[Gnso-epdp-legal] Proposed Agenda - Legal Committee Meeting #13 - Tuesday, 7 Jan 2020 15:00 UTC

Tara Whalen tjwhalen at gmail.com
Mon Jan 6 21:12:53 UTC 2020


Happy New Year!
Here is my re-drafted question for discussion tomorrow, re: legal/natural
persons. As requested, I reviewed the Technical Contact memo but did not
conclude that it led to any significant changes in the specific question
below; the memo spoke to the question of whether consent must be obtained
from the technical contact, versus providing notice. This new question is
about the methods/responsibilities of obtaining said consent and
demonstrating that it has been obtained (using a real-world use case to
illustrate a possible solution).
Apart from that task, the question was shortened and elements were
highlighted from supplementary materials. We can discuss tomorrow whether
the "if time permits" element (at the end) needs to be retained.

**Revised question**

Registration data submitted by legal person registrants may contain the
data of natural persons.  A Phase 1 memo stated that registrars can rely on
a registrant's self-identification as legal or natural person if risk is
mitigated by taking further steps to ensure the accuracy of the
registrant's designation.



As a follow-up to that memo: what are the consent options and requirements
related to such designations?  Specifically: can data controllers state
that it is the responsibility of a legal person registrant to obtain
consent from any natural person who will act as a contact, and whose data
may be displayed publicly in RDS?



As part of your analysis, please consult the GDPR policies and practices of
the Internet protocol (IP address) registry RIPE-NCC (the registry for
Europe, based in the Netherlands).  RIPE-NCC’s customers (registrants) are
legal persons, usually corporations.  Natural persons can serve as their
contacts, resulting in the data of natural persons being displayed publicly
in WHOIS.  RIPE-NCC places the responsibility on its legal-person
registrants to obtain permission from those natural persons, and provides
procedures and safeguards for that.  RIPE-NCC states mission justifications
and data collection purposes similar to those in ICANN's Temporary
Specification.  Could similar policies and procedures be used at ICANN?



Please see these specific references:

1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data
Processing and the RIPE Database”:

https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database


2)  “How We're Implementing the GDPR: The RIPE Database”:
https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database



If time permits, also see the policies of ARIN, the IP address registry for
North America.  ARIN has some customers located in the EU.  ARIN also
publishes the data of natural persons in its WHOIS output.  ARIN’s
customers are natural persons, who submit the data of natural person
contacts.

3) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/

4) ARIN Registration Services Agreement, paragraph 3:
https://www.arin.net/about/corporate/agreements/rsa.pdf

"Personal Data Privacy Considerations At ARIN":
https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
especially the first two paragraphs

 --------



>
> 2. Tara to rephrase the SSAC Legal v. Natural question to rephrase the
> issue regarding transferring consent. Tara to review the Technical
> Contact memo from Phase 1
> <https://community.icann.org/pages/viewpage.action?pageId=105386422>.
> Additionally, Tara to refer to specific excerpts of guidance from the cited
> sources.
>
> Previously-worded question:
>
>
>
> Registration data submitted by legal person registrants may contain the
> data of natural persons.  A Phase 1 memo stated that registrars can rely on
> a registrant's self-identification as legal or natural person, especially
> if risk is mitigated by taking further steps to ensure the accuracy of the
> registrant's designation.
>
>
>
> As a follow-up to that memo: what are the consent issues and requirements
> related to such designations?  Can registrars state that it is the
> responsibility of a legal person registrant to obtain consent from any
> natural person whose data it submits?
>
>
>
> As part of the analysis, please examine the GDPR policies and practices of
> the Internet protocol (IP address) registries RIPE NCC (the registry in
> Europe, based in the Netherlands) and ARIN (the registry in North America,
> which has customer contacts in Europe).  These registries publish the data
> of natural person contacts who are subject to the GDPR, publicly via their
> WHOIS services, by placing the choice and responsibility on their
> registrants, who are legal persons.  These IP address registries state
> mission justifications and collection purposes similar to those in ICANN's
> Temporary Specification.
>
>
>
> Please see:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
>
> 2)  “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
>
> 3) "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
>
> 4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/
>
> 5) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/
>