[gnso-rds-pdp-wg] Legal basis vs. lawful
Alan Greenberg
alan.greenberg at mcgill.ca
Tue Feb 13 15:04:01 UTC 2018
[I really wish that when a topic morphs, the Subject line be adjusted!]
GDPR is one set of rules (potentially with
multiple interpretations by the various privacy
commissioners). Other jurisdictions may have
other rules, perhaps with stronger privacy,
perhaps less. There is nothing to say that one
country might not set rules saying that all
domain names must have full (current) WHOIS
information public, and we would have to comply,
allowing registrars/registries in that country to follow their local law.
Yes, it is an ugly world and such a rule may well
cause registrars/registries to set up business in
that country, or NOT set up business there. And
registrants might select them or avoid them.
Alan
At 13/02/2018 08:57 AM, Volker Greimann wrote:
>I am afraid that if we create different policies
>for different regions, we will break the model,
>encourage forum shopping and encourage
>firewalling of entire geographic sections of the
>net. I hope that is not what we are doing here.
>
>GDPR will cause some breakage of this and I see
>it as our mission to fix this breakage of the
>standard by proposing a unified model once again.
>
>Ultimately, if this solution does what the EU
>has been asking for, e.g. protect legitimate use
>cases of registration data as well as the rights
>of the data subjects, there is no reason why it
>should not be universally applicable.
>
>Best,
>
>Volker
>
>Am 13.02.2018 um 00:04 schrieb Chuck:
>>Volker,
>>
>>The WG could recommend policies that are
>>‘universally applicable to all
>>registrations’ but I seriously doubt that
>>will happen in today’s world. That would be
>>much simpler than policies that vary by region and users, but is it realistic?
>>
>>Chuck
>>
>>From: gnso-rds-pdp-wg
>>[<mailto:gnso-rds-pdp-wg-bounces at icann.org>mailto:gnso-rds-pdp-wg-bounces at icann.org]
>>On Behalf Of Volker Greimann
>>Sent: Monday, February 12, 2018 2:30 PM
>>To: Michael Palage <mailto:michael at palage.com><michael at palage.com>
>>Cc: <mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>Michael is right. ICANN iOS based on the
>>thought of “One World; one Internetâ€. This
>>also means that the policies it creates should
>>be universally applicable to all registrations,
>>if possible. IF we start creating policy that
>>diverges, that would only lead to further
>>fragmentation and undermine the founding ideal
>>of ICANN itself. Our aim should be to create
>>one policy that can be applied to all or most
>>registrations and that can be implemented by all registrars alike.
>>
>>While we will likely have a certain amount of
>>fragmentation following May 25 as each
>>contracted party applies its own solution, it
>>should be our goal to overcome this and present
>>a new unified policy that works for all contracted parties.
>>
>>Volker
>>
>>
>>
>>On 12. Feb 2018, at 20:27, Michael Palage
>><<mailto:michael at palage.com>michael at palage.com> wrote:
>>
>>Greg/John,
>>
>>I will respectfully push back on your legal over simplification of the GDPR.
>>
>>The exterritorial aspect of the GDPR set forth
>>in Article 3 is NOT just limited to EU
>>residents/citizens. As Michele has noted in
>>the past, the GDPR requires BlackKnight as an
>>Irish legal entity to protect all of its
>>customers data (EU/Non-EU) in compliance with
>>GDPR, as well as US entities that target and conduct business within the EU.
>>
>>Now your points about the distinction between
>>natural and legal persons is a fair one and one
>>that has been noted in EU and Art 29
>>communications. Could you please share the
>>basis of your proposition that 97% of all
>>domain name registrations are registered by legal entities.
>>
>>As I have note previously the long term
>>viability of the ICANN multi-stakeholder model
>>is at risk as national governments continue to
>>pass national laws that impact the operation of
>>the Internet. However, the European Union is
>>NOT alone in advancing Privacy Legislation, in
>>fact data localization is perhaps the next
>>biggest lurking threat to the domain name system.
