[Gnso-epdp-team] CENTR Survey: Whois status and impacts from GDPR
Volker Greimann
vgreimann at key-systems.net
Tue Oct 16 13:17:51 UTC 2018
Hi all,
ccTLDs and gTLDs cannot be viewed as the same as they are subject to
different regulatory regimes and fall under different models of
registration.
For example, in many of the listed ccTLDs, the registrant is assumed to
have a direct contractual relationship with the registry, so the ability
to collect and process data is different for such registries compared to
gTLD registries that have no such relationship.
While the topics you raise are important and worth further deliberation,
I would propose that these be postponed until after the ePDP concludes
and be included in subsequent, proper policy work as they are highly
contentious issues and focussing on these now has the potential to
derail or at least significantly delay our output. As we are on a strict
timeline, we should focus on the uncontentious issues first to ensure
the Temp Spec can be replaced in time.
The distinction between legal and natural personas is a red herring as
it does not solve any of the issues. Any data provided by legal persons
may still contain personal data of natural persons in many of the fields
that would be near impossible to detect for contracted parties.
Further, even if such a distinction were to be found to provide
additional benefits, making such a distinction may perhaps be possible
for new registrations going forward, but it is definitely near
impossible with regard to already existing registrations as it would
require receiving a whois update from all current registrants. Given the
high amount of reluctance in parts of the community to accept any form
of grandfathering or dual system as I have experienced in the Whois RT2
deliberations, such a dual system where domain names would be treated
different based on their registration gate, I cannot in good conscience
support this as a way forward either.
But I also have significant doubts that contracted parties could even
rely on such self-declarations of our customers without facing
additional liabilities for public disclosure.
As far as accuracy "verification" goes (which in many cases is closer to
the validation requirements currently included in the RAA), this is an
issue relegated entirely to the contracts of the contracted parties.
Work on this issue is currently ongoing between ICANN and registrars.
Opening this issue up here would create a double track and be in
violation of the process currently included in the contracts. Many of
the ccTLDs also do not face the same issue that most gTLDs face in that
they do not aspire to a global registrant base and can perform their
validation/verification on a national level, which naturally reduces
costs and provides better results. As soon as international
registrations enter into the picture, the accuracy of these verification
sources drops to unacceptable percentages. As one example, when Nominet
introduced their verification scheme, the numbers of "failed
verifications" for registrations of registrants outside the UK were
horrendous, and Nominet was quick to treat such registrations with much
more leeway than those inside the UK.
Additionally, in our experience higher requirements on data accuracy
usually lead to more incidents of identity theft since abusers of the
system will always find ways around. Just because a data set is accurate
that does not mean it actually belongs to the registrant.
Geographic distinction assumes that it is feasible for contracted
parties to differentiate accurately for each data set they receive which
data protection standards apply to that set. That determination cannot
simply be made based on the country code provided by the registrant
however. Further, for many registrars that process their data in other
jurisdictions, that distinction is pointless. It also places a
significant burden on contracted parties that would have to implement
and operate multiple systems of whois.
Data access: Just so we do not resort to cherry picking, we should also
look at how these registries handle requests for data access. These
registries provide access based on law enforcement, parties identified
in a court order and someone with legitimate interest. In case of the
latter, the legal department makes the judgement on that. This is
exactly what is already in the Temp Spec, where the registrar makes the
judgement regarding the purported legitimate interest and informs the
requester accordingly.
Best,
Volker
RrSG Alternate
Am 16.10.2018 um 00:29 schrieb Margie Milam:
>
> Hi-
>
> Thanks Georgios for sharing this document. This is really great
> information, and can help with several issues for the EPDP, including:
>
> * Legal/Natural person distinction
> * Geographic distinction
> * Accuracy
> *
>
> We would like to propose that Staff invite someone from Centr who can
> talk to us at Barcelona about these issues, to help inform our policy
> recommendations. We would also like to ensure that all of the issues
> that were “parked” at our F2F meeting are considered as part of our
> deliberations in Barcelona.
>
> Thanks,
>
> Margie
>
> *From: *Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of
> "Georgios.TSELENTIS at ec.europa.eu" <Georgios.TSELENTIS at ec.europa.eu>
> *Date: *Friday, October 12, 2018 at 1:33 AM
> *To: *"kurt at kjpritz.com" <kurt at kjpritz.com>,
> "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
> *Subject: *[Gnso-epdp-team] CENTR Survey: Whois status and impacts
> from GDPR
>
> Dear Kurt, EPDP colleagues,
>
> Please find a recent survey among European ccTLDs on impacts from GDPR:
>
> The survey report can be found here:
> https://centr.org/library/library/survey-report/centr-report-whois-status-and-impacts-from-gdpr.html
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__centr.org_library_library_survey-2Dreport_centr-2Dreport-2Dwhois-2Dstatus-2Dand-2Dimpacts-2Dfrom-2Dgdpr.html&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=T4R_SFZkRFdOpZ15H9XgTW4ZlbBvQTBqJgwmkYtvT3E&e=>
>
>
> The presentation has been uploaded at:
> https://centr.org/library/library/external-event/whois-status-and-the-impact-of-gdpr.html
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__centr.org_library_library_external-2Devent_whois-2Dstatus-2Dand-2Dthe-2Dimpact-2Dof-2Dgdpr.html&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=Ul6EQT0lYlA4EMiD0i0hCdqJvk2hj0enVaKnc05XP2w&e=>
>
>
> The overview of data collected and published via the WHOIS is
> available at: https://stats.centr.org/pub_whois
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__stats.centr.org_pub-5Fwhois&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=GgicT8PChIKhcba_NAzGpxR4ZU1EINwS6_vooi-iNBk&e=>
>
> Best regards,
>
> Georgios
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901
F: +49 6894 9396851
W:www.key-systems.net
Key-systems is a company registered in Germany with Registration No.: HR B 18835 - Saarbruecken: CEO: Alexander Siffrin
Registered Offices: Im Oberen Werk 1, DE-66386 St. Ingbert, Germany
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Registered Offices: 35-39 Moorgate, London, EC2R 6AR.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181016/6050167f/attachment-0001.html>
More information about the Gnso-epdp-team
mailing list