[gnso-rds-pdp-wg] Legal basis vs. lawful

Dotzero dotzero at gmail.com
Tue Feb 13 16:23:08 UTC 2018


Volker,

Registrars are not the only constituency with a stake in this.

Michael Hammer

On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann at key-systems.net
> wrote:

> Hi Mike,
>
> no, sensible because a great number of registrars will be forced to deal
> with this anyway, because this will affect a great many registrations
> and therefore it makes sense to take this as a basis. Of course we will
> then need to see if there need to be tweaks to accommodate other
> jurisdictions, but as more and more countries are adopting similar
> regimes....
>
> Sure it will be more restrictive than open access and some people may have
> a harder time than today getting at certain information, but with tiered
> access, access would still be possible for those with overriding legitimate
> interests. That is the model the EU commission hinted at. Not the only
> model, but a working one.
>
> Volker
>
> On 13.02.2018 at 17:04, Dotzero wrote:
>
> Volker, you assert that "it would be sensible to take GDPR as a basis and
> start from there". Perhaps sensible from your perspective and easier from
> your perspective but ICANN is an international organization - primarily
> dealing with technical/administrative issues - and it MUST take an approach
> that, as best it can, accommodates the laws and practices of various
> jurisdictions around the world. Your proposed approach, quite simply does
> not do that.
>
> Michael Hammer
>
> On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <
> vgreimann at key-systems.net> wrote:
>
>> I think that it would be sensible to take the GDPR as a basis and start
>> from there. Obviously, where it conflicts with other applicable laws, we
>> should make sure to accommodate those as well, but as the EU Commission and
>> others have pointed out, compliance with GDPR does not preclude
>> providing certain access levels to certain parties. What those levels would
>> be and who those parties could be should be the main focus of our work.
>>
>> On 13.02.2018 at 15:41, Chuck wrote:
>>
>> Volker,
>>
>>
>>
>> Are you saying that you think that RDS policies should be designed to
>> comply with European regulations and then applied to all other
>> jurisdictions in the world?
>>
>>
>>
>> Chuck
>>
>>
>>
>> *From:* Volker Greimann [mailto:vgreimann at key-systems.net]
>> *Sent:* Tuesday, February 13, 2018 5:58 AM
>> *To:* Chuck <consult at cgomes.com>; 'Michael Palage'
>> <michael at palage.com>
>> *Cc:* gnso-rds-pdp-wg at icann.org
>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>
>>
>> I am afraid that if we create different policies for different regions,
>> we will break the model, encourage forum shopping and encourage firewalling
>> of entire geographic sections of the net. I hope that is not what we are
>> doing here.
>>
>> GDPR will cause some breakage of this and I see it as our mission to fix
>> this breakage of the standard by proposing a unified model once again.
>>
>> Ultimately, if this solution does what the EU has been asking for, e.g.
>> protect legitimate use cases of registration data as well as the rights of
>> the data subjects, there is no reason why it should not be universally
>> applicable.
>>
>> Best,
>>
>> Volker
>>
>>
>>
>> On 13.02.2018 at 00:04, Chuck wrote:
>>
>> Volker,
>>
>>
>>
>> The WG could recommend policies that are ‘universally applicable to all
>> registrations’ but I seriously doubt that will happen in today’s world.
>> That would be much simpler than policies that vary by region and users, but
>> is it realistic?
>>
>>
>>
>> Chuck
>>
>>
>>
>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
>> *Sent:* Monday, February 12, 2018 2:30 PM
>> *To:* Michael Palage <michael at palage.com>
>> *Cc:* gnso-rds-pdp-wg at icann.org
>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>
>>
>> Michael is right. ICANN is based on the thought of “One World; one
>> Internet”. This also means that the policies it creates should be
>> universally applicable to all registrations, if possible. If we start
>> creating policy that diverges, that would only lead to further
>> fragmentation and undermine the founding ideal of ICANN itself. Our aim
>> should be to create one policy that can be applied to all or most
