Re: [CPWG] [GTLD-WG] EPDP: Geographic distinction
I'm inclined to say restricted if for no other reason than we'll eventually have a bunch of GDPRs that are slightly different.
On 10/29/18, 9:36 PM, "GTLD-WG on behalf of Alan Greenberg" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
GDPR is applicable to residents of the EU by companies resident there and worldwide.
One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere.
There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that they can or are willing to make the distinction.
The current (confusing) state of the working document is attached.
Which side should ALAC come down on?
- Restrict application to those to whom GDPR applies?
- Apply universally ignoring residence?
As usual, quick replies requested.
Alan
I agree with Jonathan. For my own clarification, with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU"? Although I am a NZ citizen and live part-time in NZ, I am not considered resident there because I don't pay tax in NZ. I work and pay tax in the Cook Islands and am considered (by NZ) to be a Cook Island resident.
M
On Tue, Oct 30, 2018 at 4:12 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I'm inclined to say restricted if for no other reason than we'll eventually have a bunch of GDPRs that are slightly different.
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
For GDPR it's residence that counts, not citizenship. If you move to Europe your privacy is protected by GDPR. And a German citizen living in the US gets no benefits. Where you are taxable is another issue altogether. At one point I was living and working in the US. I was a non-resident of both the US and Canada and taxable in both.
Alan
On October 30, 2018 12:12:12 AM EDT, Maureen Hilyard <maureen.hilyard@gmail.com> wrote:
I agree with Jonathan. For my own clarification, with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU"? Although I am a NZ citizen and live part-time in NZ, I am not considered resident there because I don't pay tax in NZ. I work and pay tax in the Cook Islands and am considered (by NZ) to be a Cook Island resident.
M
The GDPR is not concerned with the citizenship; it is concerned with where the person is located (a person residing in the EU). If you leave an EU country and travel to a non-EU country you are no longer protected by the GDPR; when you travel to a non-EU country your data rights would be protected by the laws of the country which you are at. However we should remember that businesses residing outside the EU processing data of persons residing in the EU should make sure that they are GDPR compliant. Also EU companies processing data outside of the EU must process the data in accordance with the GDPR. Therefore the regulation has this extraterritorial nature.
Best
Hadia
Eng. Hadia Elminiawi (M.Sc.)
Director, DNS-Entrepreneurship Center
From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Alan Greenberg
Sent: Tuesday, October 30, 2018 6:32 AM
To: Maureen Hilyard; Jonathan Zuck
Cc: CPWG
Subject: Re: [CPWG] [GTLD-WG] EPDP: Geographic distinction
For GDPR it's residence that counts, not citizenship. If you move to Europe your privacy is protected by GDPR. And a German citizen living in the US gets no benefits. Where you are taxable is another issue altogether. At one point I was living and working in the US. I was a non-resident of both the US and Canada and taxable in both.
Alan
I also think it should be restricted to what GDPR requires. Anything beyond that essentially puts ICANN into the business of making privacy policy without a basis in law, which is beyond the remit of the EPDP.
There may be an interesting discussion to be had about whether ICANN should change WHOIS for policy reasons, but the EPDP is not the place for that conversation.
Greg
_______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
Alan,
One slight caveat: an EU Citizen living in the US would still get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU. But they get that benefit only because the Controller or Processor’s covered by GDPR.
Greg
On Tue, Oct 30, 2018 at 12:40 AM Greg Shatan <greg@isoc-ny.org> wrote:
I also think it should be restricted to what GDPR requires. Anything beyond that essentially puts ICANN into the business of making privacy policy without a basis in law, which is beyond the remit of the EPDP.
There may be an interesting discussion to be had about whether ICANN should change WHOIS for policy reasons, but the EPDP is not the place for that conversation.
Greg
Just a quick comment, also related to a comment Maureen made earlier ('with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU"'):
I’m not aware of the GDPR referring to either EU ‘citizens’ or ‘residents’.
See art 3 of the GDPR https://gdpr-info.eu/art-3-gdpr/ which sets the territorial scope.
So the GDPR is applicable to controllers and processors in the Union, regardless of whether the processing takes place in the Union (and regardless of whether the data subjects affected are in the Union), and to the processing of personal data of data subjects who are in the Union by controllers and processors not established in the Union.
(see also recitals 2 and 14 https://gdpr-info.eu/recitals/ )
Anyway, looking at the example mentioned below, any citizen living in the US, not just those from the EU, 'would get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU'.
-Bastiaan
On 30 Oct 2018, at 05:52, Greg Shatan <greg@isoc-ny.org> wrote:
Alan,
One slight caveat: an EU Citizen living in the US would still get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU. But they get that benefit only because the Controller or Processor’s covered by GDPR.
Greg
Alan wrote:
