[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy

Chuck consult at cgomes.com
Wed Feb 14 14:40:55 UTC 2018


I apologize for injecting this message way too late in the thread and for not
responding to Alan Greenberg’s suggestion yesterday, but I was unavoidably
offline for the last 18+ hours.

 

As of now, let’s change the title of this thread to ‘Using the GDPR as a
basis for RDS Policy’.  For any future responses to earlier messages about
this topic, please change the subject.

 

Note that I changed the subject in my reply.  Feel free to respond to this
message with additional discussion about messages below.  I hope this works;
if anyone has a different suggestion regarding how to do this, please feel
free to communicate it.

 

Chuck

 

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf
Of Paul Keating
Sent: Wednesday, February 14, 2018 4:38 AM
To: Dotzero <dotzero at gmail.com>; Volker Greimann <vgreimann at key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

Correct but they are the ones collecting the data so unless they are
convinced of the need and legal ability they simply will not collect it.
Processing only comes after collection.

 

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of Dotzero <dotzero at gmail.com>
Date: Tuesday, February 13, 2018 at 5:23 PM
To: Volker Greimann <vgreimann at key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

Volker,

Registrars are not the only constituency with a stake in this. 

Michael Hammer

 

On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann at key-systems.net> wrote:

Hi Mike,

no, sensible because a great number of registrars will be forced to deal
with this anyway, because this will affect a great many registrations and
therefore it makes sense to take this as a basis. Of course we will then
need to see if there need to be tweaks to accommodate other
jurisdictions, but as more and more countries are adopting similar
regimes....

Sure it will be more restrictive than open access and some people may have a
harder time than today getting at certain information, but with tiered
access, access would still be possible for those with overriding legitimate
interests. That is the model the EU commission hinted at. Not the only
model, but a working one.

Volker

 

On 13.02.2018 at 17:04, Dotzero wrote:

Volker, you assert that "it would be sensible to take GDPR as a basis and
start from there". Perhaps sensible from your perspective and easier from
your perspective but ICANN is an international organization - primarily
dealing with technical/administrative issues - and it MUST take an approach
that, as best it can, accommodates the laws and practices of various
jurisdictions around the world. Your proposed approach, quite simply does
not do that.

Michael Hammer

 

On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann at key-systems.net> wrote:

I think that it would be sensible to take the GDPR as a basis and start from
there. Obviously, where it conflicts with other applicable laws, we should
make sure to accommodate those as well, but as the EU Commission and others
have pointed out, compliance with GDPR does not preclude providing
certain access levels to certain parties. What those levels would be and who
those parties could be should be the main focus of our work.

 

On 13.02.2018 at 15:41, Chuck wrote:

Volker,

 

Are you saying that you think that RDS policies should be designed to comply
with European regulations and then applied to all other jurisdictions in the
world?

 

Chuck

 

From: Volker Greimann [mailto:vgreimann at key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult at cgomes.com>; 'Michael Palage' <michael at palage.com>
Cc: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

I am afraid that if we create different policies for different regions, we
will break the model, encourage forum shopping and encourage firewalling of
entire geographic sections of the net. I hope that is not what we are doing
here. 

GDPR will cause some breakage of this and I see it as our mission to fix
this breakage of the standard by proposing a unified model once again. 

Ultimately, if this solution does what the EU has been asking for, e.g.
protect legitimate use cases of registration data as well as the rights of
the data subjects, there is no reason why it should not be universally
applicable. 

Best,

Volker

 

On 13.02.2018 at 00:04, Chuck wrote:

Volker,

 

The WG could recommend policies that are ‘universally applicable to all
registrations’ but I seriously doubt that will happen in today’s world.
That would be much simpler than policies that vary by region and users, but
is it realistic?

 

Chuck

 

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf
Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael at palage.com>
Cc: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

Michael is right. ICANN is based on the thought of “One World; one
Internet”. This also means that the policies it creates should be
universally applicable to all registrations, if possible. If we start
creating policy that diverges, that would only lead to further fragmentation
and undermine the founding ideal of ICANN itself. Our aim should be to
create one policy that can be applied to all or most registrations and that
can be implemented by all registrars alike. 

 

While we will likely have a certain amount of fragmentation following May 25
as each contracted party applies its own solution, it should be our goal to
overcome this and present a new unified policy that works for all contracted
parties. 

 

Volker

 

 





On 12. Feb 2018, at 20:27, Michael Palage <michael at palage.com> wrote:

 

Greg/John,

 

I will respectfully push back on your legal oversimplification of the GDPR.

 

The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just
limited to EU residents/citizens.  As Michele has noted in the past, the
GDPR requires Blacknight as an Irish legal entity to protect all of its
customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities
that target and conduct business within the EU.

 

Now your point about the distinction between natural and legal persons is a
fair one and one that has been noted in EU and Art 29 communications.  Could
you please share the basis of your proposition that 97% of all domain name
registrations are registered by legal entities?

