[Gnso-epdp-team] Legal guidance - consent

Volker Greimann vgreimann at key-systems.net
Mon Mar 16 12:47:16 UTC 2020

There are two additional considerations that are essential here as well:

1) the differentiation between legacy registrations and new 
registrations. Any regime that can rely on such self-identification can 
only work going forward, and not be retroactively applied to prior 
self-identification or use of the Org field. This would quickly lead to 
a two-class handling of registration data that can have significant 
impact on the data subjects and the domain management processes. 
Further, experience has shown that any differentiation in domain 
handling procedures will be attacked down the road by interested parties.

2) the issue of personal information being included in the data of the 
legal entity. Even if a valid and reliable self-identification can be 
obtained, there is practically no guarantee that such information does 
not also include personal information of staff members of said entities.

I therefore propose to stick to the original proposal that no 
differentiation be required.



On 13.03.2020 at 18:57, Caitlin Tubergen wrote:
> Dear EPDP Team:
> Please find attached the latest memo from Bird & Bird in response to 
> the following question:
> Registration data submitted by legal person registrants may contain 
> the data of natural persons.  A Phase 1 memo stated that registrars 
> can rely on a registrant's self-identification as legal or natural 
> person if risk is mitigated by taking further steps to ensure the 
> accuracy of the registrant's designation.
> As a follow-up to that memo: what are the consent options and 
> requirements related to such designations?  Specifically: are data 
> controllers entitled to rely on a statement obligating legal person 
> registrants to obtain consent from a natural person who would act as a 
> contact and whose information may be publicly displayed in RDS? If 
> so, what representations, if any, would be helpful for the controller 
> to obtain from the legal person registrant in this case?
> As part of your analysis, please consult the GDPR policies and 
> practices of the Internet protocol (IP address) registry RIPE-NCC (the 
> registry for Europe, based in the Netherlands).  RIPE-NCC’s customers 
> (registrants) are legal persons, usually corporations.  Natural 
> persons can serve as their contacts, resulting in the data of natural 
> persons being displayed publicly in WHOIS.  RIPE-NCC places the 
> responsibility on its legal-person registrants to obtain permission 
> from those natural persons, and provides procedures and safeguards for 
> that.  RIPE-NCC states mission justifications and data collection 
> purposes similar to those in ICANN's Temporary Specification.  Could 
> similar policies and procedures be used at ICANN?
> Please see these specific references:
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal 
> Data Processing and the RIPE Database”:
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database 
> 2)  “How We're Implementing the GDPR: The RIPE Database”: 
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database 
> If time permits, also see the policies of ARIN, the IP address 
> registry for North America.  ARIN has some customers located in the 
> EU.  ARIN also publishes the data of natural persons in its WHOIS 
> output.  ARIN’s customers are natural persons, who submit the data of 
> natural person contacts.
> 3) ARIN "Data Accuracy": 
> https://www.arin.net/reference/materials/accuracy/
> 4) ARIN Registration Services Agreement, paragraph 3: 
> https://www.arin.net/about/corporate/agreements/rsa.pdf
> "Personal Data Privacy Considerations At ARIN": 
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ 
> especially the first two paragraphs
> --
> Thank you.
> Best regards,
> Marika, Berry, and Caitlin
Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.