[gnso-rds-pdp-wg] Purpose in accordance with Registry Agreement section 2.18

Deacon, Alex Alex_Deacon at mpaa.org
Fri Jun 2 20:52:58 UTC 2017


Hi All,

Michael makes an important point here – one that is often obscured in these long email threads – that the GDPR only applies to personal data associated with “natural persons” and does not cover personal data associated with legal persons. This indicates that statements claiming WHOIS will somehow disappear on May 25, 2018 because of the GDPR are misleading at best. I agree that we must not throw the baby out with the bathwater.

Alex








-----Original Message-----
From: <gnso-rds-pdp-wg-bounces at icann.org> on behalf of Dotzero <dotzero at gmail.com>
Date: Friday, June 2, 2017 at 1:15 PM
To: Stephanie Perrin <stephanie.perrin at mail.utoronto.ca>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Purpose in accordance with Registry Agreement section 2.18

    The overwhelming majority of domains registered would be considered for commercial purposes. The fact that a small percentage of domains are registered by individuals for personal use should not be the determining factor as to what is appropriate for ICANN to do. In fact, many of what people assert are personal domains have advertising on them and would therefore be considered by almost any jurisdiction to be engaged in a commercial activity. This includes many (most?) parked domains.
    
    
    Under these circumstances, having a disclosure requirement in registry/registrar agreements seems very appropriate and reasonable. Adding in the fact that "private registration" is an option reduces the scope of the issue even further.
    
    
    This is starting to increasingly look like a case of throwing the baby out with the bath water.
    
    
    Michael Hammer
    
    
    On Fri, Jun 2, 2017 at 2:38 PM, Stephanie Perrin 
    <stephanie.perrin at mail.utoronto.ca> wrote:
    
    This clause has not been acceptable in the past, even before GDPR.  I think it is worth pointing out that what is in the ICANN agreements has been repeatedly pointed out, notably by the Art 29 WG, but certainly by others such as the IWGDPT, as violating DP law.  These documents I believe are all in our repository.  So please let us not assume that what has been happening is ok, even if we sign contract after contract with the same offending clauses in them.  Consent in most jurisdictions has to be some variant of "free, enlightened, and informed".  No one can be compelled to consent to a practice that is disproportionate or fails the necessity test...An ability to withdraw consent has to be available.  I won't go on and on but this clause obviously does not pass this test.
    
    In my opinion, the longer ICANN tries to stymie the DPAs and ignore necessary changes in privacy policy, the greater the risk they run that a viral campaign will be launched among ordinary users, to appeal to the Courts.  DPAs try to effect change through dialogue.  When dialogue fails, individuals have to take cases to Court.  We don't want that.
    Stephanie
    
    
    On 2017-06-02 08:19, Volker Greimann wrote:
    
    
    I was just reviewing the changes to the registry agreement again and I noticed a section that has relevance here as well and that had not been discussed here.
    
    
    Apparently the definition of the purpose for personal data collection as far as ICANN is concerned is the job of the registry operators:
    
    
    2.18 Personal Data. Registry Operator shall (i) notify each ICANN-accredited registrar that is a party to the Registry-Registrar Agreement for the TLD of the purposes for which data about any identified or identifiable natural person (“Personal Data”) submitted to Registry Operator by such registrar is collected and used under this Agreement or otherwise and the intended recipients (or categories of recipients) of such Personal Data, and (ii) require such registrar to obtain the consent of each registrant in the TLD for such collection and use of Personal Data. Registry Operator shall take reasonable steps to protect Personal Data collected from such registrar from loss, misuse, unauthorized disclosure, alteration or destruction. Registry Operator shall not use or authorize the use of Personal Data in a way that is incompatible with the notice provided to registrars.
    
    
    This does have some relevance to our current discussion, so I thought I'd recklessly post it here!
    
    
    
    
    
    
    
    
    _______________________________________________
    gnso-rds-pdp-wg mailing list
    gnso-rds-pdp-wg at icann.org
    https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
    
    
    
    
    
    


