[gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is backwards
Paul Keating
Paul at law.es
Thu Feb 15 15:58:47 UTC 2018
Volker,
If the idea is to treat all registrations as if they must meet compliance
under the GDPR. And, if the registrars are actively stating that they will
collect less data under the GDPR. It then logically results in less overall
data.
From: Volker Greimann <vgreimann at key-systems.net>
Date: Thursday, February 15, 2018 at 4:44 PM
To: Paul Keating <paul at law.es>, <gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
backwards
>
>
>
> That very much depends on who gets what access how. It may mean less data but
> it need not.
>
>
>
> Am 15.02.2018 um 16:42 schrieb Paul Keating:
>
>
>>
>> Volker,
>>
>>
>>
>>
>> The harm is to all those relying on the data to do other work (like
>> security). If the DC limits collection based on the limited GDPR subset
>> (individual EU residents), that means less data available.
>>
>>
>>
>>
>> Paul
>>
>>
>>
>>
>> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
>> Volker Greimann <vgreimann at key-systems.net>
>> Date: Thursday, February 15, 2018 at 4:29 PM
>> To: <gnso-rds-pdp-wg at icann.org>
>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy is
>> backwards
>>
>>
>>
>>
>>
>>>
>>>
>>>
>>>
>>> Regardless of whom the GDPR applies to, we need to ask ourselves the
>>> question whether the system we will be designing should make that
>>> differentiation. It may be beneficial and reduce user confusion if they do
>>> not have to use two different methods to access registration data depending
>>> on where in the world the registrant is based, but only one universal
>>> system. And if they have to jump through certain hoops (for example
>>> pre-certification of the requester) anyways to get at EU data subject data,
>>> where is the harm in using that same hoop for all data?
>>>
>>>
>>>
>>> Best,
>>>
>>>
>>> Volker
>>>
>>>
>>>
>>> Am 15.02.2018 um 15:56 schrieb Paul Keating:
>>>
>>>
>>>>
>>>> Rubens,
>>>>
>>>>
>>>>
>>>>
>>>> You stated:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> * There is a limited set of registrants that is entitled to GDPR
>>>>> protection. There is a very large class of registrants that is not
>>>>> entitled to GDPR protection. There is disagreement about where this line
>>>>> is, but this seems to be something where consensus is possible and there's
>>>>> an objectively, legally correct answer."
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> And,
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 1. The GDPR applies to, and is intended to benefit, a limited set of
>>>>>> registrants.
>>>>>> 2.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> No, no agreement with that state
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> I completely disagree. The GDPR does in fact act only to bind Data
>>>> Collectors and Processors as to data concerning a specific and limited set
>>>> of people (EU residents). That registrars may seek to apply it across the
>>>> board to all registrants is a matter of convenience and risk avoidance
>>>> given the potential issues of properly identifying whether the registrant
>>>> is in fact one of the protected class. While I cannot fault the registrars
>>>> for wanting to limit risk, I do object to the objective miss-statement of
>>>> the law.
>>>>
>>>>
>>>>
>>>>
>>>> Paul Keating.
>>>>
>>>>
>>>>
>>>>
>>>> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
>>>> Rubens Kuhl <rubensk at nic.br>
>>>> Date: Wednesday, February 14, 2018 at 9:41 PM
>>>> To: John Horton <john.horton at legitscript.com>
>>>> Cc: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>>>> Subject: Re: [gnso-rds-pdp-wg] Using the GDPR as a basis for RDS Policy
>>>> is backwards
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg
>>>>>> <gnso-rds-pdp-wg at icann.org> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks, Chuck. I think whatever changes are required by the GDPR can be
>>>>>> accomplished with changes that, in my view, do not constitute a
>>>>>> fundamental change to Whois/RDS. Beyond what I think are non-fundamental
>>>>>> changes relating to the GDPR, I do not believe that any changes are a
>>>>>> "must." As to your question:
>>>>>>
>>>>>>
>>>>>> * There is a limited set of registrants that is entitled to GDPR
>>>>>> protection. There is a very large class of registrants that is not
>>>>>> entitled to GDPR protection. There is disagreement about where this line
>>>>>> is, but this seems to be something where consensus is possible and
>>>>>> there's an objectively, legally correct answer.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Nope, GDPR applies to all domain services provided by a party that does
>>>>> business targeting EEA. So there is no agreement in limiting to whom GDPR
>>>>> applies to. You know what is in the Hamilton memo that you disagree with,
>>>>> and while it's your right to disagree, you can't define things as having
>>>>> agreement when there is no such thing.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> * It is possible to protect that subset of registrants through (e.g.)
>>>>>> complimentary privacy protection, as well as some other limited policies
>>>>>> granting access to the data for a legitimate purpose (etc., everything
>>>>>> we've been discussing).
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Nope, that would only be valid for publishing of data. For collection and
>>>>> processing of data, private WHOIS as we know it might not be enough to
>>>>> achieve compliance, depending on TLD and ICANN requirements.
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> * Whether a registrant is, in fact, an entity that is in the very limited
>>>>>> class entitled to GDPR protection can be determined during the
>>>>>> registration process, and ICANN policy can require registrars to add
>>>>>> these fields to the registration process. Existing registrants can be
>>>>>> asked to update their information.
>>>>>> * Aside from the policies requiring that those additional data fields be
>>>>>> collected during the registration process (e.g., are you an EU citizen
>>>>>> and other relevant questions), and that if certain answers are "TRUE"
>>>>>> then privacy protection is automatically granted, Whois would not change.
>>>>>> Port 43 access would continue as is, and so on.
>>>>>>
>>>>>> I guess I would turn around and ask you and others if everyone agrees
>>>>>> with these two statements:
>>>>>>
>>>>>>
>>>>>> 1. The GDPR applies to, and is intended to benefit, a limited set of
>>>>>> registrants.
>>>>>> 2.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> No, no agreement with that statement.
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 1. Registrar convenience or business objectives is not a valid basis to
>>>>>> support a policy change.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> That depends on level. If by business objectives you mean deny service
>>>>> for whole Europe, that's a pretty hard business hit. It's something like
>>>>> 20% of world's GDP.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Rubens
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________ gnso-rds-pdp-wg mailing
>>>>> list gnso-rds-pdp-wg at icann.org
>>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-rds-pdp
>>>> -wg
>>>>
>>>
>>>
>>>
>>> _______________________________________________ gnso-rds-pdp-wg mailing
>>> list gnso-rds-pdp-wg at icann.org
>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180215/15811f4d/attachment-0001.html>
More information about the gnso-rds-pdp-wg
mailing list