[CPWG] [registration-issues-wg] [GTLD-WG] Next possible move related to GDPR

Olivier MJ Crépin-Leblond ocl at gih.com
Tue Sep 4 15:51:35 UTC 2018 

Hello all,

first of all, I am very glad to see this flurry of emails on the CPWG
about this very topic. Yes, it is a topic that has been resurging every
now and then, indeed whenever we have a discussion about WHOIS, and this
is what makes the At-Large community different from every other
community out there in ICANN.

There is no "pro" or "against" privacy in this debate. There is a
conflict of needs, all of them being legitimate in their own way.

I think that Bastiaan has explained the situation rather well.

But I would also like to somehow frame the discussion again: in the
current instance of the debate, we have a new element, which is the
framework that is caused by the GDPR, promoting stronger privacy
protection for Registrants. It is there. We can't even argue this. If
Registrars and Registries do NOT follow the GDPR they are practically
assured of receiving a penalty, so I can completely understand that, a
business holders, they cannot afford this risk.

And we have a counter framework that might well be put forward by the
United States, which is to have a strong consumer protection for people
using Web sites which means a strong means of identification. If you
read this proposition, some of it is diametrically opposed to GDPR.

So we are somehow in the middle. The question we should be asking
ourselves, is whether there is a solution that satisfies both sides of
the debate? A solution that provides consumer protection, whilst at the
same time complies with GDPR?

Kindest regards,

Olivier

On 04/09/2018 10:54, Bastiaan Goslings wrote:
> Unless I am mistaken I do not think we have to make a ‘decision that will favour either the protection of registrants OR the protection of end users’.
>
> Following this thread I am probably somewhat in the middle here: I definitely agree with the call for ‘balance’ but also think we have to be pragmatic and therefor need to establish what this required ’balance’ means in practical terms in order to help our EPDP members and alternates form a position.
>
> (Fyi I am somewhat allergic to statements like ‘we as end users advocates are morally bound to prioritize the interests of the majority’. Personally I automatically tend to go for the underdog position, I am not going to elaborate on how minority groups everywhere suffer from apparent political, religious and/or commercial majority viewpoints. No need to respond to that, it just a personal thing)
>
> In this case I don’t think are fundamentally disagreeing though, I think it is more a matter of tone. It does seem as if we are continuously emphasising that certain third parties should have access to non-public WHOIS data in the public interest, as if that is the only concern and it is bad enough that GDPR and the like make gated access even a requirement in the first place. Like, who cares about privacy, that is just a ‘minority’ interest. The false security versus privacy paradigma I referred to before, combined with a ‘there are many more users than registrants’ rationale. And I know we hat is not what we think and/or are saying, but in terms of tone that is what sticks, at least with me.
>
> I am of the opinion that a more balanced approach is indeed necessary. In practical terms I think we can do so by on the one hand seeing to it that ICANN becomes compliant with applicable data protection legislation like the GDPR, which in my opinion is not ‘a given’ looking at the current Temp Spec, advise from the EDPB, and what certain stakeholders within the EPDP are striving for. Of course I also am convinced that third party access based on legitimate interests are a no brainer. But even if that is the case, we need to see to it that WHOIS data are ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’ as art 5.1 (b) of the GDPR says. If that is not taken care of properly then we might be looking at a future scenario where e.g. LEAs with certified access to non-public WHOIS data will not be able to get all the data required as they’ll no longer be collected…
>
> -Bastiaan
>
>
>> On 4 Sep 2018, at 10:02, Evan Leibovitch <evanleibovitch at gmail.com> wrote:
>>
>> Hi Tijani,
>>
>> When nuance is possible, I have faith in our people to understand and work with that. Ideally we want both domain owners and domain users to be free from abuse. However, when there are decisions that will favour either the protection of registrants OR the protection of end users, our scale is balanced 98 to 2. Such hard choices - such as the very definitions of "harm" or "abuse"- will not be avoidable and we cannot shirk from that.
>>
>> Cheers,
>> Evan
>>
>> PS: I am not sure that AFNIC/.fr is a good example, since well-run ccTLDs with residency requirements are typically not sources of significant end-user abuse. Were ICANN run like AFNIC or CIRA it's likely that gTLDs might not be such sources of abuse and this debate would be unnecessary.
>> _______________________________________________
>> CPWG mailing list
>> CPWG at icann.org
>> https://mm.icann.org/mailman/listinfo/cpwg
>
>
> _______________________________________________
> CPWG mailing list
> CPWG at icann.org
> https://mm.icann.org/mailman/listinfo/cpwg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/cpwg/attachments/20180904/a5b6e9c3/attachment-0001.html>

More information about the CPWG mailing list