[gnso-rds-pdp-wg] Legal basis vs. lawful

Mon Feb 12 22:54:56 UTC 2018

+1 (Bradley)

John Horton
President and CEO, LegitScript

*Follow LegitScript*: LinkedIn
<http://www.linkedin.com/company/legitscript-com>  |  Facebook
<https://www.facebook.com/LegitScript>  |  Twitter
<https://twitter.com/legitscript>  |  *Blog <http://blog.legitscript.com/>*
  |  Newsletter <http://go.legitscript.com/Subscription-Management.html>

On Mon, Feb 12, 2018 at 2:53 PM, Silver, Bradley via gnso-rds-pdp-wg <
gnso-rds-pdp-wg at icann.org> wrote:

> It is not possible to create one policy that would comply with every legal
> requirement in the world.  In creating a framework for a future RDS, we
> will certainly need to be mindful of some basic rules, including the GDPR.
> I have not read any comments to suggest that we should ignore the GDPR, but
> rather that the positive obligations under the GDPR should not be made
> mandatory for the rest of the world.  Those that need to comply with the
> GDPR, should.  And those that do not, can choose what level of protection
> to apply.   I am concerned that the vision Volker outlines is a maximalist
> approach which would turn ICANN into a quasi-data protection regulator.
> Some flexibility needs to remain for differing levels of data protection
> standards to be applied in accordance with national laws.
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On
> Behalf Of *Volker Greimann
> *Sent:* Monday, February 12, 2018 5:30 PM
> *To:* Michael Palage
>
> *Cc:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Michael is right. ICANN iOS based on the thought of “One World; one
> Internet”. This also means that the policies it creates should be
> universally applicable to all registrations, if possible. IF we start
> creating policy that diverges, that would only lead to further
> fragmentation and undermine the founding ideal of ICANN itself. Our aim
> should be to create one policy that can be applied to all or most
> registrations and that can be implemented by all registrars alike.
>
>
>
> While we will likely have a certain amount of fragmentation following May
> 25 as each contracted party applies its own solution, it should be our goal
> to overcome this and present a new unified policy that works for all
> contracted parties.
>
>
>
> Volker
>
>
>
>
>
>
>
> On 12. Feb 2018, at 20:27, Michael Palage <michael at palage.com> wrote:
>
>
>
> Greg/John,
>
>
>
> I will respectfully push back on your legal over simplification of the
> GDPR.
>
>
>
> The exterritorial aspect of the GDPR set forth in Article 3 is NOT just
> limited to EU residents/citizens.  As Michele has noted in the past, the
> GDPR requires BlackKnight as an Irish legal entity to protect all of its
> customers data (EU/Non-EU) in compliance with GDPR, as well as US entities
> that target and conduct business within the EU.
>
>
>
> Now your points about the distinction between natural and legal persons is
> a fair one and one that has been noted in EU and Art 29 communications.
> Could you please share the basis of your proposition that 97% of all domain
> name registrations are registered by legal entities.
>
>
>
> As I have note previously the long term viability of the ICANN
> multi-stakeholder model is at risk as national governments continue to pass
> national laws that impact the operation of the Internet.  However, the
> European Union is NOT alone in advancing Privacy Legislation, in fact data
> localization is perhaps the next biggest lurking threat to the domain name
> system.
>
>
>
> Best regards,
>
>
>
> Michael
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *John Horton via
> gnso-rds-pdp-wg
> *Sent:* Monday, February 12, 2018 1:22 PM
> *To:* Greg Aaron <gca at icginc.com>
> *Cc:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I think Greg is right on. There's simply no justification to force a law
> that is only intended to apply to a) EU residents/citizens that are b)
> natural persons not using the domain name for commercial purposes, to the
> remaining...what? 97% - 99% of the world's registrant population? That
> would be a balanced way to implement all of this.
>
>
> John Horton
> President and CEO, LegitScript
>
>
>
> *Follow* *LegitScript*: LinkedIn
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company_legitscript-2Dcom&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=TkcTruRlBOGrvEsR27fqEno1HOr-jnFQDpjT8xqpGJ8&e=>
> |  Facebook
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_LegitScript&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=UjUGQgqEEXVmv30ZOs0iJ_fNtmSK07ZE1lSRTQjye6M&e=>
> |  Twitter
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_legitscript&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=u3pXmHBB6r4ryKPZO0scj1on6NzerGmw-iJDG9IM1ss&e=>
> |  *Blog
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.legitscript.com_&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=R1Q9_i0UnQSUOZ2OgFHABqiOsMEm6gjqZ9OiKlYbv4k&e=>*
>   |  Newsletter
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__go.legitscript.com_Subscription-2DManagement.html&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=sfx0vnwDqBiFnRTa9uh09B6xzmvC4FiRzyH_et4YrHs&e=>