>> registrations and that can be implemented by all registrars alike.
>>
>>
>>
>> While we will likely have a certain amount of fragmentation following May
>> 25 as each contracted party applies its own solution, it should be our goal
>> to overcome this and present a new unified policy that works for all
>> contracted parties.
>>
>>
>>
>> Volker
>>
>> On 12. Feb 2018, at 20:27, Michael Palage <michael at palage.com> wrote:
>>
>>
>>
>> Greg/John,
>>
>>
>>
>> I will respectfully push back on your legal oversimplification of the
>> GDPR.
>>
>>
>>
>> The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just
>> limited to EU residents/citizens.  As Michele has noted in the past, the
>> GDPR requires BlackKnight as an Irish legal entity to protect all of its
>> customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities
>> that target and conduct business within the EU.
>>
>>
>>
>> Now your point about the distinction between natural and legal persons
>> is a fair one and one that has been noted in EU and Art 29 communications.
>> Could you please share the basis of your proposition that 97% of all domain
>> name registrations are registered by legal entities?
>>
>>
>>
>> As I have noted previously, the long term viability of the ICANN
>> multi-stakeholder model is at risk as national governments continue to pass
>> national laws that impact the operation of the Internet.  However, the
>> European Union is NOT alone in advancing Privacy Legislation, in fact data
>> localization is perhaps the next biggest lurking threat to the domain name
>> system.
>>
>>
>>
>> Best regards,
>>
>>
>>
>> Michael
>>
>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *John Horton via
>> gnso-rds-pdp-wg
>> *Sent:* Monday, February 12, 2018 1:22 PM
>> *To:* Greg Aaron <gca at icginc.com>
>> *Cc:* gnso-rds-pdp-wg at icann.org
>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>
>>
>> I think Greg is right on. There's simply no justification to force a law
>> that is only intended to apply to a) EU residents/citizens that are b)
>> natural persons not using the domain name for commercial purposes, to the
>> remaining...what? 97% - 99% of the world's registrant population? That
>> would be a balanced way to implement all of this.
>>
>>
>> John Horton
>> President and CEO, LegitScript
>>
>> On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:
>>
>> I don’t know if we arrive at the same place.
>>
>>
>>
>> GDPR is based on one principle.  It states what is legal.  It's explicit
>> about what you _are allowed to do_; granted there’s some flexibility and
>> room for interpretation.   It’s like saying what’s inside a box.
>>
>>
>>
>> U.S. law is one based on different principles.  AFAIK U.S. consumer
>> protection law does not enumerate specifically what is lawful.  Instead it
>> tends to state what is illegal, what you are _not allowed to do_.   It’s
>> like saying what’s outside the box.   The U.S. doesn’t have something like
>> GDPR that spells out legal bases for collecting data, i.e. the enumerated
>> allowable reasons.  Instead the trade and consumer protection laws
>> basically say: entities have the right to form contracts between
>> themselves, they should live up to the contract, don’t surprise people,
>> don’t do certain dishonest things.
>>
>>
>>
>> Here's the problem: if one makes the GDPR principle the ICANN standard
>> and you apply it to all registrations, then practices that are allowable in
>> one place under the law (like the U.S.) would no longer be allowed there by
>> ICANN policy.   ICANN would be choosing one legal approach or regime for
>> everyone in the world.
>>
>>
>>
>> The alternative is to apply the GDPR only to those that it is designed to
>> protect:  registrants in the EU.
>>
>>
>>
>> For example, there’s nothing in U.S. law that prohibits a U.S. registrar
>> from having a contract that says publication of full contact data in WHOIS
>> is  a condition of registering a domain name if you are a registrant in the
>> U.S.
>>
>>
>>
>> See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/  for
>> more.
>>
>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Silver, Bradley via
>> gnso-rds-pdp-wg
>> *Sent:* Friday, February 9, 2018 2:54 PM
>> *To:* Volker Greimann <vgreimann at key-systems.net>;
>> gnso-rds-pdp-wg at icann.org
