[gnso-rds-pdp-wg] another document that might be of interest

theo geurts gtheo at xs4all.nl
Sat Oct 21 15:54:54 UTC 2017


A couple of pointers here for everyone and not directed at anyone 
specifically.

Eurid will update their Registrar agreement soon. So perhaps it is not 
handy to dig into some agreement.
The agreement will state very clearly who will be the data controller 
(Registry) and the data processor (Registrar/Reseller). As all the roles 
are defined and PII is not available through the WHOIS, no consent is 
required.

Let's dive a little into consent and the organizational "challenges."

  * Be specific and granular. Vague or blanket consent is not enough
  * Name any third parties who will rely on the consent
  * Make it easy for people to withdraw consent and tell them how

Consent must specifically cover the controller’s name, the purposes of 
the processing and the types of processing activity

Okay? Let's dig a little deeper into consent.
Consent will be needed for different processing operations wherever 
appropriate – so you need to give granular options to consent separately 
to separate purposes.

So a registrant will have to consent to at least

  * Escrow Registry to Escrow provider in country X
  * Escrow Registrar to Escrow provider in country X
  * Cross-border transfer of data to Registry in country X
  * ICANN staff USA under set conditions must have access to Registry or
    Registrar RDE deposit
  * ICANN staff access for audits
  * Third parties selected by ICANN for audits
  * Place holder for all the other stuff I am forgetting


As the PII will be published in the WHOIS, that will require consent 
also. But you have to warn the Registrant, so it has to be crystal clear 
what will happen as soon as that data becomes public. Spam, phone calls by 
folks trying to sell you stuff, i.e., the good stuff we all know about 
and encounter on a daily basis and much more.

"In data protection, there is the fundamental principle which is 
unchanged even in the age of Big Data. The data subject has to be in 
control of her/his data, which means for consent that you need consent 
for each of the data processing activities (even for minor changes in 
the processing)."

Now picture a domain name registration flow here.
We are talking over a thousand TLDs here scattered all over the world.
This will not increase consumer trust for starters when it comes to 
gTLDs. It will be one big click fest and registration conversion will go 
down the drain.

But let's assume we go this route.
Right to be forgotten? How do we do that when the WHOIS is scraped day 
and night by unknown third parties? I am not sure how we will meet this 
GDPR requirement. Most likely consent was not "freely" given. Perhaps 
part two will cover this some more.

Withdrawal of consent, how do we envision this GDPR requirement? I do 
not see how we will ever get this working if the current status quo is 
not changing.

Art 6.1(b) can be used for companies that have a very direct customer 
relation on a small base. This is not a solution for Registrars or 
Registries when it comes to mass registrations that happen on a daily 
basis.

