[gnso-rds-pdp-wg] Legal basis vs. lawful

Wed Feb 7 20:36:33 UTC 2018

Not to derail the conversation here and turn this into a GDPR crash 
course. But, I think the below is relevant regarding the current 
discussion.

https://gdpr-info.eu/chapter-1/

Now we discussed purposes in the past regarding scientific or historical 
whois research.
But how does that work under the GDPR?
https://gdpr-info.eu/art-89-gdpr/

So this gives us some more information on how that can work, though one 
has to keep in mind the derogations on a member state level.
I use 
https://www.twobirds.com/en/hot-topics/general-data-protection-regulation/gdpr-tracker 
to keep track regarding the derogations on a member state level (EU). 
But there are more trackers out there (ping me off list).

Again this is a straightforward tool to zoom in on the relevant articles 
and suitable recitals under the GDPR.
And if we as a group want to make the purposes to work for processing 
personal data I think it helps when look at those articles, or we will 
make the wrong assumptions. And keep in mind the GDPR originated from 
the EU 95/46 directives, and these are based on some really old data 
protection principles. I understand the desire to discuss our purposes, 
and it is natural we feel they are justified due to its history, but we 
need to get prepped for the many data protection laws that are in effect 
and make sure they match with the law.

Hope this helps,

Theo Geurts

On 7-2-2018 19:15, Ayden Férdeline wrote:
> Thanks for this explanation, Sam and Tapani. On this basis I am most 
> comfortable with the existing text; that is, any purpose must satisfy 
> at least one 'legal basis' for processing.
>
> Kind regards,
> Ayden
>
>
> -------- Original Message --------
> On 7 February 2018 4:53 PM, Sam Lanfranco <sam at lanfranco.net> wrote:
>
>> Thanks Tapani,
>>
>> I will extract from your longer message.
>> I deliberately kept my brief and less technical.
>> I think we are in agreement here and I support your position.
>>
>>
>> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>>
>> The key distinction, as I understand it, is that "lawful" would be
>>  defined by the negative, everything that some law does not prohibit,
>> where as "legal basis" is defined by the positive, only things whose
>> justification can be explicitly derived from law.
>>
>>   <......>
>>
>> So I would prefer "legal basis" specifically in this sense: that any 
>> processing
>>  would have to be explicitly based on one of the criteria, or bases, 
>> as listed
>> in GDPR Article 6, or similar explicit justification in other data 
>> protection legislation.
>>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180207/1dcf99c4/attachment.html>