[gnso-rds-pdp-wg] Legal basis vs. lawful

Volker Greimann vgreimann at key-systems.net
Wed Feb 14 09:54:56 UTC 2018


Hi Alan,

when asking for exemptions, we would have preferred to get ICANN to 
amend the rules that apply to all registrars similarly. As that was not 
possible, we asked for what we needed to remain compliant with local laws.

However, none of those requests were system-breaking. For example 
durations of data retention are behind-the-scenes changes that in all 
likelihood have no visible effect for anyone.

Redacting public whois records for a wide swath of registrants will on 
the other hand have a profound impact for every party. LEAs will have to 
jump through additional hoops for data access, registrants will no 
longer be able to transfer domain names as easily (how would the gaining 
registrar know where to send the FOA if there is no email address in 
public whois), etc etc.

I think the actual effect of the deviations should be borne in mind when 
looking at the chaos that will be wrought by fragmented data privacy 
implementations.

I also want to point out that while everyone always assumes that 
registrars are rejoicing over GDPR, this is not actually the case. It 
will mean a lot of additional implementation work, manual handling of 
requests for information, complaints and disruption of established 
processes that quite honestly we would rather do without.

Best,

Volker


On 13.02.2018 at 19:59, Alan Greenberg wrote:
> We already have a fragmented system. And when European registrars were 
> (reasonably) requesting exemptions, they were advocating fragmentation.
>
> Regardless of what the GDPR details are, we have to presume that other 
> jurisdictions will have different rules, both more and less stringent, 
> perhaps a lot so.
>
> Alan
>
> -- 
> Sent from my mobile. Please excuse brevity and typos.
>
> On February 13, 2018 1:36:52 PM EST, Volker Greimann 
> <vgreimann at key-systems.net> wrote:
>
>     That brings us back to the question whether we would want a
>     unified DNS system or a fractured one. I personally think 14% of
>     the world's registrations are quite a significant number, but even
>     if you do not, does this mean you would prefer fragmentation of
>     policies and rules?
>
>
>     On 13.02.2018 at 19:18, John Horton via gnso-rds-pdp-wg wrote:
>>     +1 (to Greg)
>>
>>     On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca at icginc.com
>>     <mailto:gca at icginc.com>> wrote:
>>
>>         What are the jurisdictions where gTLD registrants are
>>         located?  The stats indicate that a distinct minority of gTLD
>>         registrations and registrants may qualify for GDPR
>>         protection. According to ICANN’s metrics, 14% of registrants
>>         are in the EU.  The top jurisdictions are:
>>
>>         USA             41.0%
>>         EU countries    14.0%
>>         China            9.4%
>>         Canada           4.2%
>>         Japan            3.5%
>>         Panama           3.3%
>>         [other 24.6%]
>>
>>         These stats don’t tell us exactly how many registrations
>>         might involve GDPR (affecting that are the jurisdictions of
>>         the various parties involved in any given registration, the
>>         fact that legal persons in the EU are not due the same
>>         protection as natural persons, etc.).  Still, that 14% is
>>         interesting.
>>
>>         The European Commission itself recently told ICANN that
>>         solutions can and should be balanced, to “preserve the proper
>>         use of WHOIS while ensuring full compliance with the (current
>>         and future) EU data protection rules”, and that GDPR only
>>         applies to the personal data of natural persons in the EU.
>>
>>         So, what justifies extending a particular protection regime
>>         (baseline) to all registrants worldwide, especially when a
>>         technical system can support situational-based needs?  
>>         Over-compliance is not necessary, and over-compliance erodes
>>         the proper use of WHOIS. I suggest that a proper solution is
>>         to enable compliance with a rule in the situations in which
>>         the rule applies.  The proper solution is not to over-apply a
>>         rule, or to apply the rule where it does not have power.
>>
>>         All best,
>>
>>         --Greg
>>
>>         Source:
>>         https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2016-06-27-en
>>
>>
>>         **********************************
>>
>>         Greg Aaron
>>
>>         Vice-President, Product Management
>>
>>         iThreat Cyber Group / Cybertoolbelt.com
>>
>>         mobile: +1.215.858.2257
>>
>>         **********************************
>>
>>         *From:*gnso-rds-pdp-wg
>>         [mailto:gnso-rds-pdp-wg-bounces at icann.org
>>         <mailto:gnso-rds-pdp-wg-bounces at icann.org>] *On Behalf Of
>>         *Kathy Kleiman
>>         *Sent:* Tuesday, February 13, 2018 11:24 AM
>>
>>
>>         *To:* gnso-rds-pdp-wg at icann.org
>>         <mailto:gnso-rds-pdp-wg at icann.org>
