Draft Principles for GDPR
Folks

Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.

Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.

And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.

So please everyone - comments

Thanks

Holly

TEMPORARY SPECIFICATION FOR GTLD REGISTRATION DATA

PRINCIPLES FOR REQUIREMENTS TO REPLACE THE RAA/REGISTRY REQUIREMENTS
_(within the context of compliance with the GDPR)_

PURPOSE OF COLLECTION OF DATA

Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:

_purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”_

_Purpose includes_

· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.

the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”

GEOGRAPHIC COVERAGE OF EPDP OUTCOME:

· Apply globally OR
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)

DATA COLLECTED

· ‘Thick Whois’ – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information

CONSENT

· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent

ACCESS TO DATA – TIERED ACCESS (LARGELY WHAT IS IN THE TECHNICAL SPECIFICATION)

· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals) –
o Only in specific circumstances that warrant access
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like

1. The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.

I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?

Jonathan

From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of "h.raiche@internode.on.net" <h.raiche@internode.on.net>
Reply-To: "h.raiche@internode.on.net" <h.raiche@internode.on.net>
Date: Tuesday, July 10, 2018 at 5:22 PM
To: ALAC List <alac@atlarge-lists.icann.org>, A t <staff@atlarge.icann.org>
Subject: [ALAC] Draft Principles for GDPR

Folks

Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.

Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.

And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
Thanks Jonathan. You beat me to it.

The temp spec is what it is, and we may want to change it based on what we believe are "user" needs.

I do not believe that the temp spec nor the EPDP need principles that echo what is in the GDPR. They are the premise under which this work will be done. So, for instance, the blurb below on consent is simply tailoring the GDPR consent rules to WHOIS (mentioning escrow, and registries). That is effectively a given (of course, consent applies ONLY to data that we cannot claim is essential to collect).

Jonathan's bullet point is the lead-in. The first question we need to address is WHY we want to or feel we need to contribute to this process. Or to be clearer, why do USERS (not registrants) even care how we implement GDPR with respect to WHOIS?

Alan

At 10/07/2018 05:27 PM, Jonathan Zuck wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like

* The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.

I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?

Jonathan
_______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/alac
At-Large Online: http://www.atlarge.icann.org ALAC Working Wiki: https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALA...)
Good man! Keep going. And while at it, tell us why (grounding of principle) and how (that plays out in context of WHOIS)!

-Carlton

==============================
*Carlton A Samuels*
*Mobile: 876-818-1799*
*Strategy, Process, Governance, Assessment & Turnaround*
=============================

On Tue, Jul 10, 2018 at 4:27 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our *perspective* on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
1. The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
Thanks Jonathan

Agreed. And as soon as there is an agreed wiki for this, please put your comments there. (I find that putting ANYTHING down on paper (so to speak) makes it easier for others to comment - so the more text we put down, the better)

Holly

Would other principles be something like: general agreement with the TempSec?

----- Original Message -----
From: "Jonathan Zuck"
To: "h.raiche@internode.on.net", "ALAC List", "A t"
Cc:
Sent: Tue, 10 Jul 2018 21:27:15 +0000
Subject: Re: [ALAC] Draft Principles for GDPR

Thanks Holly for getting this started. I guess what we’re after are some basic principles on our _perspective_ on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like

* The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.

I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?

Jonathan

FROM: ALAC on behalf of "h.raiche@internode.on.net"
REPLY-TO: "h.raiche@internode.on.net"
DATE: Tuesday, July 10, 2018 at 5:22 PM
TO: ALAC List, A t
SUBJECT: [ALAC] Draft Principles for GDPR

Folks

Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.

Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.

And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
Yeah, definitely although that might be too broad which is why I was glad you posted what you did. Let’s get a little more granular

From: h.raiche@internode.on.net [mailto:h.raiche@internode.on.net]
Sent: Tuesday, July 10, 2018 9:44 PM
To: Jonathan Zuck <JZuck@innovatorsnetwork.org>; h.raiche@internode.on.net; ALAC List <alac@atlarge-lists.icann.org>; A t <staff@atlarge.icann.org>
Subject: Re: [ALAC] Draft Principles for GDPR

Thanks Jonathan

Agreed. And as soon as there is an agreed wiki for this, please put your comments there. (I find that putting ANYTHING down on paper (so to speak) makes it easier for others to comment - so the more text we put down, the better)

Holly

Would other principles be something like: general agreement with the TempSec?

