[IRT.RegDataPolicy] Legal clarification regarding publication of TC data

Theo Geurts gtheo at xs4all.nl
Tue Oct 15 12:35:11 UTC 2019 

Thanks, Mark,

Consent is always an option. Though I will avoid it whenever I can. 
Getting consent right without creating a colossal consent form is, in my 
opinion, impossible. Plus, I am not going to hang myself on the 
obligation for Art 17.2. (these are my personal ramblings and not of the 
RrSG)

The legitimate interest of the controller I do not see that legal basis 
happening in all circumstances.

First, who is the controller? Is that the registrar, the registrant, the 
reseller, or the entities who collect the data?
As a wholesale registrar in Europe where ccTLD registries already 
abandoned the tech contact or are in the process, it makes it somewhat 
impossible to comply with Art 5.2. Plus, the fact that even our 
recommendation says it is optional. If it is optional, it already does 
not meet Art 25.

That being said, you made a short summerary.
We might need more info to understand how the law firm came to the 
determination for 6.1.F.

Art 14 is useful info and enforces my firm opinion that third party TC 
contacts will be costly for a registrar to comply with Art 14. A reason 
not to collect it.  At least I am not going to build an exclusive portal 
for those types of contacts, nor am I going to do this manually.

Thanks,
Theo Geurts CIPP/E

On 15-10-2019 2:15, Mark Svancarek (CELA) via IRT.RegDataPolicy wrote:
>
> Dear Registration Data Policy IRT team:
>
> You may recall that several weeks ago we discussed the publication of 
> the Technical Contact fields in the case where RNH has requested 
> publication.  At that time, there was concern about the lawful 
> mechanism for collecting TC consent for the publication.  Section 
> 8.2.9 and 8.3.2 in the document linked below reflect the discussion on 
> this topic.
>
> https://docs.google.com/document/d/1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx_g9lXCYCw/edit?pli=1 
> [docs.google.com] 
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__docs.google.com_document_d_1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx-5Fg9lXCYCw_edit-3Fpli-3D1%26d%3DDwMFAg%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DdqLP1wJqBvDSYLKrSEaAkCi_Kv0Mk5D_d32n29DHCN8%26m%3DdRIvMjxUWA6PNbG-02tm9GzCJLWkYawTHFw5xNiVkQw%26s%3D7KOh9NBp5Oe7Exn_pELSWbcFnSVbgbxEdx0A136mVSY%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C0f7e9ba3dce44cb3d5b308d750e47238%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637066814410087798&sdata=TUOxs0XL3Nba3VFok7TAnIXY0Pz%2FdiS5J2F0ZD763oE%3D&reserved=0>
>
> Since it seemed unlikely to me that there would be no lawful way to 
> process the data of a party who desires it to be processed, I secured 
> outside counsel [hintzelaw.com] 
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__hintzelaw.com_%26d%3DDwMFAg%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DdqLP1wJqBvDSYLKrSEaAkCi_Kv0Mk5D_d32n29DHCN8%26m%3DdRIvMjxUWA6PNbG-02tm9GzCJLWkYawTHFw5xNiVkQw%26s%3DbOI6WBEMfzTYIgDeEMMHk5t-kscPrErQKQWSecD-7AQ%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C0f7e9ba3dce44cb3d5b308d750e47238%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637066814410097793&sdata=5716nnQk4arSIzR%2Fy9GJP74eMsxnYUA16VQ22%2BcjCfk%3D&reserved=0> 
> [https://hintzelaw.com/] to analyze the scenario and provide 
> feedback.  I am pleased to share this legal opinion now with the IRT team.
>
> In summary, per Hintze there are two lawful mechanisms for publication:
>
>   * 6.1(a) – Consent
>   * 6.1(f) – Legitimate Interest
>
> Hintze notes that Article 14 requires the data controller to notify 
> the TC that they have received personal data from another party, and 
> that this notice provides the opportunity to perform multiple functions:
>
>   * Present TC with information regarding personal data in general and
>     publication in particular
>   * Allow TC to correct their contact information
>   * Allow TC to change their contact information to remove personal data
>   * Allow TC to submit or decline to submit their consent for
>     publication should the registrar prefer to use consent as a basis
>     rather than legitimate interest
>
> This clarification should remove remaining implementation concerns 
> regarding the EPDP Phase 1 implementation of the policy 
> recommendations.  I look forward to discussing in our upcoming calls 
> and at ICANN 66 later this month.
>
> Mark Svancarek
>
>
> _______________________________________________
> IRT.RegDataPolicy mailing list
> IRT.RegDataPolicy at icann.org
> https://mm.icann.org/mailman/listinfo/irt.regdatapolicy
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20191015/ffa57f64/attachment.html>

More information about the IRT.RegDataPolicy mailing list