>>         *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>>
>>         More than half the countries in the world now have
>>         comprehensive data protection laws, and the number grows
>>         every year. We found that in our research of foundation
>>         documents at the start of this WG. The tipping point took
>>         place in 2015. As it happens, Volker's approach simply does
>>         take this perspective into account.
>>
>>         Best, Kathy
>>
>>         On 2/13/2018 11:04 AM, Dotzero wrote:
>>
>>             Volker, you assert that "it would be sensible to take
>>             GDPR as a basis and start from there". Perhaps sensible
>>             from your perspective and easier from your perspective
>>             but ICANN is an international organization - primarily
>>             dealing with technical/administrative issues - and it
>>             MUST take an approach that, as best it can, accommodates
>>             the laws and practices of various jurisdictions around
>>             the world. Your proposed approach, quite simply does not
>>             do that.
>>
>>             Michael Hammer
>>
>>             On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann
>>             <vgreimann at key-systems.net
>>             <mailto:vgreimann at key-systems.net>> wrote:
>>
>>                 I think that it would be sensible to take the GDPR as
>>                 a basis and start from there. Obviously, where it
>>                 conflicts with other applicable laws, we should make
>>                 sure to accommodate those as well, but as the EU
>>                 Commission and others have pointed out is that
>>                 compliance with GDPR does not preclude providing
>>                 certain access levels to certain parties. What those
>>                 levels would be and who those parties could be should
>>                 be the main focus of our work.
>>
>>                 On 13.02.2018 at 15:41, Chuck wrote:
>>
>>                     Volker,
>>
>>                     Are you saying that you think that RDS policies
>>                     should be designed to comply with European
>>                     regulations and then applied to all other
>>                     jurisdictions in the world?
>>
>>                     Chuck
>>
>>                     *From:*Volker Greimann
>>                     [mailto:vgreimann at key-systems.net]
>>                     *Sent:* Tuesday, February 13, 2018 5:58 AM
>>                     *To:* Chuck <consult at cgomes.com>
>>                     <mailto:consult at cgomes.com>; 'Michael Palage'
>>                     <michael at palage.com> <mailto:michael at palage.com>
>>                     *Cc:* gnso-rds-pdp-wg at icann.org
>>                     <mailto:gnso-rds-pdp-wg at icann.org>
>>                     *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs.
>>                     lawful
>>
>>                     I am afraid that if we create different policies
>>                     for different regions, we will break the model,
>>                     encourage forum shopping and encourage
>>                     firewalling of entire geographic sections of the
>>                     net. I hope that is not what we are doing here.
>>
>>                     GDPR will cause some breakage of this and I see
>>                     it as our mission to fix this breakage of the
>>                     standard by proposing a unified model once again.
>>
>>                     Ultimately, if this solution does what the EU has
>>                     been asking for, e.g. protect legitimate use
>>                     cases of registration data as well as the rights
>>                     of the data subjects, there is no reason why it
>>                     should not be universally applicable.
>>
>>                     Best,
>>
>>                     Volker
>>
>>                     On 13.02.2018 at 00:04, Chuck wrote:
>>
>>                         Volker,
>>
>>                         The WG could recommend policies that are
>>                         ‘universally applicable to all registrations’
>>                         but I seriously doubt that will happen in
>>                         today’s world. That would be much simpler
>>                         than policies that vary by region and users,
>>                         but is it realistic?
>>
>>                         Chuck
>>
>>                         *From:* gnso-rds-pdp-wg
>>                         [mailto:gnso-rds-pdp-wg-bounces at icann.org]
>>                         *On Behalf Of *Volker Greimann
>>                         *Sent:* Monday, February 12, 2018 2:30 PM
>>                         *To:* Michael Palage <michael at palage.com>
>>                         <mailto:michael at palage.com>
>>                         *Cc:* gnso-rds-pdp-wg at icann.org
>>                         <mailto:gnso-rds-pdp-wg at icann.org>
>>                         *Subject:* Re: [gnso-rds-pdp-wg] Legal basis
>>                         vs. lawful
>>
