[gnso-rds-pdp-wg] Legal basis vs. lawful

John Horton john.horton at legitscript.com
Mon Feb 12 18:22:22 UTC 2018


I think Greg is right on. There's simply no justification to force a law
that is only intended to apply to a) EU residents/citizens that are b)
natural persons not using the domain name for commercial purposes, to the
remaining...what? 97% - 99% of the world's registrant population? That
would be a balanced way to implement all of this.

John Horton
President and CEO, LegitScript






On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:

> I don’t know if we arrive at the same place.
>
>
>
> GDPR is based on one principle.  It states what is legal.  It's explicit
> about what you _are allowed to do_; granted there’s some flexibility and
> room for interpretation.   It’s like saying what’s inside a box.
>
>
>
> U.S. law is one based on different principles.  AFAIK U.S. consumer
> protection law does not enumerate specifically what is lawful.  Instead it
> tends to state what is illegal, what you are _not allowed to do_.   It’s
> like saying what’s outside the box.   The U.S. doesn’t have something like
> GDPR that spells out legal bases for collecting data, i.e. the enumerated
> allowable reasons.  Instead the trade and consumer protection laws
> basically say: entities have the right to form contracts between
> themselves, they should live up to the contract, don’t surprise people,
> don’t do certain dishonest things.
>
>
>
> Here's the problem: if one makes the GDPR principle the ICANN standard and
> you apply it to all registrations, then practices that are allowable in one
> place under the law (like the U.S.) would no longer be allowed there by
> ICANN policy.   ICANN would be choosing one legal approach or regime for
> everyone in the world.
>
>
>
> The alternative is to apply the GDPR only to those that it is designed to
> protect:  registrants in the EU.
>
>
>
> For example, there’s nothing in U.S. law that prohibits a U.S. registrar
> from having a contract that says publication of full contact data in WHOIS
> is  a condition of registering a domain name if you are a registrant in the
> U.S.
>
>
>
> See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/  for more.
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Silver, Bradley via
> gnso-rds-pdp-wg
> *Sent:* Friday, February 9, 2018 2:54 PM
> *To:* Volker Greimann <vgreimann at key-systems.net>;
> gnso-rds-pdp-wg at icann.org
>
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> It is true that the GDPR is prescriptive, although also rather open-ended
> (hence our current pickle).  But regardless of the term we use, don’t we
> arrive at the same place:  which is that if something that requires a legal
> basis is done without one, it will be unlawful?  Using Kathy’s example, if
> data is processed without complying with minimization or purpose
> principles, will such processing not run afoul of the law, and hence be
> unlawful?
>
>
>
> There are important distinctions between the meaning of “legal basis”
> which implies that a law requires something to be affirmatively present,
> versus “lawful”, which means that something is not prohibited by law.
> Ultimately though, isn’t “lawfulness”, the same end point, regardless?
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
> *Sent:* Friday, February 09, 2018 11:27 AM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I do not see how. Kathy's analysis seems sound. The flexibility within the
> GDPR still only allows processing in very specific circumstances, all of
> which are listed in the GDPR.
>
>
>
> Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
>
> Kathy’s analysis breaks down on a practical level when one looks at the
> GDPR and what it says about when data can be processed.  The GDPR allows
> for flexibility for what can be processed and when, and Kathy’s analysis
> overlooks that point.
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kathy Kleiman
> *Sent:* Thursday, February 8, 2018 7:07 PM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Tx for the invitation to join, Chuck, and following up on the discussion
> of Sam and Tapani, let me add that criteria for processing must be clearer
> than something broadly within ICANN's mission statement and something
> permissible somewhere. The requirements under law are express and concrete.
>
> Specifically, GDPR Article 5(1)(b and c) states:
>
>
> *Personal data shall be:*
>
> *2.    "collected for specified, explicit and legitimate purposes and not
> further processed in a manner that is incompatible with those purposes"*
> (the "purpose limitation") AND
>
> *3.    "adequate, relevant and limited to what is necessary in relation
> to the purposes for which they are processed"* (the "data minimisation"
> requirement).  [underline added]
>
> Thus, our first criteria of "consistent with ICANN's mission," is only the
> first step and we need to go further than even the 3 criteria we are
> discussing.
>
> Second, lawful and legal enter us into a debate over words and I have to
> agree with Sam and Tapani's analysis and let me add some of my own.
>
> "Legal" is the term we use for actions expressly allowed under law. How we
> process personal data under the GDPR falls into this category -- of
> processing expressly allowed under law. Whereas the term lawful is used for
> a much broader category of actions which are generally permissible and
> allowable.
>
> The term "legal" is much more consistent with our criteria statement
> because the processing of personal data by ICANN must clearly have a *valid
> legal basis* as expressly defined by data protection laws.
>
> Best regards,
> Kathy
>
> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>
> Thanks Tapani,
>
> I will extract from your longer message.
> I deliberately kept my brief and less technical.
> I think we are in agreement here and I support your position.
>
> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>
> The key distinction, as I understand it, is that "lawful" would be
>  defined by the negative, everything that some law does not prohibit,
>
> whereas "legal basis" is defined by the positive, only things whose
> justification can be explicitly derived from law.
>
>   <......>
>
> So I would prefer "legal basis" specifically in this sense: that any
> processing
>  would have to be explicitly based on one of the criteria, or bases, as
> listed
> in GDPR Article 6, or similar explicit justification in other data
> protection legislation.
>
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
>
>