[Gnso-epdp-team] On the proposed guidance

Volker Greimann vgreimann at key-systems.net
Thu Apr 15 14:10:26 UTC 2021


"Everyone who is named in a role in a registration must have already been
informed and consented to all of the conditions involved in the role."

This is the ideal. Sadly, this ideal is very often not the case. Employees
are named by other employees without their knowledge, or remain named long
after they leave. From the experience as a registrar dealing with
registrants every day, this ideal is an assumption that does not survive
contact with reality.


-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for
the person(s) directly addressed. If you are not the intended recipient,
any use, copying, transmission, distribution, or other forms of
dissemination is strictly prohibited. If you have received this email in
error, please notify the sender immediately and permanently delete this
email with any files that may be attached.


On Thu, Apr 15, 2021 at 3:36 PM Steve Crocker via Gnso-epdp-team <
gnso-epdp-team at icann.org> wrote:

> Laureen,
>
> Thanks for your note.  With respect to the details under legal person, we
> believe the issue of consent should be moot.  Everyone who is named in a
> role in a registration must have already been informed and consented to all
> of the conditions involved in the role.  This is a prerequisite for having
> a working system and is not specific to meeting a privacy regulation.  The
> fact that this requirement is not specified in the existing contractual
> documentation is an error and needs to be rectified.
>
> Steve
>
>
> On Thu, Apr 15, 2021 at 6:28 AM Kapin, Laureen via Gnso-epdp-team <
> gnso-epdp-team at icann.org> wrote:
>
>> I think we share common ground on many key issues and I would like to
>> build on the many helpful inputs received as to what would be advisable.
>>
>>
>>
>> *Goal*: publish non-personal, non-protected data to the greatest extent
>> permissible under the GDPR and within low legal risks to data controllers
>> and processors.  Note, the description below does *not* fully detail the
>> advised safeguards which B&B has documented and which we’ve adopted in our
>> prior input because my impression is that we generally agree that the
>> safeguards are prudent.  This description merely seeks to identify the key
>> steps that must be taken to ensure that personal data is identified and
>> protected and non-personal data is published.  I also highlight the
>> addition of a potential additional safeguard – Confirmation.  I think this
>> process incorporates what we’ve discussed and inputs received and could
>> form a useful framework for discussion.
>>
>>
>>
>> *Note:*
>>
>>
>>
>> - *New Registrations:* This process applies to new registrations (Steve
>> C. has some useful thoughts on how to deal with existing Registrations)
>>
>> - *Publish:* When I use the word “publish,” I mean made public
>> directly; not via the SSAD.
>>
>> - *Flexibility:* Based on input from our Registrar colleagues, we
>> should permit flexibility for how these steps are implemented to account
>> for the varied business models in place.
>>
>> - *Timing:* All identifications need to take place at the time of
>> registration or shortly thereafter (w/in the 13-day accuracy verification
>> window) and no registration data should be published until the
>> identification, consent, and confirmation process concludes
>>
>>
>>
>> *Process:*
>>
>> 1.   A threshold identification of the registrant as a natural or legal
>>      person;
>>
>>      a.   If natural, registration info redacted
>>
>>      b.   If legal, further inquiries and advisories (safeguards):
>>
>>           i.    if the legal person identifies that it has a protected
>>                 status under the GDPR
>>
>>                 1.   registration info redacted
>>
>>           ii.   If the legal person registration contains personal data,
>>                 advise of consequences (publication)
>>
>>                 1.   Obtain necessary consents
>>
>>                 2.   *Possible additional safeguard*: *Ask Registrant to
>>                      Confirm any identification that will result in
>>                      publication of contact data* (akin to confirming a
>>                      flight reservation or stock trade)
>>
>>                      a.   Publish
>>
>>                 3.   If no consent