 

As I have noted previously, the long term viability of the ICANN
multi-stakeholder model is at risk as national governments continue to pass
national laws that impact the operation of the Internet.  However, the
European Union is NOT alone in advancing Privacy Legislation, in fact data
localization is perhaps the next biggest lurking threat to the domain name
system.  

 

Best regards,

 

Michael

 

 

 

 

 

 

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf
Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca at icginc.com>
Cc: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

I think Greg is right on. There's simply no justification to force a law
that is only intended to apply to a) EU residents/citizens that are b)
natural persons not using the domain name for commercial purposes, to the
remaining...what? 97% - 99% of the world's registrant population? That would
be a balanced way to implement all of this. 




John Horton
President and CEO, LegitScript

 

 

On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca at icginc.com> wrote:

I don’t know if we arrive at the same place.  

 

GDPR is based on one principle.  It states what is legal.  It's explicit
about what you _are allowed to do_; granted there’s some flexibility and
room for interpretation.   It’s like saying what’s inside a box.

 

U.S. law is one based on different principles.  AFAIK U.S. consumer
protection law does not enumerate specifically what is lawful.  Instead it
tends to state what is illegal, what you are _not allowed to do_.   It’s
like saying what’s outside the box.   The U.S. doesn’t have something like
GDPR that spells out legal bases for collecting data, i.e. the enumerated
allowable reasons.  Instead the trade and consumer protection laws basically
say: entities have the right to form contracts between themselves, they
should live up to the contract, don’t surprise people, don’t do certain
dishonest things.   

 

Here's the problem: if one makes the GDPR principle the ICANN standard and
you apply it to all registrations, then practices that are allowable in one
place under the law (like the U.S.) would no longer be allowed there by
ICANN policy.   ICANN would be choosing one legal approach or regime for
everyone in the world.  

 

The alternative is to apply the GDPR only to those that it is designed to
protect:  registrants in the EU.

 

For example, there’s nothing in U.S. law that prohibits a U.S. registrar
from having a contract that says publication of full contact data in WHOIS
is  a condition of registering a domain name if you are a registrant in the
U.S.

 

See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.

 

 

 

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Silver, Bradley via
gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann at key-systems.net>; gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

It is true that the GDPR is prescriptive, although also rather open-ended
(hence our current pickle).  But regardless of the term we use, don’t we
arrive at the same place:  which is that if something that requires a legal
basis is done without one, it will be unlawful?  Using Kathy’s example, if
data is processed without complying with minimization or purpose principles,
will such processing not run afoul of the law, and hence be unlawful?  

 

There are important distinctions between the meaning of “legal basis” which
implies that a law requires something to be affirmatively present, versus
“lawful”, which means that something is not prohibited by law.  Ultimately
though, isn’t “lawfulness”, the same end point, regardless?  

 

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

I do not see how. Kathy's analysis seems sound. The flexibility within the
GDPR still only allows processing in very specific circumstances, all of
which are listed in the GDPR.

 

On 09.02.2018 at 16:45, Victoria Sheckler wrote:

Kathy’s analysis breaks down on a practical level when one looks at the GDPR
and what it says about when data can be processed.  The GDPR allows for
flexibility for what can be processed and when, and Kathy’s analysis
overlooks that point.

 

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful

 

Tx for the invitation to join, Chuck, and following up on the discussion of
Sam and Tapani, let me add that criteria for processing must be clearer than
something broadly within ICANN's mission statement and something permissible
somewhere. The requirements under law are express and concrete. 

Specifically, GDPR Article 5(1)(b and c) states:

Personal data shall be: 
2.    "collected for specified, explicit and legitimate purposes and not
further processed in a manner that is incompatible with those purposes" (the
"purpose limitation") AND 
3.    "adequate, relevant and limited to what is necessary in relation to
the purposes for which they are processed" (the "data minimisation"
requirement).  [underline added]

Thus, our first criterion of "consistent with ICANN's mission," is only the
first step and we need to go further than even the 3 criteria we are
discussing.

Second, lawful and legal enter us into a debate over words and I have to
agree with Sam and Tapani's analysis and let me add some of my own. 

"Legal" is the term we use for actions expressly allowed under law. How we
process personal data under the GDPR falls into this category -- of
processing expressly allowed under law. Whereas the term lawful is used for
a much broader category of actions which are generally permissible and
allowable.

The term "legal" is much more consistent with our criteria statement because
the processing of personal data by ICANN must clearly have a valid legal
basis as expressly defined by data protection laws. 

Best regards, 
Kathy 

On 2/7/2018 10:53 AM, Sam Lanfranco wrote:

Thanks Tapani,

I will extract from your longer message. 
I deliberately kept mine brief and less technical.
I think we are in agreement here and I support your position.

On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:

The key distinction, as I understand it, is that "lawful" would be
defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose
justification can be explicitly derived from law.

  <......>

So I would prefer "legal basis" specifically in this sense: that any
processing would have to be explicitly based on one of the criteria, or
bases, as listed in GDPR Article 6, or similar explicit justification in
other data protection legislation.






_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

 

 
