[gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP

Raoul Plommer plommer at gmail.com
Sat Feb 17 19:12:28 UTC 2018


Let me rephrase that: a non-European company complies with GDPR because of
its European data subjects (could be fined otherwise). Their non-European
clients are thus very possibly, indirectly protected because of the GDPR,
if the company makes changes to all of its processing of data. I think
GoDaddy is already an example of that.

-Raoul

On 17 February 2018 at 21:03, <consult at cgomes.com> wrote:

> Thanks Raoul.  So you think that a non-European registrar or registry
> could be fined if it violated the GDPR for a non-European natural person?
>
>
>
> Chuck
>
>
>
> *From:* Raoul Plommer [mailto:plommer at gmail.com]
> *Sent:* Saturday, February 17, 2018 10:57 AM
> *To:* consult at cgomes.com
> *Cc:* Ayden Férdeline <icann at ferdeline.com>; Paul Keating <paul at law.es>;
> RDS PDP WG <gnso-rds-pdp-wg at icann.org>
>
> *Subject:* Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and
> GDRP
>
>
>
> I don't understand how the GDPR could
> protect non-European natural persons dealing with non-European companies.
>
>
>
> Unfortunately, not all laws can be that well enforced, but they are
> nevertheless in place. In this particular example, I think there's the
> massive threat of getting fined, that will give the companies the right
> incentive to comply. Banks and financial services in tax-havens didn't
> expect to get caught either.
>
>
>
> If a non-European company complies with the GDPR because of its European
> customers, then its non-European ones are extended the same protections through
> interfaces and access.
>
>
>
> -Raoul
>
>
>
> On 17 February 2018 at 20:20, <consult at cgomes.com> wrote:
>
> As one who is trying to understand the GDPR, the key condition for these
> recitals is ‘processed within the legal boundaries of the European Union’.
>
>
>
> Chuck
>
>
>
> *From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces at icann.org] *On
> Behalf Of *Ayden Férdeline
> *Sent:* Friday, February 16, 2018 12:27 PM
> *To:* Paul Keating <paul at law.es>
>
>
> *Cc:* RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> *Subject:* Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and
> GDRP
>
>
>
> I interpret the GDPR as applying to anyone, residing anywhere, regardless
> of his or her citizenship, whose data is processed within the legal
> boundaries of the European Union.
>
>
>
> Recital 2 <http://www.privacy-regulation.eu/en/recital-2-GDPR.htm> (emphasis
> added) states: "The principles of, and rules on the protection of natural
> persons with regard to the processing of their personal data should, *whatever
> their nationality or residence*, respect their fundamental rights and
> freedoms, in particular their right to the protection of personal data."
>
>
>
> Recital 4 <http://www.privacy-regulation.eu/en/recital-4-GDPR.htm>
> (emphasis added) states: "The processing of personal data should be *designed
> to serve mankind*."
>
>
>
> Recital 14 <http://www.privacy-regulation.eu/en/recital-14-GDPR.htm>
> (emphasis added) states: "The protection afforded by this Regulation should
> apply to natural persons, *whatever their nationality or place of
> residence*, in relation to the processing of their personal data."
>
>
>
> Ayden
>
>
>
>
>
> -------- Original Message --------
>
> On 16 February 2018 9:07 PM, Paul Keating <paul at law.es> wrote:
>
>
>
> John,
>
>
>
> Given that the GDPR only applies to private data of private individuals
> residing in the EU, I doubt you will ever see such a statement.
>
>
>
> Sent from my iPad
>
>
>
> On 16 Feb 2018, at 21:02, John Horton via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
>
> Ha, thanks Michele, and sorry for the timing! (Hope your answer was
> written over a bottle of red wine, preferably an Oregon pinot.)
>
>
>
> Let me clarify my question, and feel free to defer the answer if next week
> is better. I'm asking if registrars have received specific guidance, or can
> point to anything specific in the GDPR or any written document, indicating
> that you have to provide GDPR protections to all of your customers, even if
> they aren't in scope. In other words, I'm looking for a very clear
> statement along these lines from a DPA:
>
>
>
> As an EU company, even if your customer is a natural person in the US, you
> must provide them the same rights under the GDPR that an EU natural person
> would receive. Failure to do so is non-compliant with the GDPR.
>
>
>
> Obviously, the exact wording may differ, but I'm trying to challenge your
> statement that "As an Irish company all our clients have to be handled
> under GDPR." If that's true as a legal requirement, I think it's important
> for the security/compliance community to be aware of that...if it's not,
> perhaps that opens up some more granular approaches that can satisfy both
> sides.
>
>
>
> John Horton
> President and CEO, LegitScript
>
>
>
>
> *Follow* *Legit**Script*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com>  |  Facebook
> <https://www.facebook.com/LegitScript>  |  Twitter
