[IRT.RegDataPolicy] Tech contact consent
Theo Geurts
gtheo at xs4all.nl
Fri Jul 26 17:43:38 UTC 2019
That is an excellent comment Jody.
Up till now, I did not realize that a third party tech contact
assigned by the registrant most likely will not have access to this or
her data.
It gets more complicated if such a data subject wants to exercise rights
under the GDPR or CCPA. How would a registrar be able to deal with a
deletion request? A scenario with multiple resellers and sub-resellers
might complicate things even more.
Sounds like a can of worms the size of New York.
Theo
On 26-7-2019 19:12, Jody Kolker wrote:
>
> Regarding this statement:
>
> */The controller has taken active steps, Tech contact is been
> informed, and the data subject can access their data and change it or
> delete it. /*
>
> Is the data subject the registrant or the tech contact? If it is the
> tech contact, the tech contact may not have access to their data if
> the registrant and tech contact are not the same. The registrar may
> only have a relationship with the registrant and not the tech
> contact. If so, the tech contact may only have access to their data
> through the registrant, which I’m not sure that would be considered as
> “access to their data”.
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org> *On
> Behalf Of *Mark Svancarek (CELA) via IRT.RegDataPolicy
> *Sent:* Friday, July 26, 2019 11:01 AM
> *To:* Sarah Wyld <swyld at tucows.com>; irt.regdatapolicy at icann.org
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
> Notice:This email is from an external sender.
>
> inline
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org
> <mailto:irt.regdatapolicy-bounces at icann.org>> *On Behalf Of *Sarah Wyld
> *Sent:* Friday, July 26, 2019 06:16
> *To:* irt.regdatapolicy at icann.org <mailto:irt.regdatapolicy at icann.org>
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
> Hello all,
>
> > 1. One would not collect “consent” from the RNH. There is a concept
> that if the RNH attests that they’ve gotten agreement from the Tech
> contact that the Rr is safe to proceed, particularly if the sign-up UI
> is well-defined and the Tech contact is informed during the initial
> accuracy check. We should get some legal advice on that.
>
> Well, the Policy section to which I was responding did originally have
> the RNH contact consenting to publish the Tech contact data; it was
> then updated to show the Tech contact consenting for their own data.
> We do already have legal advice on exactly this topic. Please visit
> https://community.icann.org/pages/viewpage.action?pageId=105386422
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunity.icann.org%2Fpages%2Fviewpage.action%3FpageId%3D105386422&data=02%7C01%7Cmarksv%40microsoft.com%7Cc6192db609dc47acecd808d711cb5495%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636997437316049924&sdata=y5X4Lg97B6uqrYu4vYLfgf9gqvMCFuBbqNmA%2BwI0Hxo%3D&reserved=0>
> and look to #3, "Technical Contact Memo.docx". The conclusion in
> points 11 & 12 is that the Registrar cannot rely on the RNH to provide
> notice to the Tech contact on the Registrar's behalf, nor can the RNH
> be relied on to get the Tech contact's consent for data processing.
>
> */[Mark Svancarek] Sorry for mis-reading the thread. I thought you
> were discussing collecting consent *of* the RNH to publish the Tech
> contact info, rather than collecting the consent of the Tech contact
> *by way of* the RNH. Mea culpa. The legal advice does indeed confirm
> that such a system is unreliable, but what I am suggesting is
> different from the primary focus of that the legal advice./*
>
> */Regarding collecting the Registrar collecting Tech contact consent
> directly from the Tech contact, you’d do that when the Tech contact is
> “informed” – you would send an email to the Tech contact at the same
> time as your obligatory accuracy check. The controller has taken
> active steps, Tech contact is been informed, and the data subject can
> access their data and change it or delete it. This would meet the
> requirements of Article 14, and is the mechanism I described above.
> Advice bullet 11 implies this is possible (though it isn’t the topic
> of the memo per se), which is why I have confidence in this approach.
> I don’t see how Article 14 possibly works if the controller is not
> allowed to use the personal information they received to inform the
> data subject. And *that* is what I suggested we could get legal
> advice on./*
>
> */I understand that some registrars will not want to send this notice
> or offer this functionality, and they are not obliged in policy to do
> so, but I disagree with the assertion that it cannot lawfully be done./*
>
> */Does that make sense?/*
>
> > 2. I get a sense that we are creating new policy here, namely going
> down a path to prevent the collection of the Tech contact, in
> violation of the intent of the recommendation. For clarity, please
> let me know if you can support either of these scenarios:
>
> Nothing in my email below regarding the Tech contact consent to
> publication of their data was intended to relate to *collecting *a
> Tech contact in the first place.
