[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

John Horton john.horton at legitscript.com
Wed Feb 14 22:36:00 UTC 2018


Rubens,

I think I see where the disconnect might be. Section 3.2.2 says
"Extraterritorial reach as described in section 3.2.1 above will apply, for
instance, when registrars and registries established outside the EU provide
their domain name registration services to natural persons in the EU."

Are you interpreting that to mean: "If a registrar/registry outside of the
EU markets/offers their services to natural persons in the EU (that is, you
either have some customers in the EU or you potentially could), then they
are fully subject to the GDPR for all of their registrations."? Because I
think that's a misreading of it. I think it means "with respect to the
*actual* provision of services to a natural person in the EU." In other
words, taking it to an extreme, I think you might be interpreting the
Hamilton language in 3.2.2 to mean that all of a non-EU registrar's
registrants are entitled to full GDPR protection if that registrar has even
a single *potential* customer in the EU. However, I think they mean that
even a non-EU registrar has to ensure that any natural person in the EU is
afforded GDPR protections (and I'd agree with you on that -- my own company
has been deep into GDPR compliance even though we aren't in the EU).

John Horton
President and CEO, LegitScript






On Wed, Feb 14, 2018 at 2:00 PM, Rubens Kuhl <rubensk at nic.br> wrote:

>
>
> On 14 Feb 2018, at 19:12, Greg Aaron <gca at icginc.com> wrote:
>
> Rubens, you said that “GDPR applies to all domain services provided by a
> party that does business targeting EEA.”  That statement has multiple
> possible implications.  I want to understand: what exactly are you saying
> here about the publication of personal data in an RDS?
>
>
> Collection, processing and eventual publication. GDPR looks at the full
> lifecycle of all data, not limited to RDS data; but even the RDS PDP has to
> look at the full lifecycle of data that ends up in RDS, not only at
> publishing them. How they are collected, processed and stored has to be
> part of the policy for it to be implementable.
>
>
> Are you saying that any registrar outside the EU that does business with
> EU registrants must extend GDPR protection to all its registrants regarding
> RDS, no matter where the registrants live?  For example, GoDaddy is a U.S.
> company but has some registrants in the EU.  Are you saying that GoDaddy
> must extend GDPR-level protection to me, a U.S. registrant, so that my
> contact details (or some set of contact data fields) should not show up in
> WHOIS/RDS?
>
>
> I would say GDPR compliance, not GDPR protection. And yes, I am saying
> that GoDaddy should extend its compliance for all registrants, but whether that
> means omitting contact details in WHOIS is a totally different matter; for
> instance, part 3 of the Hamilton memos hinted at the possibility of
> convincing European DPAs that publishing all information, or most of it, is
> a legitimate use. So that would open the possible publishing of data and
> still be compliant with GDPR, provided that written binding assurances from
> DPAs are obtained by ICANN or further legislation is approved by the EU,
> which is the long term road suggested by eco.
>
>
>
> If your answer is “yes”: please quote the section of the GDPR regulation
> that you are referring to.  Also specifically the page and paragraph of
> which Hamilton memo; I tried to look up your previous reference but was
> unsure what exactly you were pointing at.  Generally, it is appreciated
> when members provide references we can all look at.
>
>
> The reference in the Hamilton memo can be found at:
> https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en.pdf
>
> 3.2 Territorial Application - 3.2.1 and 3.2.2
>
> I'll let Hamilton answer from where in GDPR (and other applicable law like
> directive 2016/680 regarding law enforcement) they based that, but looks
> like GDPR articles 1 to 4 to me.
>
>
> Rubens
>
>
>
>