[CPWG] [registration-issues-wg] [GTLD-WG] EPDP: Geographic distinction

Greg Shatan greg at isoc-ny.org
Wed Oct 31 18:26:37 UTC 2018 

Hadia and all,

First, I think we must assume that registries/registrars know whether they
are located (or “established,” to use GDPR terminology) in the European
Union.  At the least, we must assume that they are capable of making that
determination.

For registries and registrars located in the EU, a distinction based on the
geographic location of the registrant is irrelevant, since the
registry/registrar must comply with GDPR regarding the personal data of all
natural person data subjects.  So, the EPDP cannot even discuss the
application of geographic distinctions by EU registries/registrars, because
these registries/registrars have no use for that distinction.

Therefore, this discussion in the EPDP should be limited to non-EU
registries/registrars.  The question then becomes whether non-EU registry
operators and registrars should be permitted or required to differentiate
between registrants based on the their geographic location.  These
registries/registrars are under no obligation to extend GDPR protections to
non-EU registrants.  They are, however, under a contractual obligation to
collect and publish WHOIS data to the extent allowed by applicable law.
These registries/registrars need to follow their obligations, which are
unchanged regarding all who are not EU data subjects.

The GDPR’s extraterritorial effect needs to be appropriately interpreted
and respected.  Its limits also need to be respected.  Applying a law where
that law does not apply is not applying the law at all.  For ICANN, it is
pure policy-making, not legal compliance.  I’m fairly sure the EPDP does
not have a mandate to undo WHOIS/RDS policy and make new data protection
policy.   (Arguably, the RDS WG did, but that ship has sailed (or more
accurately, that ship has sunk).). Nor does the EPDP have a mandate to
extend the reach of GDPR beyond its legal bounds.

Taken in tandem with ALAC’s long-standing commitments to WHOIS access and
to the interest of the end-users (the vast, vast majority of whom are not
registrants), I think the choice is so clear, it is not even a choice.
Non-EU registrars/registrars should be required to make the geographic
distinction.

Of course, there is a complicating case, where an EU reseller is a reseller
for a non-EU registrar, and the reseller collects data of non-EU data
subject.  The issues raised by the reseller case should be resolved for
that particular case, and should not be used as an excuse to apply GDPR
beyond its legal and geographic boundaries.

Best regards,

Greg



On Wed, Oct 31, 2018 at 6:26 AM Hadia Abdelsalam Mokhtar EL miniawi <
Hadia at tra.gov.eg> wrote:

