[Gnso-epdp-legal] Question 1: | EPDP-Phase 2A - Legal Sub-team call | Tuesday, 02 February 2021 at 14:00 UTC

Thu Feb 4 00:50:16 UTC 2021

Thanks Laureen, I like how concise the rewrite is. My problem is twofold
however:
1) It still relies on the problematic differentiation of legal vs natural
which in my view does not confer an automatic benefit as the data
designated as legal entity data may still contain in it protected personal
information. We would be better served if we ensure the distinction is made
between what type of data is actually used.
2) By comparing a voluntary disclosure decision by the registrant with a
required differentiation, we are essentially comparing apples and oranges.
One is consent-based, voluntary and free, and the other is forced. That in
itself already leads to the obvious conclusion that both cannot easily be
compared, hence my proposal to allow for a voluntary confirmation of "no
personal data here" here as well.

My suggestion of shifting the disclosure to the SSAD serves two main
purposes:
1) It prevents harvesting and collection of the data and thereby abuse that
would evidently follow full disclosure in the RDS, thereby reducing legal
risks.
2) It strengthens the purpose of the SSAD by ensuring it remains a tool for
all RDS data sets.
3) It provides a potential path to more automation, thereby reducing
response times (and increasing reliability) for requesters and reducing
review times for CPs.

Best,
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for
the person(s) directly addressed. If you are not the intended recipient,
any use, copying, transmission, distribution, or other forms of
dissemination is strictly prohibited. If you have received this email in
error, please notify the sender immediately and permanently delete this
email with any files that may be attached.

On Wed, Feb 3, 2021 at 8:25 PM Kapin, Laureen <LKAPIN at ftc.gov> wrote:

