[Gdd-gnso-ppsai-impl] Follow-Up on Yesterday's PP IRT Discussion
Volker Greimann
vgreimann at key-systems.net
Thu Sep 6 09:31:36 UTC 2018
Hi Steve,
thank you for your helpful comments.
> 3.3 -remove in its entirety - we never proposed a public access RDS
> system by privacy services in the WG. It is also unclear whom the
> license is supposed to be granted to.
>
> /SM comment: I don’t fully agree with Volker here. While some change
> to the provision might be needed, this is still useful as a statement
> of the subset of the data collected by Provider that would be subject
> to Disclosure, either under one of the Frameworks or otherwise. The
> reference to interactive, query-based access should be retained to
> make it clear that those registrars/registries not redacting the data
> of non-=EU registrations have a license to display it. Perhaps we
> should also add a reference to the items listed as being subject to
> Disclosure in accordance with this agreement. /
>
/The RDS is a registrar/registry obligation, PP services never had such
an obligatuion and we also never proposed that. This does not affect the
Relay or Disclosure obligations. Happy with replacing it with such a
reference, as proposed./
>
> //
>
> 3.5.3 Move information requirements to 3.8, unless a specific notice
> is absolutely required.
>
> /SM comment: Not sure I understand Volker’s proposal here. The data
> accuracy provisions need to be part of the accreditation agreement
> (and thus enforceable by ICANN) and not just part of the Terms of
> Service enforceable by the Provider (though they certainly could be
> there as well). But I might be missing what Volker is driving at here.
> /
>
/My main point is that ensuring data accuracy never is a responsibility
of a contracted party, it is the responsibility of the registrant. The
contracted party may have an obligation to verify upon receipt of a
complaint and to conduct cvertain operations regarding verification and
validation, but ultimately the responsibility lies with the registrant
and the contracted party may be required to enforce this obligation
against the registrant. Therefore the correct place for such notices is
the terms of service or the provider. Note that this obligation to
provide notice is still enforceable by ICANN. /
>
> //
>
> 3.5.3.3 <http://3.5.3.3> Replace by: Provider shall provide
> appropriate notice to a Customer upon each initial agreement regarding
> a Registered Name for which Provider is providing the Services. Such a
> notice should provide all legally required information in accordance
> with applicable data privacy laws (optional: which may include:
> 3.5.3.3.1, 3.5.3.3.2, 3.5.3.3.3, 3.5.3.3.4, 3.5.3.3.5, 3.5.3.3.6,
> 3.5.3.3.9, 3.5.3.3.10, 3.5.3.3.11, 3.5.3.3.13 (add: if applicable),
> 3.5.3.3.14.)
>
> /SM comment: Support this in principle, this is an example of where
> it would be inappropriate to import the Temp Spec into implementation
> of a consensus policy. Furthermore, some of these elements make
> little sense outside of the EU context, and there will continue to be
> Providers not subject to the GDPR, at least as to certain non-EU
> Customers.
> /
>
/Agreed. Non-EU registrars with non-EU customers will not be bound by
GDPR (but may be bound by the incoming Californian privacy laws, or
other such laws elsewhere). Hmm, come to think of it, ICANN is based in
California ;-)/
>
> //
>
> 3.5.3.4 <http://3.5.3.4> Remove completely, as this is invalid forced
> consent.
>
> /SM comment: I disagree. I am afraid Volker may be committing the
> error he has often warned us against of conflating a domain name
> registration service with the service provided by a P/P provider. In
> the latter case, the only subject matter of the contract itself
> involves the collection, processing and disclosure of data, not the
> provision of any other service, so it may be perfectly acceptable to
> rely upon consent for the processing activities, even if this legal
> basis is of less value in the case of a domain name registration
> service where the processing of e.g. contact data of the registrant is
> arguably more ancillary to the main point of the contract.
> /
>
/Hate to disagree, but forced consent is a no-go under the GDPR. Better
base such processing by the provider on the need of processing for
providing the service and to conclude a valid agreement./
>
> //
>
> 3.5.3.8 <http://3.5.3.8> Remove: Unnecessary as already included in
> registration agreements. No need for duplication of representation.
