[Gnso-epdp-team] CENTR Survey: Whois status and impacts from GDPR

Tue Oct 16 13:17:51 UTC 2018

Hi all,

ccTLDs and gTLDs cannot be viewed as the same as they are subject to 
different regulatory regimes and fall under different models of 
registration.

For example, in many of the listed ccTLDs, the registrant is assumed to 
have a direct contractual relationship with the registry, so the ability 
to collect and process data is different for such registries compared to 
gTLD registries that have no such relationship.

While the topics you raise are important and worth further deliberation, 
I would propose that these be postponed until after the ePDP concludes 
and be included in subsequent, proper policy work as they are highly 
contentious issues and focussing on these now has the potential to 
derail or at least significantly delay our output. As we are on a strict 
timeline, we should focus on the uncontentious issues first to ensure 
the Temp Spec can be replaced in time.

The distinction between legal and natural personas is a red herring as 
it does not solve any of the issues. Any data provided by legal persons 
may still contain personal data of natural persons in many of the fields 
that would be near impossible to detect for contracted parties.

Further, even if such a distinction were to be found to provide 
additional benefits,  making such a distinction may perhaps be possible 
for new registrations going forward, but it is definitely near 
impossible with regard to already existing registrations as it would 
require receiving a whois update from all current registrants. Given the 
high amount of reluctance in parts of the community to accept any form 
of grandfathering or dual system as I have experienced in the Whois RT2 
deliberations, such a dual system where domain names would be treated 
different based on their registration gate, I cannot in good conscience 
support this as a way forward either.

But I also have significant doubts that contracted parties could even 
rely on such self-declarations of our customers without facing 
additional liabilities for public disclosure.

As far as accuracy "verification" goes (which in many cases is closer to 
the validation requirements currently included in the RAA), this is an 
issue relegated entirely to the contracts of the contracted parties. 
Work on this issue is currently ongoing between ICANN and registrars. 
Opening this issue up here would create a double track and be in 
violation of the process currently included in the contracts. Many of 
the ccTLDs also do not face the same issue that most gTLDs face in that 
they do not aspire to a global registrant base and can perform their 
validation/verification on a national level, which naturally reduces 
costs and provides better results. As soon as international 
registrations enter into the picture, the accuracy of these verification 
sources drops to unacceptable percentages. As one example, when Nominet 
introduced their verification scheme, the numbers of "failed 
verifications" for registrations of registrants outside the UK were 
horrendous, and Nominet was quick to treat such registrations with much 
more leeway than those inside the UK.

Additionally, in our experience higher requirements on data accuracy 
usually lead to more incidents of identity theft since abusers of the 
system will always find ways around. Just because a data set is accurate 
that does not mean it actually belongs to the registrant.

Geographic distinction assumes that it is feasible for contracted 
parties to differentiate accurately for each data set they receive which 
data protection standards apply to that set. That determination cannot 
simply be made based on the country code provided by the registrant 
however. Further, for many registrars that process their data in other 
jurisdictions, that distinction is pointless. It also places a 
significant burden on contracted parties that would have to implement 
and operate multiple systems of whois.

Data access: Just so we do not resort to cherry picking, we should also 
look at how these registries handle requests for data access. These 
registries provide access based on law enforcement, parties identified 
in a court order and someone with legitimate interest. In case of the 
latter, the legal department makes the judgement on that. This is 
exactly what is already in the Temp Spec, where the registrar makes the 
judgement regarding the purported legitimate interest and informs the 
requester accordingly.

Best,

Volker

RrSG Alternate

Am 16.10.2018 um 00:29 schrieb Margie Milam:
>
> Hi-
>
> Thanks Georgios for sharing this document.  This is really great 
> information, and can help with several issues for the EPDP, including:
>
>   * Legal/Natural person distinction
>   * Geographic distinction
>   * Accuracy
>  *
>
> We would like to propose that Staff  invite someone from Centr who can 
> talk to us at Barcelona about these issues, to help inform our policy 
> recommendations.   We would also like to ensure that all of the issues 
> that were “parked” at our F2F meeting are considered as part of our 
> deliberations in Barcelona.
>
> Thanks,
>
> Margie
>
> *From: *Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of 
> "Georgios.TSELENTIS at ec.europa.eu" <Georgios.TSELENTIS at ec.europa.eu>
> *Date: *Friday, October 12, 2018 at 1:33 AM
> *To: *"kurt at kjpritz.com" <kurt at kjpritz.com>, 
> "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
> *Subject: *[Gnso-epdp-team] CENTR Survey: Whois status and impacts 
> from GDPR
>
> Dear Kurt, EPDP colleagues,
>
> Please find a recent survey among European ccTLDs on impacts from GDPR:
>
> The survey report can be found here: 
> https://centr.org/library/library/survey-report/centr-report-whois-status-and-impacts-from-gdpr.html 
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__centr.org_library_library_survey-2Dreport_centr-2Dreport-2Dwhois-2Dstatus-2Dand-2Dimpacts-2Dfrom-2Dgdpr.html&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=T4R_SFZkRFdOpZ15H9XgTW4ZlbBvQTBqJgwmkYtvT3E&e=> 
>
>
> The presentation has been uploaded at: 
> https://centr.org/library/library/external-event/whois-status-and-the-impact-of-gdpr.html 
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__centr.org_library_library_external-2Devent_whois-2Dstatus-2Dand-2Dthe-2Dimpact-2Dof-2Dgdpr.html&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=Ul6EQT0lYlA4EMiD0i0hCdqJvk2hj0enVaKnc05XP2w&e=> 
>
>
> The overview of data collected and published via the WHOIS is 
> available at: https://stats.centr.org/pub_whois 
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__stats.centr.org_pub-5Fwhois&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=Ejr1s_swhOOMZ6A6MK3kgcxX6M2N-iDRXSbdeBz88Uw&s=GgicT8PChIKhcba_NAzGpxR4ZU1EINwS6_vooi-iNBk&e=>
>
> Best  regards,
>
> Georgios
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

-- 
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
F: +49 6894 9396851
W:www.key-systems.net

Key-systems is a company registered in Germany with Registration No.: HR B 18835 - Saarbruecken: CEO: Alexander Siffrin
Registered Offices: Im Oberen Werk 1, DE-66386 St. Ingbert, Germany

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Registered Offices: 35-39 Moorgate, London, EC2R 6AR.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181016/6050167f/attachment-0001.html>