>>
>>                      a.   Redact
>>
>> 2.   Provide quick and easy opportunity to correct any mistakes
>>
>>
>>
>> I hope this is useful.
>>
>>
>>
>>
>>
>> Kind regards,
>>
>>
>>
>> Laureen Kapin
>>
>> Counsel for International Consumer Protection
>>
>> Federal Trade Commission
>>
>> (202) 326-3237
>>
>>
>>
>> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of *Volker
>> Greimann via Gnso-epdp-team
>> *Sent:* Thursday, April 15, 2021 8:35 AM
>> *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
>> *Cc:* gnso-epdp-team at icann.org
>> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>>
>>
>>
>> I think we need to be cognisant of the current status quo and use that as
>> the basis for our thoughts on the matter:
>>
>>
>>
>> 1) There is no differentiation between legal or natural contacts.
>>
>> 2) The redaction of all contacts is permitted and has become the de-facto
>> standard.
>>
>> 3) We allow consent-based disclosure.
>>
>> 4) NIS 2 may at some point in the future require publication of
>> non-personal information.
>>
>>
>>
>> This leads to two very simple follow-on questions:
>>
>> a) How do we identify such non-personal information? What is really
>> necessary for this end?
>>
>> b) What would publication entail?
>>
>>
>>
>> For a) we and Twobirds identified voluntary self-declaration of the data
>> submitted. As all data is redacted by default, the differentiation of the
>> data subject category is irrelevant as it ultimately only boils down to the
>> declaration of the data subject that the data contains no personal
>> information.
>>
>>
>>
>> For b), the term "publish" is undefined. For all we know, it could mean
>> publication in a physical print edition (it doesn't mean that though). But
>> publication within SSAD can very well be sufficient for that definition.
>> There is no reason whatsoever to assume differently.
>>
>>
>>
>> --
>> Volker A. Greimann
>> General Counsel and Policy Manager
>> *KEY-SYSTEMS GMBH*
>>
>>
>> On Thu, Apr 15, 2021 at 1:52 PM Hadia Abdelsalam Mokhtar EL miniawi via
>> Gnso-epdp-team <gnso-epdp-team at icann.org> wrote:
>>
>> Dear Milton,
>>
>>
>>
>> Thank you for your constructive thoughts. I believe we have a lot to
>> build on. In relation to principle one, I think we all agree that some
>> legal data subjects would want to publish their data in the RDDS, but
>> without your first principle they can only do this through consent. The
>> legal memo received lately from Bird & Bird explains that if CPs publish
>> the data of legal persons based on consent they are at a higher risk than
>> if they publish the data of legal persons based on self-designation. In the
>> latter case CPs might only be liable if they fail to address a complaint.
>> So the question always was: what is the benefit of labeling the data as
>> belonging to a natural or legal person? Of course we all know that GDPR
>> protects the data of natural persons and not legal persons, but the
>> important answer now is that the distinction significantly reduces the
>> liability of CPs. In addition, the distinction is helpful in performing the
>> balancing test in case the data is not published and I am sure if we look
>> into individual use cases we can find many more benefits. Moreover, it
>> could prove to be useful regarding possible upcoming regulations. I would
>> also add that the level of protection assigned to the data elements
>> suggested by Steve provides additional safeguards and flexibility in the
>> implementation.
>>
>>
>>
>> Finally, I join you in being optimistic about our ability to finish this.
>>
>>
>>
>> Kind regards
>>
>> Hadia
>>
>>
>>
>> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] *On
>> Behalf Of *Mueller, Milton L via Gnso-epdp-team
>> *Sent:* Wednesday, April 14, 2021 10:12 PM
>> *To:* gnso-epdp-team at icann.org
>> *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
>>
>>
>>
>> Colleagues:
>>
>> I have only gotten time to review the latest Guidance document and the
>> surrounding debate today. Apologies, but there is a lot going on in my day
>> job.
>>
>>
>>
>> I am disappointed to see that we seem to be going backwards. I see
>> divergence rather than convergence on the way we are approaching the
>> problem.
>>
>>
>>
>> I see no point in adding more noise to the current document via the
>> Comments function. What I would like to try to do is articulate some broad
