[gnso-rds-pdp-wg] Legal basis vs. lawful

Chen, Tim tim at domaintools.com
Tue Feb 13 16:35:29 UTC 2018


and neither will a lot of bad actors, online criminals and miscreants.

On Tue, Feb 13, 2018 at 8:28 AM, Volker Greimann <vgreimann at key-systems.net>
wrote:

> But the only ones facing the fines or imprisonment of officers. Will you
> face government fines or prison if you can no longer look at whois? No?
> Thought so!
>
> On 13.02.2018 at 17:23, Dotzero wrote:
>
> Volker,
>
> Registrars are not the only constituency with a stake in this.
>
> Michael Hammer
>
> On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <
> vgreimann at key-systems.net> wrote:
>
>> Hi Mike,
>>
>> no, sensible because a great number of registrars will be forced to deal
>> with this anyway, because this will affect a great many of registrations
>> and therefore it makes sense to take this as a basis. Of course we will
>> then need to see if there need to be tweaks to accommodate for other
>> jurisdictions, but as more and more countries are adopting similar
>> regimes....
>>
>> Sure it will be more restrictive than open access and some people may
>> have a harder time than today getting at certain information, but with
>> tiered access access would still be possible for those with overriding
>> legitimate interests. That is the model the EU commission hinted at. Not
>> the only model, but a working one.
>>
>> Volker
>>
>> On 13.02.2018 at 17:04, Dotzero wrote:
>>
>> Volker, you assert that "it would be sensible to take GDPR as a basis and
>> start from there". Perhaps sensible from your perspective and easier from
>> your perspective but ICANN is an international organization - primarily
>> dealing with technical/administrative issues - and it MUST take an approach
>> that, as best it can, accommodates the laws and practices of various
>> jurisdictions around the world. Your proposed approach, quite simply does
>> not do that.
>>
>> Michael Hammer
>>
>> On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <
>> vgreimann at key-systems.net> wrote:
>>
>>> I think that it would be sensible to take the GDPR as a basis and start
>>> from there. Obviously, where it conflicts with other applicable laws, we
>>> should make sure to accommodate those as well, but as the EU Commission and
>>> others have pointed out, compliance with GDPR does not preclude
>>> providing certain access levels to certain parties. What those levels would
>>> be and who those parties could be should be the main focus of our work.
>>>
>>> On 13.02.2018 at 15:41, Chuck wrote:
>>>
>>> Volker,
>>>
>>>
>>>
>>> Are you saying that you think that RDS policies should be designed to
>>> comply with European regulations and then applied to all other
>>> jurisdictions in the world?
>>>
>>>
>>>
>>> Chuck
>>>
>>>
>>>
>>> *From:* Volker Greimann [mailto:vgreimann at key-systems.net
>>> <vgreimann at key-systems.net>]
>>> *Sent:* Tuesday, February 13, 2018 5:58 AM
>>> *To:* Chuck <consult at cgomes.com> <consult at cgomes.com>; 'Michael Palage'
>>> <michael at palage.com> <michael at palage.com>
>>> *Cc:* gnso-rds-pdp-wg at icann.org
>>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>>
>>>
>>>
>>> I am afraid that if we create different policies for different regions,
>>> we will break the model, encourage forum shopping and encourage firewalling
>>> of entire geographic sections of the net. I hope that is not what we are
>>> doing here.
>>>
>>> GDPR will cause some breakage of this and I see it as our mission to fix
>>> this breakage of the standard by proposing a unified model once again.
>>>
>>> Ultimately, if this solution does what the EU has been asking for, e.g.
>>> protect legitimate use cases of registration data as well as the rights of
>>> the data subjects, there is no reason why it should not be universally
>>> applicable.
>>>
>>> Best,
>>>
>>> Volker
>>>
>>>
>>>
>>> On 13.02.2018 at 00:04, Chuck wrote:
>>>
>>> Volker,
>>>
>>>
>>>
>>> The WG could recommend policies that are ‘universally applicable to all
>>> registrations’ but I seriously doubt that will happen in today’s world.
>>> That would be much simpler than policies that vary by region and users, but
>>> is it realistic?
