[Gnso-epdp-team] Legal vs Natural and Redactions
stephanie.perrin at mail.utoronto.ca
Thu Nov 15 00:33:27 UTC 2018
Excellent question Brian! My first suggestion on improved language would be that these questions (h3-5) are not in the right order. As we have demonstrated during our discussions, we have different interpretations of what h4 means. My interpretation is not, "does the GDPR regulate the data of legal persons?" It is, "does a legal basis exist in the registration data currently collected globally to satisfy current RDS contractual obligations?" (because we really do not have a valid RDS policy). Legal basis means in this situation, how can we know whether data submitted by a registrant pertains to a legal or natural person? The short answer is we can't, so we do not in fact have a legal basis to make the determination. So h4 = no. H3 would then logically follow, and the short answer to that one is No. H3 is a messy question combining two very separate ideas....should registrars be forced to determine, reliably as required by the privacy protections in the GDPR for natural persons, which is one question.....and then the second part of the question (which by the way assumes a negative answer to the first, in my view....) What mechanism would need to be established in order to reliably determine whether registrant data entered pertains to a legal person, or an individual, and if the latter, what consent or other mechanism needs to be implemented in order to mitigate risk? So in my view Benedict has provided a proposal as to how to answer that last half of h3, but in my view the answer to the first half is no. So out of scope.
Now turning to h5, which arguably should come before the second half of h3 because it seeks to enumerate the risks that the mechanism defined in the latter half of h3 must address (i.e. let's hear the risks before we elaborate the cure). Now, in my view there are several risks, which I have brought up from time to time, also pointing out the fulsome discussion we had on this topic in the PPSAI working group.
I can enumerate those risks again if you like, but I think the answer to the first two questions is no so the elaboration of a new policy and new mechanism should be left to whenever we get the temp spec ratified or altered. We are, as Cherine Chalaby points out in his letter to Drazek, running out of time......
On 2018-11-14 17:58, King, Brian wrote:
I can clarify that this is in scope as we’re answering these charter questions:
h3) Should Contracted Parties be allowed or required to treat legal and natural persons differently, and what mechanism is needed to ensure reliable determination of status?
h4) Is there a legal basis for Contracted Parties to treat legal and natural persons differently?
h5) What are the risks associated with differentiation of registrant status as legal or natural persons across multiple jurisdictions? (See EDPB letter of 5 July 2018).
I would appreciate any suggestions you might have on ways to improve the proposed language?
Per Diane’s note, IPC supports as we think it is a reasonable approach that could garner consensus.
Brian J. King
Director of Internet Policy & Industry Affairs
MarkMonitor / Part of Clarivate Analytics
Phone: +1 (443) 761-3726
brian.king at markmonitor.com
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Stephanie Perrin
Sent: Wednesday, November 14, 2018 5:48 PM
To: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Legal vs Natural and Redactions
Given that Cherine Chalaby has just written to Keith Drazek (GNSO Council Chair) to express worry over whether we are going to finish this thing on time, perhaps we ought to stick to what is within scope. It is not clear to me how a new policy requiring that a distinction be made between legal and natural persons is within scope.
Further to this general remark, I do not see any way a registrar or registry can evade responsibility for "accidentally" collecting personal information. Consent has to be meaningful and informed. On accuracy....read the RDS Review Team II report which is doubling down on accuracy. I would certainly not sign on to this one, if I were a registrar.
It's a good try though!
On 2018-11-14 16:06, Benedict Addis wrote:
Dear Alan, Hadia,
I’ve discussed this with SSAC colleagues, and propose the following compromise:
1. Introduction of policy requiring registrant to make a legal / natural person declaration.
2. Declaration would be mandatory for registrars to implement within a reasonable time.
3. No obligation for registrars to verify accuracy of declaration.
4. A declaration would only be required during 'contact' with registrant, i.e. on registration, renewal, and transfer (by gaining registrar).
5. Registrar may make declaration on behalf of registrant if it has reasonable knowledge of registrant’s status.
6. Registrant may change their declaration at any time.
7. Fail safe: the absence of a declaration results in assumption that the registrant is a natural person; i.e. default redaction of data.
8. No obligation to obtain retroactive declarations. (The average domain lifespan is 1.4 years so adoption will happen naturally.)
9. "edge case" legal persons - for example those trading from home (like me!) or in certain protected categories (as suggested by Stephanie) - may additionally declare that the registration data contained personal or sensitive information, so that it may be redacted.
10. False declarations will be subject to the normal whois inaccuracy complaint process.
If the team thinks this proposal has merit, there may be an opportunity to run it past the EDPB for approval. Your thoughts welcome!
On 14 Nov 2018, at 18:11, Alan Woods <alan at donuts.email> wrote:
Thank you, Hadia and Alan for your statements. As the Ry reps (supported by the registrars) have already explained, we believe the mandatory policy is unsuitable, noting our assessment as to the reasons grounding that position. I believe it would be beneficial to the team if the ALAC could similarly provide us with your grounding reasoning as to why you believe such a mandatory policy is appropriate, given the risks we have already noted to both the Data Subject AND the CPs, both of whom will be impacted to the greatest extent by such a recommendation.
To leadership Team:
I think at this point, given the relatively small time remaining in this process, that we need to set clear expectations for the provision of any such SO/AC/SG/C 'recommendations'. At a minimum we should be insisting that SO/AC/SG/Cs who wish to make any recommendations must also provide their assessment/reasoning for such a conclusion, capable of grounding any such recommendation; more so specifically in cases such as this, where such views are at complete odds with strongly stated concerns and reservations of another SO/AC/SG/C already on record, of which they are reasonably aware at the time of submission.
Using this recommendation as an example, and my apologies, this is not aimed specifically at ALAC, but it is the example to hand. I’m fully sure that Hadia and Alan have not come to this conclusion lightly.
That being said, if I may illustrate the point however by highlighting why grounding reasons are so vital in this particular recommendation. In my consideration of the proposal I would pose the following questions which immediately spring to mind.
* is minimum mandatory policy considered suitable, given the concerns raised? What factors were considered that seem to outweigh such concerns?
* the representations on record as to the inability to implement a mandatory policy, how is the recommendation made compatible with Art 25 of the GDPR?
* that representations on record as to concerns regarding the security of personal data, should a mandatory policy be implemented?
* the very least, any such recommendation must be accompanied by an assessment under Art 32?
· 32 (2) requires an assessment as to security and the preventive methods against breaches be undertaken. The ePDP recommendation must ultimately also include such an assessment, therefore for clarity, any party who makes such a recommendation should also provide a grounding assessment as to such a recommendation.
· This assessment must take into account matters such as risk of breach, with due deference to the helpful headings as provided by Art 32 (1). It must also provide acceptable answers or at least provide reasons for dismissing the concerns raised.
· Given the strongly stated concerns the CPs have raised regarding the likelihood of a higher risk of breach of data, were a mandatory policy to be imposed, it is incumbent on those suggesting to disregard such a concern to provide their reasoning for such a decision.
I appreciate we all have viewpoints (strong ones) on this, but without providing a reasoned supported argument for a certain recommendation to the group, we cannot possibly fairly assess such a recommendation. I must therefore urge and request leadership to be insistent going forward, that any such recommendations made by any SO/AC/SG/C (Registries included of course) MUST be accompanied by a full statement of the reasons grounding the recommendation, including, as we are talking about data subject rights, an assessment as to the impact the proposed policy recommendation may have on the privacy rights of the individual, or indeed on the ability of the CPs to implement.
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org