>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>
>>
>> It is true that the GDPR is prescriptive, although also rather open-ended
>> (hence our current pickle).  But regardless of the term we use, don’t we
>> arrive at the same place:  which is that if something that requires a legal
>> basis is done without one, it will be unlawful?  Using Kathy’s example, if
>> data is processed without complying with minimization or purpose
>> principles, will such processing not run afoul of the law, and hence be
>> unlawful?
>>
>>
>>
>> There are important distinctions between the meaning of “legal basis”
>> which implies that a law requires something to be affirmatively present,
>> versus “lawful”, which means that something is not prohibited by law.
>> Ultimately though, isn’t “lawfulness”, the same end point, regardless?
>>
>>
>>
>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
>> *Sent:* Friday, February 09, 2018 11:27 AM
>> *To:* gnso-rds-pdp-wg at icann.org
>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>
>>
>> I do not see how. Kathy's analysis seems sound. The flexibility within
>> the GDPR still only allows processing in very specific circumstances, all of
>> which are listed in the GDPR.
>>
>>
>>
>> On 09.02.2018 at 16:45, Victoria Sheckler wrote:
>>
>> Kathy’s analysis breaks down on a practical level when one looks at the
>> GDPR and what it says about when data can be processed.  The GDPR allows
>> for flexibility for what can be processed and when, and Kathy’s analysis
>> overlooks that point.
>>
>>
>>
>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kathy Kleiman
>> *Sent:* Thursday, February 8, 2018 7:07 PM
>> *To:* gnso-rds-pdp-wg at icann.org
>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>
>>
>> Tx for the invitation to join, Chuck, and following up on the discussion
>> of Sam and Tapani, let me add that criteria for processing must be clearer
>> than something broadly within ICANN's mission statement and something
>> permissible somewhere. The requirements under law are express and concrete.
>>
>>
>> Specifically, GDPR Article 5(1)(b and c) states:
>>
>>
>> *Personal data shall be:*
>> *2. "collected for specified, explicit and legitimate purposes and not
>> further processed in a manner that is incompatible with those purposes"*
>> (the "purpose limitation") AND
>> *3. "adequate, relevant and limited to what is necessary in relation
>> to the purposes for which they are processed"* (the "data minimisation"
>> requirement).  [underline added]
>>
>> Thus, our first criteria of "consistent with ICANN's mission," is only
>> the first step and we need to go further than even the 3 criteria we are
>> discussing.
>>
>> Second, lawful and legal enter us into a debate over words and I have to
>> agree with Sam and Tapani's analysis and let me add some of my own.
>>
>> "Legal" is the term we use for actions expressly allowed under law. How
>> we process personal data under the GDPR falls into this category -- of
>> processing expressly allowed under law. Whereas the term lawful is used for
>> a much broader category of actions which are generally permissible and
>> allowable.
>>
>> The term "legal" is much more consistent with our criteria statement
>> because the processing of personal data by ICANN must clearly have a *valid
>> legal basis* as expressly defined by data protection laws.
>>
>> Best regards,
>> Kathy
>>
>> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>>
>> Thanks Tapani,
>>
>> I will extract from your longer message.
>> I deliberately kept mine brief and less technical.
>> I think we are in agreement here and I support your position.
>>
>> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>>
>> The key distinction, as I understand it, is that "lawful" would be
>> defined by the negative, everything that some law does not prohibit,
>> whereas "legal basis" is defined by the positive, only things whose
>> justification can be explicitly derived from law.
>>
>>   <......>
>>
>> So I would prefer "legal basis" specifically in this sense: that any
>> processing would have to be explicitly based on one of the criteria, or
>> bases, as listed in GDPR Article 6, or similar explicit justification in
>> other data protection legislation.
>>
>>
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg