[Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Volker Greimann vgreimann at key-systems.net
Mon May 27 13:59:07 UTC 2019

This is my interpretation of the accuracy principle of the GDPR as well. 
As most of the GDPR, it is designed with the rights of and protections 
for the data subject in mind and must be interpreted under that premise.


Am 25.05.2019 um 15:17 schrieb Mueller, Milton L:
> Dear Georgios and colleagues:
> I think the questions related to accuracy below are not worth sending 
> to the lawyers.
> They are based on a fundamental misconception, one which we have 
> identified many times. Accuracy in GDPR and other data protection law 
> is a right _/of the data subject/_, not a right of third parties to 
> accurate data about the data subject.
> To prove this, beyond a shadow of the doubt, let me note that the word 
> “accuracy” appears in GDPR in only two places, in Art 18.
> Article 18, Right to restriction of processing:
> -----------------------------------------------------------
> “The data subject shall have the right to obtain from the controller 
> restriction of processing where one of the following applies: the 
> accuracy of the personal data is contested by the data subject, for a 
> period enabling the controller to verify the accuracy of the personal 
> data;”
> So data subjects can contest the accuracy of data about them, or 
> require controllers to verify its accuracy. There is NO OTHER 
> reference to accuracy in the entire GDPR.
> Georgios’s questions are based on the assumption that third parties 
> have a right to accurate contact data about the data subject. That 
> assumption was embedded in the old Whois and pre-GDPR Whois accuracy 
> policies, all of which were predicated on indiscriminate publication 
> of the contact data to any and all third parties. That regime is gone. 
> And it’s recognized even by the most militant pro-surveillance 
> interests that such indiscriminate disclosure is illegal.
> Likewise, Georgios asks about liability under Article 82 of GDPR. 
> Again all we need to do is actually read Art 82 to find the answer:
> Article 82 says “Any person who has suffered material or non-material 
> damage as a result of an infringement of this Regulation shall have 
> the right to receive compensation from the controller or processor for 
> the damage suffered.” So this is a right of PERSONS (data subjects) to 
> compensation based on illegal acts of controllers and processors of 
> THEIR data. It is not a right of third parties to accurate information 
> about the data subject, and it certainly creates no liability for 
> controllers or processors for the inaccuracy of the registrants’ data.
> Dr. Milton L Mueller
> Georgia Institute of Technology
> School of Public Policy
> *From:*Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of 
> *Georgios.TSELENTIS at ec.europa.eu
> *Sent:* Friday, May 24, 2019 7:02 PM
> *To:* caitlin.tubergen at icann.org
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal 
> Questions Table
> Dear Caitlin, colleagues,
> Please find below questions on the topics of the legal memos from the GAC:
> *Accuracy*
> . If current verification statistics provide that a large number of 
> data is inaccurate isn't that a metric to deduce that the accuracy 
> principle is not served in a reasonable manner as demanded by the GDPR?
> . According to the GDPR all personal data are processed based on the 
> principle that they are necessary for the purpose for which they are 
> collected. If those data are necessary, how can the purpose be served 
> while the data are inaccurate?
> . Can you provide an analysis on the third-parties mentioned in para 
> 19 on which "ICANN and the relevant parties may rely on to confirm the 
> accuracy of personal data if it is reasonable to do so"? Do they 
> become in such a scenario data processors?
> . How does the accuracy principle in connection to the parties' 
> liability has to be understood in light of the accountability 
> principle of the GDPR? What are the responsibilities of ICANN and the 
> contracted parties (who are subject to the GDPR) under Chapter IV pf 
> the GDPR? If the contracted parties (as data controllers) engage third 
> entities as processors (e.g. to provide data back-up services), what 
> are the responsibilities of these entities? What does this mean in 
> terms of liabilities (in light of Art. 82 GDPR)?
> . While in the first place it is up to the registrants to provide 
> accurate details about themselves and it is up to the registrants not 
> to mistakenly identify themselves as natural or legal persons, the 
> Memo on "Natural vs Legal persons" provides interesting 
> ideas/suggestions for the contracted parties to proactively ensuring 
> the reliability of information provided, including through measures to 
> independently verify the data. Could similar mechanisms be identified 
> also for ensuring the reliability of the contact details of the 
> registrant? Can best practices be drawn from the ccTLD?
> *Natural or non-natural persons*
> . How is the (inaccurate or accurate) designation by the registrant 
> about her status as non-natural person considered personal data 
> information? If it's not is the analysis about whether the accuracy 
> principle applies relevant?
> . How would the analysis provided take into account the possibility 
> for registrants who are natural persons to "opt-in" for a full 
> publication of their personal data? Indeed it might be the case that 
> some of these registrants might wish to ensure their details are 
> available on WHOIS.
> *Technical contact *
> Most of the issue for not allowing this seems to be around the 
> inability to verify if the RNH has obtained consent from the technical 
> contact. When the CP's verify the email address could consent also be 
> confirmed for the term of the registration?
> *General question:*
> . How could anonymisatio/pseudonymisation techniques be of help in 
> complying with the GDPR while also allowing for additional disclosure 
> of certain data elements? E.g. use of anonymised/pseudonymised emails 
> and names, in particular in the context of registrations by legal persons.
> Apologies again for the delay of our submission.
> Georgios Tselentis (GAC-EPDP)
> *From:*Gnso-epdp-team <gnso-epdp-team-bounces at icann.org 
> <mailto:gnso-epdp-team-bounces at icann.org>> *On Behalf Of *Caitlin Tubergen
> *Sent:* Wednesday, May 22, 2019 5:22 PM
> *To:* gnso-epdp-team at icann.org <mailto:gnso-epdp-team at icann.org>
> *Subject:* [Gnso-epdp-team] For your review - Clarifying Legal 
> Questions Table
> Dear EPDP Team,
> Following up on an action item from our last meeting, please find 
> attached a table which organizes the clarifying legal questions 
> received to date. We will discuss the table during our next meeting.
> Please note that the deadline for submitting additional clarifying 
> questions is before 14:00 UTC on Thursday, 23 May. If additional 
> questions come in before the deadline, we will update the table 
> accordingly.
> Thank you.
> Best regards,
> Marika, Berry, and Caitlin
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190527/3a42c795/attachment-0001.html>

More information about the Gnso-epdp-team mailing list