[gnso-rds-pdp-wg] Legal basis vs. lawful

John Horton john.horton at legitscript.com
Tue Feb 13 18:18:24 UTC 2018


+1 (to Greg)

On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca at icginc.com> wrote:

> What are the jurisdictions where gTLD registrants are located?  The stats
> indicate that a distinct minority of gTLD registrations and registrants
> may qualify for GDPR protection.  According to ICANN’s metrics, 14% of
> registrants are in the EU.  The top jurisdictions are:
>
> USA                 41.0%
> EU countries        14.0%
> China                9.4%
> Canada               4.2%
> Japan                3.5%
> Panama               3.3%
> [other              24.6%]
>
>
> These stats don’t tell us exactly how many registrations might involve
> GDPR (affecting that are the jurisdictions of the various parties involved
> in any given registration, the fact that legal persons in the EU are not due
> the same protection as natural persons, etc.).  Still, that 14% is
> interesting.
>
>
>
> The European Commission itself recently told ICANN that solutions can and
> should be balanced, to “preserve the proper use of WHOIS while ensuring
> full compliance with the (current and future) EU data protection rules”,
> and that GDPR only applies to the personal data of natural persons in the
> EU.
>
>
>
> So, what justifies extending a particular protection regime (baseline) to
> all registrants worldwide, especially when a technical system can support
> situational-based needs?   Over-compliance is not necessary, and
> over-compliance erodes the proper use of WHOIS.  I suggest that a proper
> solution is to enable compliance with a rule in the situations in which the
> rule applies.  The proper solution is not to over-apply a rule, or to apply
> the rule where it does not have power.
>
>
>
> All best,
>
> --Greg
>
>
>
> Source:
> https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2016-06-27-en
>
>
>
>
>
>
>
> **********************************
>
> Greg Aaron
>
> Vice-President, Product Management
>
> iThreat Cyber Group / Cybertoolbelt.com
>
> mobile: +1.215.858.2257
>
> **********************************
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On
> Behalf Of *Kathy Kleiman
> *Sent:* Tuesday, February 13, 2018 11:24 AM
>
>
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> More than half the countries in the world now have comprehensive data
> protection laws, and the number grows every year. We found that in our
> research of foundation documents at the start of this WG. The tipping point
> took place in 2015. As it happens, Volker's approach simply does take this
> perspective into account.
>
> Best, Kathy
>
> On 2/13/2018 11:04 AM, Dotzero wrote:
>
> Volker, you assert that "it would be sensible to take GDPR as a basis and
> start from there". Perhaps sensible from your perspective and easier from
> your perspective but ICANN is an international organization - primarily
> dealing with technical/administrative issues - and it MUST take an approach
> that, as best it can, accommodates the laws and practices of various
> jurisdictions around the world. Your proposed approach, quite simply does
> not do that.
>
> Michael Hammer
>
> On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <
> vgreimann at key-systems.net> wrote:
>
> I think that it would be sensible to take the GDPR as a basis and start
> from there. Obviously, where it conflicts with other applicable laws, we
> should make sure to accommodate those as well, but as the EU Commission and
> others have pointed out, compliance with GDPR does not preclude
> providing certain access levels to certain parties. What those levels would
> be and who those parties could be should be the main focus of our work.
>
>
>
> Am 13.02.2018 um 15:41 schrieb Chuck:
>
> Volker,
>
>
>
> Are you saying that you think that RDS policies should be designed to
> comply with European regulations and then applied to all other
> jurisdictions in the world?
>
>
>
> Chuck
>
>
>
> *From:* Volker Greimann [mailto:vgreimann at key-systems.net
> <vgreimann at key-systems.net>]
> *Sent:* Tuesday, February 13, 2018 5:58 AM
> *To:* Chuck <consult at cgomes.com> <consult at cgomes.com>; 'Michael Palage'
> <michael at palage.com> <michael at palage.com>
> *Cc:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I am afraid that if we create different policies for different regions, we
> will break the model, encourage forum shopping and encourage firewalling of
> entire geographic sections of the net. I hope that is not what we are doing
> here.