>
> */Yep, oops, sorry about that./*
>
> That requirement is separate and I know we've had other conversations
> about it, which we can continue as needed, but I'd suggest we keep it
> a separate thread so as to avoid confusion of these issues. My point
> is simply that there is no avenue in the Recommendations or under
> applicable law for the RNH to consent to data publication on the Tech
> contact's behalf, nor even for the Tech contact themselves to grant
> this consent for publication.
>
> Thanks and happy Friday!
>
> */[Mark Svancarek] Right back at you!/*
>
> --
> Sarah Wyld
> Domains Product Team
> Tucows
> +1.416 535 0123 Ext. 1392
>
>
> On 7/25/2019 4:39 PM, Mark Svancarek (CELA) via IRT.RegDataPolicy wrote:
>
> 1.One would not collect “consent” from the RNH. There is a
> concept that if the RNH attests that they’ve gotten agreement from
> the Tech contact that the Rr is safe to proceed, particularly if
> the sign-up UI is well-defined and the Tech contact is informed
> during the initial accuracy check. We should get some legal
> advice on that.
>
> 2.I get a sense that we are creating new policy here, namely going
> down a path to prevent the collection of the Tech contact, in
> violation of the intent of the recommendation. For clarity,
> please let me know if you can support either of these scenarios:
>
> a.Microsoft wants to use “Domain Administrator” /
> domains at microsoft.com <mailto:domains at microsoft.com>as registrant
> and “MSN Hostmaster” / msnhst at microsoft.com
> <mailto:msnhst at microsoft.com>as Tech contact.
>
> b.A church wants to register a domain name as themselves (an org)
> and wants to have the geekiest member of the congregation be the
> Tech contact.
>
> (Thanks to Stephanie P for scenario b.)
>
> /marksv
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org>
> <mailto:irt.regdatapolicy-bounces at icann.org>*On Behalf Of
> *Elizabeth Bacon
> *Sent:* Tuesday, July 23, 2019 9:08 AM
> *To:* Roger D Carney <rcarney at godaddy.com>
> <mailto:rcarney at godaddy.com>; IRT.RegDataPolicy at icann.org
> <mailto:IRT.RegDataPolicy at icann.org>
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
> Agreed all around. Including a requirement, or even option, to
> collect consent from a RNH is not consistent with the work or
> recommendations of Phase I.
>
> Thanks,
>
> Beth
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org
> <mailto:irt.regdatapolicy-bounces at icann.org>> *On Behalf Of *Roger
> D Carney
> *Sent:* Tuesday, July 23, 2019 11:00 AM
> *To:* IRT.RegDataPolicy at icann.org <mailto:IRT.RegDataPolicy at icann.org>
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
> Good Morning,
>
> +1 to Sarah’s comments, thanks Amr for the extra insight as well.
>
> Thanks
>
> Roger
>
> *From:*IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org
> <mailto:irt.regdatapolicy-bounces at icann.org>> *On Behalf Of *Amr
> Elsadr
> *Sent:* Sunday, July 21, 2019 7:04 AM
> *To:* Sarah Wyld <swyld at tucows.com <mailto:swyld at tucows.com>>
> *Cc:* irt.regdatapolicy at icann.org <mailto:irt.regdatapolicy at icann.org>
> *Subject:* Re: [IRT.RegDataPolicy] Tech contact consent
>
> Notice:This email is from an external sender.
>
> Hi,
>
> Lending my support to everything in Sarah's email below. The draft
> Consensus Policy language (sections 8.3 and 8.3.2) should only
> allow for publication of Tech Contact personal information upon
> gaining consent when the Registered Name Holder and the Tech
> Contact are the same (assuming this is implementable).
>
> However, the EPDP Team did not review privacy/data protection law
> requirements when processing of personal information is performed
> when this personal information was not obtained from the data
> subject (such as a Tech Contact who is not the same natural person
> as the Registered Name Holder). The EPDP Team, therefore, did not
> make a recommendation on how to gain consent to publish this data.
>
> Thanks.
>
> Amr
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Thursday, July 18, 2019 2:42 PM, Sarah Wyld <swyld at tucows.com
> <mailto:swyld at tucows.com>> wrote:
>
> Hello team,
>
> There is some great discussion in the Google Doc
> (https://docs.google.com/document/d/1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx_g9lXCYCw/edit?ts=5d2f60ce#
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx_g9lXCYCw%2Fedit%3Fts%3D5d2f60ce&data=02%7C01%7Cmarksv%40microsoft.com%7Cc6192db609dc47acecd808d711cb5495%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636997437316049924&sdata=8uuBoWHgF%2B2pF84G3L6cacLxlDSd4P1wE2npKhabBC8%3D&reserved=0>)
> about the possibility for the Tech contact to consent to
> publication of their data (name, phone and email), but I think
> it's a bit easier to consider it by email, so I will start
> this discussion and look forward to hearing what everyone else
> thinks.