<<Which side should ALAC come down on?
- Restrict application to those to whom GDPR applies? - Apply universally ignoring residence?>>
Recall that the ALAC comment on the WHOIS Waiver policy included the idea that ICANN should adopt best practice privacy policy globally and not discriminate among Registrars whether in the EU or not. (That was before GDPR came into effect, although all parties should have been aware of its provisions for some time.)
CW
On 30 October 2018 at 7:43, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Just a quick comment, also related to a comment Maureen made earlier ('with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU"'):
I’m not aware of the GDPR referring to either EU ‘citizens’ or ‘residents’.
See art 3 of the GDPR https://gdpr-info.eu/art-3-gdpr/ which sets the territorial scope.
So the GDPR is applicable to controllers and processors in the Union, regardless of whether the processing takes place in the Union (and regardless of whether the data subjects affected are in the Union), and to the processing of personal data of data subjects who are in the Union by controllers and processors not established in the Union.
(see also recitals 2 and 14 https://gdpr-info.eu/recitals/ )
Anyway, looking at the example mentioned below, any citizen living in the US, not just those from the EU, 'would get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU'.
-Bastiaan
_______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
PS: Having read the red-line small print, it would appear that the registries/registrars are also coming down in favour of applying universally, for simple practical reasons including cost and unreliability of differentiation. CW
On 30 October 2018 at 11:22, wilkinson christopher <cw@christopherwilkinson.eu> wrote:
Alan wrote:
<<Which side should ALAC come down on?
- Restrict application to those to whom GDPR applies? - Apply universally ignoring residence?>>
Recall that the ALAC comment on the WHOIS Waiver policy included the idea that ICANN should adopt best practice privacy policy globally and not discriminate among Registrars whether in the EU or not. (That was before GDPR came into effect, although all parties should have been aware of its provisions for some time.)
CW
Hello,
I have questions: If and when other GDPR-like policies are developed in other parts of the world, will ICANN need to enforce a policy for each « regime »? Or as At-Large can’t we ask for a protection for all the (individual) (end) users? And if we consider GDPR as a good step to protect (individual) (end) users' privacy in Europe, why not for the others? If we have to support distinction, it must be on the basis of the residence (the address in the Whois) and not the citizenship. It must also be allowed and possible, if one wants to publish their personal data, to do so.
One world, one Internet, one privacy protection for all Internet individual end users ;)
All the best
SeB
GDPR, in the context of WHOIS/RDS and ICANN applies only to gTLD Registrants' personal data and not all users. The wider we allow redaction, the less access there is for cybersecurity and consumer protection/fraud issues.
Alan
At 30/10/2018 08:07 AM, Sebastien Bachollet wrote:
Hello, I have questions: If and when other GDPR-like policies are developed in other parts of the world, will ICANN need to enforce a policy for each « regime »? Or as At-Large can’t we ask for a protection for all the (individual) (end) users? And if we consider GDPR as a good step to protect (individual) (end) users' privacy in Europe, why not for the others?
If we have to support distinction, it must be on the basis of the residence (the address in the Whois) and not the citizenship.
It must also be allowed and possible, if one wants to publish their personal data, to do so.
One world, one Internet, one privacy protection for all Internet individual end users ;)
All the best SeB
On 30 Oct 2018, at 07:43, Bastiaan Goslings <bastiaan.goslings@ams-ix.net> wrote:
Just a quick comment, also related to a comment Maureen made earlier ('with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU”):
I’m not aware of the GDPR referring to either EU ‘citizens’ or ‘residents’.
See art 3 of the GDPR https://gdpr-info.eu/art-3-gdpr/ which sets the territorial scope.
So the GDPR is applicable to controllers and processors in the Union, regardless of whether the processing takes place in the Union (and regardless of whether the data subjects affected are in the Union), and to the processing of personal data of data subjects who are in the Union by controllers and processors not established in the Union.
(see also recitals 2 and 14 https://gdpr-info.eu/recitals/ )
Anyway, looking at the example mentioned below, any citizen living in the US, not just those from the EU, 'would get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU'.
-Bastiaan
On 30 Oct 2018, at 05:52, Greg Shatan <greg@isoc-ny.org> wrote:
Alan,
One slight caveat: an EU Citizen living in the US would still get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU. But they get that benefit only because the Controller or Processor’s covered by GDPR.
Greg
On Tue, Oct 30, 2018 at 12:40 AM Greg Shatan <greg@isoc-ny.org> wrote:
I also think it should be restricted to what GDPR requires. Anything beyond that essentially puts ICANN into the business of making privacy policy without a basis in law, which is beyond the remit of the EPDP.
There may be an interesting discussion to be had about whether ICANN should change WHOIS for policy reasons, but the EPDP is not the place for that conversation.
Greg
On Mon, Oct 29, 2018 at 11:12 PM Jonathan Zuck <JZuck@innovatorsnetwork.org> wrote:
I'm inclined to say restricted if for no other reason than we'll eventually have a bunch of GDPRs that are slightly different.
On 10/29/18, 9:36 PM, "GTLD-WG on behalf of Alan Greenberg" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
GDPR is applicable to residents of the EU by companies resident there and worldwide.
One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere.
There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that they can or are willing to make the distinction.
The current (confusing) state of the working document is attached.
Which side should ALAC come down on?
- Restrict application to those to whom GDPR applies?
- Apply universally ignoring residence?
As usual, quick replies requested.
Alan
On Tue, Oct 30, 2018 at 2:50 PM Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
The wider we allow redaction, the less access there is for cybersecurity and consumer protection/fraud issues.
SO: Alan I want to assume you are stating the above as an effect of GDPR (and other related laws in other countries), and hopefully not as a justification to not consider applying the privacy intention of GDPR at a global level, which I think is the main question Sebastien asked. The EU is protectively implementing her own GDPR because the DNS market is huge in that part of the world; there are other countries that have similar rules as well (and more will emerge), but considering that the next billion internet users won't be from the EU there is a likelihood that the market trends will change in future, hence I hope those versions of GDPRs will not catch ICANN by surprise as GDPR did. In reaction to that, my hope is that the current ePDP will continue to make her recommendations as future proof as possible in the post-GDPR-like world.
Regards
_______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
--
Seun Ojedeji, Federal University Oye-Ekiti
web: http://www.fuoye.edu.ng
Mobile: +2348035233535
alt email: seun.ojedeji@fuoye.edu.ng
Bringing another down does not take you up - think about your action!
On 30 Oct 2018, at 14:49, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:
GDPR, in the context of WHOIS/RDS and ICANN applies only to gTLD Registrants' personal data and not all users.
Yes sure. But if a good practice for once is coming from the g world I am sure that some of the cc can do the same.
The wider we allow redaction, the less access there is for cybersecurity and consumer protection/fraud issues.
I guess here we have a question between collecting the data (and the need for law enforcement and consumer protection must be taken into account) and displaying the data publicly with WHOIS/RDS. Allowing collection is different from public availability.
SeB
Clearly trying to "simplify" a question, it is no longer accurate. Bastiaan is correct: the basis for protecting an individual's data is based not in citizenship or residency (which is a technical term that has varying meaning depending on the country and a person's exact status) but simply being "in" the EU (and even "EU" is a simplification).
Alan
At 30/10/2018 02:43 AM, Bastiaan Goslings wrote:
Just a quick comment, also related to a comment Maureen made earlier ('with EU citizens working and living all over the world for various reasons and varying lengths of time, what is the actual definition for "resident of the EU”):
I’m not aware of the GDPR referring to either EU ‘citizens’ or ‘residents’.
See art 3 of the GDPR https://gdpr-info.eu/art-3-gdpr/ which sets the territorial scope.
So the GDPR is applicable to controllers and processors in the Union, regardless of whether the processing takes place in the Union (and regardless of whether the data subjects affected are in the Union), and to the processing of personal data of data subjects who are in the Union by controllers and processors not established in the Union.
(see also recitals 2 and 14 https://gdpr-info.eu/recitals/ )
Anyway, looking at the example mentioned below, any citizen living in the US, not just those from the EU, 'would get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU'.
-Bastiaan
As an EU Registrar I need to comply with the GDPR (obvious), as such I need to apply the GDPR to all my international customers or I would not be compliant (maybe not so obvious).
You could perhaps make a distinction between EU vs non EU Registrars? But how do you mix in the other 126 data protection laws that keep growing in numbers? The EPDP team needs to factor that in also. Ultimately the distinction will almost not work. https://iapp.org/news/privacy-tracker/
Thanks,
Theo Geurts
Greg Shatan wrote on 2018-10-30 05:52 AM:
Alan,
One slight caveat: an EU Citizen living in the US would still get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU. But they get that benefit only because the Controller or Processor’s covered by GDPR.
Hi All,
So going back to the EPDP team charter question if registry operators and registrars should be permitted or required to differentiate between registrants based on the geographic location, I am of the opinion that no distinction should be made based on the geographic location of the registrant and the reason is that whether the GDPR applies or not does not only depend on the location of the registrant but it also depends on the location of the controller and processor, that is the registry, registrars and resellers and any other related processors. The regulation has this nature of extended territory, as I see it the impact of this distinction will be mainly on the industry, so registrants might choose a reseller in Europe over a reseller or a registrar outside of the EU or vice versa just to be protected or not protected by the GDPR. I cannot see the merit of the registries and registrars differentiating between the registrants based on their geographic location, where registrants not residing in the EU will be treated in accordance to the GDPR if their reseller or registrar is in the EU, the distinction based only on the geographic location of the registrant is already not possible according to the GDPR.
Kindest Regards Hadia
-----Original Message----- From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of gtheo Sent: Tuesday, October 30, 2018 9:47 AM To: Greg Shatan Cc: Jonathan Zuck; CPWG Subject: Re: [CPWG] [registration-issues-wg] [GTLD-WG] EPDP: Geographic distinction
As an EU Registrar I need to comply with the GDPR (obvious), as such I need to apply the GDPR to all my international customers or I would not be compliant (maybe not so obvious).
You could perhaps make a distinction between EU vs non EU Registrars? But how do you mix in the other 126 data protection laws that keep growing in numbers? The EPDP team needs to factor that in also. Ultimately the distinction will almost not work. https://iapp.org/news/privacy-tracker/
Thanks,
Theo Geurts
Hi Hadia, hi all,
as a non-native speaker I apologize for any manhandling of the English language.
+1
In addition if you take into account recital (2) "The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. ..." and (23) "In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. ..." it becomes even more complex.
I would like to know what should be the indicators to decide that GDPR does or does not apply to a registrant's personal data?
All the best Rainer
-- Rainer Rodewald Member of the board of Medienstadt Leipzig e. V., an Euralo ALS, writing in my own capacity
Hadia Abdelsalam Mokhtar EL miniawi wrote on 31.10.2018 at 11:26:
Hi All,
So going back to the EPDP team charter question if registry operators and registrars should be permitted or required to differentiate between registrants based on the geographic location, I am of the opinion that no distinction should be made based on the geographic location of the registrant and the reason is that whether the GDPR applies or not does not only depend on the location of the registrant but it also depends on the location of the controller and processor, that is the registry, registrars and resellers and any other related processors. The regulation has this nature of extended territory, as I see it the impact of this distinction will be mainly on the industry, so registrants might choose a reseller in Europe over a reseller or a registrar outside of the EU or vice versa just to be protected or not protected by the GDPR. I cannot see the merit of the registries and registrars differentiating between the registrants based on their geographic location, where registrants not residing in the EU will be treated in accordance to the GDPR if their reseller or registrar is in the EU, the distinction based only on the geographic location of the registrant is already not possible according to the GDPR.
Kindest Regards Hadia
-----Original Message----- From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of gtheo Sent: Tuesday, October 30, 2018 9:47 AM To: Greg Shatan Cc: Jonathan Zuck; CPWG Subject: Re: [CPWG] [registration-issues-wg] [GTLD-WG] EPDP: Geographic distinction
As an EU Registrar I need to comply with the GDPR (obvious), as such I need to apply the GDPR to all my international customers or I would not be compliant (maybe not so obvious).
You could perhaps make a distinction between EU vs non EU Registrars? But how do you mix in the other 126 data protection laws that keep growing in numbers? The EPDP team needs to factor that in also. Ultimately the distinction will almost not work. https://iapp.org/news/privacy-tracker/
Thanks,
Theo Geurts
Greg Shatan schreef op 2018-10-30 05:52 AM:
Alan,
One slight caveat: an EU Citizen living in the US would still get the benefit of GDPR when the Controller or Processor with their data is “established” in the EU. But they get that benefit only because the Controller or Processor’s covered by GDPR.
Greg On Tue, Oct 30, 2018 at 12:40 AM Greg Shatan <greg@isoc-ny.org> wrote:
I also think it should be restricted to what GDPR requires. Anything beyond that essentially puts ICANN into the business of making privacy policy without a basis in law, which is beyond the remit of the EPDP.
There may be an interesting discussion to be had about whether ICANN should change WHOIS for policy reasons, but the EPDP is not the place for that conversation.
Greg On Mon, Oct 29, 2018 at 11:12 PM Jonathan Zuck < JZuck@innovatorsnetwork.org> wrote:
I'm inclined to say restricted if for no other reason than we'll eventually have a bunch of GDPRs that are slightly different.
On 10/29/18, 9:36 PM, "GTLD-WG on behalf of Alan Greenberg" < gtld-wg-bounces@atlarge-lists.icann.org on behalf of alan.greenberg@mcgill.ca> wrote:
GDPR is applicable to residents of the EU by companies resident there and worldwide.
One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere.
There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that they can or are willing to make the distinction.
The current (confusing) state of the working document is attached.
Which side should ALAC come down on?
- Restrict application to those to whom GDPR applies?
- Apply universally ignoring residence?
As usual, quick replies requested.
Alan
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ GTLD-WG mailing list GTLD-WG@atlarge-lists.icann.org https://atlarge-lists.icann.org/mailman/listinfo/gtld-wg
Working Group direct URL: https://community.icann.org/display/atlarge/New+GTLDs
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
Hadia and all,

