[gnso-rds-pdp-wg] Legal basis vs. lawful

Chuck consult at cgomes.com
Mon Feb 12 21:07:18 UTC 2018


Tapani,

It seems to me that it is possible to have 'one RDS' that includes gated access to accommodate different requirements by jurisdiction.  RDAP certainly allows for this; it might get complicated, but I think it is possible.

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Tapani Tarvainen
Sent: Monday, February 12, 2018 11:26 AM
To: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

On Mon, Feb 12, 2018 at 05:57:06PM +0000, Greg Aaron (gca at icginc.com) wrote:

> GDPR is based on one principle. It states what is legal. It's explicit 
> about what you _are allowed to do_; granted there’s some flexibility 
> and room for interpretation. It’s like saying what’s inside a box.

Yes. In other words, GDPR says that processing personal data is in effect forbidden by default, only allowed when expressly allowed.

> U.S. law is one based on different principles. AFAIK U.S. consumer 
> protection law does not enumerate specifically what is lawful.
> Instead it tends to state what is illegal, what you are _not allowed 
> to do_. It’s like saying what’s outside the box.

Yes. There even processing personal data is allowed by default, whenever something doesn't explicitly forbid it.

(I note that this is how things usually work in Europe as well, but processing personal data has deliberately been made an exception.)

> Here's the problem: if one makes the GDPR principle the ICANN standard 
> and you apply it to all registrations, then practices that are 
> allowable in one place under the law (like the U.S.) would no longer 
> be allowed there by ICANN policy.

Would it? Regardless of what we do with RDS, I thought it'd only mean that's what ICANN would *require*. I didn't think it'd forbid other things.

That is, a US-based, US-only-serving registrar could go on using also old public-to-all whois alongside the new RDS with its annoying restrictions. Europeans would have to stick with RDS only, or add other, GDPR-compliant things if they like. Others could add whatever their laws allow or require.

Have I missed something? Is there a plan to put in registry agreements something to the effect that "besides having to maintain RDS, you are also not allowed to do anything else that would violate GDPR"?

> ICANN would be choosing one legal approach or regime for everyone in 
> the world.

That ICANN would have to do in any case. If we are to have one RDS, it must be based on one legal approach.

Moreover, it must be designed so it is usable (almost) everywhere.
So it must satisfy the strictest legal restrictions (almost) anywhere.

And EU is too big to fit in that "(almost)". Even if we ignore the fact that quite a few other countries in the world are following EU example here.

> The alternative is to apply the GDPR only to those that it is designed 
> to protect: registrants in the EU.

In practice how?

> For example, there's nothing in U.S. law that prohibits a U.S.
> registrar from having a contract that says publication of full contact 
> data in WHOIS is a condition of registering a domain name if you are a 
> registrant in the U.S.

As I said I don't see how that would stop being the case.

Those registrars would have to bear the cost of maintaining two parallel systems, RDS and WHOIS, sure.

But the alternative of allowing such registrars to opt out of RDS if they prefer WHOIS, let alone designing a new but different RDS-like system for them, would put the burden of having to use two different systems on all users of RDS/WHOIS. And ICANN and registries would face extra complications as well. I don't think that'd be a good idea.

Of course the third alternative is to give up requiring anything of the kind and let markets and legislators sort it out. In practice I expect that'd lead to WHOIS disappearing without successor.
I don't like that idea either.

--
Tapani Tarvainen