>
> /SM comment: Disagree, breach of this representation should be a
> basis for terminating the p/p service even if the registrar is not
> enforcing the obligation. In addition, as this provision has been in
> the draft PPAA since the beginning, and is not impacted by GDPR as far
> as I can tell, I question why it is being challenged at this point.
> Surely we should not be reopening issues that has already come to rest
> over the previous years…. /
>
/So basically you want the registrant to make the same (implicit)
representation twice? Once to the registrar when requesting the
registration and once to the privacy service provider? What is the added
benefit here?/
> //
>
> 3.17. add at the end: ...and to the extent permitted under applicable law.
>
> /SM comment: I don’t object to this in principle (and as applicable
> to Disclosures outside the context of the Disclosure Frameworks) but
> would defer until we get to discussing the proposed edits to these
> Disclosure Frameworks.
> /
>
/I'd prefer to settle this now and not push issues ahead for later to
avoid further delay, but I could live with it./
>
> //
>
> 3.18.2 Add: Provider shall not be required to allow transfers to
> registrars it has no agreement with as long as its data remains in the
> RDS at the time the transfer is requested.
>
> /SM comment: Would like to hear more about why this addition is
> needed and what relationship if any it bears to GDPR and its impact on
> RDS. (See above as to re-opening settled issues.)
> /
>
/No relation to RDS, but immense business and liability impact. If
registration is move to registrar with privacy data intact and the
privacy service has no agreement with that registrar, provider loses
control over registration where it still formally is registered name
holder. /
>
> //
>
> 7.2. Please add data processing equivalency language. Also remove the
> reference to the "specification in effect".
>
> /SM comment: Not sure what is being proposed here by Volker. /
>
/Basically, a reference to chatper 5 GDPR without spelling that out,
indicating that for disclosure to happen, requester should evidence or
represent that requester uses similar/equivalent data protection
measures when processing the data, indicating the duration of expected
processing, indicating whom the data would be provided to, etc. Required
due to corresponding responsibility of provider bound by GDPR to ensure
this.
And for the specification in effect thing, we could change it to "any
specification in effect binding upon providers" or similar. Current
wording is too broad.
/
>
> //
>
> Spec 2, Remove Sections 1.2.5, 1.3.1,1.3.2, 1.3.3, 1.3.5 - irrelevant
> for pp services.
>
> /SM comment: True but I assume this is simply the same boilerplate
> definition of Consensus Policies used in other contexts, and wouldn’t
> tinkering with it here raise unnecessary questions about whether
> certain topics are no longer within ICANN’s remit?
> /
>
/I would prefer the agreement to be tailored to the services at hand. It
is long enough as it is./
Best,
Volker
>
> Am 31.08.2018 um 21:09 schrieb Amy Bivins:
>
> Dear Colleagues,
>
> Following up on our discussion yesterday, I checked with the Legal
> team about a couple of items that were discussed.
>
> 1.With respect to the proposed edits to the PPAA that are related
> to data processing (see, e.g. Section 3.5.3 of the contract and
> the new draft Specification 8), provisions on these topics must be
> included in this contract, though these can be edited based on
> your feedback.
>
> If you have suggested edits to these new provisions, please send
> them to the list and we can discuss them on the call next week.
> If, as discussed yesterday, you believe the inclusion of these
> provisions raises more fundamental questions about status, in
> light of the pending ePDP on similar topics, we can also discuss that.
>
> As a reminder, the way the PPAA is drafted, any new ICANN Policy
> that is in conflict with current provisions (GDPR-related or
> otherwise) would supersede any conflicting provisions in this
> contract.
>
> 2.On the overall timeline, and additional deliverables, any
> additional GDPR-related changes will be based on IRT feedback. We
> have a couple of additional discussion topics that we didn’t reach
> last week, which could require additional PPAA changes. We’ll
> discuss these next week:
>
> a.Are the disclosure frameworks intended to give Providers limited
> or no discretion on disclosure if other requirements in the
> framework are met?
>
> b.What should requirements be for a Provider’s logging of
> disclosure requests from third parties?
>
> We are continuing to review the contract for any copy-editing
> related issues, and I expect we will finish with those in the next
> week or so.