First, I think we must assume that registries/registrars know whether they are located (or “established,” to use GDPR terminology) in the European Union. At the least, we must assume that they are capable of making that determination.

For registries and registrars located in the EU, a distinction based on the geographic location of the registrant is irrelevant, since the registry/registrar must comply with GDPR regarding the personal data of all natural person data subjects. So, the EPDP cannot even discuss the application of geographic distinctions by EU registries/registrars, because these registries/registrars have no use for that distinction. Therefore, this discussion in the EPDP should be limited to non-EU registries/registrars.

The question then becomes whether non-EU registry operators and registrars should be permitted or required to differentiate between registrants based on their geographic location. These registries/registrars are under no obligation to extend GDPR protections to non-EU registrants. They are, however, under a contractual obligation to collect and publish WHOIS data to the extent allowed by applicable law. These registries/registrars need to follow their obligations, which are unchanged regarding all who are not EU data subjects.

The GDPR’s extraterritorial effect needs to be appropriately interpreted and respected. Its limits also need to be respected. Applying a law where that law does not apply is not applying the law at all. For ICANN, it is pure policy-making, not legal compliance. I’m fairly sure the EPDP does not have a mandate to undo WHOIS/RDS policy and make new data protection policy. (Arguably, the RDS WG did, but that ship has sailed (or more accurately, that ship has sunk).) Nor does the EPDP have a mandate to extend the reach of GDPR beyond its legal bounds.
Taken in tandem with ALAC’s long-standing commitments to WHOIS access and to the interest of the end-users (the vast, vast majority of whom are not registrants), I think the choice is so clear, it is not even a choice. Non-EU registrars/registrars should be required to make the geographic distinction.

