[IRT.RegDataPolicy] Legal clarification regarding publication of TC data

Mark Svancarek (CELA) marksv at microsoft.com
Tue Oct 15 17:01:01 UTC 2019 

Thanks, Theo.
I will collect all the questions and consult with Hintze to get them answered for you.

From: Theo Geurts <gtheo at xs4all.nl>
Sent: Tuesday, October 15, 2019 05:35
To: Mark Svancarek (CELA) <marksv at microsoft.com>; irt.regdatapolicy at icann.org
Subject: Re: [IRT.RegDataPolicy] Legal clarification regarding publication of TC data


Thanks, Mark,

Consent is always an option. Though I will avoid it whenever I can. Getting consent right without creating a colossal consent form is, in my opinion, impossible. Plus, I am not going to hang myself on the obligation for Art 17.2. (these are my personal ramblings and not of the RrSG)

The legitimate interest of the controller I do not see that legal basis happening in all circumstances.

First, who is the controller? Is that the registrar, the registrant, the reseller, or the entities who collect the data?
As a wholesale registrar in Europe where ccTLD registries already abandoned the tech contact or are in the process, it makes it somewhat impossible to comply with Art 5.2. Plus, the fact that even our recommendation says it is optional. If it is optional, it already does not meet Art 25.

That being said, you made a short summerary.
We might need more info to understand how the law firm came to the determination for 6.1.F.

Art 14 is useful info and enforces my firm opinion that third party TC contacts will be costly for a registrar to comply with Art 14. A reason not to collect it.  At least I am not going to build an exclusive portal for those types of contacts, nor am I going to do this manually.

Thanks,
Theo Geurts CIPP/E
On 15-10-2019 2:15, Mark Svancarek (CELA) via IRT.RegDataPolicy wrote:
Dear Registration Data Policy IRT team:

You may recall that several weeks ago we discussed the publication of the Technical Contact fields in the case where RNH has requested publication.  At that time, there was concern about the lawful mechanism for collecting TC consent for the publication.  Section 8.2.9 and 8.3.2 in the document linked below reflect the discussion on this topic.
https://docs.google.com/document/d/1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx_g9lXCYCw/edit?pli=1 [docs.google.com]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__docs.google.com_document_d_1OuZT7xL5wuV1ynVmpVNxFycU93gvPlvbzx-5Fg9lXCYCw_edit-3Fpli-3D1%26d%3DDwMFAg%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DdqLP1wJqBvDSYLKrSEaAkCi_Kv0Mk5D_d32n29DHCN8%26m%3DdRIvMjxUWA6PNbG-02tm9GzCJLWkYawTHFw5xNiVkQw%26s%3D7KOh9NBp5Oe7Exn_pELSWbcFnSVbgbxEdx0A136mVSY%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7Ca4053a0d3e964c0d5da508d7516c21c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067397183886634&sdata=1WvFYHxeFU0DNQdJQJpuUZzKdZOA7eCid6axsDm4jxA%3D&reserved=0>

Since it seemed unlikely to me that there would be no lawful way to process the data of a party who desires it to be processed, I secured outside counsel [hintzelaw.com]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__hintzelaw.com_%26d%3DDwMFAg%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DdqLP1wJqBvDSYLKrSEaAkCi_Kv0Mk5D_d32n29DHCN8%26m%3DdRIvMjxUWA6PNbG-02tm9GzCJLWkYawTHFw5xNiVkQw%26s%3DbOI6WBEMfzTYIgDeEMMHk5t-kscPrErQKQWSecD-7AQ%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7Ca4053a0d3e964c0d5da508d7516c21c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067397183896629&sdata=YcjH55%2FTY78jUM%2BkA9w5UHkxGgoeDATk3gz%2BKphppOM%3D&reserved=0> [https://hintzelaw.com/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhintzelaw.com%2F&data=02%7C01%7Cmarksv%40microsoft.com%7Ca4053a0d3e964c0d5da508d7516c21c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067397183896629&sdata=yaiIK8%2BHqRE%2Bs7WdT%2F4Q4Nnb1hjn%2BGvIjIOv8LJCBAs%3D&reserved=0>] to analyze the scenario and provide feedback.  I am pleased to share this legal opinion now with the IRT team.

In summary, per Hintze there are two lawful mechanisms for publication:

  *   6.1(a) - Consent
  *   6.1(f) - Legitimate Interest

Hintze notes that Article 14 requires the data controller to notify the TC that they have received personal data from another party, and that this notice provides the opportunity to perform multiple functions:

  *   Present TC with information regarding personal data in general and publication in particular
  *   Allow TC to correct their contact information
  *   Allow TC to change their contact information to remove personal data
  *   Allow TC to submit or decline to submit their consent for publication should the registrar prefer to use consent as a basis rather than legitimate interest

This clarification should remove remaining implementation concerns regarding the EPDP Phase 1 implementation of the policy recommendations.  I look forward to discussing in our upcoming calls and at ICANN 66 later this month.

Mark Svancarek





_______________________________________________

IRT.RegDataPolicy mailing list

IRT.RegDataPolicy at icann.org<mailto:IRT.RegDataPolicy at icann.org>

https://mm.icann.org/mailman/listinfo/irt.regdatapolicy<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Firt.regdatapolicy&data=02%7C01%7Cmarksv%40microsoft.com%7Ca4053a0d3e964c0d5da508d7516c21c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067397183906625&sdata=Z3PdCi9%2Fe0Uev4qi2RYERi752eAiWws%2FEcvhfEVjOeg%3D&reserved=0>



_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Fpolicy&data=02%7C01%7Cmarksv%40microsoft.com%7Ca4053a0d3e964c0d5da508d7516c21c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067397183906625&sdata=vl32%2BvGEpul%2FYXXon%2FXLzcdnP4YWHr9iX6mKUntMSNk%3D&reserved=0>) and the website Terms of Service (https://www.icann.org/privacy/tos<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Ftos&data=02%7C01%7Cmarksv%40microsoft.com%7Ca4053a0d3e964c0d5da508d7516c21c8%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637067397183916620&sdata=rA2yGyyQOmNGOu5%2FfbkfgA9f2SconDHECH5f4ynyk88%3D&reserved=0>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/irt.regdatapolicy/attachments/20191015/bfd1c3e1/attachment.html>

More information about the IRT.RegDataPolicy mailing list