----- Original Message -----
From: "Jonathan Zuck" <JZuck@innovatorsnetwork.org>
To: "h.raiche@internode.on.net" <h.raiche@internode.on.net>, "ALAC List" <alac@atlarge-lists.icann.org>, "A t" <staff@atlarge.icann.org>
Cc:
Sent: Tue, 10 Jul 2018 21:27:15 +0000
Subject: Re: [ALAC] Draft Principles for GDPR

Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like

1. The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.

I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Good morning everyone,

I disagree with this statement Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.

-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.

I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?

Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org <mailto:alac-bounces@atlarge-lists.icann.org>> on behalf of "h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>" <h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>> Reply-To: "h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>" <h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>> Date: Tuesday, July 10, 2018 at 5:22 PM To: ALAC List <alac@atlarge-lists.icann.org <mailto:alac@atlarge-lists.icann.org>>, A t <staff@atlarge.icann.org <mailto:staff@atlarge.icann.org>> Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create on.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements (within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois’ – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent
Access to Data – Tiered access (largely what is in the Technical Specification)
· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals)–
o Only in specific circumstances that warrant access
_______________________________________________
ALAC mailing list
ALAC@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/alac
At-Large Online: http://www.atlarge.icann.org
ALAC Working Wiki: https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALA...)
Hi Tijani
I think we can both agree that it is about the public interest. And while privacy is a big part of that, so are other issues - a safe, stable DNS etc.
I have asked that this discussion is on the wiki so that there is a place for everyone to contribute - and I hope you will participate as well.
We need agreed principles for the people who will sit on the EpDP - which means we need to hear from everyone - you included
Holly
I think I can agree with both Jonathan/Alan and Tijani on this. And as a matter of principle I’d therefore suggest to follow what the EDPB says on page 2 https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul1...
’The EDPB considers it essential that a clear distinction be maintained between the different processing activities that take place in the context of WHOIS and the respective purposes pursued by the various stakeholders involved. (…) The EDPB therefore reiterates that ICANN should take care not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case’
On 11 Jul 2018, at 12:17, h.raiche@internode.on.net wrote:
Hi Tijani
I think we can both agree that it is about the public interest. And while privacy is a big part of that, so are other issues - a safe, stable DNS etc.
I have asked that this discussion is on the wiki so that there is a place for everyone to contribute - and I hope you will participate as well.
We need agreed principles for the people who will sit on the EpDP - which means we need to hear from everyone - you included
Holly
----- Original Message -----
From: "Tijani BEN JEMAA" <tijani.benjemaa@benjemaa.com>
To: "Jonathan Zuck" <JZuck@innovatorsnetwork.org>
Cc: "h.raiche@internode.on.net" <h.raiche@internode.on.net>, "ALAC List" <alac@atlarge-lists.icann.org>, "A t" <staff@atlarge.icann.org>
Sent: Wed, 11 Jul 2018 09:33:16 +0100
Subject: Re: [ALAC] Draft Principles for GDPR
Good morning everyone,
I disagree with this statement Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.
-----------------------------------------------------------------------------
Tijani BEN JEMAA
Executive Director
Mediterranean Federation of Internet Associations (FMAI)
Phone: +216 98 330 114
+216 52 385 114
-----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
• The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of "h.raiche@internode.on.net" <h.raiche@internode.on.net>
Reply-To: "h.raiche@internode.on.net" <h.raiche@internode.on.net>
Date: Tuesday, July 10, 2018 at 5:22 PM
To: ALAC List <alac@atlarge-lists.icann.org>, A t <staff@atlarge.icann.org>
Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois’ – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent
Access to Data – Tiered access (largely what is in the Technical Specification)
· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals)–
o Only in specific circumstances that warrant access