>>                         Michael is right. ICANN is based on the
>>                         thought of “One World; one Internet”. This
>>                         also means that the policies it creates
>>                         should be universally applicable to all
>>                         registrations, if possible. If we start
>>                         creating policy that diverges, that would
>>                         only lead to further fragmentation and
>>                         undermine the founding ideal of ICANN itself.
>>                         Our aim should be to create one policy that
>>                         can be applied to all or most registrations
>>                         and that can be implemented by all registrars
>>                         alike.
>>
>>                         While we will likely have a certain amount of
>>                         fragmentation following May 25 as each
>>                         contracted party applies its own solution, it
>>                         should be our goal to overcome this and
>>                         present a new unified policy that works for
>>                         all contracted parties.
>>
>>                         Volker
>>
>>
>>
>>                             On 12. Feb 2018, at 20:27, Michael Palage
>>                             <michael at palage.com
>>                             <mailto:michael at palage.com>> wrote:
>>
>>                             Greg/John,
>>
>>                             I will respectfully push back on your
>>                             legal oversimplification of the GDPR.
>>
>>                             The extraterritorial aspect of the GDPR set
>>                             forth in Article 3 is NOT just limited to
>>                             EU residents/citizens. As Michele has
>>                             noted in the past, the GDPR requires
>>                             BlackKnight as an Irish legal entity to
>>                             protect all of its customers' data
>>                             (EU/Non-EU) in compliance with GDPR, as
>>                             well as US entities that target and
>>                             conduct business within the EU.
>>
>>                             Now your points about the distinction
>>                             between natural and legal persons is a
>>                             fair one and one that has been noted in
>>                             EU and Art 29 communications. Could you
>>                             please share the basis of your
>>                             proposition that 97% of all domain name
>>                             registrations are registered by legal
>>                             entities.
>>
>>                             As I have noted previously the long term
>>                             viability of the ICANN multi-stakeholder
>>                             model is at risk as national governments
>>                             continue to pass national laws that
>>                             impact the operation of the Internet.
>>                             However, the European Union is NOT alone
>>                             in advancing Privacy Legislation, in fact
>>                             data localization is perhaps the next
>>                             biggest lurking threat to the domain name
>>                             system.
>>
>>                             Best regards,
>>
>>                             Michael
>>
>>                             *From:*gnso-rds-pdp-wg
>>                             [mailto:gnso-rds-pdp-wg-bounces at icann.org]*On
>>                             Behalf Of*John Horton via gnso-rds-pdp-wg
>>                             *Sent:*Monday, February 12, 2018 1:22 PM
>>                             *To:*Greg Aaron <gca at icginc.com
>>                             <mailto:gca at icginc.com>>
>>                             *Cc:*gnso-rds-pdp-wg at icann.org
>>                             <mailto:gnso-rds-pdp-wg at icann.org>
>>                             *Subject:*Re: [gnso-rds-pdp-wg] Legal
>>                             basis vs. lawful
>>
>>                             I think Greg is right on. There's simply
>>                             no justification to force a law that is
>>                             only intended to apply to a) EU
>>                             residents/citizens that are b) natural
>>                             persons not using the domain name for
>>                             commercial purposes, to the
>>                             remaining...what? 97% - 99% of the
>>                             world's registrant population? That would
>>                             be a balanced way to implement all of this.
>>
>>                             John Horton
>>                             President and CEO, LegitScript
>>
>>                             On Mon, Feb 12, 2018 at 9:57 AM, Greg
>>                             Aaron <gca at icginc.com
>>                             <mailto:gca at icginc.com>> wrote:
>>
