[gnso-rds-pdp-wg] another document that might be of interest

nathalie coupet nathaliecoupet at yahoo.com
Mon Oct 23 21:02:51 UTC 2017


@Michele,
Thank you Michele for meeting me half way. It's difficult to understand and explain what is going on with DNS resolution, WHOIS and who is involved with whom based on what contract. We are in the process of launching a new website. We didn't know who the web hosting company was nor the identity of the registrant (there were so many volunteers who were handling website issues, that nobody knows who did what). Our new tech person looked up the information and found out the name of the web hosting company. But we don't know who the registrant is. This query was then sent to the web hosting company. Our tech person wanted to have both websites (the new one and the old) to show us the difference. Does that make sense? Second question: Is this relevant to our work? :) 

@All:
With regards to the process and treatment of consent, two US laws seem particularly relevant.
The Gramm-Leach-Bliley Act (GLBA) - the Financial Modernization Act of 1999, to govern the collection, disclosure and protection of the personal information gathered by financial institutions about their customers. 
3 sections:
1) Financial Privacy Rule (collection and disclosure)
2) Safeguards Rule (security program)
3) Pretexting provisions (forbids looking up PPI on any pretext or to help out people = definition of purposes for looking up information, regulates human behavior) + financial institutions to give customers written privacy notices that explain their information-sharing practices. Privacy Policy Agreement between the company and the customer.
The GLB Act provides no opt-out right in several situations:
- a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;
- the disclosure is legally required;
- a financial institution shares customer data with outside service providers that market the financial company's products or services
The Fair Credit Reporting Act (FCRA) is a federal law enacted to regulate the collection, dissemination and use of consumer info, including consumer credit information. It is responsible for the 'opt-out' option. Safeguards Rule = financial management must develop a written information security plan:
1) what information is non-public and confidential
2) what information is considered improper to release
3) what is considered a serious risk to the organization's interests or its security, or to its customers, employees or vendors.
4) what the compliance implications would be according to the GLBA requirements.
So, if we apply this legislation to WHOIS data, would safeguards developed by ICANN and other data processors/collectors suffice to solve the legitimate use problem, as affirmed by John Bambenek? Could the 'no opt-out' option be counterbalanced by a rigorous security information plan and even replace the need to obtain consent for each and every transaction? This would ensure stability and availability of the data, temper the effects of the 'right to be forgotten' on the availability of services and ensure technical continuity. (I hope this is relevant. :)

Nathalie

    On Monday, October 23, 2017 11:15 AM, John Bambenek via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:
 

 +1. This is truth. 

--
John Bambenek

> On Oct 23, 2017, at 09:53, Paul Keating <Paul at law.es> wrote:
> 
> The only thing I can agree with in this email is that DPAs indeed are
> behind the curve and struggling to understand the scope of the GDPR.  They
> are only now starting to entertain comments from businesses impacted by
> the regulation.  They are trying to understand but are understaffed.
> 
> Paul
> 
> On 10/22/17, 5:41 PM, "Rubens Kuhl" <gnso-rds-pdp-wg-bounces at icann.org on
> behalf of rubensk at nic.br> wrote:
> 
>> 
>>> On Oct 22, 2017, at 11:38 AM, John Bambenek via gnso-rds-pdp-wg
>>> <gnso-rds-pdp-wg at icann.org> wrote:
>>> 
>>> I would argue that their views are uninformed on other points of view
>>> or other changes that could be made that would satisfy their objectives
>>> which is similar but has important differences. So I disagree we are at
>>> the point we are violating EU law.
>> 
>> Unfortunately we are already violating EU law. We are only not being
>> sanctioned for it, because the law specifies an adjusting period. Just read
>> all the legal memos we already got.
>> 
>>> EU DPAs may never change their mind.
>> 
>> EU courts are a viable way to make government officials change their
>> mind, if you think that's a matter of interpretation.
>> 
>>> I'll just get US law changed so that US entities offering domains have
>>> to list ownership information which means most if not all of the gTLDs I
>>> care about if not ICANN also.
>> 
>> You know that Verisign, Facebook and Amazon already have subsidiaries in
>> EU, right? And they can move their contracts there if being in the US
>> becomes a competitive handicap?
>> 
>>> We aren't there yet because the DPAs are only starting to hear from us.
>>> Until now these discussions were populated by ICANN and
>>> registrars/registries who want whois to go away anyway.
>> 
>> Frankly, registries and registrars couldn't care less about WHOIS. It's
>> just a cost of doing business. The real battle here is between
>> registrants on one side, and affected parties on the other. The balance
>> always favoured affected parties from the beginning, and people got used
>> to it; now that new laws are moving the needle towards registrants, there
>> is resistance among those that got used to being favoured.
>> 
>> 
>>> 
>>> This solitary focus on EU law presupposes that people believe that of
>>> the laws of the ~200 countries in the world, it is EU law that should be
>>> the controlling force of internet governance. Is that what you are
>>> saying?
>> 
>> 
>> EU privacy law is just the first of many laws pointing in a similar
>> direction, so it's not just a matter of following one jurisdiction, it's
>> about following a trend.
>> 
>> 
>> Rubens
>> 
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> 
> 
