPR (or ultimately other law) compliant, but keeping as  much of what we were doing before as is compliant. The draft statement is aligned with that. So yes, a contracted party MUST be able to comply with whatever laws apply. That is not their "choice". What we are talking about is whether they should be allowed to make up new rules that are not law and ICANN should  simply say "sure, go ahead". THAT I feel is what we are saying no to.

Regarding "Perhaps reword, but accept that contracted parties may well be subject to their own privacy laws in jurisdictions outside of the EU.", I think that is aGREAT addition to our comment, not just for this particular question, but as an over-riding principle that we need to remember. I think there is a place to put it and I will!

Alan


At 09/12/2018 08:08 PM, Holly Raiche wrote:
Hi Alan

For some reason, I wasn’t able to comment on the wiki. So this is what I would have said:

My one word of caution is back to first principles.  WE are so focussed on the GDPR that we forget that other jurisdictions also have privacy legislation that  could well oblige the registrar/reseller to not publish personal information/some personal information of the registrant.  So I”d rather stay with a position that allows all registrars/resellers - in whatever jurisdiction globally - to respect their national privacy legislation - as is currently allowed under the RAA - the ability to comply with national laws.  So that comes close to the view originally agreed upon as you penned it: ‘those who felt that a contracted party could decide whether to do it or not’.  Perhaps reword, but accept that contracted parties may well be subject to their own privacy laws in jurisdictions outside of the EU.

Holly

On Dec 10, 2018, at 8:44 AM, Cheryl Langdon-Orr <langdonorr at gmail.com<mailto:langdonorr at gmail.com>> wrote:

Thanks for this Alan, and I am specifically pleased to see the clarification on 'subjectability' to GDPR of so many of the Contracted Parties now clarified by the EU Data Protection Board.

C<http://about.me/cheryl.LangdonOrr> heryl L angdon- O rr ...  (CLO)

about.me/cheryl.LangdonOrr

<http://about.me/cheryl.LangdonOrr>


On Mon, 10 Dec 2018 at 07:24, Alan Greenberg <alan.greenberg at mcgill.ca<mailto:alan.greenberg at mcgill.ca> > wrote:

The first draft of the EPDP Response is now uploaded. It is essentially the same as that presented on the CPWG call on 28 Nov 2018.

One point on which there was significant discussion on the call was whether we should support geographic differentiation - that is, only apply redaction if the geographic location of the registrar/registry and the registrant warrant it or allow contracted parties ot redact for all registrations. When this was previously discussed, there was quite a divide between those who felt we should differentiate, and those who felt that a contracted party could decide whether to do it or not (ie a registrar, for instance) could decide to treat all registrants as if they were in the EU, and similarly a registrar outside of the EU (with no connection there) could also redact all data.

One of the things that has changed is that the European Data Protection Board has recently issued a document making it clear that an organization with NO presence or processing in the EU, offering services through the web, could have EU-based customers and not be subject to the GDPR - IF they do not explicitly target EU customers. Simple availability of a website in the EU does not constitute targeting. That take a large number of contracted parties who many of us had thought would be subject to the GDPR out of the game. See  Guidelines 3/2018 on the territorial scope of the GDPR<https://community.icann.org/download/attachments/99484375/edpb_guidelines_3_2018_territorial_scope_en.pdf?version=1&modificationDate=1544386236959&api=v2>.

On the CPWG when the question as ask about supporting geographic differentiation (oe Registrars/Registries should only redact when GDPR requires it, the overwhelming number agree (via check marks or voiced comments). This position is reflected in answers 86 and 89.

Please add your comments on any of the replies to the wiki - https://community.icann.org/x/1wLuBQ.

Alan
_______________________________________________
CPWG mailing list
CPWG at icann.org<mailto:CPWG at icann.org>
https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________
registration-issues-wg mailing list
registration-issues-wg at atlarge-lists.icann.org<mailto:registration-issues-wg at atlarge-lists.icann.org>
https://mm.icann.org/mailman/listinfo/registration-issues-wg

_______________________________________________
CPWG mailing list
CPWG at icann.org<mailto:CPWG at icann.org>
https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________
registration-issues-wg mailing list
registration-issues-wg at atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/cpwg/attachments/20181210/503e7cd8/attachment-0001.html>

More information about the CPWG mailing list