[CPWG] [registration-issues-wg] [GTLD-WG] Next possible move related to GDPR

Hadia Abdelsalam Mokhtar EL miniawi Hadia at tra.gov.eg
Wed Sep 5 15:07:10 UTC 2018


Hi all,

With regard to Olivier's question on the call:
"what is the maximum and minimum amount of data that the GDPR allows in WHOIS?"

What I basically said on the phone bridge was that we need to differentiate between data collection and data access. With regard to data collection, as long as we have a legitimate purpose for the collection then we are fine. I then referred to Alan's example about the technical contact and I said that I tend to believe that this is not a third party requirement but rather an ICANN requirement, because the technical contact is required to maintain a reliable DNS, which is part of ICANN's mission. As for the access, I said that basically access will be granted to any stakeholder group with legitimate interest; however, how and how quickly is the issue.

I add here two matters:

1. The GDPR does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. (Article 2)

2. We are currently not discussing access.

Best
Hadia

-----Original Message-----
From: CPWG [mailto:cpwg-bounces at icann.org] On Behalf Of Holly Raiche
Sent: Tuesday, September 04, 2018 1:58 PM
To: Bastiaan Goslings
Cc: Carlton Samuels; Evan Leibovitch; cpwg at icann.org
Subject: Re: [CPWG] [registration-issues-wg] [GTLD-WG] Next possible move related to GDPR

Folks

First - Carlton, while I almost always agree with you, I'm afraid that, this time, I think Bastiaan has made a very good argument and I agree with his statement - which is even more impressive since English is not his first language. Well done Bastiaan.

And for Carlton - I still think we are on the same page - or close to.  

And to borrow from a presentation I recently attended:  the issue isn't privacy versus security; it is really an issue of one aspect of security versus another - both are necessary.

Holly
On 4 Sep 2018, at 8:43 pm, Bastiaan Goslings <bastiaan.goslings at ams-ix.net> wrote:

> 
>> On 4 Sep 2018, at 12:22, Carlton Samuels <carlton.samuels at gmail.com> wrote:
>> 
>> Bastiaan:
>> You seem adept at destroying context to feed your allergy.
> 
> 
> I 'seem adept at destroying'?
> 
> Ok, thank you... I am not an English native speaker so I had to look it up just to confirm what you might mean. You have a talent for ('seem adept at') phrasing your sentences quite archaically ;-)
> 
> Anyway, perception is of course in the eye of the beholder, which I'll have to respect and therefore cannot comment on. Suffice to say I completely disagree, I have no intention whatsoever to consciously destroy anything, I could have easily quoted someone else to make my point. One that still stands btw.
> 
> 
>> My phrasing was in context of defining what I meant by majority. Your interpretation blithely ignored the contextual meaning. There is a word for that I cannot recall at the minute.
>> 
>> Kindly,
>> -Carlton
> 
> 
> Right. Not very 'kind' from where I sit, but I am not going to take offence here.
> 
> -Bastiaan
> 
> 
> 
> 
> 
>> 
>> On Tue, 4 Sep 2018, 3:54 am Bastiaan Goslings, <bastiaan.goslings at ams-ix.net> wrote:
>> Unless I am mistaken I do not think we have to make a 'decision that will favour either the protection of registrants OR the protection of end users'.
>> 
>> Following this thread I am probably somewhat in the middle here: I definitely agree with the call for 'balance' but also think we have to be pragmatic and therefore need to establish what this required 'balance' means in practical terms in order to help our EPDP members and alternates form a position.
>> 
>> (Fyi I am somewhat allergic to statements like 'we as end users advocates are morally bound to prioritize the interests of the majority'. Personally I automatically tend to go for the underdog position, I am not going to elaborate on how minority groups everywhere suffer from apparent political, religious and/or commercial majority viewpoints. No need to respond to that, it is just a personal thing)
>> 
>> In this case I don't think we are fundamentally disagreeing though, I think it is more a matter of tone. It does seem as if we are continuously emphasising that certain third parties should have access to non-public WHOIS data in the public interest, as if that is the only concern and it is bad enough that GDPR and the like make gated access even a requirement in the first place. Like, who cares about privacy, that is just a 'minority' interest. The false security versus privacy paradigm I referred to before, combined with a 'there are many more users than registrants' rationale. And I know that is not what we think and/or are saying, but in terms of tone that is what sticks, at least with me.
>> 
>> I am of the opinion that a more balanced approach is indeed necessary. In practical terms I think we can do so by on the one hand seeing to it that ICANN becomes compliant with applicable data protection legislation like the GDPR, which in my opinion is not 'a given' looking at the current Temp Spec, advice from the EDPB, and what certain stakeholders within the EPDP are striving for. Of course I also am convinced that third party access based on legitimate interests is a no-brainer. But even if that is the case, we need to see to it that WHOIS data are 'collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes' as art 5.1 (b) of the GDPR says. If that is not taken care of properly then we might be looking at a future scenario where e.g. LEAs with certified access to non-public WHOIS data will not be able to get all the data required as they'll no longer be collected...
>> 
>> -Bastiaan
>> 
>> 
>>> On 4 Sep 2018, at 10:02, Evan Leibovitch <evanleibovitch at gmail.com> wrote:
>>> 
>>> Hi Tijani,
>>> 
>>> When nuance is possible, I have faith in our people to understand and work with that. Ideally we want both domain owners and domain users to be free from abuse. However, when there are decisions that will favour either the protection of registrants OR the protection of end users, our scale is balanced 98 to 2. Such hard choices - such as the very definitions of "harm" or "abuse"- will not be avoidable and we cannot shirk from that.
>>> 
>>> Cheers,
>>> Evan
>>> 
>>> PS: I am not sure that AFNIC/.fr is a good example, since well-run ccTLDs with residency requirements are typically not sources of significant end-user abuse. Were ICANN run like AFNIC or CIRA it's likely that gTLDs might not be such sources of abuse and this debate would be unnecessary.
>>> _______________________________________________
>>> CPWG mailing list
>>> CPWG at icann.org
>>> https://mm.icann.org/mailman/listinfo/cpwg
>> 
> 
> _______________________________________________
> registration-issues-wg mailing list
> registration-issues-wg at atlarge-lists.icann.org
> https://mm.icann.org/mailman/listinfo/registration-issues-wg