>
>
>
>
>
> On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:
>
> I don’t know if we arrive at the same place.
>
>
>
> GDPR is based on one principle.  It states what is legal.  It's explicit
> about what you _are allowed to do_; granted there’s some flexibility and
> room for interpretation.   It’s like saying what’s inside a box.
>
>
>
> U.S. law is one based on different principles.  AFAIK U.S. consumer
> protection law does not enumerate specifically what is lawful.  Instead it
> tends to state what is illegal, what you are _not allowed to do_.   It’s
> like saying what’s outside the box.   The U.S. doesn’t have something like
> GDPR that spells out legal bases for collecting data, i.e. the enumerated
> allowable reasons.  Instead the trade and consumer protection laws
> basically say: entities have the right to form contracts between
> themselves, they should live up to the contract, don’t surprise people,
> don’t do certain dishonest things.
>
>
>
> Here's the problem: if one makes the GDPR principle the ICANN standard and
> you apply it to all registrations, then practices that are allowable in one
> place under the law (like the U.S.) would no longer be allowed there by
> ICANN policy.   ICANN would be choosing one legal approach or regime for
> everyone in the world.
>
>
>
> The alternative is to apply the GDRP only to those that it is designed to
> protect:  registrants in the EU.
>
>
>
> For example, there’s nothing in U.S. law that prohibits a U.S. registrar
> from having a contract that says publication of full contact data in WHOIS
> is  a condition of registering a domain name if you are a registrant in the
> U.S.
>
>
>
> See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__iapp.org_news_a_explaining-2Dthe-2Dgdpr-2Dto-2Dan-2Damerican_&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=zfWvOaNveiu295fSGLGMpOBktuK2oZQcRYFQhLVeaCs&e=>
> for more.
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Silver, Bradley via
> gnso-rds-pdp-wg
> *Sent:* Friday, February 9, 2018 2:54 PM
> *To:* Volker Greimann <vgreimann at key-systems.net>; g
> nso-rds-pdp-wg at icann.org
>
>
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> It is true that the GDPR is prescriptive, although also rather open-ended
> (hence our current pickle).  But regardless of the term we use, don’t we
> arrive at the same place:  which is that if something that requires a legal
> basis is done without one, it will be unlawful?  Using Kathy’s example, if
> data is processed without complying with minimization or purpose
> principles, will such processing not run afoul of the law, and hence be
> unlawful?
>
>
>
> There are important distinctions between the meaning of “legal basis”
> which implies that a law requires something to be affirmatively present,
> versus “lawful”, which means that something is not prohibited by law.
> Ultimately though, isn’t “lawfulness”, the same end point, regardless?
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
> *Sent:* Friday, February 09, 2018 11:27 AM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I do not see how. Kathy's analysis seems sound. The flexibility within the
> GDPR still only allows processing in very specific cicumstances, all of
> which are listed in the GDPR.
>
>
>
> Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
>
> Kathy’s analysis breaks down on a practical level when one looks at the
> GDPR and what it says about when data can be processed.  The GDPR allows
> for flexibility for what can be processed and when, and kathy’s analysis
> overlooks that point.
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kathy Kleiman
> *Sent:* Thursday, February 8, 2018 7:07 PM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Tx for the invitation to join, Chuck, and following up on the discussion
> of Sam and Tapani, let me add that criteria for processing must be clearer
> than something broadly within ICANN's mission statement and something
> permissible somewhere. The requirements under law are express and concrete.
>
>
> Specifically, GDPR Article 5(1)(b and c) states:
>
>
> *Personal data shall be:  2.    "collected for specified, explicit and
> legitimate purposes and not further processed in a manner that is
> incompatible with those purposes"* (the "purpose limitation") AND
> * 3.    "adequate, relevant and limited to what is necessary in relation
> to the purposes for which they are processed"* (the "data minimisation"
> requirement).  [underline added]
>
> Thus, our first criteria of "consistent with ICANN's mission," is only the
> first step and we need to go further than even the 3 criteria we are
> discussing..
>
> Second, lawful and legal enter us into a debate over words and I have to
> agree with Sam and Tapani's analysis and let me add some of my own.
>
> "Legal" is the term we use for actions expressly allowed under law. How we
> process personal data under the GDRP falls into this category -- of
> processing expressly allowed under law. Whereas the term lawful is used for
> a much broader category of actions which are generally permissible and
> allowable.
>
