[gnso-rds-pdp-wg] URGENT: babypool GDPR Question

Luc SEUFER lseufer at dclgroup.eu
Wed Jun 14 15:05:48 UTC 2017


Hi Neil,

If you are looking for a provision stating “The publication of domain registrant details to the public is forbidden by this Regulation” you won’t find it; text laws are purposely broad to apply to every justiciable. But you are lawyers and know that.

The provisions you are interested in are not hard to find; here is the main one:

Article 5

Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c)  adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

[…]

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

When a registrant registers a domain name their personal details should only be disclosed to third parties for a purpose to which such registrant agrees prior to the disclosure. And I think you will agree that having your details transmitted to every marketing company out there wouldn’t qualify as a legitimate purpose. Nor would the disclosure to the general public qualify as proportional compared to the finality of the service provided. Nor would the unlimited retention of such data.

And this is without entering into the whole issue that is cross-border transfers in countries which don’t have the same level of protection as the EEA.

The current Directive 95/46/EC as transposed by each EEA country already forbids the current whois system. The main difference with the GDPR is that now those prohibitions will be enforced and fines will be pronounced against companies found in breach.

There are of course ways to continue with the current WHOIS system; you can look at how the .cat, .de, .fr, .nl etc. registries are handling it. Individual registrants’ details are available but behind a protection system and with strict whois terms of use.

Hoping this will help with your policy session.

Best Wishes,

Luc






On 14 Jun 2017, at 16:06, Greg Shatan <gregshatanipc at gmail.com> wrote:

I have heard this opinion stated several times in a conclusory fashion, but without citation or analysis.  Sorry I can't be of more help....

Greg (S.)

On Wed, Jun 14, 2017 at 9:44 AM, Neil Schwartzman <neil at cauce.org> wrote:
I am about to head into the public policy sessions at M3AAWG.org in 1:15 and a colleague asked me pointedly which provisions of GDPR it is assumed WHOIS in its current state would violate.

I’d like to be precise with my response and presentation to the assemblage.

Can someone please cite chapter and verse?


Thanks

n
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