Of course, there is a complicating case, where an EU reseller is a reseller for a non-EU registrar, and the reseller collects data of non-EU data subject. The issues raised by the reseller case should be resolved for that particular case, and should not be used as an excuse to apply GDPR beyond its legal and geographic boundaries.

Best regards,
Greg

On Wed, Oct 31, 2018 at 6:26 AM Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi All,
So going back to the EPDP team charter question if registry operators and registrars should be permitted or required to differentiate between registrants based on the geographic location, I am of the opinion that no distinction should be made based on the geographic location of the registrant and the reason is that whether the GDPR applies or not does not only depend on the location of the registrant but it also depends on the location of the controller and processor, that is the registry, registrars and resellers and any other related processors. The regulation has this nature of extended territory, as I see it the impact of this distinction will be mainly on the industry, so registrants might choose a reseller in Europe over a reseller or a registrar outside of the EU or vice versa just to be protected or not protected by the GDPR. I cannot see the merit of the registries and registrars differentiating between the registrants based on their geographic location, where registrants not residing in the EU will be treated in accordance to the GDPR if their reseller or registrar is in the EU, the distinction based only on the geographic location of the registrant is already not possible according to the GDPR.
Kindest Regards Hadia
I agree that ICANN is not in the business of making its own privacy laws and indeed the RDS WG ship sunk!!!

Hadia

On Wednesday, October 31, 2018, 8:27:22 PM GMT+2, Greg Shatan <greg@isoc-ny.org> wrote:

Hadia and all,

First, I think we must assume that registries/registrars know whether they are located (or “established,” to use GDPR terminology) in the European Union. At the least, we must assume that they are capable of making that determination.

For registries and registrars located in the EU, a distinction based on the geographic location of the registrant is irrelevant, since the registry/registrar must comply with GDPR regarding the personal data of all natural person data subjects. So, the EPDP cannot even discuss the application of geographic distinctions by EU registries/registrars, because these registries/registrars have no use for that distinction. Therefore, this discussion in the EPDP should be limited to non-EU registries/registrars.

The question then becomes whether non-EU registry operators and registrars should be permitted or required to differentiate between registrants based on their geographic location. These registries/registrars are under no obligation to extend GDPR protections to non-EU registrants. They are, however, under a contractual obligation to collect and publish WHOIS data to the extent allowed by applicable law. These registries/registrars need to follow their obligations, which are unchanged regarding all who are not EU data subjects.

The GDPR’s extraterritorial effect needs to be appropriately interpreted and respected. Its limits also need to be respected. Applying a law where that law does not apply is not applying the law at all. For ICANN, it is pure policy-making, not legal compliance. I’m fairly sure the EPDP does not have a mandate to undo WHOIS/RDS policy and make new data protection policy. (Arguably, the RDS WG did, but that ship has sailed (or more accurately, that ship has sunk).)
Nor does the EPDP have a mandate to extend the reach of GDPR beyond its legal bounds.

Taken in tandem with ALAC’s long-standing commitments to WHOIS access and to the interest of the end-users (the vast, vast majority of whom are not registrants), I think the choice is so clear, it is not even a choice. Non-EU registrars/registrars should be required to make the geographic distinction.

Of course, there is a complicating case, where an EU reseller is a reseller for a non-EU registrar, and the reseller collects data of non-EU data subject. The issues raised by the reseller case should be resolved for that particular case, and should not be used as an excuse to apply GDPR beyond its legal and geographic boundaries.

