[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Greg Aaron gca at icginc.com
Wed Feb 14 21:12:59 UTC 2018


Rubens, you said that "GDPR applies to all domain services provided by a party that does business targeting EEA."  That statement has multiple possible implications.  I want to understand: what exactly are you saying here about the publication of personal data in an RDS?

Are you saying that any registrar outside the EU that does business with EU registrants must extend GDPR protection to all its registrants regarding RDS, no matter where the registrants live?  For example, GoDaddy is a U.S. company but has some registrants in the EU.  Are you saying that GoDaddy must extend GDPR-level protection to me, a U.S. registrant, so that my contact details (or some set of contact data fields) should not show up in WHOIS/RDS?

If your answer is "yes": please quote the section of the GDPR regulation that you are referring to.  Also specifically the page and paragraph of which Hamilton memo; I tried to look up your previous reference but was unsure what exactly you were pointing at.  Generally, it is appreciated when members provide references we can all look at.

Thanks,
--Greg

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Rubens Kuhl
Sent: Wednesday, February 14, 2018 3:41 PM
To: John Horton <john.horton at legitscript.com>
Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards




On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org> wrote:

Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question:

  *   There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer.

Nope, GDPR applies to all domain services provided by a party that does business targeting EEA. So there is no agreement on limiting to whom GDPR applies. You know what is in the Hamilton memo that you disagree with, and while it's your right to disagree, you can't define things as having agreement when there is no such thing.




  *   It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing).

Nope, that would only be valid for publishing of data. For collection and processing of data, private WHOIS as we know it might not be enough to achieve compliance, depending on TLD and ICANN requirements.



  *   Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information.
  *   Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on.
I guess I would turn around and ask you and others if everyone agrees with these two statements:

  1.  The GDPR applies to, and is intended to benefit, a limited set of registrants.

No, no agreement with that statement.



  2.  Registrar convenience or business objectives is not a valid basis to support a policy change.


That depends on the level. If by business objectives you mean denying service for the whole of Europe, that's a pretty hard business hit. It's something like 20% of the world's GDP.





Rubens

