[Gnso-epdp-team] Purpose C

Marika Konings marika.konings at icann.org
Mon Oct 15 12:52:12 UTC 2018 

As you further deliberate on this topic, here is the EDPB advice from the 5 July letter in this regard:

“The EDPB considers that registrants should in principle not be required to provide personal data directly identifying individual employees (or third parties) fulfilling the administrative or technical functions on behalf of the registrant. Instead, registrants should be provided with the option of providing contact details for persons other than themselves if they wish to delegate these functions and facilitate direct communication with the persons concerned. It should therefore be made clear, as part of the registration process, that the registrant is free to (1) designate the same person as the registrant (or its representative) as the administrative or technical contact; or (2) provide contact information which does not directly identify the administrative or technical contact person concerned (e.g. For the avoidance of doubt, the EDPB recommends explicitly clarifying this within future updates of the Temporary Specification[1]”.

As such, staff had translated this into the following preliminary recommendation in the draft Initial Report pending finalization of the deliberations on this topic:

In addition, the EPDP Team recommends that the following data elements may, but are not required, to be provided by the registered name holder. Furthermore, per the EDPB advice, registrars are to advise the registered name holder at the time of registration that the registered name holder is free to (1) designate the same person as the registrant (or its representative) as the administrative or technical contact; or (2) provide contact information which does not directly identify the administrative or technical contact person concerned. [In which case registrars must ensure that the necessary consent is obtained from an administrative or technical contact person, in the case this is not the registered name holder with whom the registrar has a direct contractual relationship].

Best regards,

Caitlin, Berry and Marika

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Ayden Férdeline <icann at ferdeline.com>
Reply-To: Ayden Férdeline <icann at ferdeline.com>
Date: Monday, October 15, 2018 at 2:53 AM
To: Alan Greenberg <alan.greenberg at mcgill.ca>
Cc: EPDP <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] Purpose C

I have concerns regarding this purpose.

The provision of admin and tech contact data is not necessary in order to perform the registration of a domain name.

So, I disagree that these fields “should be mandatory with instructions to the registrants on options for filling them out as implied in the EDPB letter of 05 July 2018.” I did not read the EDPB letter as insinuating that.

Under item 9, it now says, “2) If the fields are not filled in, either they need to default to the Registrant Contact information or we need an access process that defaults back to the registrant’s info when there are admin/tech requests. In either case, the registrant should be clearly informed.”

If I am understanding this correctly, I do not agree that the admin and tech contact fields should be pre-filled with registrant contact data. This is inconsistent with the principles of data minimisation enshrined within the GDPR, as the ICANN v EPAG Domainservices case has shown, and which is cited in the 5 July 2018 EDPB letter referenced below.

I note that within the current scope of their contracts, registrars must be able to contact their customers, so if the goal of this purpose is to “enable communication or notification to the Registered Name Holder … of technical and/or administrative issues with a Registered Name,” this should be possible without a third party having direct access to their personal data. This could be fulfilled by way of a contact form or message relay system, for instance.

I am increasingly skeptical that there is a need to release personal information directly to third parties (though in certain circumstances this might be necessary). I ordered an Uber last week, and when I called the driver, the Uber app masked my number and theirs, and now connected the call through some kind of relay system (like eBay uses for emails between buyer and seller) to prevent the disclosure of our phone numbers and to protect both of our privacy rights.

If this technology is being deployed by others, perhaps we can avail of it too.

Kind regards,

Ayden Férdeline



On 15 Oct 2018, at 04:50, Alan Greenberg <alan.greenberg at mcgill.ca<mailto:alan.greenberg at mcgill.ca>> wrote:

I have updated Purpose C and a copy is attached.

1. I deleted the various "stream of consciousness dialogue" and tried
to just leave in the final conclusions.

2. Under item 9, I further discussed the issue of whether the
administrative and technical contact fields are in fact optional (and
must either default to the registrant contact information, or have
that registrant contact information delivered in lieu of the blank
fields when data is made available as later agreed during access
discussions) or whether it should be mandatory with instructions to
the registrants on options for filling them out as implied in the
EDPB letter of 05 July 2018.

Alan_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team<Purpose C - Data_Elements_Processing_Workbook_v0.4.5-ag.docx>


________________________________

[1] See https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181015/f69d6766/attachment.html>

More information about the Gnso-epdp-team mailing list