[CPWG] [GTLD-WG] EPDP: Geographic distinction

Alan Greenberg alan.greenberg at mcgill.ca
Tue Oct 30 13:49:33 UTC 2018 

GDPR, in the context of WHOIS/RDS and ICANN applies only to gTLD Registrants' personal data and not all users.

The wider we allow redaction, the less access there is for cybersecurity and consumer protection/fraud issues.

Alan

At 30/10/2018 08:07 AM, Sebastien Bachollet wrote:
Hello,
I have questions:
If and when other GDPR like policies are developed in other part of the World do ICANN will need to enforce a policy for each « regime »?
Or as At-Large can’t we ask for a protection for all the (individual) (end) users?
And if we consider GDPR as a good step to protect (individual) (end) users privacy in Europe, why not for the others?

If we have to support distinction, it must be on the basis of the residence (the address in the Whois) and not the citizenship.

It must be also allow and possible if one want to publish their personal data to do so.

One world, one Internet, one privacy protection for all Internet individual end users ;)

All the best
SeB

Le 30 oct. 2018 à 07:43, Bastiaan Goslings < bastiaan.goslings at ams-ix.net<mailto:bastiaan.goslings at ams-ix.net>> a écrit :

Just a quick comment, also related to a comment Maureen made earlier ('with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU”):

I’m not aware of the GDPR referring to either EU ‘citizens’ or ‘residents’.

See art 3 of the GDPR https://gdpr-info.eu/art-3-gdpr/ which sets the territorial scope.

So the GDPR is applicable to controllers and processors in the Union, regardless of whether the processing takes place in the Union (and regardless of whether the data subjects affected are in the Union), and to the processing of personal data of data subjects who are in the Union by controllers and processors not established in the Union.

(see also recitals 2 and 14 https://gdpr-info.eu/recitals/ )

Anyway, looking at the example mentioned below, any citizen living in the US, not just those from the EU, 'would get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU'.

-Bastiaan




On 30 Oct 2018, at 05:52, Greg Shatan <greg at isoc-ny.org<mailto:greg at isoc-ny.org>> wrote:

Alan,

One slight caveat: an EU Citizen living in the US would still get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU. But they get that benefit only because the Controller or Processor’s covered by GDPR.

Greg
On Tue, Oct 30, 2018 at 12:40 AM Greg Shatan <greg at isoc-ny.org<mailto:greg at isoc-ny.org>> wrote:
I also think it should be restricted to what GDPR requires. Anything beyond that essentially puts ICANN into the business of making privacy policy without a basis in law, which is beyond the remit of the EPDP.

There may be an interesting discussion to be had about whether ICANN should change WHOIS for policy reasons, but the EPDP is not the place for that conversation.

Greg
On Mon, Oct 29, 2018 at 11:12 PM Jonathan Zuck < JZuck at innovatorsnetwork.org<mailto:JZuck at innovatorsnetwork.org>> wrote:
I'm inclined to say restricted if for no other reason than we'll eventually have a bunch of GDPRs that are slightly different.

On 10/29/18, 9:36 PM, "GTLD-WG on behalf of Alan Greenberg" < gtld-wg-bounces at atlarge-lists.icann.org<mailto:gtld-wg-bounces at atlarge-lists.icann.org> on behalf of alan.greenberg at mcgill.ca<mailto:alan.greenberg at mcgill.ca> > wrote:

   GDPR is applicable to residents of the EU by companies resident there
   and worldwide.

   One of the issues is whether contracted parties should be allowed or
   required to distinguish between those who are resident there and elsewhere.

   There is agreement that such distinction should be allowed, but EPDP
   is divided on whether it should be required. The GAC/BC/IPC want to
   see the distinction made, and at least one very large contracted
   party does already make the distinction. Other contracted parties are
   pushing back VERY strongly saying that there is virtually no way that
   the can or are willing to make the distinction.

   The current (confusing) state of the working document is attached.

   Which side should ALAC come down on?

   - Restrict application to those to whom GDPR applies?
   - Apply universally ignoring residence?

   As usual, quick replies requested.

   Alan

_______________________________________________
CPWG mailing list
CPWG at icann.org<mailto:CPWG at icann.org>
https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________
GTLD-WG mailing list
GTLD-WG at atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg

Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
_______________________________________________
CPWG mailing list
CPWG at icann.org
https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________
CPWG mailing list
CPWG at icann.org<mailto:CPWG at icann.org>
https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________
GTLD-WG mailing list
GTLD-WG at atlarge-lists.icann.org<mailto:GTLD-WG at atlarge-lists.icann.org>
https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg

Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/cpwg/attachments/20181030/66e0573a/attachment-0001.html>

More information about the CPWG mailing list