[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Paul Keating Paul at law.es
Thu Feb 15 14:56:01 UTC 2018 

Rubens,

You stated:

> * There is a limited set of registrants that is entitled to GDPR protection.
> There is a very large class of registrants that is not entitled to GDPR
> protection. There is disagreement about where this line is, but this seems to
> be something where consensus is possible and there's an objectively, legally
> correct answer."
And,

>> 1. The GDPR applies to, and is intended to benefit, a limited set of
>> registrants. 
> 
> No, no agreement with that state


I completely disagree.  The GDPR does in fact act only to bind Data
Collectors and Processors as to data concerning a specific and limited set
of people (EU residents).  That registrars may seek to apply it across the
board to all registrants is a matter of convenience and risk avoidance given
the potential issues of properly identifying whether the registrant is in
fact one of the protected class.  While I cannot fault the registrars for
wanting to limit risk, I do object to the objective miss-statement of the
law.

Paul Keating.

From:  gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
Rubens Kuhl <rubensk at nic.br>
Date:  Wednesday, February 14, 2018 at 9:41 PM
To:  John Horton <john.horton at legitscript.com>
Cc:  RDS PDP WG <gnso-rds-pdp-wg at icann.org>
Subject:  Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
backwards

> 
> 
>> On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg
>> <gnso-rds-pdp-wg at icann.org> wrote:
>> 
>> Thanks, Chuck. I think whatever changes are required by the GDPR can be
>> accomplished with changes that, in my view, do not constitute a fundamental
>> change to Whois/RDS. Beyond what I think are non-fundamental changes relating
>> to the GDPR, I do not believe that any changes are a "must." As to your
>> question:
>> * There is a limited set of registrants that is entitled to GDPR protection.
>> There is a very large class of registrants that is not entitled to GDPR
>> protection. There is disagreement about where this line is, but this seems to
>> be something where consensus is possible and there's an objectively, legally
>> correct answer. 
> 
> Nope, GDPR applies to all domain services provided by a party that does
> business targeting EEA. So there is no agreement in limiting to whom GDPR
> applies to. You know what is in the Hamilton memo that you disagree with, and
> while it's your right to disagree, you can't define things as having agreement
> when there is no such thing.
> 
> 
>> * It is possible to protect that subset of registrants through (e.g.)
>> complimentary privacy protection, as well as some other limited policies
>> granting access to the data for a legitimate purpose (etc., everything we've
>> been discussing).
> 
> Nope, that would only be valid for publishing of data. For collection and
> processing of data, private WHOIS as we know it might not be enough to achieve
> compliance, depending on TLD and ICANN requirements.
> 
>> * Whether a registrant is, in fact, an entity that is in the very limited
>> class entitled to GDPR protection can be determined during the registration
>> process, and ICANN policy can require registrars to add these fields to the
>> registration process. Existing registrants can be asked to update their
>> information. 
>> * Aside from the policies requiring that those additional data fields be
>> collected during the registration process (e.g., are you an EU citizen and
>> other relevant questions), and that if certain answers are "TRUE" then
>> privacy protection is automatically granted, Whois would not change. Port 43
>> access would continue as is, and so on.
>> I guess I would turn around and ask you and others if everyone agrees with
>> these two statements:
>> 1. The GDPR applies to, and is intended to benefit, a limited set of
>> registrants. 
> 
> No, no agreement with that statement.
> 
>> 1. Registrar convenience or business objectives is not a valid basis to
>> support a policy change.
> 
> 
> That depends on level. If by business objectives you mean deny service for
> whole Europe, that's a pretty hard business hit. It's something like 20% of
> world's GDP. 
> 
> 
> 
> 
> 
> Rubens
> 
> 
> _______________________________________________ gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180215/4a8681be/attachment.html>

More information about the gnso-rds-pdp-wg mailing list