[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards
Volker Greimann
vgreimann at key-systems.net
Thu Feb 15 15:44:03 UTC 2018
That very much depends on who gets what access how. It may mean less
data but it need not.
Am 15.02.2018 um 16:42 schrieb Paul Keating:
> Volker,
>
> The harm is to all those relying on the data to do other work (like
> security). If the DC limits collection based on the limited GDPR
> subset (individual EU residents), that means less data available.
>
> Paul
>
> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Volker
> Greimann <vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>>
> Date: Thursday, February 15, 2018 at 4:29 PM
> To: <gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>>
> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS
> Policy is backwards
>
> Regardless of whom the GDPR applies to, we need to ask ourselves
> the question whether the system we will be designing should make
> that differentiation. It may be beneficial and reduce user
> confusion if they do not have to use two different methods to
> access registration data depending on where in the world the
> registrant is based, but only one universal system. And if they
> have to jump through certain hoops (for example pre-certification
> of the requester) anyways to get at EU data subject data, where is
> the harm in using that same hoop for all data?
>
> Best,
>
> Volker
>
>
> Am 15.02.2018 um 15:56 schrieb Paul Keating:
>> Rubens,
>>
>> You stated:
>>
>>> * There is a limited set of registrants that is entitled to
>>> GDPR protection. There is a very large class of registrants
>>> that is not entitled to GDPR protection. There is
>>> disagreement about where this line is, but this seems to be
>>> something where consensus is possible and there's an
>>> objectively, legally correct answer."
>>>
>> And,
>>
>>> 1. The GDPR applies to, and is intended to benefit, a
>>> limited set of registrants.
>>>
>>
>> No, no agreement with that state
>>
>>
>>
>> I completely disagree. The GDPR does in fact act only to bind
>> Data Collectors and Processors as to data concerning a specific
>> and limited set of people (EU residents). That registrars may
>> seek to apply it across the board to all registrants is a matter
>> of convenience and risk avoidance given the potential issues of
>> properly identifying whether the registrant is in fact one of the
>> protected class. While I cannot fault the registrars for wanting
>> to limit risk, I do object to the objective miss-statement of the
>> law.
>>
>> Paul Keating.
>>
>> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org
>> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Rubens
>> Kuhl <rubensk at nic.br <mailto:rubensk at nic.br>>
>> Date: Wednesday, February 14, 2018 at 9:41 PM
>> To: John Horton <john.horton at legitscript.com
>> <mailto:john.horton at legitscript.com>>
>> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>>
>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS
>> Policy is backwards
>>
>>
>>
>>> On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg
>>> <gnso-rds-pdp-wg at icann.org
>>> <mailto:gnso-rds-pdp-wg at icann.org>> wrote:
>>>
>>> Thanks, Chuck. I think whatever changes are required by the
>>> GDPR can be accomplished with changes that, in my view, do
>>> not constitute a fundamental change to Whois/RDS. Beyond
>>> what I think are non-fundamental changes relating to the
>>> GDPR, I do not believe that any changes are a "must." As to
>>> your question:
>>>
>>> * There is a limited set of registrants that is entitled
>>> to GDPR protection. There is a very large class of
>>> registrants that is not entitled to GDPR protection.
>>> There is disagreement about where this line is, but this
>>> seems to be something where consensus is possible and
>>> there's an objectively, legally correct answer.
>>>
>>
>> Nope, GDPR applies to all domain services provided by a party
>> that does business targeting EEA. So there is no agreement in
>> limiting to whom GDPR applies to. You know what is in the
>> Hamilton memo that you disagree with, and while it's your
>> right to disagree, you can't define things as having
>> agreement when there is no such thing.
>>
>>
>>> * It is possible to protect that subset of registrants
>>> through (e.g.) complimentary privacy protection, as well
>>> as some other limited policies granting access to the
>>> data for a legitimate purpose (etc., everything we've
>>> been discussing).
>>>
>>
>> Nope, that would only be valid for publishing of data. For
>> collection and processing of data, private WHOIS as we know
>> it might not be enough to achieve compliance, depending on
>> TLD and ICANN requirements.
>>
>>> * Whether a registrant is, in fact, an entity that is in
>>> the very limited class entitled to GDPR protection can
>>> be determined during the registration process, and ICANN
>>> policy can require registrars to add these fields to the
>>> registration process. Existing registrants can be asked
>>> to update their information.
>>> * Aside from the policies requiring that those additional
>>> data fields be collected during the registration process
>>> (e.g., are you an EU citizen and other relevant
>>> questions), and that if certain answers are "TRUE" then
>>> privacy protection is automatically granted, Whois would
>>> not change. Port 43 access would continue as is, and so on.
>>>
>>> I guess I would turn around and ask you and others if
>>> everyone agrees with these two statements:
>>>
>>> 1. The GDPR applies to, and is intended to benefit, a
>>> limited set of registrants.
>>>
>>
>> No, no agreement with that statement.
>>
>>> 2. Registrar convenience or business objectives is not a
>>> valid basis to support a policy change.
>>>
>>
>>
>> That depends on level. If by business objectives you mean
>> deny service for whole Europe, that's a pretty hard business
>> hit. It's something like 20% of world's GDP.
>>
>>
>>
>>
>>
>> Rubens
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg at icann.org
>> <mailto:gnso-rds-pdp-wg at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>
>> _______________________________________________
>> gnso-rds-pdp-wg mailing list
>> gnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> _______________________________________________ gnso-rds-pdp-wg
> mailing list gnso-rds-pdp-wg at icann.org
> <mailto:gnso-rds-pdp-wg at icann.org>
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180215/d89d9156/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list