I'll work with Evin to get this discussion up and running on a wiki as Holly has suggested so there's an archive and people can more easily go back and track the discussion. Some of this will come down to the definition of security and stability.
I certainly agree with Jonathan that the principles that we need to set should determine ALAC perspective on whois compliance with the GDPR. Bastiaan, what the EDPB says on page two is not a principle that we need to state or say because it is a requirement by the EDPB whether we like it or not and whether we mention it or not.
Best Hadia
Thank you, Hadia - you exactly prove my point
Bastiaan
--
Sent from my iPhone
On 11 Jul 2018, at 18:32, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
I certainly agree with Jonathan that the principles that we need to set should determine ALAC perspective on whois compliance with the GDPR. Bastiaan, what the EDPB says on page two is not a principle that we need to state or say because it is a requirement by the EDPB whether we like it or not and whether we mention it or not.
Best Hadia
-----Original Message-----
From: ALAC [mailto:alac-bounces@atlarge-lists.icann.org] On Behalf Of Jonathan Zuck
Sent: Wednesday, July 11, 2018 3:00 PM
To: Bastiaan Goslings; Holly Raiche
Cc: ALAC List
Subject: Re: [ALAC] Draft Principles for GDPR
I'll work with Evin to get this discussion up and running on a wiki as Holly has suggested so there's an archive and people can more easily go back and track the discussion. Some of this will come down to the definition of security and stability.
On 7/11/18, 8:51 AM, "Bastiaan Goslings" <bastiaan.goslings@ams-ix.net> wrote:
I think I can agree with both Jonathan/Alan and Tijani on this. And as a matter of principle I’d therefore suggest to follow what the EDPB says on page 2 https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul1...
’The EDPB considers it essential that a clear distinction be maintained between the different processing activities that take place in the context of WHOIS and the respective purposes pursued by the various stakeholders involved. (…) The EDPB therefore reiterates that ICANN should take care not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case’
On 11 Jul 2018, at 12:17, h.raiche@internode.on.net wrote:
Hi Tijani
I think we can both agree that it is about the public interest. And while privacy is a big part of that, so are other issues - a safe, stable DNS etc.
I have asked that this discussion is on the wiki so that there is a place for everyone to contribute - and I hope you will participate as well.
We need agreed principles for the people who will sit on the EPDP - which means we need to hear from everyone - you included
Holly
----- Original Message ----- From: "Tijani BEN JEMAA" <tijani.benjemaa@benjemaa.com>
To: "Jonathan Zuck" <JZuck@innovatorsnetwork.org> Cc: "h.raiche@internodeon.net" <h.raiche@internode.on.net>, "ALAC List" <alac@atlarge-lists.icann.org>, "A t" <staff@atlarge.icann.org> Sent: Wed, 11 Jul 2018 09:33:16 +0100 Subject: Re: [ALAC] Draft Principles for GDPR
Good morning everyone,
I disagree with this statement, Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.
----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 -----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
• The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of "h.raiche@internode.on.net" <h.raiche@internode.onnet> Reply-To: "h.raiche@internode.on.net" <h.raiche@internode.on.net> Date: Tuesday, July 10, 2018 at 5:22 PM To: ALAC List <alac@atlarge-lists.icann.org>, A t <staff@atlarge.icann.org> Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
The Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois’ – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent.
Access to Data – Tiered access (largely what is in the Technical Specification)
· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals)–
o Only in specific circumstances that warrant access
Alan,
I see that you exclude the registrants from the Users: Quite interesting…. Registrants are users and our duty is to defend the interest of both registrant and not registrant users. For more clarity, I wouldn’t accept that criminals use domain names to harm users. This doesn’t mean that I accept to use the registrant data for other purpose than the one they were collected for.
In my opinion, if we are to fix principles to our representatives in the EPDP, it should be through a large consultation among the whole at-large community, means the ALSes, individual members, RALOs and ALAC, not only the 15 members of ALAC and the few people around them. An official call for comment in a well communicated wiki page should be sent to all the RALO lists and the ALAC one.
-----------------------------------------------------------------------------
Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114
-----------------------------------------------------------------------------
Hi Tijani
Although I can appreciate that we shouldn't miss out any end-users, I don't think that registrants are our focus. They will already be advocated for by sections of the GNSO.
I have to agree with what has already been said that our focus should be on ordinary end-users who are domain users (many unaware that they are domain users) and from what I understand, for the purposes of the EPDP, those who are not yet domain owners as well as those who are.
I would really appreciate it if everyone's discussion above was on the workspace <https://community.icann.org/pages/viewpage.action?pageId=88574457> so that I am not having to look all over the place to see where we are up to.
Perhaps staff could move these conversations over so that more people can be seen to be involved in the workspace discussion <https://community.icann.org/pages/viewpage.action?pageId=88574457>.
Thank you Maureen, I added my comment on the wiki
-----------------------------------------------------------------------------
Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114
-----------------------------------------------------------------------------
To: "Jonathan Zuck" <JZuck@innovatorsnetwork.org <mailto:JZuck@innovatorsnetwork.org>> Cc: "h.raiche@internodeon.net <mailto:h.raiche@internodeon.net>" <h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>>, "ALAC List" <alac@atlarge-lists.icann.org <mailto:alac@atlarge-lists.icann.org>>, "A t" <staff@atlarge.icann.org <mailto:staff@atlarge.icann.org>> Sent: Wed, 11 Jul 2018 09:33:16 +0100 Subject: Re: [ALAC] Draft Principles for GDPR
Good morning everyone,
I disagree with this statement Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.
----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 -----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
• The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org <mailto:alac-bounces@atlarge-lists.icann.org>> on behalf of "h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>" <h.raiche@internode.onnet <mailto:h.raiche@internode.onnet>> Reply-To: "h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>" <h.raiche@internode.on.net <mailto:h.raiche@internode.on.net>> Date: Tuesday, July 10, 2018 at 5:22 PM To: ALAC List <alac@atlarge-lists.icann.org <mailto:alac@atlarge-lists.icann.org>>, A t <staff@atlarge.icann.org <mailto:staff@atlarge.icann.org>> Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois” – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent
Access to Data – Tiered access (largely what is in the Technical Specification)
· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals)–
o Only in specific circumstances that warrant access
_______________________________________________ ALAC mailing list ALAC@atlarge-lists.icann.org <mailto:ALAC@atlarge-lists.icann.org> https://atlarge-lists.icann.org/mailman/listinfo/alac <https://atlarge-lists.icann.org/mailman/listinfo/alac>
At-Large Online: http://www.atlarge.icann.org <http://www.atlarge.icann.org/> ALAC Working Wiki: https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALA...) <https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALA...>
Good idea. Done. Alan At 12/07/2018 01:34 PM, Tijani BEN JEMAA wrote:
In my opinion, if we are to fix principles to our representatives in the EPDP, it should be through a large consultation among the whole at-large community, means the ALSes, individual members, RALOs and ALAC, not only the 15 members of ALAC and the few people around them. An official call for comment in a well communicated wiki page should be sent to all the RALO lists and the ALAC one
----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 -----------------------------------------------------------------------------
On 11 Jul 2018, at 22:16, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Thank you, Hadia - you exactly prove my point
Bastiaan
-- Sent from my iPhone
On 11 Jul 2018, at 18:32, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
I certainly agree with Jonathan that the principles that we need to set should determine ALAC perspective on whois compliance with the GDPR, Bastiaan what the EDPB says on page two is not a principle that we need to state or say because it is a requirement by the EDPB whether we like it or not and whether we mention it or not.
Best Hadia
-----Original Message----- From: ALAC [mailto:alac-bounces@atlarge-lists.icann.org] On Behalf Of Jonathan Zuck Sent: Wednesday, July 11, 2018 3:00 PM To: Bastiaan Goslings; Holly Raiche Cc: ALAC List Subject: Re: [ALAC] Draft Principles for GDPR
I'll work with Evin to get this discussion up and running on a wiki as Holly has suggested so there's an archive and people can more easily go back and track the discussion. Some of this will come down to the definition of security and stability.
On 7/11/18, 8:51 AM, "Bastiaan Goslings" <bastiaan.goslings@ams-ix.net> wrote:
I think I can agree with both Jonathan/Alan and Tijani on this. And as a matter of principle I’d therefore suggest to follow what the EDPB says on page 2 https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf
’The EDPB considers it essential that a clear distinction be maintained between the different processing activities that take place in the context of WHOIS and the respective purposes pursued by the various stakeholders involved. (…) The EDPB therefore reiterates that ICANN should take care not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case’
On 11 Jul 2018, at 12:17, h.raiche@internode.on.net wrote:
Hi Tijani
I think we can both agree that it is about the public interest. And while privacy is a big part of that, so are other issues - a safe, stable DNS etc.
I have asked that this discussion is on the wiki so that there is a place for everyone to contribute - and I hope you will participate as well.
We need agreed principles for the people who will sit on the EpDP - which means we need to hear from everyone - you included
Holly
----- Original Message ----- From: "Tijani BEN JEMAA" <tijani.benjemaa@benjemaa.com>
To: "Jonathan Zuck" <JZuck@innovatorsnetwork.org> Cc: "h.raiche@internodeon.net" <h.raiche@internode.on.net>, "ALAC List" <alac@atlarge-lists.icann.org>, "A t" <staff@atlarge.icann.org> Sent: Wed, 11 Jul 2018 09:33:16 +0100 Subject: Re: [ALAC] Draft Principles for GDPR
Good morning everyone,
I disagree with this statement Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.
----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 -----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
• The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of "h.raiche@internode.on.net" <h.raiche@internode.onnet> Reply-To: "h.raiche@internode.on.net" <h.raiche@internode.on.net> Date: Tuesday, July 10, 2018 at 5:22 PM To: ALAC List <alac@atlarge-lists.icann.org>, A t <staff@atlarge.icann.org> Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois” – based on the differing uses of the data is listed in the purpose above – OR
o Only in specific circumstances that warrant access
A good piece to introduce here. So we do not misread this, let me state how the end user interest is inextricably conjoined with "third parties".
The first is the protection of end users from predators and predatory practices enabled by the DNS. The vast majority of end users would not know a WHOIS record even if it jumped up and bit them in the butt. We depend on others to help us, to be on the line for our collective sake. These surrogates, if you will, include the reputation companies, the antivirus folks, the researchers and a whole amalgam of third party interests.
When the end user gets a green tick that says this is a safe website, it protects the end user. That springs from the work of reputation companies. Access to WHOIS data is vested in their formulaic response that keeps me from wandering, mouth-breathing, into dangerous territory. ICANN and the entire chain of connections in the DNS infrastructure has a role, each from a slightly different perspective. But reputation is not a sole interest as it is for these guys. And the end user is a beneficiary of this interest, which kicks in a long way before the mainline DNS actors.
This is just one example. But let us be clear. That end user interests are defended by surrogates and so-called third parties is not an outlier. I would argue it is the central case. The ALAC may not argue for end user interests absent an appreciation of the role in defending those interests by third parties. That would be a failure to recognize the facts as they are...and an egregious abdication of responsibilities.
-Carlton
On Wed, 11 Jul 2018, 7:51 am Bastiaan Goslings, <bastiaan.goslings@ams-ix.net> wrote:
I think I can agree with both Jonathan/Alan and Tijani on this. And as a matter of principle I’d therefore suggest to follow what the EDPB says on page 2 https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul1...
’The EDPB considers it essential that a clear distinction be maintained between the different processing activities that take place in the context of WHOIS and the respective purposes pursued by the various stakeholders involved. (…) The EDPB therefore reiterates that ICANN should take care not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case’
On 11 Jul 2018, at 12:17, h.raiche@internode.on.net wrote:
Hi Tijani