>
> GDPR will cause some breakage of this and I see it as our mission to fix
> this breakage of the standard by proposing a unified model once again.
>
> Ultimately, if this solution does what the EU has been asking for, e.g.
> protect legitimate use cases of registration data as well as the rights of
> the data subjects, there is no reason why it should not be universally
> applicable.
>
> Best,
>
> Volker
>
>
>
> Am 13.02.2018 um 00:04 schrieb Chuck:
>
> Volker,
>
>
>
> The WG could recommend policies that are ‘universally applicable to all
> registrations’ but I seriously doubt that will happen in today’s world.
> That would be much simpler than policies that vary by region and users, but
> is it realistic?
>
>
>
> Chuck
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
> *Sent:* Monday, February 12, 2018 2:30 PM
> *To:* Michael Palage <michael at palage.com> <michael at palage.com>
> *Cc:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Michael is right. ICANN is based on the thought of “One World; one
> Internet”. This also means that the policies it creates should be
> universally applicable to all registrations, if possible. If we start
> creating policy that diverges, that would only lead to further
> fragmentation and undermine the founding ideal of ICANN itself. Our aim
> should be to create one policy that can be applied to all or most
> registrations and that can be implemented by all registrars alike.
>
>
>
> While we will likely have a certain amount of fragmentation following May
> 25 as each contracted party applies its own solution, it should be our goal
> to overcome this and present a new unified policy that works for all
> contracted parties.
>
>
>
> Volker
>
>
>
>
>
>
>
> On 12. Feb 2018, at 20:27, Michael Palage <michael at palage.com> wrote:
>
>
>
> Greg/John,
>
>
>
> I will respectfully push back on your legal oversimplification of the
> GDPR.
>
>
>
> The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just
> limited to EU residents/citizens.  As Michele has noted in the past, the
> GDPR requires Blacknight as an Irish legal entity to protect all of its
> customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities
> that target and conduct business within the EU.
>
>
>
> Now your points about the distinction between natural and legal persons is
> a fair one and one that has been noted in EU and Art 29 communications.
> Could you please share the basis of your proposition that 97% of all domain
> name registrations are registered by legal entities?
>
>
>
> As I have noted previously, the long term viability of the ICANN
> multi-stakeholder model is at risk as national governments continue to pass
> national laws that impact the operation of the Internet.  However, the
> European Union is NOT alone in advancing Privacy Legislation, in fact data
> localization is perhaps the next biggest lurking threat to the domain name
> system.
>
>
>
> Best regards,
>
>
>
> Michael
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *John Horton via
> gnso-rds-pdp-wg
> *Sent:* Monday, February 12, 2018 1:22 PM
> *To:* Greg Aaron <gca at icginc.com>
> *Cc:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I think Greg is right on. There's simply no justification to force a law
> that is only intended to apply to a) EU residents/citizens that are b)
> natural persons not using the domain name for commercial purposes, to the
> remaining...what? 97% - 99% of the world's registrant population? That
> would be a balanced way to implement all of this.
>
> John Horton
> President and CEO, LegitScript
>
>
> On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:
>
> I don’t know if we arrive at the same place.
>
>
>
> GDPR is based on one principle.  It states what is legal.  It's explicit
> about what you _are allowed to do_; granted there’s some flexibility and
> room for interpretation.   It’s like saying what’s inside a box.
>
>
>
> U.S. law is one based on different principles.  AFAIK U.S. consumer
> protection law does not enumerate specifically what is lawful.  Instead it
> tends to state what is illegal, what you are _not allowed to do_.   It’s
> like saying what’s outside the box.   The U.S. doesn’t have something like
> GDPR that spells out legal bases for collecting data, i.e. the enumerated
> allowable reasons.  Instead the trade and consumer protection laws
> basically say: entities have the right to form contracts between
> themselves, they should live up to the contract, don’t surprise people,
> don’t do certain dishonest things.
>
>
>
> Here's the problem: if one makes the GDPR principle the ICANN standard and
> you apply it to all registrations, then practices that are allowable in one
> place under the law (like the U.S.) would no longer be allowed there by
> ICANN policy.   ICANN would be choosing one legal approach or regime for
> everyone in the world.