>>
>>Best regards,
>>
>>Michael
>>
>>
>>
>>
>>
>>
>>From: gnso-rds-pdp-wg
>>[<mailto:gnso-rds-pdp-wg-bounces at icann.org>mailto:gnso-rds-pdp-wg-bounces at icann.org]
>>On Behalf Of John Horton via gnso-rds-pdp-wg
>>Sent: Monday, February 12, 2018 1:22 PM
>>To: Greg Aaron <<mailto:gca at icginc.com>gca at icginc.com>
>>Cc: <mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>I think Greg is right on. There's simply no
>>justification to force a law that is only
>>intended to apply to a) EU residents/citizens
>>that are b) natural persons not using the
>>domain name for commercial purposes, to the
>>remaining...what? 97% - 99% of the world's
>>registrant population? That would be a balanced way to implement all of this.
>>John Horton
>>President and CEO, LegitScript
>>
>>Follow LegitScript:
>><http://www.linkedin.com/company/legitscript-com>LinkedIn
>>|
>><https://www.facebook.com/LegitScript>Facebook
>>| <https://twitter.com/legitscript>Twitter |
>><http://blog.legitscript.com/>Blog |
>><http://go.legitscript.com/Subscription-Management.html>Newsletter
>>
>>
>>On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron
>><<mailto:gca at icginc.com>gca at icginc.com> wrote:
>>I don’t know if we arrive at the same place.
>>
>>GDPR is based on one principle. It states what
>>is legal. It's explicit about what you _are
>>allowed to do_; granted there’s some
>>flexibility and room for
>>interpretation. It’s like saying what’s inside a box.
>>
>>U.S. law is one based on different
>>principles. AFAIK U.S. consumer protection law
>>does not enumerate specifically what is
>>lawful. Instead it tends to state what is
>>illegal, what you are _not allowed to
>>do_. It’s like saying what’s outside the
>>box. The U.S. doesn’t have something like
>>GDPR that spells out legal bases for collecting
>>data, i.e. the enumerated allowable
>>reasons. Instead the trade and consumer
>>protection laws basically say: entities have
>>the right to form contracts between themselves,
>>they should live up to the contract, don’t
>>surprise people, don’t do certain dishonest things.
>>
>>Here's the problem: if one makes the GDPR
>>principle the ICANN standard and you apply it
>>to all registrations, then practices that are
>>allowable in one place under the law (like the
>>U.S.) would no longer be allowed there by ICANN
>>policy. ICANN would be choosing one legal
>>approach or regime for everyone in the world.
>>
>>The alternative is to apply the GDRP only to
>>those that it is designed to protect: registrants in the EU.
>>
>>For example, there’s nothing in U.S. law that
>>prohibits a U.S. registrar from having a
>>contract that says publication of full contact
>>data in WHOIS is a condition of registering a
>>domain name if you are a registrant in the U.S.
>>
>>See
>><https://iapp.org/news/a/explaining-the-gdpr-to-an-american/>https://iapp.org/news/a/explaining-the-gdpr-to-an-american/
>>for more.
>>
>>
>>
>>From: gnso-rds-pdp-wg
>>[<mailto:gnso-rds-pdp-wg-bounces at icann.org>mailto:gnso-rds-pdp-wg-bounces at icann.org]
>>On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
>>Sent: Friday, February 9, 2018 2:54 PM
>>To: Volker Greimann
>><<mailto:vgreimann at key-systems.net>vgreimann at key-systems.net>;
>><mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>It is true that the GDPR is prescriptive,
>>although also rather open-ended (hence our
>>current pickle). But regardless of the term we
>>use, don’t we arrive at the same
>>place: which is that if something that
>>requires a legal basis is done without one, it
>>will be unlawful? Using Kathy’s example, if
>>data is processed without complying with
>>minimization or purpose principles, will such
>>processing not run afoul of the law, and hence be unlawful?
>>
>>There are important distinctions between the
>>meaning of “legal basis†which implies that
>>a law requires something to be affirmatively
>>present, versus “lawfulâ€, which means that
>>something is not prohibited by law. Ultimately
>>though, isn’t “lawfulnessâ€, the same end point, regardless?
>>
>>From: gnso-rds-pdp-wg
>>[<mailto:gnso-rds-pdp-wg-bounces at icann.org>mailto:gnso-rds-pdp-wg-bounces at icann.org]
>>On Behalf Of Volker Greimann
>>Sent: Friday, February 09, 2018 11:27 AM
>>To: <mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>I do not see how. Kathy's analysis seems sound.
>>The flexibility within the GDPR still only
>>allows processing in very specific
>>cicumstances, all of which are listed in the GDPR.
