[gnso-rds-pdp-wg] Joint Controller / Article 26 / Hamilton Memo

[consult at cgomes.com]

Rubens,

 

Please remember to focus your messages on the subject of RDS purposes for the time being. If you want to respond to a previously sent message, please do it off-list.

 

Chuck

 

From: gnso-rds-pdp-wg-bounces at icann.org [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Rubens Kuhl
Sent: Saturday, October 28, 2017 8:15 AM
To: michael at palage.com
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Joint Controller / Article 26 / Hamilton Memo

 

 

Michael,

 

I'll add a bit of salt to that: since ICANN contracts open up to definitions from the community to control ICANN and contracted parties, thru the consensus policies, it might possible that for GDPR effects, that the community is also considered a controller, not only ICANN. So a GDPR fine might be in all of our futures. 

 

 

Rubens

 

 

 

 

 

 

 

 

 

On Oct 26, 2017, at 1:55 AM, michael at palage.com wrote:

 

Hello All, 

 

I must admit it has been hard to keep up with the flood of recent list traffic.  However, I would like to interject a legal issue raised in the Hamilton Memo which I do not believe has been properly discussed to date. Specifically, Hamilton’s determination that both ICANN and Registration Authorities (Registries and Registrars) are Joint Controllers, see Paragraph 3.4.4 of Hamilton Memo. 

 

Article 26 of the GDPR on the issue of Joint Controller states that “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.”  For the purpose of this analysis I will focus exclusively on Registries as well as the fact that there seems to have been a lot of list traffic in connection with the recent actions of .AMSTERDAM and .FRL.  Prior to ICANN, the legacy gTLDs were thin registries. Over the years ICANN has mandated through various RFPs/Applicant Guidebooks the requirement that a TLD be operated in a thick format.   But for a Consensus Policy mandating VeriSign to convert .COM and .NET from thin to thick there was no desire or need for Verisign to have access to this data. How can parties be “joint” controllers, when one party has the unilateral right to impose its will on the other?

 

I am puzzled why Hamilton made this legal determination and whether it knew of these historical data points. I am also puzzled why Hamilton believes that ICANN as a Joint Controller can unilaterally undertake a DPIA without consultation with the other joint controllers.  I would submit that history and this action, point toward ICANN being the sole Data Controller, and “most” registries being a Data Processor. As evidenced by VeriSign, most gTLD registries do not need thick data to perform their core business functions. They are only deemed a Joint Controller because ICANN has mandated that they collect and process the PII of registrants.

 

I would welcome any additional insight on this Article 26 issue.

 

Best regards,

 

Michael

 

 

_______________________________________________
gnso-rds-pdp-wg mailing list
 <mailto:gnso-rds-pdp-wg at icann.org> gnso-rds-pdp-wg at icann.org
 <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20171028/f7a63dd7/attachment-0001.html>