>>>
>>>
>>>
>>> Chuck
>>>
>>>
>>>
>>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
>>> *Sent:* Monday, February 12, 2018 2:30 PM
>>> *To:* Michael Palage <michael at palage.com> <michael at palage.com>
>>> *Cc:* gnso-rds-pdp-wg at icann.org
>>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>>
>>>
>>>
>>> Michael is right. ICANN is based on the thought of “One World; one
>>> Internet”. This also means that the policies it creates should be
>>> universally applicable to all registrations, if possible. If we start
>>> creating policy that diverges, that would only lead to further
>>> fragmentation and undermine the founding ideal of ICANN itself. Our aim
>>> should be to create one policy that can be applied to all or most
>>> registrations and that can be implemented by all registrars alike.
>>>
>>>
>>>
>>> While we will likely have a certain amount of fragmentation following
>>> May 25 as each contracted party applies its own solution, it should be our
>>> goal to overcome this and present a new unified policy that works for all
>>> contracted parties.
>>>
>>>
>>>
>>> Volker
>>>
>>> On 12. Feb 2018, at 20:27, Michael Palage <michael at palage.com> wrote:
>>>
>>>
>>>
>>> Greg/John,
>>>
>>>
>>>
>>> I will respectfully push back on your legal oversimplification of the
>>> GDPR.
>>>
>>>
>>>
>>> The exterritorial aspect of the GDPR set forth in Article 3 is NOT just
>>> limited to EU residents/citizens.  As Michele has noted in the past, the
>>> GDPR requires BlackKnight as an Irish legal entity to protect all of its
>>> customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities
>>> that target and conduct business within the EU.
>>>
>>>
>>>
>>> Now your points about the distinction between natural and legal persons
>>> is a fair one and one that has been noted in EU and Art 29 communications.
>>> Could you please share the basis of your proposition that 97% of all domain
>>> name registrations are registered by legal entities?
>>>
>>>
>>>
>>> As I have noted previously, the long term viability of the ICANN
>>> multi-stakeholder model is at risk as national governments continue to pass
>>> national laws that impact the operation of the Internet.  However, the
>>> European Union is NOT alone in advancing Privacy Legislation, in fact data
>>> localization is perhaps the next biggest lurking threat to the domain name
>>> system.
>>>
>>>
>>>
>>> Best regards,
>>>
>>>
>>>
>>> Michael
>>>
>>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *John Horton via
>>> gnso-rds-pdp-wg
>>> *Sent:* Monday, February 12, 2018 1:22 PM
>>> *To:* Greg Aaron <gca at icginc.com>
>>> *Cc:* gnso-rds-pdp-wg at icann.org
>>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>>
>>>
>>>
>>> I think Greg is right on. There's simply no justification to force a law
>>> that is only intended to apply to a) EU residents/citizens that are b)
>>> natural persons not using the domain name for commercial purposes, to the
>>> remaining...what? 97% - 99% of the world's registrant population? That
>>> would be a balanced way to implement all of this.
>>>
>>>
>>> John Horton
>>> President and CEO, LegitScript
>>>
>>>
>>> On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:
>>>
>>> I don’t know if we arrive at the same place.
>>>
>>>
>>>
>>> GDPR is based on one principle.  It states what is legal.  It's explicit
>>> about what you _are allowed to do_; granted there’s some flexibility and
>>> room for interpretation.   It’s like saying what’s inside a box.
>>>
>>>
>>>
>>> U.S. law is one based on different principles.  AFAIK U.S. consumer
>>> protection law does not enumerate specifically what is lawful.  Instead it
>>> tends to state what is illegal, what you are _not allowed to do_.   It’s
>>> like saying what’s outside the box.   The U.S. doesn’t have something like
>>> GDPR that spells out legal bases for collecting data, i.e. the enumerated
>>> allowable reasons.  Instead the trade and consumer protection laws
>>> basically say: entities have the right to form contracts between
>>> themselves, they should live up to the contract, don’t surprise people,
>>> don’t do certain dishonest things.
>>>
>>>
>>>
>>> Here's the problem: if one makes the GDPR principle the ICANN standard
>>> and you apply it to all registrations, then practices that are allowable in
>>> one place under the law (like the U.S.) would no longer be allowed there by
>>> ICANN policy.   ICANN would be choosing one legal approach or regime for
>>> everyone in the world.
>>>
>>>
>>>
>>> The alternative is to apply the GDPR only to those that it is designed
>>> to protect:  registrants in the EU.
>>>
>>>
>>>
>>> For example, there’s nothing in U.S. law that prohibits a U.S. registrar
>>> from having a contract that says publication of full contact data in WHOIS
>>> is  a condition of registering a domain name if you are a registrant in the
>>> U.S.
>>>
>>>
>>>
>>> See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/  for
>>> more.
