[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards

Volker Greimann vgreimann at key-systems.net
Thu Feb 15 15:44:03 UTC 2018 

That very much depends on who gets what access how. It may mean less 
data but it need not.


Am 15.02.2018 um 16:42 schrieb Paul Keating:
> Volker,
>
> The harm is to all those relying on the data to do other work (like 
> security).  If the DC limits collection based on the limited GDPR 
> subset (individual EU residents), that means less data available.
>
> Paul
>
> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org 
> <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Volker 
> Greimann <vgreimann at key-systems.net <mailto:vgreimann at key-systems.net>>
> Date: Thursday, February 15, 2018 at 4:29 PM
> To: <gnso-rds-pdp-wg at icann.org <mailto:gnso-rds-pdp-wg at icann.org>>
> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS 
> Policy is backwards
>
>     Regardless of whom the GDPR applies to, we need to ask ourselves
>     the question whether the system we will be designing should make
>     that differentiation. It may be beneficial and reduce user
>     confusion if they do not have to use two different methods  to
>     access registration data depending on where in the world the
>     registrant is based, but only one universal system. And if they
>     have to jump through certain hoops (for example pre-certification
>     of the requester) anyways to get at EU data subject data, where is
>     the harm in using that same hoop for all data?
>
>     Best,
>
>     Volker
>
>
>     Am 15.02.2018 um 15:56 schrieb Paul Keating:
>>     Rubens,
>>
>>     You stated:
>>
>>>       * There is a limited set of registrants that is entitled to
>>>         GDPR protection. There is a very large class of registrants
>>>         that is not entitled to GDPR protection. There is
>>>         disagreement about where this line is, but this seems to be
>>>         something where consensus is possible and there's an
>>>         objectively, legally correct answer."
>>>
>>     And,
>>
>>>          1. The GDPR applies to, and is intended to benefit, a
>>>             limited set of registrants.
>>>
>>
>>         No, no agreement with that state
>>
>>
>>
>>     I completely disagree.  The GDPR does in fact act only to bind
>>     Data Collectors and Processors as to data concerning a specific
>>     and limited set of people (EU residents).  That registrars may
>>     seek to apply it across the board to all registrants is a matter
>>     of convenience and risk avoidance given the potential issues of
>>     properly identifying whether the registrant is in fact one of the
>>     protected class.  While I cannot fault the registrars for wanting
>>     to limit risk, I do object to the objective miss-statement of the
>>     law.
>>
>>     Paul Keating.
>>
>>     From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org
>>     <mailto:gnso-rds-pdp-wg-bounces at icann.org>> on behalf of Rubens
>>     Kuhl <rubensk at nic.br <mailto:rubensk at nic.br>>
>>     Date: Wednesday, February 14, 2018 at 9:41 PM
>>     To: John Horton <john.horton at legitscript.com
>>     <mailto:john.horton at legitscript.com>>
>>     Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org
>>     <mailto:gnso-rds-pdp-wg at icann.org>>
>>     Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS
>>     Policy is backwards
>>
>>
>>
>>>         On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg
>>>         <gnso-rds-pdp-wg at icann.org
>>>         <mailto:gnso-rds-pdp-wg at icann.org>> wrote:
>>>
>>>         Thanks, Chuck. I think whatever changes are required by the
>>>         GDPR can be accomplished with changes that, in my view, do
>>>         not constitute a fundamental change to Whois/RDS. Beyond
>>>         what I think are non-fundamental changes relating to the
>>>         GDPR, I do not believe that any changes are a "must." As to
>>>         your question:
>>>
>>>           * There is a limited set of registrants that is entitled
>>>             to GDPR protection. There is a very large class of
>>>             registrants that is not entitled to GDPR protection.
>>>             There is disagreement about where this line is, but this
>>>             seems to be something where consensus is possible and
>>>             there's an objectively, legally correct answer.
>>>
>>
>>         Nope, GDPR applies to all domain services provided by a party
>>         that does business targeting EEA. So there is no agreement in
>>         limiting to whom GDPR applies to. You know what is in the
>>         Hamilton memo that you disagree with, and while it's your
>>         right to disagree, you can't define things as having
>>         agreement when there is no such thing.
>>
>>
>>>           * It is possible to protect that subset of registrants
>>>             through (e.g.) complimentary privacy protection, as well
>>>             as some other limited policies granting access to the
>>>             data for a legitimate purpose (etc., everything we've
>>>             been discussing).
>>>
>>
>>         Nope, that would only be valid for publishing of data. For
>>         collection and processing of data, private WHOIS as we know
>>         it might not be enough to achieve compliance, depending on
>>         TLD and ICANN requirements.
>>
>>>           * Whether a registrant is, in fact, an entity that is in
>>>             the very limited class entitled to GDPR protection can
>>>             be determined during the registration process, and ICANN
>>>             policy can require registrars to add these fields to the
>>>             registration process. Existing registrants can be asked
>>>             to update their information.
>>>           * Aside from the policies requiring that those additional
>>>             data fields be collected during the registration process
>>>             (e.g., are you an EU citizen and other relevant
>>>             questions), and that if certain answers are "TRUE" then
>>>             privacy protection is automatically granted, Whois would
>>>             not change. Port 43 access would continue as is, and so on.
>>>
>>>         I guess I would turn around and ask you and others if
>>>         everyone agrees with these two statements:
>>>
>>>          1. The GDPR applies to, and is intended to benefit, a
>>>             limited set of registrants.
>>>
>>
>>         No, no agreement with that statement.
>>
>>>          2. Registrar convenience or business objectives is not a
>>>             valid basis to support a policy change.
>>>
>>
>>
>>         That depends on level. If by business objectives you mean
>>         deny service for whole Europe, that's a pretty hard business
>>         hit. It's something like 20% of world's GDP.
>>
>>
>>
>>
>>
>>         Rubens
>>
>>
>>         _______________________________________________
>>         gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg at icann.org
>>         <mailto:gnso-rds-pdp-wg at icann.org>
>>         https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>>
>>
>>     _______________________________________________
>>     gnso-rds-pdp-wg mailing list
>>     gnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>     _______________________________________________ gnso-rds-pdp-wg
>     mailing list gnso-rds-pdp-wg at icann.org
>     <mailto:gnso-rds-pdp-wg at icann.org>
>     https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180215/d89d9156/attachment-0001.html>

More information about the gnso-rds-pdp-wg mailing list