>
>
>
> The alternative is to apply the GDPR only to those that it is designed to
> protect:  registrants in the EU.
>
>
>
> For example, there’s nothing in U.S. law that prohibits a U.S. registrar
> from having a contract that says publication of full contact data in WHOIS
> is a condition of registering a domain name if you are a registrant in the
> U.S.
>
>
>
> See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/  for more.
>
>
>
>
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Silver, Bradley via
> gnso-rds-pdp-wg
> *Sent:* Friday, February 9, 2018 2:54 PM
> *To:* Volker Greimann <vgreimann at key-systems.net>;
> gnso-rds-pdp-wg at icann.org
>
>
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> It is true that the GDPR is prescriptive, although also rather open-ended
> (hence our current pickle).  But regardless of the term we use, don’t we
> arrive at the same place:  which is that if something that requires a legal
> basis is done without one, it will be unlawful?  Using Kathy’s example, if
> data is processed without complying with minimization or purpose
> principles, will such processing not run afoul of the law, and hence be
> unlawful?
>
>
>
> There are important distinctions between the meaning of “legal basis”
> which implies that a law requires something to be affirmatively present,
> versus “lawful”, which means that something is not prohibited by law.
> Ultimately though, isn’t “lawfulness”, the same end point, regardless?
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Volker Greimann
> *Sent:* Friday, February 09, 2018 11:27 AM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> I do not see how. Kathy's analysis seems sound. The flexibility within the
> GDPR still only allows processing in very specific circumstances, all of
> which are listed in the GDPR.
>
>
>
> Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
>
> Kathy’s analysis breaks down on a practical level when one looks at the
> GDPR and what it says about when data can be processed.  The GDPR allows
> for flexibility for what can be processed and when, and Kathy’s analysis
> overlooks that point.
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of *Kathy Kleiman
> *Sent:* Thursday, February 8, 2018 7:07 PM
> *To:* gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
>
>
> Tx for the invitation to join, Chuck, and following up on the discussion
> of Sam and Tapani, let me add that criteria for processing must be clearer
> than something broadly within ICANN's mission statement and something
> permissible somewhere. The requirements under law are express and concrete.
>
>
> Specifically, GDPR Article 5(1)(b and c) states:
>
>
> *Personal data shall be:*
>
> *2. "collected for specified, explicit and legitimate purposes and not
> further processed in a manner that is incompatible with those purposes"*
> (the "purpose limitation") AND
>
> *3. "adequate, relevant and limited to what is necessary in relation to
> the purposes for which they are processed"* (the "data minimisation"
> requirement).  [underline added]
>
> Thus, our first criteria of "consistent with ICANN's mission," is only the
> first step and we need to go further than even the 3 criteria we are
> discussing.
>
> Second, lawful and legal enter us into a debate over words and I have to
> agree with Sam and Tapani's analysis and let me add some of my own.
>
> "Legal" is the term we use for actions expressly allowed under law. How we
> process personal data under the GDPR falls into this category -- of
> processing expressly allowed under law. Whereas the term lawful is used for
> a much broader category of actions which are generally permissible and
> allowable.
>
> The term "legal" is much more consistent with our criteria statement
> because the processing of personal data by ICANN must clearly have a *valid
> legal basis* as expressly defined by data protection laws.
>
> Best regards,
> Kathy
>
> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>
> Thanks Tapani,
>
> I will extract from your longer message.
> I deliberately kept mine brief and less technical.
> I think we are in agreement here and I support your position.
>
> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>
> The key distinction, as I understand it, is that "lawful" would be
> defined by the negative, everything that some law does not prohibit,
> whereas "legal basis" is defined by the positive, only things whose
> justification can be explicitly derived from law.
>
>   <......>
>
> So I would prefer "legal basis" specifically in this sense: that any
> processing would have to be explicitly based on one of the criteria, or
> bases, as listed in GDPR Article 6, or similar explicit justification in
> other data protection legislation.
>
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-- 
John Horton
President and CEO, LegitScript