>
> I hope this is helpful. Please continue to consider these issues
> and share any feedback you have on-list. We can pick up on these
> issues next week.
>
> Thanks, and have a great weekend!
>
> Amy
>
> *Amy E. Bivins*
>
> Registrar Services and Engagement Senior Manager
>
> Registrar Services and Industry Relations
>
> Internet Corporation for Assigned Names and Numbers (ICANN)
>
> Direct: +1 (202) 249-7551
>
> Fax: +1 (202) 789-0104
>
> Email: amy.bivins at icann.org <mailto:amy.bivins at icann.org>
>
> www.icann.org <http://www.icann.org>
>
>
>
> _______________________________________________
>
> Gdd-gnso-ppsai-impl mailing list
>
> Gdd-gnso-ppsai-impl at icann.org <mailto:Gdd-gnso-ppsai-impl at icann.org>
>
> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
>
> --
> Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
> Mit freundlichen Grüßen,
> Volker A. Greimann
> - Rechtsabteilung -
> Key-Systems GmbH
> Im Oberen Werk 1
> 66386 St. Ingbert
> Tel.: +49 (0) 6894 - 9396 901
> Fax.: +49 (0) 6894 - 9396 851
> Email: vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>
> Web: www.key-systems.net <http://www.key-systems.net> /
> www.RRPproxy.net <http://www.RRPproxy.net>
> www.domaindiscount24.com <http://www.domaindiscount24.com> /
> www.BrandShelter.com <http://www.BrandShelter.com>
> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
> www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>
> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
> Geschäftsführer: Alexander Siffrin
> Handelsregister Nr.: HR B 18835 - Saarbruecken
> Umsatzsteuer ID.: DE211006534
> Member of the KEYDRIVE GROUP
> www.keydrive.lu <http://www.keydrive.lu>
> Der Inhalt dieser Nachricht ist vertraulich und nur für den
> angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe,
> Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist
> unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so
> bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung
> zu setzen.
> --------------------------------------------
> Should you have any further questions, please do not hesitate to
> contact us.
> Best regards,
> Volker A. Greimann
> - legal department -
> Key-Systems GmbH
> Im Oberen Werk 1
> 66386 St. Ingbert
> Tel.: +49 (0) 6894 - 9396 901
> Fax.: +49 (0) 6894 - 9396 851
> Email: vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>
> Web: www.key-systems.net <http://www.key-systems.net> /
> www.RRPproxy.net <http://www.RRPproxy.net>
> www.domaindiscount24.com <http://www.domaindiscount24.com> /
> www.BrandShelter.com <http://www.BrandShelter.com>
> Follow us on Twitter or join our fan community on Facebook and stay
> updated:
> www.facebook.com/KeySystems <http://www.facebook.com/KeySystems>
> www.twitter.com/key_systems <http://www.twitter.com/key_systems>
> CEO: Alexander Siffrin
> Registration No.: HR B 18835 - Saarbruecken
> V.A.T. ID.: DE211006534
> Member of the KEYDRIVE GROUP
> www.keydrive.lu <http://www.keydrive.lu>
> This e-mail and its attachments is intended only for the person to
> whom it is addressed. Furthermore it is not permitted to publish any
> content of this email. You must not use, disclose, copy, print or rely
> on this e-mail. If an addressing or transmission error has misdirected
> this e-mail, kindly notify the author by replying to this e-mail or
> contacting us by telephone.
>
>
> _______________________________________________
> Gdd-gnso-ppsai-impl mailing list
> Gdd-gnso-ppsai-impl at icann.org <mailto:Gdd-gnso-ppsai-impl at icann.org>
> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
>
>
>
> _______________________________________________
> Gdd-gnso-ppsai-impl mailing list
> Gdd-gnso-ppsai-impl at icann.org
> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
--
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann
- Rechtsabteilung -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
www.facebook.com/KeySystems
www.twitter.com/key_systems
Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken
Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann
- legal department -
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann at key-systems.net
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken
V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP
www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20180906/34e606a5/attachment-0001.html>
More information about the Gdd-gnso-ppsai-impl
mailing list