[Gnso-epdp-team] Further Input from the IPC/BC on Small Team #1 and #2 issues - the way forward

Hadia Abdelsalam Mokhtar EL miniawi Hadia at tra.gov.eg
Mon Nov 5 13:52:49 UTC 2018

Hi all,

With regard to the distinction between natural and legal persons I would like to start with some factual points

1.      The GDPR applies to the processing of personal data of natural persons and not to personal data that concerns legal persons; recital 14 says "This regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons".

2.      We are not the ones who decided on this distinction; the GDPR did, and ICANN is not in the business of making laws.

3.      The CPs are concerned because

·         The information of legal persons might  as well be personal information of natural persons. (Which might put the CPs at risk)

·         The registrants might identify themselves incorrectly (Which might put the CPs at risk)

·         They are not sure about the practicality and implementation of this distinction.

To address the concerns of the contracted parties

1.      Some registries are already making this distinction like EURid where the registrar agreement defines personal data as follows

"“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular, by reference or identification number or by one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity". Some other registries have also taken this approach.

Looking at all the red-lines and clean versions provided by all groups with regard to the work of small team 1, we all agree in the recommendations section on having the GDD staff commence research on how ccTLDs and CPs currently make the distinction between natural and legal persons. I assume that the research will not only tackle the implementation or the technological aspect of this but also the legal aspects and the risks associated.

2.      Diane, Thomas and others have suggested to try to get guidance from the DPAs or EC in this regard.

I believe that after we get the results of the above, we might be able to reach consensus on the matter.


From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Thomas Rickert
Sent: Monday, November 05, 2018 1:36 PM
To: Diane Plaut
Cc: Alex Deacon; Gnso-epdp-team; gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Further Input from the IPC/BC on Small Team #1 and #2 issues

Hi Diane,
I am still waiting for a response from the EC. Will let all of you know once there is news to report.

All the best,

On 05.11.2018 at 02:02, Plaut, Diane <Diane.Plaut at corsearch.com> wrote:

Dear Thomas-

Thank you for your thoughtful analysis, as usual. I agree that we have to get further input from other DPAs, and I have told you that I very much want to support and be part of that effort (the meeting you offered to set up). This was a starting point to push this effort forward, and I believe a good starting point because the ICO is recognized as a source of moderate guidance.

Getting DPA guidance is an important and essential effort that we both know needs to happen to allow the EPDP to come up with practical solutions to the legal application of data protection laws, and specifically the GDPR, to answer the charter questions and advance a working DNS system.

Please let me know if you were able to make progress on setting up the meeting in November, as discussed.



On Nov 4, 2018, at 2:59 PM, Thomas Rickert <epdp at gdpr.ninja> wrote:
Hi Diane, all,
Thanks for doing research on this and sharing information from the ICO with the group.

This has sparked off quite some discussion, which is good.

Reading all the e-mails I cannot help feeling that you are talking past each other, at least to a certain extent.

We are trying to answer the question whether a distinction between natural and legal persons should be made.

Some say that the distinction should not be made as there are risks when you make the distinction. If a legal person’s name is PII and if a contracted party then publishes that data, it will be in breach of the GDPR and potentially be at the risk of being fined.

The ICO on the other hand, says that information from the data subject can be trusted. What that means is that the registrar does not have to do validation.

Let’s say I mistype my name - that is nothing the registrar needs to investigate.

But that is different from a sole trader who gives his name and tags it legal person. I do not think the ICO would go as far as saying that the data subject’s potentially inaccurate submission of information would include the legal consequences of being put into the bucket of legal entities. In fact, that could mean that the individual would get its data disclosed and not be able to exercise rights under GDPR.

This is why I think we should try to get guidance from the DPAs or the EC. If they say the parties involved will not be sanctioned if they rely on the self-identification of a customer, that is fine. Absent such clarification, we need to continue the conversation….

I hope this helps.


On 03.11.2018 at 02:28, Plaut, Diane <Diane.Plaut at corsearch.com> wrote:

Dear EPDP Team-

In our efforts to overcome a significant hurdle through our EPDP work – that CPs have expressed they cannot rely on the accuracy of Registrant input and, therefore, are hesitant to distinguish between legal and natural persons or count on country information input by Registrants because if it is not accurate, they are concerned they will be liable for identifying the person incorrectly or determining the applicable law incorrectly. We have discussed in the EPDP the prospect of trying to get input from DPAs to confirm that it is reasonable to count on Registrant input. Thomas Rickert has most recently proposed in Barcelona, setting up a meeting with the EDPB and I have expressed my support and desire to partake in this and the legal effort. In the meanwhile, I think it is beneficial for us to try to do our own research and show DPA insight on this topic. To this end, I provide below, guidance from the ICO on this topic. The IPC/BC wishes to add this to the Small Team #1 and #2 comments in support of our positions on the issues of supporting the distinction of legal and natural persons and applying relevant country laws.
The Accuracy of information provided by data subjects
Article 5(1)(d)/(2) GDPR provides that controllers have an obligation to demonstrate compliance with the requirement that:
Personal data shall be…accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
According to the ICO, this means that controllers must take all reasonable steps to ensure that the personal data they hold is not incorrect or misleading as to any matter of fact. However, the GDPR does not explicitly distinguish between personal data provided by the data subject, provided by a third party or created by the controller – the same obligation applies in each such case.
As to whether it is possible to rely on the data subject for the accuracy of the information, the ICO has confirmed in its guidance that this is possible. In particular, the ICO states that: “In some cases it is reasonable to rely on the individual to tell you when their personal data has changed, such as when they change address or other contact details. It may be sensible to periodically ask individuals to update their own details, but you do not need to take extreme measures to ensure your records are up to date, unless there is a corresponding privacy risk which justifies this.” However, if the controller learns that information is no longer accurate/up to date (either from the data subject or from other information which comes to light), the controller should update its records accordingly.
The ICO also recognizes that it may be impractical to check the accuracy of personal data someone else provides. In such cases, the ICO suggests that controllers must:
·         accurately record the information provided;
·         accurately record the source of the information;
·         take “reasonable steps” in the circumstances to ensure the accuracy of the information; and
·         carefully consider any challenges to the accuracy of the information.
Given that the data subject itself inputs and supplies the data registration information (elements) in issue, there is a strong argument that under the above guidance by the ICO, it is reasonable to rely on the accuracy of this information for purposes of distinguishing between legal and natural persons and for purposes of correct geographical information in relation to applicable law purposes.

Moreover, in addition to and to support the above, the IPC and BC further strongly support the following legal recommendation be added to both Small Team #1 and Small Team #2 input that contractual provisions be added to agreements so that overall accuracy standards are achieved, stating: The above-identified Registrant represents and warrants that the data provided herein is true, complete and accurate. It could even go one step further and expressly say that Registrar is entitled to rely on this data in making legal determinations including, without limitation, those related to GDPR and relevant data protection laws. Nothing in the above limits the application of the ICO guidance from supporting greater accuracy required by all parties.



Diane Plaut
General Counsel and Privacy Officer