[gnso-rds-pdp-wg] another document that might be of interest

Kris Seeburn seeburn.k at gmail.com
Sat Oct 21 16:10:26 UTC 2017


Theo,

I get your point and understand this fully, and effectively it is there. I came across another assessment or self-assessment tool from Microsoft which is quite interesting and has the right questions. 

https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

This may be something we may need to rethink for sure, but any self-assessment is worthwhile and may perhaps help us redefine the move ahead.

> On Oct 21, 2017, at 19:54, theo geurts <gtheo at xs4all.nl> wrote:
> 
> A couple of pointers here for everyone and not directed at anyone specifically. 
> 
> Eurid will update their Registrar agreement soon. So perhaps it is not handy to dig into some agreement. 
> The agreement will state very clearly who will be the data controller (Registry) and the data processor (Registrar/Reseller). As all the roles are defined and PII is not available through the WHOIS, no consent is required. 
> 
> Let's dive a little into consent and the organizational "challenges."
> 
> Be specific and granular. Vague or blanket consent is not enough
> Name any third parties who will rely on the consent
> Make it easy for people to withdraw consent and tell them how
> Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity
> 
> Okay? Let's dig a little deeper into consent. 
> Consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes. 
> 
> So a registrant will have to consent to at least
> Escrow Registry to Escrow provider in country X
> Escrow Registrar to Escrow provider in country X
> Cross-border transfer of data to Registry in country X
> ICANN staff USA under set conditions must have access to Registry or Registrar RDE deposit
> ICANN staff access for audits
> Third parties selected by ICANN for audits
> Place holder for all the other stuff I am forgetting
> 
> As the PII will be published in the WHOIS, that will require consent also. But you have to warn the Registrant, so it has to be crystal clear what will happen as soon as that data becomes public. Spam, phone calls by folks trying to sell you stuff, i.e., the good stuff we all know about and encounter on a daily basis, and much more.  
> 
> In data protection, there is the fundamental principle which is unchanged even in the age of Big Data.
> The data subject has to be in control of her/his data, which means for consent that you need consent for each of the data processing activities (even for minor changes in the processing).
> 
> Now picture a domain name registration flow here. 
> We are talking over a thousand TLDs here, scattered all over the world. 
> This will not increase consumer trust for starters when it comes to gTLDs. It will be one big click fest and registration conversion will go down the drain. 
> 
> But let's assume we go this route. 
> Right to be forgotten? How do we do that when the WHOIS is scraped day and night by unknown third parties? I am not sure how we will meet this GDPR requirement. Most likely consent was not "freely" given. Perhaps part two will cover this some more. 
> 
> Withdrawal of consent, how do we envision this GDPR requirement? I do not see how we will ever get this working if the current status quo is not changing. 
> 
> Art 6.1(b) can be used for companies who have a very direct customer relation on a small base. This is not a solution for Registrars nor Registries when it comes to mass registrations that happen on a daily basis. 
> 
> Thanks, 
> 
> Theo 
> 
> 
> On 21-10-2017 02:41, John Bambenek via gnso-rds-pdp-wg wrote:
>> Not the last few items discussed, no. That said, I have been traveling for the past few weeks and need to read them side by side for a definitive synthesis. That aside, my primary concern is that said officials are not hearing enough from the anti-abuse and security community on these tools to have a more fully informed discussion. We are working to rectify that. 
>> 
>> Sent from my iPad
>> 
>> On Oct 21, 2017, at 2:35 AM, Ayden Férdeline <icann at ferdeline.com> wrote:
>> 
>>> My apologies, John. It was not clear to me that you had read the memo. I am glad to hear that you have. Particularly in relation to consent, I thought the advice that the memo contained (along with the Hamilton memo) was consistent with the advice that we received from the European Data Protection Commissioners earlier this year. Would you agree?
