[gnso-rds-pdp-wg] Joint Controller / Article 26 / Hamilton Memo
theo geurts
gtheo at xs4all.nl
Thu Oct 26 06:29:20 UTC 2017
You are right Michael.
Though there is a chance that this is covered more in-depth in part 2?
Theo
On 25-10-2017 23:55, michael at palage.com wrote:
>
> Hello All,
>
> I must admit it has been hard to keep up with the flood of recent list
> traffic. However, I would like to interject a legal issue raised in
> the Hamilton Memo which I do not believe has been properly discussed
> to date. Specifically, Hamilton’s determination that both ICANN and
> Registration Authorities (Registries and Registrars) are Joint
> Controllers, see Paragraph 3.4.4 of Hamilton Memo.
>
> Article 26 of the GDPR on the issue of Joint Controller states that
> “Where two or more controllers jointly determine the purposes and
> means of processing, they shall be joint controllers.” For the
> purpose of this analysis I will focus exclusively on Registries as
> well as the fact that there seems to have been a lot of list traffic
> in connection with the recent actions of .AMSTERDAM and .FRL. Prior
> to ICANN, the legacy gTLDs were thin registries. Over the years ICANN
> has mandated through various RFPs/Applicant Guidebooks the requirement
> that a TLD be operated in a thick format. But for a Consensus Policy
> mandating VeriSign to convert .COM and .NET from thin to thick there
> was no desire or need for Verisign to have access to this data. How
> can parties be “joint” controllers, when one party has the unilateral
> right to impose its will on the other?
>
> I am puzzled why Hamilton made this legal determination and whether it
> knew of these historical data points. I am also puzzled why Hamilton
> believes that ICANN as a Joint Controller can unilaterally undertake a
> DPIA without consultation with the other joint controllers. I would
> submit that history and this action, point toward ICANN being the sole
> Data Controller, and “most” registries being a Data Processor. As
> evidenced by VeriSign, most gTLD registries do not need thick data to
> perform their core business functions. They are only deemed a Joint
> Controller because ICANN has mandated that they collect and process
> the PII of registrants.
>
> I would welcome any additional insight on this Article 26 issue.
>
> Best regards,
>
> Michael
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171026/3d0921d7/attachment.html>
More information about the gnso-rds-pdp-wg
mailing list