Thanks,

Theo


On 21-10-2017 02:41, John Bambenek via gnso-rds-pdp-wg wrote:
> Not the last few items discussed, no. That said I have been traveling 
> for the past few weeks and need to read them side by side for a 
> definitive synthesis. That aside, my primary concern is that said 
> officials are not hearing enough from the anti-abuse and security 
> community on these tools to have a more fully informed discussion. We 
> are working to rectify that.
>
> Sent from my iPad
>
> On Oct 21, 2017, at 2:35 AM, Ayden Férdeline <icann at ferdeline.com 
> <mailto:icann at ferdeline.com>> wrote:
>
>> My apologies, John. It was not clear to me that you had read the 
>> memo. I am glad to hear that you have. Particularly in relation to 
>> consent, I thought the advice that the memo contained (along with the 
>> Hamilton memo) was consistent with the advice that we received from 
>> the European Data Protection Commissioners earlier this year. Would 
>> you agree?
>>
>> —Ayden
>>
>>
>>> -------- Original Message --------
>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of 
>>> interest
>>> Local Time: 21 October 2017 1:27 AM
>>> UTC Time: 21 October 2017 00:27
>>> From: jcb at bambenekconsulting.com <mailto:jcb at bambenekconsulting.com>
>>> To: Ayden Férdeline <icann at ferdeline.com <mailto:icann at ferdeline.com>>
>>> Victoria Sheckler <vsheckler at riaa.com <mailto:vsheckler at riaa.com>>, 
>>> GNSO RDS PDP <gnso-rds-pdp-wg at icann.org 
>>> <mailto:gnso-rds-pdp-wg at icann.org>>
>>>
>>> Yes, I believe I pointed out on this very list that among other 
>>> things, the notion that EU law should reign supreme globally even 
>>> when it conflicts with local laws is patently offensive, among other 
>>> things.
>>>
>>> Is there a particular outcome that you are trying to achieve by 
>>> insinuating that I am ignorant and not reading the mounds of 
>>> paperwork generated by this group? I mean besides the continual, 
>>> consistent, and vigorous disrespect shown to those who work in 
>>> anti-abuse or security?
>>>
>>> And if you’d like an analysis of the legal memo it is this: it is 
>>> always better to take the word of the regulators over merely that of 
>>> some lawfirm. Which is what I thought we were actually talking about 
>>> in the first place.
>>>
>>>
>>>
>>> --
>>> John Bambenek
>>>
>>> On Oct 20, 2017, at 19:10, Ayden Férdeline <icann at ferdeline.com 
>>> <mailto:icann at ferdeline.com>> wrote:
>>>> John,
>>>>
>>>> Have you read the legal memo that we received from Wilson Sonsini 
>>>> Goodrich & Rosati?
>>>>
>>>> It states on page 14, "asking for consent would not be simple, 
>>>> would not solve all data protection issues, and would pose a number 
>>>> of organizational challenges."
>>>>
>>>> The rationale behind this statement is contained within the memo.
>>>>
>>>> —Ayden
>>>>
>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of 
>>>>> interest
>>>>> Local Time: 21 October 2017 1:06 AM
>>>>> UTC Time: 21 October 2017 00:06
>>>>> From: jcb at bambenekconsulting.com <mailto:jcb at bambenekconsulting.com>
>>>>> To: Ayden Férdeline <icann at ferdeline.com <mailto:icann at ferdeline.com>>
>>>>> Victoria Sheckler <vsheckler at riaa.com 
>>>>> <mailto:vsheckler at riaa.com>>, GNSO RDS PDP 
>>>>> <gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>>
>>>>>
>>>>> So, in short, if we create a consent system, we are fine.
>>>>>
>>>>> Am I missing something?
>>>>>
>>>>> --
>>>>> John Bambenek
>>>>>
>>>>> On Oct 20, 2017, at 17:31, Ayden Férdeline <icann at ferdeline.com 
>>>>> <mailto:icann at ferdeline.com>> wrote:
>>>>>> I would like to flag two extracts from this Regulation that may 
>>>>>> be relevant to our work:
>>>>>>
>>>>>>   * "The Registry should also comply with the relevant data
>>>>>>     protection rules, principles, guidelines and best practices,
>>>>>>     notably concerning the amount and type of data displayed in
>>>>>>     the WHOIS database." (page 3)
>>>>>>   * "The WHOIS database shall contain information about the
>>>>>>     holder of a domain name that is relevant and not excessive in
>>>>>>     relation to the purpose of the database. In as far as the
>>>>>>     information is not strictly necessary in relation to the
>>>>>>     purpose of the database, and *if the domain name holder is a
>>>>>>     natural person, the information that is to be made publicly
>>>>>>     available shall be subject to the unambiguous consent of the
>>>>>>     domain name holder*." (page 10 - emphasis added)
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> Ayden Férdeline
>>>>>>
>>>>>>
>>>>>>
>>>>>>> -------- Original Message --------
>>>>>>> Subject: [gnso-rds-pdp-wg] another document that might be of 
>>>>>>> interest
>>>>>>> Local Time: 20 October 2017 10:47 PM
>>>>>>> UTC Time: 20 October 2017 21:47
>>>>>>> From: vsheckler at riaa.com <mailto:vsheckler at riaa.com>
>>>>>>> To: GNSO RDS PDP <gnso-rds-pdp-wg at icann.org 
>>>>>>> <mailto:gnso-rds-pdp-wg at icann.org>>
>>>>>>>
>>>>>>>
>>>>>>> I think we missed this document when we were reviewing documents 
>>>>>>> for this WG back in the day, and thought some of you might find 
>>>>>>> it of interest given our current discussions on GDPR
>>>>>>>
>>>>>>>
>>>>>>> COMMISSION REGULATION (EC) No 874/2004 of 28 April 2004 laying 
>>>>>>> down public policy rules concerning the implementation and 
>>>>>>> functions of the .eu Top Level Domain and the principles 
>>>>>>> governing registration, available at 
>>>>>>> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> gnso-rds-pdp-wg mailing list
>>>>>> gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>
>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>
>>
>
>