>>> 
>>> —Ayden
>>> 
>>> 
>>>> -------- Original Message --------
>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of interest
>>>> Local Time: 21 October 2017 1:27 AM
>>>> UTC Time: 21 October 2017 00:27
>>>> From: jcb at bambenekconsulting.com
>>>> To: Ayden Férdeline <icann at ferdeline.com>
>>>> Cc: Victoria Sheckler <vsheckler at riaa.com>, GNSO RDS PDP <gnso-rds-pdp-wg at icann.org>
>>>> 
>>>> Yes, I believe I pointed out on this very list that, among other things, the notion that EU law should reign supreme globally even when it conflicts with local laws is patently offensive, among other things. 
>>>> 
>>>> Is there a particular outcome that you are trying to achieve by insinuating that I am ignorant and not reading the mounds of paperwork generated by this group? I mean besides the continual, consistent, and vigorous disrespect shown to those who work in anti-abuse or security?
>>>> 
>>>> And if you’d like an analysis of the legal memo it is this: it is always better to take the word of the regulators over merely that of some lawfirm. Which is what I thought we were actually talking about in the first place. 
>>>> 
>>>> 
>>>> 
>>>> --
>>>> John Bambenek
>>>> 
>>>> On Oct 20, 2017, at 19:10, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>> John,
>>>>> 
>>>>> Have you read the legal memo that we received from Wilson Sonsini Goodrich & Rosati? 
>>>>> 
>>>>> It states on page 14, "asking for consent would not be simple, would not solve all data protection issues, and would pose a number of organizational challenges."
>>>>> 
>>>>> The rationale behind this statement is contained within the memo.
>>>>> 
>>>>> —Ayden
>>>>> 
>>>>> 
>>>>>> -------- Original Message --------
>>>>>> Subject: Re: [gnso-rds-pdp-wg] another document that might be of interest
>>>>>> Local Time: 21 October 2017 1:06 AM
>>>>>> UTC Time: 21 October 2017 00:06
>>>>>> From: jcb at bambenekconsulting.com
>>>>>> To: Ayden Férdeline <icann at ferdeline.com>
>>>>>> Cc: Victoria Sheckler <vsheckler at riaa.com>, GNSO RDS PDP <gnso-rds-pdp-wg at icann.org>
>>>>>> 
>>>>>> So, in short, if we create a consent system, we are fine. 
>>>>>> 
>>>>>> Am I missing something?
>>>>>> 
>>>>>> --
>>>>>> John Bambenek
>>>>>> 
>>>>>> On Oct 20, 2017, at 17:31, Ayden Férdeline <icann at ferdeline.com> wrote:
>>>>>>> I would like to flag two extracts from this Regulation that may be relevant to our work:
>>>>>>> "The Registry should also comply with the relevant data protection rules, principles, guidelines and best practices, notably concerning the amount and type of data displayed in the WHOIS database." (page 3)
>>>>>>> "The WHOIS database shall contain information about the holder of a domain name that is relevant and not excessive in relation to the purpose of the database. In as far as the information is not strictly necessary in relation to the purpose of the database, and if the domain name holder is a natural person, the information that is to be made publicly available shall be subject to the unambiguous consent of the domain name holder." (page 10 - emphasis added)
>>>>>>> Thank you, 
>>>>>>> 
>>>>>>> Ayden Férdeline
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> -------- Original Message --------
>>>>>>>> Subject: [gnso-rds-pdp-wg] another document that might be of interest
>>>>>>>> Local Time: 20 October 2017 10:47 PM
>>>>>>>> UTC Time: 20 October 2017 21:47
>>>>>>>> From: vsheckler at riaa.com
>>>>>>>> To: GNSO RDS PDP <gnso-rds-pdp-wg at icann.org>
>>>>>>>> 
>>>>>>>> 
>>>>>>>> I think we missed this document when we were reviewing documents for this WG back in the day, and thought some of you might find it of interest given our current discussions on GDPR.
>>>>>>>> 
>>>>>>>> COMMISSION REGULATION (EC) No 874/2004 of 28 April 2004 laying down public policy rules concerning the implementation and functions of the .eu Top Level Domain and the principles governing registration, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004R0874:20051011:EN:PDF
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> gnso-rds-pdp-wg mailing list
>>>>>>> gnso-rds-pdp-wg at icann.org
>>>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>> 
>>> 
>> 
>> 





Kris Seeburn
seeburn.k at gmail.com
www.linkedin.com/in/kseeburn/