>>
>>Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
>>Kathy’s analysis breaks down on a practical
>>level when one looks at the GDPR and what it
>>says about when data can be processed. The
>>GDPR allows for flexibility for what can be
>>processed and when, and kathy’s analysis overlooks that point.
>>
>>From: gnso-rds-pdp-wg
>>[<mailto:gnso-rds-pdp-wg-bounces at icann.org>mailto:gnso-rds-pdp-wg-bounces at icann.org]
>>On Behalf Of Kathy Kleiman
>>Sent: Thursday, February 8, 2018 7:07 PM
>>To: <mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>Tx for the invitation to join, Chuck, and
>>following up on the discussion of Sam and
>>Tapani, let me add that criteria for processing
>>must be clearer than something broadly within
>>ICANN's mission statement and something
>>permissible somewhere. The requirements under law are express and concrete.
>>Specifically, GDPR Article 5(1)(b and c) states:
>>Personal data shall be:
>>2. "collected for specified, explicit and
>>legitimate purposes and not further processed
>>in a manner that is incompatible with those
>>purposes" (the "purpose limitation") AND
>>3. "adequate, relevant and limited to what
>>is necessary in relation to the purposes for
>>which they are processed" (the "data
>>minimisation" requirement). [underline added]
>>Thus, our first criteria of "consistent with
>>ICANN's mission," is only the first step and we
>>need to go further than even the 3 criteria we are discussing..
>>Second, lawful and legal enter us into a debate
>>over words and I have to agree with Sam and
>>Tapani's analysis and let me add some of my own.
>>"Legal" is the term we use for actions
>>expressly allowed under law. How we process
>>personal data under the GDRP falls into this
>>category -- of processing expressly allowed
>>under law. Whereas the term lawful is used for
>>a much broader category of actions which are
>>generally permissible and allowable.
>>
>>The term "legal" is much more consistent with
>>our criteria statement because the processing
>>of personal data by ICANN must clearly have a
>>valid legal basis as expressly defined by data protection laws.
>>Best regards,
>>Kathy
>>On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>>Thanks Tapani,
>>I will extract from your longer message.
>>I deliberately kept my brief and less technical.
>>I think we are in agreement here and I support your position.
>>On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>>The key distinction, as I understand it, is that "lawful" would be
>> defined by the negative, everything that some law does not prohibit,
>>where as "legal basis" is defined by the positive, only things whose
>>justification can be explicitly derived from law.
>> <......>
>>So I would prefer "legal basis" specifically in
>>this sense: that any processing
>> would have to be explicitly based on one of
>> the criteria, or bases, as listed
>>in GDPR Article 6, or similar explicit
>>justification in other data protection legislation.
>>
>>
>>
>>
>>
>>
>>_______________________________________________
>>
>>
>>
>>gnso-rds-pdp-wg mailing list
>>
>>
>>
>><mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>
>>
>>
>>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>
>>
>>_______________________________________________
>>
>>
>>
>>gnso-rds-pdp-wg mailing list
>>
>>
>>
>><mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>
>>
>>
>>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>----------
>>Reminder: Any email that requests your login
>>credentials or that asks you to click on a link
>>could be a phishing attack. If you have any
>>questions regarding the authenticity of this
>>email or its sender, please contact the IT
>>Service Desk at
>><tel:%28212%29%20484-6000>212.484.6000 or via
>>email at <mailto:ITServices at timewarner.com>ITServices at timewarner.com
>>----------
>>This message is the property of Time Warner
>>Inc. and is intended only for the use of the
>>addressee(s) and may be legally privileged
>>and/or confidential. If the reader of this
>>message is not the intended recipient, or the
>>employee or agent responsible to deliver it to
>>the intended recipient, he or she is hereby
>>notified that any dissemination, distribution,
>>printing, forwarding, or any method of copying
>>of this information, and/or the taking of any
>>action in reliance on the information herein is
>>strictly prohibited except by the intended
>>recipient or those to whom he or she
>>intentionally distributes this message. If you
>>have received this communication in error,
>>please immediately notify the sender, and
>>delete the original message and any copies from
>>your computer or storage system. Thank you.