> <https://twitter.com/legitscript>  |  *Blog
> <http://blog.legitscript.com/>*  |  Newsletter
> <http://go.legitscript.com/Subscription-Management.html>
>
>
>
>
>
>
> On Fri, Feb 16, 2018 at 11:53 AM, Michele Neylon - Blacknight <
> michele at blacknight.com> wrote:
>
> John
>
>
>
> Of course you would wait until a Friday evening to ask me this ..
>
>
>
> Anyway ..
>
>
>
> As a company in the EU we have to do everything through the lens of GDPR.
>
>
> That does not mean that a company will get the same treatment as a private
> individual.
>
>
>
> What it does mean is that we (and other EU based registrars and
> registries) have to consider whether or not there is personal information
> in the currently public whois information. I’m not 100% sure yet what the
> best way of dealing with that is.
> While we can ask new clients things during signup, it’s going to be
> significantly harder to get a response from the existing ones.
>
>
>
> Regards
>
>
>
> Michele
>
>
>
>
>
> --
>
> Mr Michele Neylon
>
> Blacknight Solutions
>
> Hosting, Colocation & Domains
>
> https://www.blacknight.com
>
> https://blacknight.blog/
>
> http://ceo.hosting/
>
> Intl. +353 (0) 59  9183072 <+353%2059%20918%203072>
>
> Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>
>
> -------------------------------
>
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>
> Road,Graiguecullen,Carlow, R93 X265
>
> ,Ireland  Company No.: 370845
>
> *From: *John Horton <john.horton at legitscript.com>
> *Date: *Friday 16 February 2018 at 19:28
> *To: *Michele Neylon <michele at blacknight.com>
> *Cc: *"benny at nordreg.se" <benny at nordreg.se>, RDS PDP WG <
> gnso-rds-pdp-wg at icann.org>
> *Subject: *Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and
> GDRP
>
>
>
> Michele,
>
>
>
> Let me dig in a bit on one question there -- actually curious about this.
> You indicated "As an Irish company all our clients have to be handled
> under GDPR." So, for example, let's say that I transferred my company's
> domain name (obviously, we're a legal person, and we're domiciled in the US
> and registered here) to Blacknight. I think you'd agree we're not the
> intended beneficiary of the GDPR. My specific question for you is: Is there
> written guidance somewhere indicating that you do, in fact, have to provide
> me GDPR protections? That your policies have to apply to me? If there's
> some language out there specifically indicating that, it would be helpful
> to see that. I didn't see that in the Hamilton memo (perhaps I'm missing
> it) nor in the text of the GDPR (but again, perhaps I'm missing it). Let me
> know if my question doesn't make sense.
>
>
>
> John Horton
> President and CEO, LegitScript
>
>
>
>
> *Follow* *Legit**Script*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com>  |  Facebook
> <https://www.facebook.com/LegitScript>  |  Twitter
> <https://twitter.com/legitscript>  |  Blog <http://blog.legitscript.com/>
>   |  Newsletter <http://go.legitscript.com/Subscription-Management.html>
>
>
>
>
>
>
> On Fri, Feb 16, 2018 at 11:15 AM, Michele Neylon - Blacknight <
> michele at blacknight.com> wrote:
>
> John
>
>
>
> There are two distinct discussions here which seem to be getting mixed
> together.
>
>
>
> During the proxy / privacy discussion some people wanted there to be a
> distinction between who could avail of proxy / privacy services. Some
> wanted a prohibition on letting “commercial” have the ability to use proxy
> / privacy.
>
>
>
> The discussions here and elsewhere around collection and publication of
> data in light of GDPR are very different.
>
>
>
> Nobody is disputing that there is a distinction between private
> individuals and corporations when it comes to GDPR. However there are risks
> associated with the processing of personal information, which may be tied
> into corporate information. And the “commercial” vs “non-commercial”
> distinction won’t work.
>
>
>
> Where there is a clear difference is between treatment of registrants
> based on geography.
>
> As an Irish company all our clients have to be handled under GDPR. The
> same would be true of any other provider based in the EU.
>
>
>
> I cannot speak to nor will I get involved in debates around what various
> non-EU based operators may currently be doing or plan to do in the future –
> there are enough of them on this list who can do so more ably than I and
> without my help.
>
>
>
> Regards
>
>
>
> Michele
>
>
>
>
>
> --
>
> Mr Michele Neylon
>
> Blacknight Solutions
>
> Hosting, Colocation & Domains
>
> https://www.blacknight.com
>
> https://blacknight.blog/
>
> http://ceo.hosting/
>
> Intl. +353 (0) 59  9183072 <+353%2059%20918%203072>
>
> Direct Dial: +353 (0)59 9183090 <+353%2059%20918%203090>
>
> -------------------------------
>
> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty
>
> Road,Graiguecullen,Carlow, R93 X265
>
> ,Ireland  Company No.: 370845
>
> *From: *gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
> John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg at icann.org>
> *Reply-To: *John Horton <john.horton at legitscript.com>
> *Date: *Friday 16 February 2018 at 18:54
