[IRT.RegDataPolicy] Tech contact consent
Sarah Wyld
swyld at tucows.com
Fri Jul 26 13:16:18 UTC 2019
Hello all,
> 1. One would not collect “consent” from the RNH. There is a concept that if the RNH attests that they’ve gotten
agreement from the Tech contact that the Rr is safe to proceed,
particularly if the sign-up UI is well-defined and the Tech contact is
informed during the initial accuracy check. We should get some legal
advice on that.
Well, the Policy section to which I was responding did originally have
the RNH contact consenting to publish the Tech contact data; it was then
updated to show the Tech contact consenting for their own data. We do
already have legal advice on exactly this topic. Please visit
https://community.icann.org/pages/viewpage.action?pageId=105386422 and
look to #3, "Technical Contact Memo.docx". The conclusion in points 11 &
12 is that the Registrar cannot rely on the RNH to provide notice to the
Tech contact on the Registrar's behalf, nor can the RNH be relied on to
get the Tech contact's consent for data processing.
> 2. I get a sense that we are creating new policy here, namely going
down a path to prevent the collection of the Tech contact, in violation
of the intent of the recommendation. For clarity, please let me know if
you can support either of these scenarios:
Nothing in my email below regarding the Tech contact consent to
publication of their data was intended to relate to *collecting *a Tech
contact in the first place. That requirement is separate and I know
we've had other conversations about it, which we can continue as needed,
but I'd suggest we keep it a separate thread so as to avoid confusion of
these issues. My point is simply that there is no avenue in the
Recommendations or under applicable law for the RNH to consent to data
publication on the Tech contact's behalf, nor even for the Tech contact
themselves to grant this consent for publication.
Thanks and happy Friday!
--
Sarah Wyld
Domains Product Team
Tucows
+1.416 535 0123 Ext. 1392
On 7/25/2019 4:39 PM, Mark Svancarek (CELA) via IRT.RegDataPolicy wrote:
>
> 1. One would not collect “consent” from the RNH. There is a concept
> that if the RNH attests that they’ve gotten agreement from the
> Tech contact that the Rr is safe to proceed, particularly if the
> sign-up UI is well-defined and the Tech contact is informed during
> the initial accuracy check. We should get some legal advice on that.
> 2. I get a sense that we are creating new policy here, namely going
> down a path to prevent the collection of the Tech contact, in
> violation of the intent of the recommendation. For clarity,
> please let me know if you can support either of these scenarios:
> 1. Microsoft wants to use “Domain Administrator” /
> domains at microsoft.com as registrant and “MSN Hostmaster” /
> msnhst at microsoft.com as Tech contact.
> 2. A church wants to register a domain name as themselves (an
> org) and wants to have the geekiest member of the congregation
> be the Tech contact.
>
>
>
> (Thanks to Stephanie P for scenario b.)
>
>
>
> /marksv
>
>
>
>
>
>
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org> *On
> Behalf Of *Elizabeth Bacon
> *Sent:* Tuesday, July 23, 2019 9:08 AM
> *To:* Roger D Carney <rcarney at godaddy.com>; IRT.RegDataPolicy at icann.org
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
>
>
> Agreed all around. Including a requirement, or even option, to collect
> consent from a RNH is not consistent with the work or recommendations
> of Phase I.
>
> Thanks,
>
> Beth
>
>
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org
> <mailto:irt.regdatapolicy-bounces at icann.org>> *On Behalf Of *Roger D
> Carney
> *Sent:* Tuesday, July 23, 2019 11:00 AM
> *To:* IRT.RegDataPolicy at icann.org <mailto:IRT.RegDataPolicy at icann.org>
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
>
>
> Good Morning,
>
>
>
> +1 to Sarah’s comments, thanks Amr for the extra insight as well.
>
>
>
>
>
> Thanks
>
> Roger
>
>
>
>
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org
> <mailto:irt.regdatapolicy-bounces at icann.org>> *On Behalf Of *Amr Elsadr
> *Sent:* Sunday, July 21, 2019 7:04 AM
> *To:* Sarah Wyld <swyld at tucows.com <mailto:swyld at tucows.com>>
> *Cc:* irt.regdatapolicy at icann.org <mailto:irt.regdatapolicy at icann.org>
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
>
>
> Notice:This email is from an external sender.
