[gnso-rds-pdp-wg] Legal basis vs. lawful

Tapani Tarvainen ncsg at tapani.tarvainen.info
Mon Feb 12 19:25:43 UTC 2018


On Mon, Feb 12, 2018 at 05:57:06PM +0000, Greg Aaron (gca at icginc.com) wrote:

> GDPR is based on one principle. It states what is legal. It's
> explicit about what you _are allowed to do_; granted there’s some
> flexibility and room for interpretation. It’s like saying what’s
> inside a box.

Yes. In other words, GDPR says that processing personal data is in
effect forbidden by default, only allowed when expressly allowed.

> U.S. law is one based on different principles. AFAIK U.S. consumer
> protection law does not enumerate specifically what is lawful.
> Instead it tends to state what is illegal, what you are _not allowed
> to do_. It’s like saying what’s outside the box.

Yes. There, even processing personal data is allowed by default,
whenever something doesn't explicitly forbid it.

(I note that this is how things usually work in Europe as well, but
processing personal data has deliberately been made an exception.)

> Here's the problem: if one makes the GDPR principle the ICANN
> standard and you apply it to all registrations, then practices that
> are allowable in one place under the law (like the U.S.) would no
> longer be allowed there by ICANN policy.

Would it? Regardless of what we do with RDS, I thought it'd only
mean that's what ICANN would *require*. I didn't think it'd forbid
other things.

That is, a US-based, US-only-serving registrar could go on using also
old public-to-all whois alongside the new RDS with its annoying
restrictions. Europeans would have to stick with RDS only, or add
other, GDPR-compliant things if they like. Others could add whatever
their laws allow or require.

Have I missed something? Is there a plan to put in registry agreements
something to the effect that "besides having to maintain RDS, you are
also not allowed to do anything else that would violate GDPR"?

> ICANN would be choosing one legal approach or regime for everyone in
> the world.

That ICANN would have to do in any case. If we are to have one RDS, it
must be based on one legal approach.

Moreover, it must be designed so it is usable (almost) everywhere.
So it must satisfy the strictest legal restrictions (almost) anywhere.

And EU is too big to fit in that "(almost)". Even if we ignore the
fact that quite a few other countries in the world are following EU
example here.

> The alternative is to apply the GDPR only to those that it is
> designed to protect: registrants in the EU.

In practice how?

> For example, there's nothing in U.S. law that prohibits a U.S.
> registrar from having a contract that says publication of full
> contact data in WHOIS is a condition of registering a domain name if
> you are a registrant in the U.S.

As I said I don't see how that would stop being the case.

Those registrars would have to bear the cost of maintaining two
parallel systems, RDS and WHOIS, sure.

But the alternative of allowing such registrars opt out of RDS if they
prefer WHOIS, let alone designing a new but different RDS-like system
for them, would put the burden of having to use two different systems
to all users of RDS/WHOIS. And ICANN and registries would face extra
complications as well. I don't think that'd be a good idea.

Of course the third alternative is to give up requiring anything
of the kind and let markets and legislators sort it out. In practice
I expect that'd lead to WHOIS disappearing without successor.
I don't like that idea either.

-- 
Tapani Tarvainen
