[gnso-rds-pdp-wg] Joint Controller / Article 26 / Hamilton Memo

theo geurts gtheo at xs4all.nl
Thu Oct 26 06:29:20 UTC 2017


You are right Michael.

Though there is a chance that this is covered more in depth in part 2?

Theo

On 25-10-2017 23:55, michael at palage.com wrote:
>
> Hello All,
>
> I must admit it has been hard to keep up with the flood of recent list 
> traffic.  However, I would like to interject a legal issue raised in 
> the Hamilton Memo which I do not believe has been properly discussed 
> to date. Specifically, Hamilton’s determination that both ICANN and 
> Registration Authorities (Registries and Registrars) are Joint 
> Controllers, see Paragraph 3.4.4 of Hamilton Memo.
>
> Article 26 of the GDPR on the issue of Joint Controller states that 
> “Where two or more controllers jointly determine the purposes and 
> means of processing, they shall be joint controllers.”  For the 
> purpose of this analysis I will focus exclusively on Registries as 
> well as the fact that there seems to have been a lot of list traffic 
> in connection with the recent actions of .AMSTERDAM and .FRL.  Prior 
> to ICANN, the legacy gTLDs were thin registries. Over the years ICANN 
> has mandated through various RFPs/Applicant Guidebooks the requirement 
> that a TLD be operated in a thick format. But for a Consensus Policy
> mandating VeriSign to convert .COM and .NET from thin to thick there 
> was no desire or need for Verisign to have access to this data. How 
> can parties be “joint” controllers, when one party has the unilateral 
> right to impose its will on the other?
>
> I am puzzled why Hamilton made this legal determination and whether it 
> knew of these historical data points. I am also puzzled why Hamilton 
> believes that ICANN as a Joint Controller can unilaterally undertake a 
> DPIA without consultation with the other joint controllers.  I would 
> submit that history and this action point toward ICANN being the sole
> Data Controller, and “most” registries being a Data Processor. As 
> evidenced by VeriSign, most gTLD registries do not need thick data to 
> perform their core business functions. They are only deemed a Joint 
> Controller because ICANN has mandated that they collect and process 
> the PII of registrants.
>
> I would welcome any additional insight on this Article 26 issue.
>
> Best regards,
>
> Michael
