[gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

Tapani Tarvainen ncsg at tapani.tarvainen.info
Sat Feb 17 09:06:25 UTC 2018


On Fri, Feb 16, 2018 at 03:27:57PM -0800, John Horton via gnso-rds-pdp-wg (gnso-rds-pdp-wg at icann.org) wrote:

> I think some others have found that unless you are within the
> borders of the EU, you are not a data subject

That makes no sense to me. The GDPR speaks in places of "data subjects
in the union" and other places of "data subjects" without such
qualification. The only sensible interpretation is that when
not so qualified it also includes people outside the union.

>    - First, recitals help in interpretation and provide important context
>    -- so they are indeed relevant -- but typically aren't binding in the same
>    way that what comes afterwards is. So I don't think legally you can rely on
>    the recitals for the argument you are making.

Correct. That's why I quoted the (legally binding) Article text instead.

So let's look at how "data subject" is formally defined in Article 4(1):

 "'personal data' means any information relating to an identified or
   identifiable natural person ('data subject'); an identifiable
   natural person is one who can be identified, directly or
   indirectly, in particular by reference to an identifier such as a
   name, an identification number, location data, an online identifier
   or to one or more factors specific to the physical, physiological,
   genetic, mental, economic, cultural or social identity of that
   natural person;"

There is no limitation based on location or residence of said persons.

>    - Your reliance on the second clause (after the comma) in Article 3,
>    Paragraph 1 is (I'd respectfully submit) misplaced in the light of the
>    definitions section. The clause says "...regardless of whether the
>    processing takes place in the Union or not." Processing, however, is
>    defined as "any operation or set of operations on...personal data..." which
>    of course is defined in the definitions section as relating to natural
>    persons. You appear to be interpreting "processing" to mean "no matter
>    where your customers come from."

I'm not relying on that subclause. The first clause is enough: as
there's no explicit mention of the location of customers, it applies
regardless of their location.

The second clause only adds that if you're a company in the EU, you
won't get off the hook even by moving the actual processing outside the EU.
So if a European company sets up a facility in the USA for processing
its American customers, these can still sue it in Europe for GDPR
violations.

> I think you would all clearly agree: I don't, as a US citizen, have
> rights under the GDPR because...I'm not a Data Subject. I don't have
> what's known as "standing" to file a complaint, do I?

I certainly don't agree. I think it is obvious you would be a data
subject in GDPR terminology and would have standing to file a
complaint, too, in the country where the data processor is located.

The argument that "data subject" is limited to Europeans, here and
elsewhere, seems to me just an attempt to find loopholes in the text
to work around the clear intent of the law. I don't think it'll fly.

Incidentally, I find it somewhat odd to find Americans arguing
that Americans should not have standing to claim their rights
under European law against European companies.

-- 
Tapani Tarvainen