I think we can both agree that it is about the public interest. And while privacy is a big part of that, so are other issues - a safe, stable DNS etc.
I have asked that this discussion is on the wiki so that there is a place for everyone to contribute - and I hope you will participate as well.
We need agreed principles for the people who will sit on the EpDP - which means we need to hear from everyone - you included
Holly
----- Original Message ----- From: "Tijani BEN JEMAA" <tijani.benjemaa@benjemaa.com>
To: "Jonathan Zuck" <JZuck@innovatorsnetwork.org> Cc: "h.raiche@internodeon.net" <h.raiche@internode.on.net>, "ALAC List" < alac@atlarge-lists.icann.org>, "A t" <staff@atlarge.icann.org> Sent: Wed, 11 Jul 2018 09:33:16 +0100 Subject: Re: [ALAC] Draft Principles for GDPR
Good morning everyone,
I disagree with this statement Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.
-----------------------------------------------------------------------------
Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114
-----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
• The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of "h.raiche@internode.on.net" <h.raiche@internode.onnet> Reply-To: "h.raiche@internode.on.net" <h.raiche@internode.on.net> Date: Tuesday, July 10, 2018 at 5:22 PM To: ALAC List <alac@atlarge-lists.icann.org>, A t <staff@atlarge.icann.org> Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· ‘Thick Whois” – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent
Access to Data – Tiered access (largely what is in the Technical Specification)
· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals)–
o Only in specific circumstances that warrant access
Agree with you Carlton, since the beginning of the WHOIS work, back many years ago, end users are the main beneficiary of all chain players that work to improve their own reputation.
Kisses
Vanda Scartezini Polo Consultores Associados Av. Paulista 1159, cj 1004 01311-200- Sao Paulo, SP, Brazil Land Line: +55 11 3266.6253 Mobile: + 55 11 98181.1464 Sorry for any typos.
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of Carlton Samuels <carlton.samuels@gmail.com> Date: Wednesday, July 11, 2018 at 12:10 To: Bastiaan Goslings <bastiaan.goslings@ams-ix.net> Cc: 'ALAC List' <alac@atlarge-lists.icann.org> Subject: Re: [ALAC] Draft Principles for GDPR
A good piece to introduce here. So we do not misread this, let me state how the end user interest is inextricably conjoined with "third parties".
The first is the protection of end users from predators and predatory practices enabled by the DNS. The vast majority of end users would not know a WHOIS record even if it jumped up and bit them in the butt. We depend on others to help us, to be on the line for our collective sake. These surrogates, if you will, include the reputation companies, the antivirus folks, the researchers and a whole amalgam of third party interests.
When the end user gets a green tick that says this is a safe website, it protects the end user. That springs from the work of reputation companies. Access to WHOIS data is vested in their formulaic response that keeps me from wandering, mouth-breathing, into dangerous territory. ICANN and the entire chain of connections in the DNS infrastructure has a role, each from a slightly different perspective. But reputation is not a sole interest as it is for these guys. And the end user is a beneficiary of this interest, which kicks in a long way before the mainline DNS actors.
This is just one example. But let us be clear. That end user interests are defended by surrogates and so-called third parties is not an outlier. I would argue it is the central case. The ALAC may not argue for end user interests absent an appreciation of the role in defending those interests by third parties. That would be a failure to recognize the facts as they are...and an egregious abdication of responsibilities.
-Carlton
On Wed, 11 Jul 2018, 7:51 am Bastiaan Goslings, <bastiaan.goslings@ams-ix.net> wrote:
I think I can agree with both Jonathan/Alan and Tijani on this. And as a matter of principle I’d therefore suggest to follow what the EDPB says on page 2 https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul1...
’The EDPB considers it essential that a clear distinction be maintained between the different processing activities that take place in the context of WHOIS and the respective purposes pursued by the various stakeholders involved. (…) The EDPB therefore reiterates that ICANN should take care not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case’
On 11 Jul 2018, at 12:17, h.raiche@internode.on.net<mailto:h.raiche@internode.on.net> wrote:
Hi Tijani
I think we can both agree that it is about the public interest. And while privacy is a big part of that, so are other issues - a safe, stable DNS etc.
