[Gnso-epdp-team] ICANN Org Response to question re. Organization field

Mueller, Milton L milton at gatech.edu
Tue Nov 20 13:54:36 UTC 2018

I have to agree with Ayden that the answer to the first part of this question isn’t correct. The EDPB has shown concern about situations in which one-person organizations would reveal the identity of a natural person. We understand fully that legal person data doesn’t normally raise any privacy concerns. That’s not what we were asking about. We were trying to address the specific case of one person orgs.

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Marika Konings
Sent: Monday, November 19, 2018 8:38 PM
To: gnso-epdp-team at icann.org
Subject: [Gnso-epdp-team] ICANN Org Response to question re. Organization field

Dear EPDP Team,

Hereby the ICANN Org response to the following question:

Question: 1.) Has ICANN given any thought to scenarios where the „Organization“ field might contain personal information? 2.) As the Organization field shall be populated on an optional basis, has ICANN given any thought to a consent requirement or, where another legal basis than Art. 6 I a GDPR was considered, what legal basis shall be applicable based on what rationale?

Response:  The organization field, which is an optional field, was one of the topics of discussion among the community during the development of the Cookbook. See sections 5.4 and 5.5 of the Cookbook<https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf>.

Additionally, the 5 July 2018 letter<https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf> from the European Data Protection Board states: “The GDPR does not apply to the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.” Recital 14 of the GDPR states: “This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.”

Registrars have always been obligated to inform and obtain consent from the registrants regarding what data elements are collected, what data elements are  published, what data elements are optional, and the intended uses and recipients of the data. (See for example Section II.J.7.b<https://www.icann.org/resources/unthemed-pages/raa-1999-11-10-en#IIJ7b> in the 1999 RAA and Section<https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#> of the 2013 RAA.)

The Temporary Specification relies on 6(1)(f) as the legal basis for the mandatory publication of certain fields, including registrant organization. As noted in our original response, the registrant organization field refers to a legal person and not a natural person. The registrant may give consent for publication of additional fields, for example, the registrant name field.

In considering the applicability of the possible legal bases and after consultations with the community, it was determined that 6(1)(f) was the most appropriate legal basis to support the stated goal of complying with the GDPR while maintaining the existing WHOIS to the greatest extent possible.

This response will get added to the Q&A section on the wiki: https://community.icann.org/x/ahppBQ.

Best regards,

Caitlin, Berry and Marika

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_gnso&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=Cg5uQf0yAfw-qlFZ0WNBfsLmmtBNUiH0SuI6Vg-gXBQ&e=> and visiting the GNSO Newcomer pages<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gnso.icann.org_files_gnso_presentations_policy-2Defforts.htm-23newcomers&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=tT-E2RoAucUb3pfL9zmlbRdq1sytaEf765KOEkBVCjk&e=>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181120/f2251ac6/attachment-0001.html>

More information about the Gnso-epdp-team mailing list