[gnso-rds-pdp-wg] More mandatory reading in preparation for ICANN AD

Volker Greimann vgreimann at key-systems.net
Fri Oct 27 09:39:32 UTC 2017


A domain enables communication, but it does not mean a registrant wants 
everyone to be able to find them. They may only want a domain for a 
private individual email address, shared only with close friends. Or 
other, non-website purposes. And they still want privacy, they are just 
using that public resource for their specific purpose, without the 
intent that you are presuming.

Yes, some do want exactly what you assume, but not all.

Volker


On 26.10.2017 at 18:40, John Bambenek wrote:
> It may be PII in some legal sense because a domain or whatever may identify a person. I own BambenekConsulting.com and other domains. But the entire point of getting a domain is for the world to find you at a most basic level.
>
> If you want privacy, standing globally on a public resource and waving your hands shouting “here I am” probably doesn’t achieve your objective.
>
> --
> John Bambenek
>
>> On Oct 26, 2017, at 18:21, Theo Geurts <gtheo at xs4all.nl> wrote:
>>
>>
>> Yes, no, maybe, not sure Greg,
>>
>> If you had asked me the question does a thin WHOIS contain personal data 8 months ago, I would have said no.
>>
>> Today, I am not so sure.
>> An IP address, even a dynamic one, is considered PII. I thought that was somewhat silly, as I cannot ask an ISP to hand over the data of a user. I need a court order, which I am not going to get. Nor can I look up in a database which person used IP address xxx.xxx.xxx.xx at a certain moment in time.
>>
>> But an LEA with a court order can, as such the GDPR concludes it is PII (explained on a basic level)
>>
>> If we follow this "logic" what ICANN does with the CZDS, we could argue that a domain name is PII in certain cases, or a nameserver listed in the WHOIS could be PII.
>>
>> I think the bottom line is here, can you single out a person based on thin WHOIS data? I think you can.
>>
>> And in the age of big data, we need to be very careful when we move forward with this and not take anything for granted.
>>
>> Best
>>
>> Theo Geurts
>>
>>> On 26-10-2017 16:53, Greg Aaron wrote:
>>> Thanks for that Volker.  A note for the group: There is a statement at the beginning of the document that seems overbroad and does not seem to comport with the laws and recent legal cases in the EU.  It may have been clumsily stated.
>>>
>>> This statement is:  "In an ICANN context, even thin WHOIS data, IP addresses (including dynamic ones), metadata, etc. are to be considered personal data as the identification of an individual by using such data or by combining them with other publicly, easily accessible data is possible."
>>>
>>> That incorrectly implies that no thin data can be published.  It's wrong to state that IP addresses and other thin data "are" always personal data.
>>>
>>> The Court of Justice of the European Union has held that IP addresses and the like are "personal data" _only in certain circumstances_.   If one has no legal means of linking an IP address to the identity of its user, then that IP address is unlikely to be personal data.  The legal principle is not "all data is personally identifiable because any piece of data might potentially be connected to an individual by somebody somewhere by some means."
>>>
>>> The statement might be more accurate if it said something like:  "In an ICANN context, it should be considered in what situations thin WHOIS data, IP addresses (including dynamic ones), metadata, etc. may be personal data, namely when the identification of an individual by using such data or by combining them with other publicly, easily accessible data is possible."
>>>
>>> The CJEU recently decided that a dynamic IP address will be personal data in the hands of a website operator if:
>>> * there is another party (such as the natural person's ISP) that can link the dynamic IP address to the identity of an individual; and
>>> * the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
>>> So in that case, the IP address was "personal data" only to the ISP (who knows what IP it assigned to its natural person customer), and to the German government (which could use legal process to compel the ISP to give it info about the user who used the IP).  The IP address was not PII for everyone else.
>>> See: https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases
>>>
>>> As I've mentioned before, European TLD operators such as Nominet and SIDN have closely reviewed their legal obligations and have no issue publishing thin data.  So that's interesting.
>>>
>>> And there's the little detail that if IP and nameserver data can’t be published, then the DNS won't work.
>>>
>>> All best,
>>> --Greg
>>>
>>> **********************************
>>> Greg Aaron
>>> Vice-President, Product Management
>>> iThreat Cyber Group / Cybertoolbelt.com
>>> mobile: +1.215.858.2257
>>> **********************************
>>> The information contained in this message is privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.
>>>
>>> -----Original Message-----
>>> From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Volker Greimann
>>> Sent: Thursday, October 26, 2017 10:02 AM
>>> To: gnso-rds-pdp-wg at icann.org
>>> Subject: [gnso-rds-pdp-wg] More mandatory reading in preparation for ICANN AD
>>>
>>> The Council of Europe has just published a guide on privacy and data protection principles specifically for ICANN related data processing.
>>>
>>> TL;DR:
>>>
>>> 1) Data controller needs to define twofold purposes for processing; a) related to policy; b) for contracted parties and their agreements with data subjects.
>>>
>>> 2) Data controller is fully liable for all data processing performed in accordance with purpose statement in compliance with all applicable laws.
>>>
>>> 3) Data processed for purposes not included in purpose statement is unlawful.
>>>
>>> 4) Data processing must be limited by guiding principles of necessity, proportionality and purpose limitation
>>>
>>> 5) Data processing based on consent is practically impossible in ICANN context.
>>>
>>> 6) Personal data must not be stored for longer than absolutely necessary for the legitimate purpose pursued.
>>>
>>> 7) ICANN needs formal data transfer policy for trans-border transfers.
>>>
>>> 8) Privacy by design and default as basis for all processing considerations.
>>>
>>> --
>>> Should you have any further questions, please do not hesitate to contact us.
>>>
>>> Best regards,
>>>
>>> Volker A. Greimann
>>> - legal department -
>>>
>>> Key-Systems GmbH
>>> Im Oberen Werk 1
>>> 66386 St. Ingbert
>>> Tel.: +49 (0) 6894 - 9396 901
>>> Fax.: +49 (0) 6894 - 9396 851
>>> Email: vgreimann at key-systems.net
>>>
>>> Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
>>>
>>> Follow us on Twitter or join our fan community on Facebook and stay updated:
>>> www.facebook.com/KeySystems
>>> www.twitter.com/key_systems
>>>
>>> CEO: Alexander Siffrin
>>> Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
>>>
>>> Member of the KEYDRIVE GROUP
>>> www.keydrive.lu
>>>
>>> This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
>>>
>>>
>>>
>>> _______________________________________________
>>> gnso-rds-pdp-wg mailing list
>>> gnso-rds-pdp-wg at icann.org
>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
