[gnso-rds-pdp-wg] Legal basis vs. lawful

Chen, Tim tim at domaintools.com
Tue Feb 13 16:29:38 UTC 2018


Hi Michael,
Thanks for your response.  I guess I wasn't clear enough in my question.
I've read GDPR many times and am familiar with the language.  That it
applies to non-EU companies processing data of EU citizens is quite clear.
What is not clear is how it applies to non-EU data subjects.  Michele made
the point that because he runs an Irish company, it applies to all the data of
all his customers regardless of where they exist.  It appeared you were
extending that to also apply to non-EU companies, which is not how I
interpret it.  Every one of those GDPR quotes you pulled uses the term
'data subjects in the EU'.

Anyway, Greg Aaron captured this separately in his thread.  No need to
debate it further here.  It seems the reason to try and apply GDPR broadly
is 'convenience' and not 'law'.   We can take the topic up from there as
many have already done on the parallel thread.

Tim

On Tue, Feb 13, 2018 at 7:20 AM, Michael Palage <michael at palage.com> wrote:

> Tim,
>
>
>
> The plain wording of Section 3 of the GDPR makes clear its
> extraterritorial reach.  However, I would encourage you to read Section 3.2
> of the first Hamilton memo.  Section 3.2 specifically states
> “Extraterritorial reach as described in Section 3.2.1 above will apply, for
> instance, when registrars and registries established outside the EU provide
> their domain name registration services to natural persons in the EU.” I
> have not met one lawyer that has disagreed with this statement regarding the
> extraterritorial reach of the GDPR. I would also encourage you to read the
> relevant recitals to Section 3 which I have reproduced in part below:
>
>
>
> Recital 22 of the GDPR states: “Any processing of personal data in the
> context of the activities of an establishment of a controller or a
> processor in the Union should be carried out in accordance with this
> Regulation, regardless of whether the processing itself takes place
> within the Union.”
>
>
>
> Recital 23 of the GDPR states in part “In order to ensure that natural
> persons are not deprived of the protection to which they are entitled under
> this Regulation, the processing of personal data of data subjects who are
> in the Union by a controller or a processor not established in the Union
> should be subject to this Regulation where the processing activities are
> related to offering goods or services to such data subjects irrespective of
> whether connected to a payment.
>
>
>
> In order to determine whether such a controller or processor is offering
> goods or services to data subjects who are in the Union, it should be
> ascertained whether it is apparent that the controller or processor
> envisages offering services to data subjects in one or more Member States
> in the Union.”
>
>
>
> Recital 24 may be of particular interest to DomainTools based on how you
> have marketed your service to track cybersquatters. This recital states “The
> processing of personal data of data subjects who are in the Union by a
> controller or processor not established in the Union should also be subject
> to this Regulation when it is related to the monitoring of the behaviour of
> such data subjects in so far as their behaviour takes place within the Union.
>
>
>
> In order to determine whether a processing activity can be considered to
> monitor the behaviour of data subjects, it should be ascertained whether
> natural persons are tracked on the internet including potential subsequent
> use of personal data processing techniques which consist of profiling a
> natural person, particularly in order to take decisions concerning her or
> him or for analysing or predicting her or his personal preferences,
> behaviours and attitudes.
>
>
>
> Best regards,
>
>
>
> Michael
>
>
>
> *From:* Chen, Tim [mailto:tim at domaintools.com]
> *Sent:* Monday, February 12, 2018 5:07 PM
> *To:* Michael Palage <michael at palage.com>
> *Cc:* RDS PDP WG <gnso-rds-pdp-wg at icann
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Michael,
>
>
>
> It is possible to read this statement from your reply:
>
>
>
> "The exterritorial aspect of the GDPR set forth in Article 3 is NOT just
> limited to EU residents/citizens.  As Michele has noted in the past, the
> GDPR requires BlackKnight as an Irish legal entity to protect all of its
> customers data (EU/Non-EU) in compliance with GDPR, as well as US entities
> that target and conduct business within the EU."
>
>
>
> to imply that you believe US entities that target or conduct business
> within the EU are subject to the broad mandate that Blacknight is as an
> Irish legal entity.  But I don't want to jump to that conclusion.  What is
> your read of how Article 3 of GDPR applies to the US entity type that you
> refer to in the quote above?
>
>
>
> Tim
>
>
>
>
>
> On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael at palage.com>
> wrote:
>
> Greg/John,
>
>
>
> I will respectfully push back on your legal oversimplification of the
> GDPR.
>
>
>
> The exterritorial aspect of the GDPR set forth in Article 3 is NOT just
> limited to EU residents/citizens.  As Michele has noted in the past, the
> GDPR requires BlackKnight as an Irish legal entity to protect all of its
> customers data (EU/Non-EU) in compliance with GDPR, as well as US entities
> that target and conduct business within the EU.
>
>
>
> Now your point about the distinction between natural and legal persons is
> a fair one and one that has been noted in EU and Art 29 communications.
> Could you please share the basis of your proposition that 97% of all domain
> name registrations are registered by legal entities?
>
>
>
> As I have noted previously the long term viability of the ICANN
> multi-stakeholder model is at risk as national governments continue to pass
> national laws that impact the operation of the Internet.  However, the
> European Union is NOT alone in advancing Privacy Legislation; in fact data
> localization is perhaps the next biggest lurking threat to the domain name
> system.
>
>
>
> Best regards,
>
>
>
> Michael
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On
> Behalf Of *John Horton via gnso-rds-pdp-wg
> *Sent:* Monday, February 12, 2018 1:22 PM
> *To:* Greg Aaron <gca at icginc.com>
> *Cc:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I think Greg is right on. There's simply no justification to force a law
> that is only intended to apply to a) EU residents/citizens that are b)
> natural persons not using the domain name for commercial purposes, to the
