[Gnso-epdp-legal] Updated text: consent and legal/natural persons
Caitlin Tubergen
caitlin.tubergen at icann.org
Mon Oct 14 14:50:28 UTC 2019
Hi Tara,
Thank you for the updated question.
EPDP Support Staff has updated the Priority 2 – Legal vs. Natural worksheet to include the updated question.
We would propose reviewing this updated question in conjunction with the other proposed legal questions in relation to the legal vs. natural issue. The Legal Committee is scheduled to begin the review of Priority 2 questions once it has completed review of Priority 1 questions.
Thank you.
Best regards,
Marika, Berry, and Caitlin
From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> on behalf of Tara Whalen <tjwhalen at gmail.com>
Date: Monday, October 14, 2019 at 7:01 AM
To: "gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
Subject: [Gnso-epdp-legal] Updated text: consent and legal/natural persons
Hello all,
As a follow-up to SSAC's previously-proposed question on legal/natural persons: we revised our original question in light of the recent memo from Bird & Bird, to ensure it focused on specific unaddressed issues involving consent. See full text below. We propose that our new version replace the old one entirely.
Thanks for your consideration,
Tara Whalen
---
[NEW VERSION]
LEGAL VERSUS NATURAL PERSONS:
Registration data submitted by legal person registrants may contain the data of natural persons. A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person, especially if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation.
As a follow-up to that memo: what are the consent issues and requirements related to such designations? Can registrars state that it is the responsibility of a legal person registrant to obtain consent from any natural person whose data it submits?
As part of the analysis, please examine the GDPR policies and practices of the Internet protocol (IP address) registries RIPE NCC (the registry in Europe, based in the Netherlands) and ARIN (the registry in North America, which has customer contacts in Europe). These registries publish the data of natural person contacts who are subject to the GDPR, publicly via their WHOIS services, by placing the choice and responsibility on their registrants, who are legal persons. These IP address registries state mission justifications and collection purposes similar to those in ICANN's Temporary Specification.
Please see:
1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:
https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database [labs.ripe.net]
2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net]
3) "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net]
4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net]
5) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]
6) ARIN Privacy Policy: https://www.arin.net/about/privacy/ [arin.net]
[OLD VERSION]
LEGAL VERSUS NATURAL PERSONS:
Registration data submitted by legal person registrants may contain the data of natural persons. For example the contact data they provide may include a natural person's name and email address. Legal person registrants also have the ability to publish non-personally identifiable contact data ("admin at companyname.com") should they desire.
If registrants are required to self-identify as either a natural or legal person, then:
a. Can registrars rely on that self-identification?
b. Can registrars make the contact data submitted by legal person registrants publicly available in RDS (WHOIS), by stating that it is the responsibility of a legal person registrant to obtain consent from any natural person whose data it submits?
Please state any considerations, such as the ability of the registrant to correct its data.
As part of the analysis, please examine the policies of the Internet protocol (IP address) registries RIPE NCC (the registry in Europe, based in the Netherlands) and ARIN (the registry in North America, which has customer contacts in Europe). These registries publish the data of natural persons who are subject to the GDPR, publicly via their WHOIS services, by placing the choice and responsibility on their registrants, who are legal persons. IP addresses and domain names are two sides of the same coin, and these IP address registries state mission justifications and collection purposes similar to those in ICANN's Temporary Specification. See:
1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:
https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database [labs.ripe.net]
2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net]
3) "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net]
4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net]
5) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]
6) ARIN Privacy Policy: https://www.arin.net/about/privacy/ [arin.net]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20191014/7291fef6/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20191014/7291fef6/smime-0001.p7s>
More information about the Gnso-epdp-legal
mailing list