>> principles about how to deal with the legal/natural distinction. If we can
>> agree on those principles, it will be relatively easy to complete the
>> document. If we cannot/do not agree on those principles, additional
>> wordsmithing and debates over terms will not get us anywhere.
>>
>>
>>
>> So here are the broad principles that I would offer up for debate:
>>
>>
>>
>> 1.       The legal/natural distinction is relevant and we need to find a
>> way to make it in RDDS without compromising privacy rights.
>>
>> 2.       Registrants should be able to self-designate as legal or
>> natural, with no burden of authentication placed on registrars or registries
>>
>> 3.       To protect small home offices or NGOs who are technically Legal
>> persons but whose registration data may include Personal data, we need an
>> additional check in the process.
>>
>> 4.       As long as they conform with the above 3 principles,
>> registrars/ries (CPs) should be given maximum flexibility to choose the way
>> to differentiate.
>>
>>
>>
>> Principle 1 discussion:
>>
>> If we cannot agree on this (or agree to abandon this principle), _*nothing
>> else will fall into place*_. Ever. So let’s settle that. Steve and
>> Volker I suspect will disagree with this principle. Steve has argued that
>> the L/N distinction is “not a central concern” and all that matters is
>> whether the registrant’s data is to be made available to anyone. If he is
>> right, we can discard the guidance altogether, because we already have a
>> recommendation to allow the RNH to consent to the publication of their
>> data. Volker has also suggested that it is personal data we need to
>> differentiate, not L/N. I disagree with Steve and Volker on this and so do
>> most of the rest of the group. L/N distinction is a central concern to
>> certain stakeholder groups in the EPDP, because a) GDPR and other data
>> protection laws do not protect it and this process is all about bringing
>> RDS into compliance with privacy law; b) Legal person data could be
>> published and it would provide easier access to their registration data. As
>> a NCSG member I can find no basis for objecting to the publication of
>> WalMart’s, Kroger’s or the local hardware store’s registration data. Any
>> concerns about PII are addressed by principles 2 and 3. Steve is
>> approaching this as an engineer, but this is a policy process, and we will
>> not obtain agreement on a solution unless certain stakeholders are
>> satisfied. If they think it is a central concern, it’s a central concern,
>> that’s how policy/politics work.
>>
>>
>>
>> Principle 2 discussion
>>
>> This is the key principle that keeps NCSG and CPH satisfied. Registrants
>> are in control of how they are designated. Yes, this means that some people
>> will lie. That is just something we will have to accept. One cannot erase
>> that possibility without creating a system that is too burdensome and
>> costly as to outweigh any benefits.
>>
>>
>>
>> Principle 3 discussion
>>
>> This is something everyone seems to agree on already. But it is good to
>> make it explicit, then we can work out how specific our guidance can get,
>> so as to conform to …
>>
>>
>>
>> Principle 4
>>
>> Avoid being overly prescriptive, but ensure that the other 3 principles
>> are honored. So yes, Volker, we give you maximum flexibility to implement
>> in accordance with different business models, but you can NOT make a
>> designation for a RNH, because it violates principle 2.
>>
>>
>>
>> I truly believe that if we can come to agreement on these 4 principles
>> and use them as the basis for drafting guidance, we can actually finish
>> this.
>>
>>
>>
>> _______________________________________________
>> Gnso-epdp-team mailing list
>> Gnso-epdp-team at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
>> _______________________________________________
>> By submitting your personal data, you consent to the processing of your
>> personal data for purposes of subscribing to this mailing list accordance
>> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
>> the website Terms of Service (https://www.icann.org/privacy/tos). You
>> can visit the Mailman link above to change your membership status or
>> configuration, including unsubscribing, setting digest-style delivery or
>> disabling delivery altogether (e.g., for a vacation), and so on.
>>
>