[Gnso-epdp-legal] Updated text: consent and legal/natural persons
Tara Whalen
tjwhalen at gmail.com
Mon Oct 14 14:00:19 UTC 2019
Hello all,
As a follow-up to SSAC's previously-proposed question on legal/natural
persons: we revised our original question in light of the recent memo from
Bird & Bird, to ensure it focused on specific unaddressed issues involving
consent. See full text below. We propose that our new version replace the
old one entirely.
Thanks for your consideration,
Tara Whalen
---
[NEW VERSION]
LEGAL VERSUS NATURAL PERSONS:
Registration data submitted by legal person registrants may contain the
data of natural persons. A Phase 1 memo stated that registrars can rely on
a registrant's self-identification as legal or natural person, especially
if risk is mitigated by taking further steps to ensure the accuracy of the
registrant's designation.
As a follow-up to that memo: what are the consent issues and requirements
related to such designations? Can registrars state that it is the
responsibility of a legal person registrant to obtain consent from any
natural person whose data it submits?
As part of the analysis, please examine the GDPR policies and practices of
the Internet protocol (IP address) registries RIPE NCC (the registry in
Europe, based in the Netherlands) and ARIN (the registry in North America,
which has customer contacts in Europe). These registries publish the data
of natural person contacts who are subject to the GDPR, publicly via their
WHOIS services, by placing the choice and responsibility on their
registrants, who are legal persons. These IP address registries state
mission justifications and collection purposes similar to those in ICANN's
Temporary Specification.
Please see:
1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data
Processing and the RIPE Database”:
https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
2) “How We're Implementing the GDPR: The RIPE Database”:
https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
3) "Personal Data Privacy Considerations At ARIN":
https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/
5) ARIN Registration Services Agreement, paragraph 3:
https://www.arin.net/about/corporate/agreements/rsa.pdf
6) ARIN Privacy Policy: https://www.arin.net/about/privacy/
[OLD VERSION]
LEGAL VERSUS NATURAL PERSONS:
Registration data submitted by legal person registrants may contain the
data of natural persons. For example the contact data they provide may
include a natural person's name and email address. Legal person registrants
also have the ability to publish non-personally identifiable contact data ("
admin at companyname.com") should they desire.
If registrants are required to self-identify as either a natural or legal
person, then:
a. Can registrars rely on that self-identification?
b. Can registrars make the contact data submitted by legal
person registrants publicly available in RDS (WHOIS), by stating that it is
the responsibility of a legal person registrant to obtain consent from any
natural person whose data it submits?
Please state any considerations, such as the ability of the registrant to
correct its data.
As part of the analysis, please examine the policies of the Internet
protocol (IP address) registries RIPE NCC (the registry in Europe, based in
the Netherlands) and ARIN (the registry in North America, which has
customer contacts in Europe). These registries publish the data of natural
persons who are subject to the GDPR, publicly via their WHOIS services, by
placing the choice and responsibility on their registrants, who are legal
persons. IP addresses and domain names are two sides of the same coin, and
these IP address registries state mission justifications and collection
purposes similar to those in ICANN's Temporary Specification. See:
1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data
Processing and the RIPE Database”:
https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
2) “How We're Implementing the GDPR: The RIPE Database”:
https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
3) "Personal Data Privacy Considerations At ARIN":
https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/
5) ARIN Registration Services Agreement, paragraph 3:
https://www.arin.net/about/corporate/agreements/rsa.pdf
6) ARIN Privacy Policy: https://www.arin.net/about/privacy/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20191014/35cc8dbb/attachment.html>
More information about the Gnso-epdp-legal
mailing list