[Gnso-epdp-team] [EXTERNAL] Re: Legal guidance - consent

[Mark Svancarek (CELA)]

Hi, could you share the experience for the uninformed?
Further, experience has shown that any differentiation in domain handling procedures will be attacked down the road by interested parties.



From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Volker Greimann
Sent: Monday, March 16, 2020 5:47 AM
To: gnso-epdp-team at icann.org
Subject: [EXTERNAL] Re: [Gnso-epdp-team] Legal guidance - consent


There are two additional considerations that are essential here as well, namely:

1) the differentiation between legacy registrations and new registrations. Any regime that can rely on such self-identification can only work going forward, and not be retroactively be applied to prior self-identification or use of the Org field. This would quickly lead to a two-class handling of registration data that can have significant impact on the data subjects and the domain management processes. Further, experience has shown that any differentiation in domain handling procedures will be attacked down the road by interested parties.

2) the issue of personal information being included in the data of the legal entity. Even if a valid and reliable self-identification can be obtained, there is practically no guarantee that such information does not also includes personal information of staff members of said entities.

I therefore propose to stick to the original proposal that no differentiation be required.

Best,

Volker
Am 13.03.2020 um 18:57 schrieb Caitlin Tubergen:
Dear EPDP Team:

Please find attached the latest memo from Bird & Bird in response to the following question:

Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation.

As a follow-up to that memo: what are the consent options and requirements related to such designations?  Specifically: are data controllers entitled to rely on a statement obligating legal person registrants to obtain consent from a natural person who would act as a contact and whose information may be publicly displayed in RDS? If so, what representations, if any, would be helpful for the controller to obtain from the legal person registrant in this case?

As part of your analysis, please consult the GDPR policies and practices of the Internet protocol (IP address) registry RIPE-NCC (the registry for Europe, based in the Netherlands).  RIPE-NCC’s customers (registrants) are legal persons, usually corporations.  Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS.  RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that.  RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification.  Could similar policies and procedures be used at ICANN?

Please see these specific references:
1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:
https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database [labs.ripe.net]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__labs.ripe.net_Members_Athina_gdpr-2Dlegal-2Dgrounds-2Dfor-2Dlawful-2Dpersonal-2Ddata-2Dprocessing-2Dand-2Dthe-2Dripe-2Ddatabase%26d%3DDwMFaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3D8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH%26m%3Dlm9kGn8JwDnJnbIoNg4je0dwEcDgveT_fksb7KE3MsY%26s%3DJjRQGYCd0W_N54phYbjtCv9Bxt1nS4buSJcvPJf_6vw%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672175867&sdata=j%2BhCjZJ%2FBX5hC0DF3pFlnTB5UtYza13bp2NijXOQV0U%3D&reserved=0>
2)  “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__labs.ripe.net_Members_Athina_how-2Dwe-2Dre-2Dimplementing-2Dthe-2Dgdpr-2Dthe-2Dripe-2Ddatabase%26d%3DDwMFaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3D8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH%26m%3Dlm9kGn8JwDnJnbIoNg4je0dwEcDgveT_fksb7KE3MsY%26s%3DP3RxR6-R3MLf69vdiLp4krKwIoY7I7DCUBIhoLT8cog%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672175867&sdata=Vae3TK9Wz4MpXBX5S4oHXoZbpyUcWK5B%2BX4zrWtqeVo%3D&reserved=0>
If time permits, also see the policies of ARIN, the IP address registry for North America.  ARIN has some customers located in the EU.  ARIN also publishes the data of natural persons in its WHOIS output.  ARIN’s customers are natural persons, who submit the data of natural person contacts.
3) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.arin.net_reference_materials_accuracy_%26d%3DDwMFaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3D8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH%26m%3Dlm9kGn8JwDnJnbIoNg4je0dwEcDgveT_fksb7KE3MsY%26s%3DDOP1W8-coJ5GL4C6NL2umOQTFaaa3hISZ_mxhF7HFwg%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672185824&sdata=juCfoYSZ3%2FXyTnOp9zdEwztwkthELV4o508RwBTDXxs%3D&reserved=0>
4) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.arin.net_about_corporate_agreements_rsa.pdf%26d%3DDwMFaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3D8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH%26m%3Dlm9kGn8JwDnJnbIoNg4je0dwEcDgveT_fksb7KE3MsY%26s%3DvNYCjbgMw_MmaPMiwqygL3syqrs9GqG_mmTZVpoIjoA%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672185824&sdata=tLEGn564qlefpblrk90GVgqFG%2FKQPHkiJZ0iscuCrsQ%3D&reserved=0>
"Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__teamarin.net_2018_03_20_personal-2Ddata-2Dprivacy-2Dconsiderations-2Dat-2Darin_%26d%3DDwMFaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3D8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH%26m%3Dlm9kGn8JwDnJnbIoNg4je0dwEcDgveT_fksb7KE3MsY%26s%3DKlSoVh8AH6aCxEBNTX5SsqDBgwzhKCWxVRcIRCcBdKg%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672195780&sdata=%2BJgy8Thmx7KbMAEXiS3nDzmKL97ApDz2hRgndUTpN1s%3D&reserved=0>  especially the first two paragraphs

--

Thank you.

Best regards,

Marika, Berry, and Caitlin




_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>

https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672195780&sdata=BPuCjdKVQ%2FUb%2Ff98jTSXHo7glufqaRlR8%2BoAOGQ1Fp8%3D&reserved=0>

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Fpolicy&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672195780&sdata=p4pOp4szix0oSXW2xH2Oor11x5X9nW8UsA87kSIsZEc%3D&reserved=0>) and the website Terms of Service (https://www.icann.org/privacy/tos<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Ftos&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672205738&sdata=GnQ%2B092rhct5NiHgETlH0WFTamEQkMTNlCvpSTVwHkY%3D&reserved=0>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.key-systems.net%2F&data=02%7C01%7Cmarksv%40microsoft.com%7C2f2beeb6893646826d1308d7c9a82d4e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637199597672205738&sdata=C6WMMNcxTJY%2BhKMDXTgsb%2FiUKgiuJxNnYP76%2BwHgi5M%3D&reserved=0>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200317/9e3299d1/attachment-0001.html>