[Gnso-epdp-legal] Updated text: consent and legal/natural persons

Mon Oct 14 14:36:24 UTC 2019

Before asking any further questions on this topic we should - in 
accordance with the Phase 1 Rec 17 - wait for the study by ICANN Org to 
be completed as this study would likely duplicate some, if not most of 
the work to be done to answer the proposed question below. This study 
was clearly outlines as a pre-requesite of any further work on this 
topic and until that time, part 1 of the phase 1 rec should a be 
sufficient solution for this issue.

I therefore propose that this question be tabled until after the 
completion of the study and then re-visited  to see if the study leaves 
any open questions.

Best,

Volker Greimann

Am 14.10.2019 um 16:00 schrieb Tara Whalen:
>
> Hello all,
>
>
> As a follow-up to SSAC's previously-proposed question on legal/natural 
> persons: we revised our original question in light of the recent memo 
> from Bird & Bird, to ensure it focused on specific unaddressed issues 
> involving consent. See full text below. We propose that our new 
> version replace the old one entirely.
>
>
> Thanks for your consideration,
>
> Tara Whalen
>
> ---
>
> [NEW VERSION]
>
> LEGAL VERSUS NATURAL PERSONS:
>
> Registration data submitted by legal person registrants may contain 
> the data of natural persons.  A Phase 1 memo stated that registrars 
> can rely on a registrant's self-identification as legal or natural 
> person, especially if risk is mitigated by taking further steps to 
> ensure the accuracy of the registrant's designation.
>
> As a follow-up to that memo: what are the consent issues and 
> requirements related to such designations? Can registrars state that 
> it is the responsibility of a legal person registrant to obtain 
> consent from any natural person whose data it submits?
>
> As part of the analysis, please examine the GDPR policies and 
> practices of the Internet protocol (IP address) registries RIPE NCC 
> (the registry in Europe, based in the Netherlands) and ARIN (the 
> registry in North America, which has customer contacts in Europe).  
> These registries publish the data of natural person contacts who are 
> subject to the GDPR, publicly via their WHOIS services, by placing the 
> choice and responsibility on their registrants, who are legal 
> persons.  These IP address registries state mission justifications and 
> collection purposes similar to those in ICANN's Temporary Specification.
>
> Please see:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal 
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
>
> 2)  “How We're Implementing the GDPR: The RIPE Database”: 
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
>
> 3) "Personal Data Privacy Considerations At ARIN": 
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
>
> 4) ARIN "Data Accuracy": 
> https://www.arin.net/reference/materials/accuracy/
>
> 5) ARIN Registration Services Agreement, paragraph 3: 
> https://www.arin.net/about/corporate/agreements/rsa.pdf
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/
>
> [OLD VERSION]
>
> LEGAL VERSUS NATURAL PERSONS:
>
> Registration data submitted by legal person registrants may contain 
> the data of natural persons.  For example the contact data they 
> provide may include a natural person's name and email address. Legal 
> person registrants also have the ability to publish non-personally 
> identifiable contact data ("admin at companyname.com 
> <mailto:admin at companyname.com>") should they desire.
>
> If registrants are required to self-identify as either a natural or 
> legal person, then:
>
> a.            Can registrars rely on that self-identification?
>
> b.            Can registrars make the contact data submitted by legal 
> person registrants publicly available in RDS (WHOIS), by stating that 
> it is the responsibility of a legal person registrant to obtain 
> consent from any natural person whose data it submits?
>
> Please state any considerations, such as the ability of the registrant 
> to correct its data.
>
> As part of the analysis, please examine the policies of the Internet 
> protocol (IP address) registries RIPE NCC (the registry in Europe, 
> based in the Netherlands) and ARIN (the registry in North America, 
> which has customer contacts in Europe).  These registries publish the 
> data of natural persons who are subject to the GDPR, publicly via 
> their WHOIS services, by placing the choice and responsibility on 
> their registrants, who are legal persons.  IP addresses and domain 
> names are two sides of the same coin, and these IP address registries 
> state mission justifications and collection purposes similar to those 
> in ICANN's Temporary Specification. See:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal 
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
>
> 2)  “How We're Implementing the GDPR: The RIPE Database”: 
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
>
> 3) "Personal Data Privacy Considerations At ARIN": 
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
>
> 4) ARIN "Data Accuracy": 
> https://www.arin.net/reference/materials/accuracy/
>
> 5) ARIN Registration Services Agreement, paragraph 3: 
> https://www.arin.net/about/corporate/agreements/rsa.pdf
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/
>
>
> _______________________________________________
> Gnso-epdp-legal mailing list
> Gnso-epdp-legal at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20191014/1c1b4da0/attachment-0001.html>