Best regards,
Greg
Hadia,

On the geographic location of controllers and processors: if a Ry/Rr doesn't know where its processors are, I think it needs to look at its business. A Rr knows who its direct resellers are but not necessarily its second and lower-level resellers. Isn't it about time it did??? Not knowing who is in the reseller chain has already caused all sorts of problems in enforcing terms of the RAA which bind an unknown and unknowable group of resellers (unknowable without the Rr taking action) in a way that cannot be audited.

On differentiating Registrars, if the Rr with a 35% market share does not care, why are we trying to protect registrars? Is that our business?

Alan

At 31/10/2018 06:26 AM, Hadia Abdelsalam Mokhtar EL miniawi wrote:
Hi All,
So going back to the EPDP team charter question if registry operators and registrars should be permitted or required to differentiate between registrants based on the geographic location, I am of the opinion that no distinction should be made based on the geographic location of the registrant and the reason is that whether the GDPR applies or not does not only depend on the location of the registrant but it also depends on the location of the controller and processor, that is the registry, registrars and resellers and any other related processors. The regulation has this nature of extended territory, as I see it the impact of this distinction will be mainly on the industry, so registrants might choose a reseller in Europe over a reseller or a registrar outside of the EU or vice versa just to be protected or not protected by the GDPR. I cannot see the merit of the registries and registrars differentiating between the registrants based on their geographic location, where registrants not residing in the EU will be treated in accordance to the GDPR if their reseller or registrar is in the EU, the distinction based only on the geographic location of the registrant is already not possible according to the GDPR.
Kindest Regards Hadia
Hi Alan,

Protecting registrars is not the issue, the impact that I see of the distinction is only on the market, new businesses being created or flourishing and others being diminished; however, all of this is industry related matters, it does not relate to the protection of rights or privacy, moreover I see it of very little help to third parties with legitimate interest. In all cases I do share our main aim and goal as ALAC to protect end users and help those who try to keep us safe.

Best
Hadia

On Wednesday, October 31, 2018, 8:34:54 PM GMT+2, Alan Greenberg <alan.greenberg@mcgill.ca> wrote:

Hadia,

On the geographic location of controllers and processors: if a Ry/Rr doesn't know where its processors are, I think it needs to look at its business. A Rr knows who its direct resellers are but not necessarily its second and lower-level resellers. Isn't it about time it did??? Not knowing who is in the reseller chain has already caused all sorts of problems in enforcing terms of the RAA which bind an unknown and unknowable group of resellers (unknowable without the Rr taking action) in a way that cannot be audited.

On differentiating Registrars, if the Rr with a 35% market share does not care, why are we trying to protect registrars? Is that our business?

Alan

At 31/10/2018 06:26 AM, Hadia Abdelsalam Mokhtar EL miniawi wrote:
Hi All,
So going back to the EPDP team charter question if registry operators and registrars should be permitted or required to differentiate between registrants based on the geographic location, I am of the opinion that no distinction should be made based on the geographic location of the registrant and the reason is that whether the GDPR applies or not does not only depend on the location of the registrant but it also depends on the location of the controller and processor, that is the registry, registrars and resellers and any other related processors. The regulation has this nature of extended territory, as I see it the impact of this distinction will be mainly on the industry, so registrants might choose a reseller in Europe over a reseller or a registrar outside of the EU or vice versa just to be protected or not protected by the GDPR. I cannot see the merit of the registries and registrars differentiating between the registrants based on their geographic location, where registrants not residing in the EU will be treated in accordance to the GDPR if their reseller or registrar is in the EU, the distinction based only on the geographic location of the registrant is already not possible according to the GDPR.
Kindest Regards Hadia
participants (12)
- Alan Greenberg
- Bastiaan Goslings
- Greg Shatan
- gtheo
- Hadia Abdelsalam Mokhtar EL miniawi
- Hadia El Miniawi
- Jonathan Zuck
- Maureen Hilyard
- Rainer Rodewald
- Sebastien Bachollet
- Seun Ojedeji
- wilkinson christopher