> remaining...what? 97% - 99% of the world's registrant population? That
> would be a balanced way to implement all of this.
>
>
> John Horton
> President and CEO, LegitScript
>
>
>
>
> *Follow* *Legit**Script*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com>  |  Facebook
> <https://www.facebook.com/LegitScript>  |  Twitter
> <https://twitter.com/legitscript>  |  Blog <http://blog.legitscript.com/>
>   |  Newsletter <http://go.legitscript.com/Subscription-Management.html>
>
>
>
>
>
>
> On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:
>
> I don’t know if we arrive at the same place.
>
>
>
> GDPR is based on one principle.  It states what is legal.  It's explicit
> about what you _are allowed to do_; granted there’s some flexibility and
> room for interpretation.   It’s like saying what’s inside a box.
>
>
>
> U.S. law is one based on different principles.  AFAIK U.S. consumer
> protection law does not enumerate specifically what is lawful.  Instead it
> tends to state what is illegal, what you are _not allowed to do_.   It’s
> like saying what’s outside the box.   The U.S. doesn’t have something like
> GDPR that spells out legal bases for collecting data, i.e. the enumerated
> allowable reasons.  Instead the trade and consumer protection laws
> basically say: entities have the right to form contracts between
> themselves, they should live up to the contract, don’t surprise people,
> don’t do certain dishonest things.
>
>
>
> Here's the problem: if one makes the GDPR principle the ICANN standard and
> you apply it to all registrations, then practices that are allowable in one
> place under the law (like the U.S.) would no longer be allowed there by
> ICANN policy.   ICANN would be choosing one legal approach or regime for
> everyone in the world.
>
>
>
> The alternative is to apply the GDPR only to those that it is designed to
> protect:  registrants in the EU.
>
>
>
> For example, there’s nothing in U.S. law that prohibits a U.S. registrar
> from having a contract that says publication of full contact data in WHOIS
> is a condition of registering a domain name if you are a registrant in the
> U.S.
>
>
>
> See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/  for more.
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Silver, Bradley via
> gnso-rds-pdp-wg
> *Sent:* Friday, February 9, 2018 2:54 PM
> *To:* Volker Greimann <vgreimann at key-systems.net>;
> gnso-rds-pdp-wg at icann.org
>
>
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> It is true that the GDPR is prescriptive, although also rather open-ended
> (hence our current pickle).  But regardless of the term we use, don’t we
> arrive at the same place:  which is that if something that requires a legal
> basis is done without one, it will be unlawful?  Using Kathy’s example, if
> data is processed without complying with minimization or purpose
> principles, will such processing not run afoul of the law, and hence be
> unlawful?
>
>
>
> There are important distinctions between the meaning of “legal basis”
> which implies that a law requires something to be affirmatively present,
> versus “lawful”, which means that something is not prohibited by law.
> Ultimately though, isn’t “lawfulness”, the same end point, regardless?
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
> *Sent:* Friday, February 09, 2018 11:27 AM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I do not see how. Kathy's analysis seems sound. The flexibility within the
> GDPR still only allows processing in very specific circumstances, all of
> which are listed in the GDPR.
>
>
>
> Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
>
> Kathy’s analysis breaks down on a practical level when one looks at the
> GDPR and what it says about when data can be processed.  The GDPR allows
> for flexibility for what can be processed and when, and Kathy’s analysis
> overlooks that point.
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kathy Kleiman
> *Sent:* Thursday, February 8, 2018 7:07 PM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Tx for the invitation to join, Chuck, and following up on the discussion
> of Sam and Tapani, let me add that criteria for processing must be clearer
> than something broadly within ICANN's mission statement and something
> permissible somewhere. The requirements under law are express and concrete.
>
> Specifically, GDPR Article 5(1)(b and c) states:
>
>
> *Personal data shall be: 2.    "collected for specified, explicit and
> legitimate purposes and not further processed in a manner that is
> incompatible with those purposes"* (the "purpose limitation") AND
> *3.    "adequate, relevant and limited to what is necessary in relation to
> the purposes for which they are processed"* (the "data minimisation"
> requirement).  [underline added]
>
> Thus, our first criterion of "consistent with ICANN's mission," is only the
> first step and we need to go further than even the 3 criteria we are
> discussing.
>
> Second, lawful and legal enter us into a debate over words and I have to
> agree with Sam and Tapani's analysis and let me add some of my own.
>
> "Legal" is the term we use for actions expressly allowed under law. How we
> process personal data under the GDRP falls into this category -- of
> processing expressly allowed under law. Whereas the term lawful is used for
> a much broader category of actions which are generally permissible and
> allowable.
>
> The term "legal" is much more consistent with our criteria statement
> because the processing of personal data by ICANN must clearly have a *valid
> legal basis* as expressly defined by data protection laws.
>
> Best regards,
> Kathy
>
> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>
> Thanks Tapani,
>
> I will extract from your longer message.
> I deliberately kept my brief and less technical.
> I think we are in agreement here and I support your position.
>
> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>
> The key distinction, as I understand it, is that "lawful" would be
> defined by the negative, everything that some law does not prohibit,
> whereas "legal basis" is defined by the positive, only things whose
> justification can be explicitly derived from law.
>
>   <......>
>
> So I would prefer "legal basis" specifically in this sense: that any
> processing would have to be explicitly based on one of the criteria, or
> bases, as listed in GDPR Article 6, or similar explicit justification in
> other data protection legislation.
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>