> The term "legal" is much more consistent with our criteria statement
> because the processing of personal data by ICANN must clearly have a *valid
> legal basis* as expressly defined by data protection laws.
>
> Best regards,
> Kathy
>
> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>
> Thanks Tapani,
>
> I will extract from your longer message.
> I deliberately kept my brief and less technical.
> I think we are in agreement here and I support your position.
>
> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>
> The key distinction, as I understand it, is that "lawful" would be
>  defined by the negative, everything that some law does not prohibit,
>
> where as "legal basis" is defined by the positive, only things whose
> justification can be explicitly derived from law.
>
>   <......>
>
> So I would prefer "legal basis" specifically in this sense: that any
> processing
>  would have to be explicitly based on one of the criteria, or bases, as
> listed
> in GDPR Article 6, or similar explicit justification in other data
> protection legislation.
>
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=>
>
>
>
>
>
> _______________________________________________
>
> gnso-rds-pdp-wg mailing list
>
> gnso-rds-pdp-wg at icann.org
>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKaCgA_X_fyTE&e=>
>
>
> ------------------------------
>
>
>
> * Reminder: Any email that requests your login credentials or that asks
> you to click on a link could be a phishing attack.  If you have any
> questions regarding the authenticity of this email or its sender, please
> contact the IT Service Desk at 212.484.6000 <(212)%20484-6000> or via email
> at **ITServices at timewarner.com* <ITServices at timewarner.com>
> ------------------------------
>
> This message is the property of Time Warner Inc. and is intended only for
> the use of the addressee(s) and may be legally privileged and/or
> confidential. If the reader of this message is not the intended recipient,
> or the employee or agent responsible to deliver it to the intended
> recipient, he or she is hereby notified that any dissemination,
> distribution, printing, forwarding, or any method of copying of this
> information, and/or the taking of any action in reliance on the information
> herein is strictly prohibited except by the intended recipient or those to
> whom he or she intentionally distributes this message. If you have received
> this communication in error, please immediately notify the sender, and
> delete the original message and any copies from your computer or storage
> system. Thank you.
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=0qhW8UHVF7jgIiAXZv5P89-LYHkUtvv7JUSwpaXbH68&e=>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=QEQYp9klQ038q8ruZ41RZmKAmwlq_vibuO9QeiRyjoo&s=0qhW8UHVF7jgIiAXZv5P89-LYHkUtvv7JUSwpaXbH68&e=>
>
>
>
> --
> Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
>
> Mit freundlichen Grüßen,
>
> Volker A. Greimann
> - Rechtsabteilung -
>
> Key-Systems GmbH
> Im Oberen Werk 1
> 66386 St. Ingbert
> Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901>
> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851>
> Email: vgreimann at key-systems.net <vgreimann at key-systems.net>
>
> Web: www.key-systems.net / www.RRPproxy.net
> www.domaindiscount24.com / www.BrandShelter.com
>
> Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
> www.facebook.com/KeySystems
> www.twitter.com/key_systems
>
> Geschäftsführer: Alexander Siffrin
> Handelsregister Nr.: HR B 18835 - Saarbruecken
> Umsatzsteuer ID.: DE211006534
>
> Member of the KEYDRIVE GROUP
> www.keydrive.lu
>
> Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen
> Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder
> Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese
> Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per
> E-Mail oder telefonisch in Verbindung zu setzen.
>
> --------------------------------------------
>
> Should you have any further questions, please do not hesitate to contact
> us.
>
> Best regards,
>
> Volker A. Greimann
> - legal department -
>
> Key-Systems GmbH
> Im Oberen Werk 1
> 66386 St. Ingbert
> Tel.: +49 (0) 6894 - 9396 901 <+49%206894%209396901>
> Fax.: +49 (0) 6894 - 9396 851 <+49%206894%209396851>
> Email: vgreimann at key-systems.net
>
> Web: www.key-systems.net / www.RRPproxy.net
> www.domaindiscount24.com / www.BrandShelter.com
>
> Follow us on Twitter or join our fan community on Facebook and stay
> updated:
> www.facebook.com/KeySystems
> www.twitter.com/key_systems
>
> CEO: Alexander Siffrin
> Registration No.: HR B 18835 - Saarbruecken
> V.A.T. ID.: DE211006534
>
> Member of the KEYDRIVE GROUP
> www.keydrive.lu
>
> This e-mail and its attachments is intended only for the person to whom it
> is addressed. Furthermore it is not permitted to publish any content of
> this email. You must not use, disclose, copy, print or rely on this e-mail.
> If an addressing or transmission error has misdirected this e-mail, kindly
> notify the author by replying to this e-mail or contacting us by telephone.
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180212/35799309/attachment-0001.html>