[Gnso-epdp-team] Rec 4 suggested text

Alan Woods alan at donuts.email
Thu Aug 12 12:36:50 UTC 2021

Thanks, Chris, for this and for putting pen to paper!

Note as it is still early in the US, I have not been able to fully canvass
my colleagues on this, so these are just my own observations at this point.
As much as I appreciate this, I do fear it does not provide us with
anything more than a restatement of the recital. If we are aiming for this
to be meaningful, it needs more. I am unsure as to how this "guidance"
operationally provides any help to a CP to voluntarily follow this guidance
- it merely says they should follow the law - which I hope we all agree is
a truism, and does not reach the level of guidance. This is all about the
*what*, and not the *how*, and doesn't tend to provide any detail as to a
reliable method, as there is no real input as to what a reasonable
safeguard actually is, or even what we are safeguarding against in truth.

As the public comment noted, and as I hope we have been consistently open
on, the RYSG continues to be supportive of guidance, as the outlining of the
legal obligations may be helpful for some CPs who are not as familiar with
the expectations of data privacy law - but we continue to hold reservations
as to the true utility of the guidance, as, although well meaning, it lacks
any true guidance as to how to practically achieve such objectives. I mean
this as no slight to the efforts of the team, but a large portion of this
guidance is simply written as a statement of an outcome, and not how to
arrive safely at that outcome.

Although I do not wish to create anything that could be considered as
'legal advice' (as this will create massive liability for ICANN in both
enforcement and expectation), I do think we should not try to reinvent the
wheel here. Why not just borrow heavily from the actual wording as used by
the EDPB in their letter of 5th July 2018 (paragraph 3). I understand that
Laureen expressed a belief that the recitals of the GDPR were of more a
persuasive authority than the letter of the EDPB; however, given that the
EDPB are the body tasked with enforcement, and they have not only
referenced recital 14, but expanded on the interpretation therein, it would
be remiss of us to exclude it. I personally welcomed the additional insight
into the recital from their primary 'enforcement' POV. I have had a stab at
tailoring it to make it provide guidance, whilst still accepting that there
may be more than one way to achieve this (hence why this MUST be voluntary,
as to say otherwise will make this legal advice). It still does not engage
in much of the HOW, but it provides more detail as to the WHY, to enable
the CPs to individually consider how they can rise to the challenge, if
they feel they

*"The GDPR does not apply to the processing of personal data which concerns
legal persons and in particular undertakings established as legal persons,
including the name and the form of the legal person and the contact details
of the legal person. [FN: Recital 14, GDPR] While the contact details of a
legal person are outside the scope of the GDPR, the contact details
concerning natural persons are within the scope of the GDPR, as well as any
other information relating to an identified or identifiable natural person.
[FN: Art 4(1), GDPR] The mere fact that a registrant is a legal person
does not necessarily justify unlimited publication of personal data
relating to natural persons who work for or represent that organization,
such as natural persons who manage administrative or technical issues on
behalf of the registrant.*

*For example, the publication of the personal email address of a technical
contact person consisting of firstname.lastname at company.com can reveal
information regarding their current employer as well as their role within
the organization. Together with the address of the registrant, it may also
reveal information about his or her place of work. In light of these
considerations, personal data capable of identifying individual employees
(or third parties) acting on behalf of the registrant should not be made
publicly available by default in the context of WHOIS/RDAP. Any publication
by a contracted party must include sufficient safeguards to prevent the
identification of any such natural person, directly or indirectly (e.g. use
of clearly generic contact email information "admin at domain.com")."*

I hope this is constructive.

Alan Woods
Senior Manager, Compliance & Policy, Donuts Inc.
Ground Floor
Le Pole House
Ship Street Great
Dublin 8

On Thu, Aug 12, 2021 at 11:57 AM LEWIS-EVANS, Christopher via
Gnso-epdp-team <gnso-epdp-team at icann.org> wrote:

> Suggested text for recommendation 4 as discussed on the last call, believe
> it should go between current 2 and 3.
> Thanks
> Chris
> The GDPR protects natural persons in relation to the processing of their
> personal data.  "It does not cover the processing of personal data which
> concerns legal persons and in particular undertakings established as legal
> persons, including the name and the form of the legal person and the
> contact details of the legal person." This allows for disclosure of legal
> persons’ data because it is outside the remit of GDPR.  Nevertheless, when
> processing legal persons’ data, safeguards should be put in place to ensure
> that personally identifying data about a natural person is not disclosed
> within data marked as a legal person.