>
>
>
> Hi,
>
>
>
> Lending my support to everything in Sarah's email below. The draft
> Consensus Policy language (sections 8.3 and 8.3.2) should only allow
> for publication of Tech Contact personal information upon gaining
> consent when the Registered Name Holder and the Tech Contact are the
> same (assuming this is implementable).
>
>
>
> However, the EPDP Team did not review privacy/data protection law
> requirements when processing of personal information is performed when
> this personal information was not obtained from the data subject (such
> as a Tech Contact who is not the same natural person as the Registered
> Name Holder). The EPDP Team, therefore, did not make a recommendation
> on how to gain consent to publish this data.
>
>
>
> Thanks.
>
>
>
> Amr
>
>
>
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Thursday, July 18, 2019 2:42 PM, Sarah Wyld <swyld at tucows.com
> <mailto:swyld at tucows.com>> wrote:
>
>
>
> Hello team,
>
> There is some great discussion in the Google Doc
> (https://docs.google.com/document/d/1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx_g9lXCYCw/edit?ts=5d2f60ce#
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx_g9lXCYCw%2Fedit%3Fts%3D5d2f60ce&data=02%7C01%7Cmarksv%40microsoft.com%7C7c1d82e522df46c57f3008d70f87f6be%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C1%7C636994948955041779&sdata=opP9b%2BVCW4sOtIuRHNdV8gFgYyMTZSg%2F3hTldUIhFm8%3D&reserved=0>)
> about the possibility for the Tech contact to consent to
> publication of their data (name, phone and email), but I think
> it's a bit easier to consider it by email, so I will start this
> discussion and look forward to hearing what everyone else thinks.
>
> I see it as two separate questions, one of which is already
> resolved and the other remaining open.
>
> *1 - can the RNH grant consent for publication of Tech contact data? *
>
> Based on comments in the doc (including mine) and Dennis's
> subsequent changes, there is agreement that it is not possible for
> one person to consent to publication of another person's data. So,
> if the RNH is also the Tech contact, then maybe they could grant
> consent (if it's possible in an automated manner for the registrar
> to know that these contacts are the same, which may not be
> possible) but certainly if it's a different person then this is
> not an option.
>
> *2 - can the Tech contact grant consent for publication of its own
> data? *
>
> Although on the surface this sounds straightforward, I think it's
> actually a problem.
>
> There is no Recommendation in the Phase 1 final report relating to
> the Tech contact granting consent. Rec 5 explains what the tech
> contact may be ("For the purpose of the Technical contact, which
> is optional for the Registered Name Holder to complete (and if the
> Registrar provides this option), Registrars are to advise the
> Registered Name Holder at the time of registration that the
> Registered Name Holder is free to (1) designate the same person as
> the registrant (or its representative) as the technical contact;
> or (2) provide contact information which does not directly
> identify the technical contact person concerned.") Rec 6 requires
> that the RNH can consent to publication ("The EPDP Team recommends
> that, as soon as commercially reasonable, Registrar must provide
> the opportunity for the Registered Name Holder to provide its
> Consent to publish redacted contact information, as well as the
> email address, in the RDS for the sponsoring registrar.") Rec 10
> requires that the tech contact is redacted. Rec 13 refers again to
> the RNH consenting to publication of their data ("1) The EPDP Team
> recommends that the Registrar MUST provide an email address or a
> web form to facilitate email communication with the relevant
> contact, but MUST NOT identify the contact email address or the
> contact itself, unless as per Recommendation #6, the Registered
> Name Holder has provided consent for the publication of its email
> address.")
>
>
> Additionally, the Registrar may not have a legal basis on which to
> publish the Tech contact data (again, assuming it is not known to
> be the same as the RNH data). There is no contractual relationship
> between the registrar and the tech contact, so 'performance of a
> contract' cannot be the basis for publication, and because there
> is no contractual relationship it would be improper for the
> registrar to communicate with the tech contact (the registrar does
> not have any legal basis on which to process the tech contact's
> data) even just to send them an email about this consent request.
>
> As such, for question 2 the answer should be no, *the Tech contact
> cannot grant consent to publish their data*.
>
> Thanks,
>
> --
>
> Sarah Wyld
>
> Domains Product Team
>
> Tucows
>
> +1.416 535 0123 Ext. 1392
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> IRT.RegDataPolicy mailing list
> IRT.RegDataPolicy at icann.org
> https://mm.icann.org/mailman/listinfo/irt.regdatapolicy
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20190726/1931124e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20190726/1931124e/signature.asc>
More information about the IRT.RegDataPolicy
mailing list