[gnso-rds-pdp-wg] URGENT: babypool GDPR Question

allison nixon elsakoo at gmail.com
Wed Jun 14 15:55:42 UTC 2017


The laws don't seem to explicitly forbid making data public.

As a registrant, I share two datasets with my registrar. My private billing
data, which I understand from the beginning to be private, and my public
WHOIS data, which I also understand from the beginning to be public.

The laws don't explicitly forbid this at all, since no one here is asking
for the "private" dataset to be made public. The arguments against
publishing portraying this data as "personal" all hinge on the idea that
this data was never intended to be public in the first place. And that is
false.

"archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes" - these purposes are
demonstrated time and time again to be served by publicly available WHOIS
data.

Under the "lawfulness, fairness, and transparency" idea, it seems that
public WHOIS can be preserved by simply informing the customer: "this data
will be public. You may get spammed. If you disclose your home address you
may get unwanted attention". And give the user the free option for WHOIS
privacy. And I think that would remove all the potential nasty surprises
and make the process quite proportional and fair.



Thank you for citing these laws as this seems to be a lot less draconian
than they are frequently portrayed here.




On Wed, Jun 14, 2017 at 11:05 AM, Luc SEUFER <lseufer at dclgroup.eu> wrote:

> Hi Neil,
>
> If you are looking for a provision stating “The publication of domain
> registrant details to the public is forbidden by this Regulation” you won’t
> find it, text laws are purposely broad to apply to every justiciable. But
> you are lawyers and know that.
>
> The provisions you are interested in are not hard to find, here is the
> main one:
>
> Article 5
>
> Principles relating to processing of personal data
>
> 1. Personal data shall be:
>
> (a)  processed lawfully, fairly and in a transparent manner in
> relation to the data subject (‘lawfulness, fairness and transparency’);
>
> (b)  collected for specified, explicit and legitimate purposes and
> not further processed in a manner that is incompatible with those purposes;
> further processing for archiving purposes in the public interest,
> scientific or historical research purposes or statistical purposes shall,
> in accordance with Article 89(1), not be considered to be incompatible with
> the initial purposes (‘purpose limitation’);
>
> (c)  adequate, relevant and limited to what is necessary in relation to
> the purposes for which they are processed (‘data minimisation’);
>
> […]
>
> (e) kept in a form which permits identification of data subjects for no
> longer than is necessary for the purposes for which the personal data are
> processed; personal data may be stored for longer periods insofar as the
> personal data will be processed solely for archiving purposes in the public
> interest, scientific or historical research purposes or statistical
> purposes in accordance with Article 89(1) subject to implementation of the
> appropriate technical and organisational measures required by this
> Regulation in order to safeguard the rights and freedoms of the data
> subject (‘storage limitation’);
>
> (f) processed in a manner that ensures appropriate security of the
> personal data, including protection against unauthorised or unlawful
> processing and against accidental loss, destruction or damage, using
> appropriate technical or organisational measures (‘integrity and
> confidentiality’).
>
> When a registrant registers a domain name their personal details should
> only be disclosed to third parties for a purpose to which such registrant
> agrees to prior to the disclosure. And I think you will agree that having
> your details transmitted to every marketing company out there wouldn’t
> qualify as a legitimate purpose. Nor would the disclosure to the general
> public qualify as proportional compared to the finality of the service
> provided. Nor would the unlimited retention of such data.
>
> And this is without entering into the whole issue that is cross-border
> transfers in countries which don’t have the same level of protection as the
> EEA.
>
> The current Directive 95/46/EC as transposed by each EEA country already
> forbids the current whois system. The main difference with the GDPR is that
> now those prohibitions will be enforced and fines will be pronounced
> against companies found in breach.
>
> There are of course ways to continue with the current WHOIS system, you
> can look at how the .cat, .de, .fr, .nl etc. registries are handling it.
> Individual registrants’ details are available but behind a protection
> system and with strict whois terms of use.
>
> Hoping this will help with your policy session.
>
> Best Wishes,
>
> Luc
>
>
> On 14 Jun 2017, at 16:06, Greg Shatan <gregshatanipc at gmail.com> wrote:
>
> I have heard this opinion stated several times in a conclusory fashion,
> but without citation or analysis.  Sorry I can't be of more help....
>
> Greg (S.)
>
> On Wed, Jun 14, 2017 at 9:44 AM, Neil Schwartzman <neil at cauce.org> wrote:
> I am about to head into the public policy sessions at M3AAWG.org
> in 1:15 and a colleague asked me pointedly which
> provisions of GDPR it is assumed WHOIS in its current state would violate.
>
> I’d like to be precise with my response and presentation to the assemblage.
>
> Can someone please cite chapter and verse?
>
>
> Thanks
>
> n
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg



-- 
_________________________________
Note to self: Pillage BEFORE burning.