> Thanks to Volker and Hadia and weighing in –
>
>
>
>   This question aims at obtaining a comparative assessment of the legal
> risks associated with granting consent to publish personal information with
> publishing registrant data after engaging in a series of protective steps
> with the registrant to educate and verify the election to identify the data
> as non-personal.  Volker’s proposal seems to introduce a separate policy
> issue for discussion rather than focusing the question more precisely.
>
>
>
>    Here’s my proposed rewrite:
>
>
>
>   Please compare the legal risks for contracted parties associated with
> providing a registrant the opportunity to consent to publication of their
> data with the requirement to identify itself as either an individual or
> organization (legal entity) assuming that the Registrar adopts the
> procedures outlined in Bird & Bird’s January 25, 2019 memo (i.e.,
> notify/explain; confirm; verify; opportunity to correct).
>
>
>
>   On a related note, it would be useful to get data on the amounts of
> fines assessed (if any) under comparable circumstances (disclosure of
> personal data after reasonable steps taken to guide registrant in making an
> election that may result in disclosure).
>
>
>
>   On a separate note, I think Volker’s proposal for automated disclosure
> by the SSAD is creative and warrants further discussion.  Because this
> mechanism would still shield information that is not protected by the GDPR,
> however, I would propose we also discuss a “quarantine” period to hold the
> data for a limited amount of time for verification prior to publication.
> This would reduce the risk of inadvertent disclosures of personal
> information.
>
>
>
> Kind regards,
>
>
>
> Laureen Kapin
>
> Counsel for International Consumer Protection
>
> Federal Trade Commission
>
> (202) 326-3237
>
>
>
> *From:* Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> *On Behalf Of
> *Volker Greimann
> *Sent:* Wednesday, February 3, 2021 12:17 PM
> *To:* Hadia El Miniawi <hadiaminiawi at yahoo.com>
> *Cc:* gnso-epdp-legal at icann.org
> *Subject:* Re: [Gnso-epdp-legal] Question 1: | EPDP-Phase 2A - Legal
> Sub-team call | Tuesday, 02 February 2021 at 14:00 UTC
>
>
>
> Thank you Hadia, for kicking this off.
>
>
>
> Here is my take on the question:
>
>
>
> Recommendation number 6 of EPDP phase one report will require registrars
> to provide the opportunity for the registered name holder to provide
> consent to publish their contact information as well as their email
> addresses in the RDS of the sponsoring registrar by means of a
> yet-to-be-defined process.
> Assuming the CPs were similarly required by ICANN policy to permit
> registered name holders to declare whether their registration data contains
> personal information or is strictly limited to non-personal information,
> along with implementing all the safeguards indicated in the Bird & Bird
> legal memo, such as providing a well-crafted notice in clear and plain
> language explaining the consequences of this declaration such as
> registration data declared as containing only non-personal information
> being subject to automated disclosure to requestors in the SSAD, requiring
> registered name holders to acknowledge the notice and the automated
> disclosure of their registration data in consequence of declaring their
> data as non-personal information, how then would the risk associated with
> the disclosure of the registration data in this case be different from the
> risk posed through the publication of the registration data based on the
> registrant’s consent?
>
>
>
> Rationale:
>
> We need to stop making the false differentiation between the legal nature
> of the registrant and start focussing on the nature of their information,
> hence the shift to personal vs non-personal information.
>
> Further, by shifting the focus from all-out publication to automated
> disclosure in the SSAD, more safeguards are in place against abuse and data
> harvesting.
>
>
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
>
> Key-Systems GmbH is a company registered at the local court of
> Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Oliver Fries and Robert Birkner
>
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> England and Wales with company number 8576358.
>
> This email and any files transmitted are confidential and intended only
> for the person(s) directly addressed. If you are not the intended
> recipient, any use, copying, transmission, distribution, or other forms of
> dissemination is strictly prohibited. If you have received this email in
> error, please notify the sender immediately and permanently delete this
> email with any files that may be attached.
>
>
>
>
>
> On Wed, Feb 3, 2021 at 10:33 AM Hadia El Miniawi <hadiaminiawi at yahoo.com>
> wrote:
>
> Hi All,
>
>
>
> Based on Beck's suggestion yesterday to rephrase the first question please
> find herewith my first attempt
>
>
>
> Recommendation number 6 of EPDP phase one report requires registrars to
> provide the opportunity for the registered name holder to provide consent
> to publish redacted contact information as well as the email addresses in
> the RDS of the sponsoring registrar. If the CPs require registered name
> holders to self-identify themselves as natural or legal persons, along with
> implementing all the safe guards indicated in the Bird & Bird legal memo,
> like providing a well-crafted note in clear and plain language explaining
> the consequences of self-identification and that the registration data of
> legal persons would be made public, requiring registrants to acknowledge
> the note and the publication of their registration data in consequence of
> self-identifying oneself as a legal person. How is the risk associated with
> the publication of the registration data in this case different from the
> risk posed through the publication of the registration data based on the
> registrant’s consent?
>
>
>
>
>
> Best
>
> Hadia
>
>
>
>
>
> On Tuesday, February 2, 2021, 05:31:12 PM GMT+2, Terri Agnew <
> terri.agnew at icann.org> wrote:
>
>
>
>
>
> *D*ear all,
>
>
>
> All recordings for the EPDP-Phase 2A - Legal Sub-team call held on *Tuesday,
> 02 February 2021 at 14:00 UTC *can be found on the agenda wiki page
> <https://community.icann.org/x/zwhACQ>(attendance included) and the GNSO
> Master Calendar <https://gnso.icann.org/en/group-activities/calendar>.
>
>
>
> These include:
>
>    - Attendance (please let me know if your name has been left off the
>    attendance list)
>    - Audio recording
>    - Zoom chat archive
>    - Zoom recording (including audio, visual, rough transcript)
>    - Transcript
>
>
>
> As a reminder only members or alternates replacing members as primary can
> join the call.
>
>
>
> For additional information, you may consult the mailing list archives
> <https://mm.icann.org/pipermail/gnso-epdp-legal/>and the main wiki page
> <https://community.icann.org/x/IYEpBQ>.
>
>
>
> Thank you.
>
> With kind regards,
>
>
>
> Terri
>
>
>
>
>
>
>
> _______________________________________________
> Gnso-epdp-legal mailing list
> Gnso-epdp-legal at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20210204/e3acf66f/attachment-0001.html>