>>>
>>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Silver, Bradley via
>>> gnso-rds-pdp-wg
>>> *Sent:* Friday, February 9, 2018 2:54 PM
>>> *To:* Volker Greimann <vgreimann at key-systems.net>; gnso-rds-pdp-wg at icann.org
>>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>>
>>>
>>>
>>> It is true that the GDPR is prescriptive, although also rather
>>> open-ended (hence our current pickle).  But regardless of the term we use,
>>> don’t we arrive at the same place:  which is that if something that
>>> requires a legal basis is done without one, it will be unlawful?  Using
>>> Kathy’s example, if data is processed without complying with minimization
>>> or purpose principles, will such processing not run afoul of the law, and
>>> hence be unlawful?
>>>
>>>
>>>
>>> There are important distinctions between the meaning of “legal basis”
>>> which implies that a law requires something to be affirmatively present,
>>> versus “lawful”, which means that something is not prohibited by law.
>>> Ultimately though, isn’t “lawfulness”, the same end point, regardless?
>>>
>>>
>>>
>>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
>>> *Sent:* Friday, February 09, 2018 11:27 AM
>>> *To:* gnso-rds-pdp-wg at icann.org
>>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>>
>>>
>>>
>>> I do not see how. Kathy's analysis seems sound. The flexibility within
>>> the GDPR still only allows processing in very specific circumstances, all of
>>> which are listed in the GDPR.
>>>
>>>
>>>
>>> On 09.02.2018 at 16:45, Victoria Sheckler wrote:
>>>
>>> Kathy’s analysis breaks down on a practical level when one looks at the
>>> GDPR and what it says about when data can be processed.  The GDPR allows
>>> for flexibility for what can be processed and when, and Kathy’s analysis
>>> overlooks that point.
>>>
>>>
>>>
>>> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
>>> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kathy Kleiman
>>> *Sent:* Thursday, February 8, 2018 7:07 PM
>>> *To:* gnso-rds-pdp-wg at icann.org
>>> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>>
>>>
>>>
>>> Tx for the invitation to join, Chuck, and following up on the discussion
>>> of Sam and Tapani, let me add that criteria for processing must be clearer
>>> than something broadly within ICANN's mission statement and something
>>> permissible somewhere. The requirements under law are express and concrete.
>>>
>>>
>>> Specifically, GDPR Article 5(1)(b and c) states:
>>>
>>>
>>> *Personal data shall be:*
>>>
>>> 2. *"collected for specified, explicit and legitimate purposes and not
>>> further processed in a manner that is incompatible with those purposes"*
>>> (the "purpose limitation") AND
>>>
>>> 3. *"adequate, relevant and limited to what is necessary in relation to
>>> the purposes for which they are processed"* (the "data minimisation"
>>> requirement).  [underline added]
>>>
>>> Thus, our first criteria of "consistent with ICANN's mission," is only
>>> the first step and we need to go further than even the 3 criteria we are
>>> discussing.
>>>
>>> Second, lawful and legal enter us into a debate over words and I have to
>>> agree with Sam and Tapani's analysis and let me add some of my own.
>>>
>>> "Legal" is the term we use for actions expressly allowed under law. How
>>> we process personal data under the GDPR falls into this category -- of
>>> processing expressly allowed under law. Whereas the term lawful is used for
>>> a much broader category of actions which are generally permissible and
>>> allowable.
>>>
>>> The term "legal" is much more consistent with our criteria statement
>>> because the processing of personal data by ICANN must clearly have a *valid
>>> legal basis* as expressly defined by data protection laws.
>>>
>>> Best regards,
>>> Kathy
>>>
>>> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>>>
>>> Thanks Tapani,
>>>
>>> I will extract from your longer message.
>>> I deliberately kept mine brief and less technical.
>>> I think we are in agreement here and I support your position.
>>>
>>> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>>>
>>> The key distinction, as I understand it, is that "lawful" would be
>>> defined by the negative, everything that some law does not prohibit,
>>> whereas "legal basis" is defined by the positive, only things whose
>>> justification can be explicitly derived from law.
>>>
>>>   <......>
>>>
>>> So I would prefer "legal basis" specifically in this sense: that any
>>> processing would have to be explicitly based on one of the criteria, or
>>> bases, as listed in GDPR Article 6, or similar explicit justification in
>>> other data protection legislation.
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>>
>>> gnso-rds-pdp-wg mailing list
>>>
>>> gnso-rds-pdp-wg at icann.org
>>>
>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>
>>> Volker A. Greimann
>>> - legal department -
>>>
>>> Key-Systems GmbH