>
> Hi All,
>
> So going back to the EPDP team charter question if registry operators and
> registrars should be permitted or required  to differentiate between
> registrants based on the geographic location, I am of the opinion that no
> distinction should be made based on the geographic location of the
> registrant and the reason is that whether the GDPR applies or not does not
> only depend on the location of the registrant but it also depends on the
> location of the controller and processor, that is  the registry, registrars
> and resellers  and any other related processors. The regulation has this
> nature of extended territory, as I see it the impact of this distinction
> will be mainly on the industry, so registrants might choose a reseller in
> Europe over a reseller or a registrar outside of the EU  or vice versa
> just to be protected or not protected by the GDPR . I cannot see the merit
> of the registries and registrars differentiating between the registrants
> based on their geographic location, where registrants not residing in the
> EU will be treated in accordance to the GDPR if their reseller or registrar
> is in the EU, the distinction based only on the geographic location of the
> registrant is already not possible according to the GDPR.
>
> Kindest Regards
> Hadia
>
> -----Original Message-----
> From: CPWG [mailto:cpwg-bounces at icann.org] On Behalf Of gtheo
> Sent: Tuesday, October 30, 2018 9:47 AM
> To: Greg Shatan
> Cc: Jonathan Zuck; CPWG
> Subject: Re: [CPWG] [registration-issues-wg] [GTLD-WG] EPDP: Geographic
> distinction
>
> As an EU Registrar I need to comply with the GDPR (obvious), as such I
> need to apply the GDPR to all my international customers or I would not
> be compliant (maybe not so obvious).
>
> You could perhaps make a distinction between EU vs non EU Registrars?
> But how do you mix in the other 126 data protection laws that keep
> growing in numbers? The EPDP team needs to factor that in also.
> Ultimately the distinction will almost not work.
> https://iapp.org/news/privacy-tracker/
>
> Thanks,
>
> Theo Geurts
>
>
>
>
>
>
>
> Greg Shatan schreef op 2018-10-30 05:52 AM:
> > Alan,
> >
> > One slight caveat: an EU Citizen living in the US would still get the
> > benefit of GDPR when the Controller or Processor with their data is
> > “established” in the EU. But they get that benefit only because the
> > Controller or Processor’s covered by GDPR.
> >
> > Greg
> > On Tue, Oct 30, 2018 at 12:40 AM Greg Shatan <greg at isoc-ny.org> wrote:
> >
> >> I also think it should be restricted to what GDPR requires. Anything
> >> beyond that essentially puts ICANN into the business of making privacy
> >> policy without a basis in law, which is beyond the remit of the EPDP.
> >>
> >> There may be an interesting discussion to be had about whether ICANN
> >> should change WHOIS for policy reasons, but the EPDP is not the place
> >> for
> >> that conversation.
> >>
> >> Greg
> >> On Mon, Oct 29, 2018 at 11:12 PM Jonathan Zuck <
> >> JZuck at innovatorsnetwork.org> wrote:
> >>
> >>> I'm inclined to say restricted if for no other reason than we'll
> >>> eventually have a bunch of GDPRs that are slightly different.
> >>>
> >>> On 10/29/18, 9:36 PM, "GTLD-WG on behalf of Alan Greenberg" <
> >>> gtld-wg-bounces at atlarge-lists.icann.org on behalf of
> >>> alan.greenberg at mcgill.ca> wrote:
> >>>
> >>>     GDPR is applicable to residents of the EU by companies resident
> >>> there
> >>>     and worldwide.
> >>>
> >>>     One of the issues is whether contracted parties should be allowed
> >>> or
> >>>     required to distinguish between those who are resident there and
> >>> elsewhere.
> >>>
> >>>     There is agreement that such distinction should be allowed, but
> >>> EPDP
> >>>     is divided on whether it should be required. The GAC/BC/IPC want
> >>> to
> >>>     see the distinction made, and at least one very large contracted
> >>>     party does already make the distinction. Other contracted parties
> >>> are
> >>>     pushing back VERY strongly saying that there is virtually no way
> >>> that
> >>>     the can or are willing to make the distinction.
> >>>
> >>>     The current (confusing) state of the working document is
> >>> attached.
> >>>
> >>>     Which side should ALAC come down on?
> >>>
> >>>     - Restrict application to those to whom GDPR applies?
> >>>     - Apply universally ignoring residence?
> >>>
> >>>     As usual, quick replies requested.
> >>>
> >>>     Alan
> >>>
> >>> _______________________________________________
> >>> CPWG mailing list
> >>> CPWG at icann.org
> >>> https://mm.icann.org/mailman/listinfo/cpwg
> >>> _______________________________________________
> >>> GTLD-WG mailing list
> >>> GTLD-WG at atlarge-lists.icann.org
> >>> https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
> >>>
> >>> Working Group direct URL:
> >>> https://community.icann.org/display/atlarge/New+GTLDs
> >>
> >>
> >
> > _______________________________________________
> > CPWG mailing list
> > CPWG at icann.org
> > https://mm.icann.org/mailman/listinfo/cpwg
> >
> > _______________________________________________
> > registration-issues-wg mailing list
> > registration-issues-wg at atlarge-lists.icann.org
> > https://mm.icann.org/mailman/listinfo/registration-issues-wg
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/cpwg/attachments/20181031/7f158573/attachment-0001.html>

More information about the CPWG mailing list