> *To: *"benny at nordreg.se" <benny at nordreg.se>
> *Cc: *RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> *Subject: *Re: [gnso-rds-pdp-wg] Krebs On Security article RE whois and
> GDRP
>
>
>
> I think quite a bit in this WG and certainly in the prior privacy/proxy
> PDP, and absolutely what we're seeing with GoDaddy. To make sure I'm being
> clear about what I mean, GoDaddy isn't only redacting Whois information
> (via Port 43) where it's an EU natural citizen or natural resident. The
> information is being redacted for....everyone. All registrants. There's
> simply no justification for that.
>
>
>
> I predict you'd see (I'm not speaking for anyone here, just me) a real
> willingness on the security and compliance community's part to compromise
> and support a system where, IF a registrant is an EU natural person (yes, I
> know we need to define it accurately -- citizen, resident, we can get
> granular later) then...hey, let's set up a system involving redaction of
> some fields, access to those fields in legitimate cases, etc. I want to
> support registrars' compliance with the GDPR. But we're seeing the
> registrar community say: We want to apply this globally. To all domain name
> registrations. Doesn't matter if the registrant is the intended beneficiary
> of the new law, or in scope, or not. We're going to just change global
> policy.
>
>
>
> I think that viewpoint has been pretty repeatedly represented in this
> working group, but I'd love to hear from registrars that would support a
> more targeted solution where only the intended beneficiaries of the GDPR
> (that is, in-scope registrants) are covered under the policy.
>
>
>
> John Horton
> President and CEO, LegitScript
>
>
>
>
> *Follow* *Legit**Script*: LinkedIn
> <http://www.linkedin.com/company/legitscript-com>  |  Facebook
> <https://www.facebook.com/LegitScript>  |  Twitter
> <https://twitter.com/legitscript>  |  Blog <http://blog.legitscript.com/>
>   |  Newsletter <http://go.legitscript.com/Subscription-Management.html>
>
>
>
>
>
>
> On Fri, Feb 16, 2018 at 10:44 AM, benny at nordreg.se <benny at nordreg.se>
> wrote:
>
> Please refer to where registrars have been unwilling to explore this
> option?
>
>
>
> --
> Med vänliga hälsningar / Kind Regards / Med vennlig hilsen
>
> Benny Samuelsen
> Registry Manager - Domainexpert
>
> Nordreg AB - ICANN accredited registrar
> IANA-ID: 638
> Phone: +46.42197000
> Direct: +47.32260201
> Mobile: +47.40410200
>
> > On 16 Feb 2018, at 19:38, John Horton via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
> >
> > Just imagine how much of all of this could be avoided if registrars were
> willing to agree to a commercial/individual distinction.
> >
> > John Horton
> > President and CEO, LegitScript
> >
> >
> > Follow LegitScript: LinkedIn  |  Facebook  |  Twitter  |  Blog  |
> Newsletter
> >
> >
> >
>
> > On Fri, Feb 16, 2018 at 10:33 AM, John Bambenek via gnso-rds-pdp-wg <
> gnso-rds-pdp-wg at icann.org> wrote:
> > GDPR taken to its logical extreme very well could require us to abandon
> IP reputation and to emptying our firewalls. I mean, no consumer authorized
> me to process their IP just by attacking me, right?
> >
> > Privacy absolutism is not the answer unless you basically want to
> mandate the internet backbone be converted to tor.
> >
> > --
> > John Bambenek
> >
> > On Feb 16, 2018, at 06:09, Michele Neylon - Blacknight <
> michele at blacknight.com> wrote:
> >
> >> It’s an interesting read, but it has several flaws.
> >>
> >> It refers to registrars solely and ignores registries.
> >>
> >> It also makes it sound like issues around whois are “new”, which we all
> know isn’t true.
> >>
> >> The comments about IP addresses make it sound like it’s a theoretical
> concern, yet there is case law eg:
> >>
> >> https://www.irishtimes.com/business/technology/european-court-of-justice-rules-ip-addresses-are-personal-data-1.2835704
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >>
> >> Mr Michele Neylon
> >>
> >> Blacknight Solutions
> >>
> >> Hosting, Colocation & Domains
> >>
> >> https://www.blacknight.com/
> >>
> >> http://blacknight.blog/
> >>
> >> Intl. +353 (0) 59 9183072 <%2B353%20%280%29%2059%20%209183072>
> >>
> >> Direct Dial: +353 (0)59 9183090
> >>
> >> Personal blog: https://michele.blog/
> >>
> >> Some thoughts: https://ceo.hosting/
> >>
> >> -------------------------------
> >>
> >> Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business
> Park,Sleaty
> >>
> >> Road,Graiguecullen,Carlow,R93 X265,Ireland  Company No.: 370845
> >>
> >> From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of
> Dotzero <dotzero at gmail.com>
> >> Date: Friday 16 February 2018 at 00:07
> >> To: RDS PDP WG <gnso-rds-pdp-wg at icann.org>
> >> Subject: [gnso-rds-pdp-wg] Krebs On Security article RE whois and GDRP
> >>
> >>
> >>
> >>
> >> https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
> >>
> >> Michael Hammer
> >>
> >> _______________________________________________
> >> gnso-rds-pdp-wg mailing list
> >> gnso-rds-pdp-wg at icann.org
> >> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
>
>
>
>
>