I have asked that this discussion is on the wiki so that there is a place for everyone to contribute - and I hope you will participate as well.
We need agreed principles for the people who will sit on the EPDP - which means we need to hear from everyone - you included.
Holly
----- Original Message -----
From: "Tijani BEN JEMAA" <tijani.benjemaa@benjemaa.com>
To: "Jonathan Zuck" <JZuck@innovatorsnetwork.org>
Cc: "h.raiche@internode.on.net" <h.raiche@internode.on.net>, "ALAC List" <alac@atlarge-lists.icann.org>, "A t" <staff@atlarge.icann.org>
Sent: Wed, 11 Jul 2018 09:33:16 +0100
Subject: Re: [ALAC] Draft Principles for GDPR
Good morning everyone,
I disagree with this statement Jonathan. The registrants represent the active part of the end-users. We are responsible to defend their interest. I have heard such reflection, and it always leads to be more aligned with the commercial interests. We need to be careful and be always for the public interest, not for the political or commercial interests.
----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 -----------------------------------------------------------------------------
On 10 Jul 2018, at 22:27, Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
Thanks Holly for getting this started. I guess what we’re after are some basic principles on our perspective on the GDPR. The temp spec is the temp spec so some of this will apply for sure, if we reach some consensus on these but there are areas that are simply part of the law over which we don’t have influence. A principle might be something like
• The ALAC feels responsible to represent the interests of non-registrants more so than registrants as they represent the majority of users.
I’m not saying we’ve agreed to that but that’s the kind of filter we could send our reps in with?
Jonathan
From: ALAC <alac-bounces@atlarge-lists.icann.org> on behalf of "h.raiche@internode.on.net" <h.raiche@internode.on.net>
Reply-To: "h.raiche@internode.on.net" <h.raiche@internode.on.net>
Date: Tuesday, July 10, 2018 at 5:22 PM
To: ALAC List <alac@atlarge-lists.icann.org>, A t <staff@atlarge.icann.org>
Subject: [ALAC] Draft Principles for GDPR
Folks
Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start. What we need now is discussion on the principles.
Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create one.
And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.
So please everyone - comments
Thanks
Holly
Temporary Specification for gTLD Registration Data
Principles for requirements to replace the RAA/Registry Requirements
(within the context of compliance with the GDPR)
Purpose of Collection of Data
Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:
purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”
Purpose includes
· resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);
· maintenance of and access to accurate and up-to-date information concerning registered names and name servers;
· procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and
· the transfer of registration data upon a change in registrar sponsoring one or more registered names.
The Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”
Geographic Coverage of EPDP Outcome:
· Apply globally or
· Apply only to European Economic Area (the coverage of the GDPR) and otherwise lesser requirements (existing RAA requirements?)
Data Collected
· “Thick Whois” – based on the differing uses of the data is listed in the purpose above – OR
· Some lesser amount of information
Consent
· Registrants must be told, at the time of collection, what personal information is collected, why the collection is necessary to achieve the purposes, who will have access and in what circumstances access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where held. They must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent
Access to Data – Tiered access (largely what is in the Technical Specification)
· Applies to all Registrants – natural or corporate persons
· Information generally publicly available
o Registrant name
o Anonymised email or other anonymous contact means
· Access to other personal information –
o Only to accredited entities (not individuals)–
o Only in specific circumstances that warrant access
_______________________________________________
ALAC mailing list
ALAC@atlarge-lists.icann.org
https://atlarge-lists.icann.org/mailman/listinfo/alac
At-Large Online: http://www.atlarge.icann.org
ALAC Working Wiki: https://community.icann.org/display/atlarge/At-Large+Advisory+Committee+(ALA...)
participants (10)
- Alan Greenberg
- Bastiaan Goslings
- Carlton Samuels
- h.raiche@internode.on.net
- Hadia Abdelsalam Mokhtar EL miniawi
- Jonathan Zuck
- Maureen Hilyard
- Tijani BEN JEMAA
- Tijani BEN JEMAA
- Vanda Scartezini