>
> I see it as two separate questions, one of which is already
> resolved and the other remaining open.
>
> *1 - can the RNH grant consent for publication of Tech contact
> data? *
>
> Based on comments in the doc (including mine) and Dennis's
> subsequent changes, there is agreement that it is not possible
> for one person to consent to publication of another person's
> data. So, if the RNH is also the Tech contact, then maybe they
> could grant consent (if it's possible in an automated manner
> for the registrar to know that these contacts are the same,
> which may not be possible) but certainly if it's a different
> person then this is not an option.
>
> *2 - can the Tech contact grant consent for publication of its
> own data? *
>
> Although on the surface this sounds straightforward, I think
> it's actually a problem.
>
> There is no Recommendation in the Phase 1 final report
> relating to the Tech contact granting consent. Rec 5 explains
> what the tech contact may be ("For the purpose of the
> Technical contact, which is optional for the Registered Name
> Holder to complete (and if the Registrar provides this
> option), Registrars are to advise the Registered Name Holder
> at the time of registration that the Registered Name Holder is
> free to (1) designate the same person as the registrant (or
> its representative) as the technical contact; or (2) provide
> contact information which does not directly identify the
> technical contact person concerned.") Rec 6 requires that the
> RNH can consent to publication ("The EPDP Team recommends
> that, as soon as commercially reasonable, Registrar must
> provide the opportunity for the Registered Name Holder to
> provide its Consent to publish redacted contact information,
> as well as the email address, in the RDS for the sponsoring
> registrar.") Rec 10 requires that the tech contact is
> redacted. Rec 13 refers again to the RNH consenting to
> publication of their data ("1) The EPDP Team recommends that
> the Registrar MUST provide an email address or a web form to
> facilitate email communication with the relevant contact, but
> MUST NOT identify the contact email address or the contact
> itself, unless as per Recommendation #6, the Registered Name
> Holder has provided consent for the publication of its email
> address.")
>
>
> Additionally, the Registrar may not have a legal basis on
> which to publish the Tech contact data (again, assuming it is
> not known to be the same as the RNH data). There is no
> contractual relationship between the registrar and the tech
> contact, so 'performance of a contract' cannot be the basis
> for publication, and because there is no contractual
> relationship it would be improper for the registrar to
> communicate with the tech contact (the registrar does not have
> any legal basis on which to process the tech contact's data)
> even just to send them an email about this consent request.
>
> As such, for question 2 the answer should be no, *the Tech
> contact cannot grant consent to publish their data*.
>
> Thanks,
>
> --
>
> Sarah Wyld
>
> Domains Product Team
>
> Tucows
>
> +1.416 535 0123 Ext. 1392
>
>
>
>
>
>
>
> _______________________________________________
>
> IRT.RegDataPolicy mailing list
>
> IRT.RegDataPolicy at icann.org <mailto:IRT.RegDataPolicy at icann.org>
>
> https://mm.icann.org/mailman/listinfo/irt.regdatapolicy <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Firt.regdatapolicy&data=02%7C01%7Cmarksv%40microsoft.com%7Cc6192db609dc47acecd808d711cb5495%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636997437316059933&sdata=2YfghxXjuW1A3wuw4ctY%2Fxce%2FsiP8gIA0qo4PQPDmE4%3D&reserved=0>
>
> _______________________________________________
>
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Fpolicy&data=02%7C01%7Cmarksv%40microsoft.com%7Cc6192db609dc47acecd808d711cb5495%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636997437316069938&sdata=HWQSuuXgrtO39%2FYPLminyRDpEsTL0RyaeeFlzyoiSc0%3D&reserved=0>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Ftos&data=02%7C01%7Cmarksv%40microsoft.com%7Cc6192db609dc47acecd808d711cb5495%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636997437316069938&sdata=8c90ABJ9DXAyyicNuCkdLl9o9H5hIK8BouS8Pchg8N0%3D&reserved=0>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
>
>
> _______________________________________________
> IRT.RegDataPolicy mailing list
> IRT.RegDataPolicy at icann.org
> https://mm.icann.org/mailman/listinfo/irt.regdatapolicy
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20190726/5b3ba136/attachment.html>
More information about the IRT.RegDataPolicy
mailing list