[Gnso-epdp-team] Legal guidance - consent

Caitlin Tubergen caitlin.tubergen at icann.org
Fri Mar 13 17:57:00 UTC 2020

Dear EPDP Team:


Please find attached the latest memo from Bird & Bird in response to the following question:


Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. 


As a follow-up to that memo: what are the consent options and requirements related to such designations?  Specifically: are data controllers entitled to rely on a statement obligating legal person registrants to obtain consent from a natural person who would act as a contact and whose information may be publicly displayed in RDS? If so, what representations, if any, would be helpful for the controller to obtain from the legal person registrant in this case?


As part of your analysis, please consult the GDPR policies and practices of the Internet protocol (IP address) registry RIPE-NCC (the registry for Europe, based in the Netherlands).  RIPE-NCC’s customers (registrants) are legal persons, usually corporations.  Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS.  RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that.  RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification.  Could similar policies and procedures be used at ICANN? 


Please see these specific references:

1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:

https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database

2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database

If time permits, also see the policies of ARIN, the IP address registry for North America.  ARIN has some customers located in the EU.  ARIN also publishes the data of natural persons in its WHOIS output.  ARIN’s customers are natural persons, who submit the data of natural person contacts.

3) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/

4) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf

"Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/, especially the first two paragraphs




Thank you.


Best regards,


Marika, Berry, and Caitlin


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ICANN memo 13 March 2020 - consent.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 350523 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200313/1869bb03/ICANNmemo13March2020-consent-0001.docx>