>>_______________________________________________
>>gnso-rds-pdp-wg mailing list
>><mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>_______________________________________________
>>gnso-rds-pdp-wg mailing list
>><mailto:gnso-rds-pdp-wg at icann.org>gnso-rds-pdp-wg at icann.org
>>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>--
>>Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
>>
>>Mit freundlichen Grüßen,
>>
>>Volker A. Greimann
>>- Rechtsabteilung -
>>
>>Key-Systems GmbH
>>Im Oberen Werk 1
>>66386 St. Ingbert
>>Tel.: +49 (0) 6894 - 9396 901
>>Fax.: +49 (0) 6894 - 9396 851
>><mailto:vgreimann at key-systems.net>Email: vgreimann at key-systems.net
>>
>>Web: <http://www.key-systems.net>www.key-systems.net / www.RRPproxy.net
>><http://www.domaindiscount24.com>www.domaindiscount24.com
>>/ www.BrandShelter.com
>>
>>Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
>><http://www.facebook.com/KeySystems>www.facebook.com/KeySystems
>>www.twitter.com/key_systems
>>
>>Geschäftsführer: Alexander Siffrin
>>Handelsregister Nr.: HR B 18835 - Saarbruecken
>>Umsatzsteuer ID.: DE211006534
>>
>>Member of the KEYDRIVE GROUP
>><http://www.keydrive.lu>www.keydrive.lu
>>
>>Der Inhalt dieser Nachricht ist vertraulich und
>>nur für den angegebenen Empfänger bestimmt.
>>Jede Form der Kenntnisgabe, Veröffentlichung
>>oder Weitergabe an Dritte durch den Empfänger
>>ist unzulässig. Sollte diese Nachricht nicht
>>für Sie bestimmt sein, so bitten wir Sie, sich
>>mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
>>
>>--------------------------------------------
>>
>>Should you have any further questions, please do not hesitate to contact us.
>>
>>Best regards,
>>
>>Volker A. Greimann
>>- legal department -
>>
>>Key-Systems GmbH
>>Im Oberen Werk 1
>>66386 St. Ingbert
>>Tel.: +49 (0) 6894 - 9396 901
>>Fax.: +49 (0) 6894 - 9396 851
>>Email: <mailto:vgreimann at key-systems.net>vgreimann at key-systems.net
>>
>>Web: <http://www.key-systems.net>www.key-systems.net / www.RRPproxy.net
>><http://www.domaindiscount24.com>www.domaindiscount24.com
>>/ www.BrandShelter.com
>>
>>Follow us on Twitter or join our fan community on Facebook and stay updated:
>><http://www.facebook.com/KeySystems>www.facebook.com/KeySystems
>>www.twitter.com/key_systems
>>
>>CEO: Alexander Siffrin
>>Registration No.: HR B 18835 - Saarbruecken
>>V.A.T. ID.: DE211006534
>>
>>Member of the KEYDRIVE GROUP
>><http://www.keydrive.lu>www.keydrive.lu
>>
>>This e-mail and its attachments is intended
>>only for the person to whom it is addressed.
>>Furthermore it is not permitted to publish any
>>content of this email. You must not use,
>>disclose, copy, print or rely on this e-mail.
>>If an addressing or transmission error has
>>misdirected this e-mail, kindly notify the
>>author by replying to this e-mail or contacting us by telephone.
>>
>
>Content-Type: text/plain; charset="us-ascii"
>Content-Transfer-Encoding: 7bit
>Content-Disposition: inline
>X-Microsoft-Exchange-Diagnostics:
>
>1;YQXPR0101MB1589;27:Ga5LygSUnZxLRDrrqk26gs5xsZiIqS2xtjalNER59Ud7uLFPiggPCUE2uiZiMk37t9ofGXJiL1NeDtvz55qfniYXPIdMKek/EzfmmNEbt/8FtMaChTQPkmFvWu6iXTv8
>X-Microsoft-Antispam-Message-Info:
>
>D43nmLDk/koUDJeAVxvI/mzQMGHvTT63oiYllZXniJgNGrJYX7hCbjyL8SNcS6GMmx7y0ldDyrx/dMoI+gm2owNCs3Zeo9FPmotTLqYVxm0xqLkMIqGeNiYAwg3GBxVhTsZWAA9nbomAVBGQDILNYQ==
>
>_______________________________________________
>gnso-rds-pdp-wg mailing list
>gnso-rds-pdp-wg at icann.org
>https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180213/67d6e591/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list