Re: [CPWG] [registration-issues-wg] Urgent EPDP question
Thanks for the quick replies. I agree that the issue that a legal person may have some "natural person" information associated with it. But there is no way that a registrar can reasonable parse that, so it is up to the registrant to rid their entries of natural person information if they choose to include it. And yes, "Alan Greenberg Inc" had personal information in it. As does alangreenberg.org. But no one forces me to have a domain name. I find particularly amusing the issue of a Legal Person including name-identifying e-mails. Clearly that is a choice which they may know about, but the registrar, registry or ICANN cannot. If you wish to be suitable amused, consider that there are several families in the US with a surname of "Contact". Abuse.Contact@gmail.com is potentially a protected address! Certainly registrars and registries would like to simplify their life. And adding a Natural/Legal flag will not be a trivial activity. But that does not imply it is not the right way to go. Alan At 14/10/2018 11:42 PM, you wrote:
In agreement of contractual parties of having 2 systems, one to protect the "natural person" privacy information for every one globally and not only those from Europe. The second is for the "legal persons" and because they're under licence agreements in the legal system of their respective countries. Hence moving to a two registered system has to have a limited and derminate timeframe to move towards the dual registrant system. I don't think their concerns about changing the system, but it seems it goes beyond that.
If there are concerns about the micro commercial business for individual who function without any registration in their countries, it would be their individual problem in how to be accountable to their countries requirements.
Nadira
On Mon, Oct 15, 2018, 05:01 Holly Raiche <<mailto:h.raiche@internode.on.net>h.raiche@internode.on.net> wrote: Folks An argument against differentiation is that the contracted parties want to be able, as much as possible, to implement one system for managing information rather than having to differentiate between the license of a name being a natural person and the licensee of a name being a corporate person. Another is says that there are circumstances where information about legal entities may amount to personal information - for example, when a small business (usually a legal person) has used the actual name of the person as the business name, or where, in the case of a legal person, the contact details provided are for a named individual - thus GDPR protections should apply uniformly. My personal view is that, from the perspective of users, the protections of GDPR really need only apply to natural persons. That means that companies will need to be careful not to provide personal contact information for the RAA/Registry agreements. And from an end user point of view, the management of systems to differentiate legal from natural persons is not our concern.
Holly
On Oct 15, 2018, at 12:12 PM, Alan Greenberg <<mailto:alan.greenberg@mcgill.ca>alan.greenberg@mcgill.ca> wrote:
Here is a question that we need an answer on no later than Tuesday morning.
GDPR requires the information related to Natural Persons be protected (for those resident in Europe) be protected. GDPR does not apply to Legal Persons (ie companies).
ICANN's Temporary Spec allows contracted parties to treat all registrant alike and subject to GDPR.
The EPDP Charter includes questions about whether contracted parties may or must treat Legal Persons differently from Natural Persons.
The GAC, BC and IPC have made strong statements about the need to restrict GDPS to Natural Persons. The contracted parties are pushing back - strongly. The words vary, but in essence what they are saying ranges from there should be no constraint on them to yes, they may differentiate but with an unspecified time-frame. (As you may note if you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA must do some validation of contact information for new an transfered domains, but none to simple renewal. so there are currently 140,000,000 domains without verified information (5 years after the 2013 RAA came into force) and there is no requirement to ever validate their information - so unspecified time frames can last a LONG time.)
I personally feel that it is essential that we should differentiate between legal persons and natural persons, just as GDPR and other privacy legislation does.
Comments?
Alan
_______________________________________________ CPWG mailing list <mailto:CPWG@icann.org>CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list
<mailto:registration-issues-wg@atlarge-lists.icann.org>registration-issues-wg@atlarge-lists.icann.org
https://mm.icann.org/mailman/listinfo/registration-issues-wg
CPWG mailing list <mailto:CPWG@icann.org>CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
+1 The very meaning of registering a "legal person" is to make it reachable by the public. There is no privacy involved. At least in the part of world I know of. Kaili ----- Original Message ----- From: Alan Greenberg To: CPWG Sent: Monday, October 15, 2018 12:04 PM Subject: Re: [CPWG] [registration-issues-wg] Urgent EPDP question Thanks for the quick replies. I agree that the issue that a legal person may have some "natural person" information associated with it. But there is no way that a registrar can reasonable parse that, so it is up to the registrant to rid their entries of natural person information if they choose to include it. And yes, "Alan Greenberg Inc" had personal information in it. As does alangreenberg.org. But no one forces me to have a domain name. I find particularly amusing the issue of a Legal Person including name-identifying e-mails. Clearly that is a choice which they may know about, but the registrar, registry or ICANN cannot. If you wish to be suitable amused, consider that there are several families in the US with a surname of "Contact". Abuse.Contact@gmail.com is potentially a protected address! Certainly registrars and registries would like to simplify their life. And adding a Natural/Legal flag will not be a trivial activity. But that does not imply it is not the right way to go. Alan At 14/10/2018 11:42 PM, you wrote: In agreement of contractual parties of having 2 systems, one to protect the "natural person" privacy information for every one globally and not only those from Europe. The second is for the "legal persons" and because they're under licence agreements in the legal system of their respective countries. Hence moving to a two registered system has to have a limited and derminate timeframe to move towards the dual registrant system. I don't think their concerns about changing the system, but it seems it goes beyond that. If there are concerns about the micro commercial business for individual who function without any registration in their countries, it would be their individual problem in how to be accountable to their countries requirements. Nadira On Mon, Oct 15, 2018, 05:01 Holly Raiche < h.raiche@internode.on.net> wrote: Folks An argument against differentiation is that the contracted parties want to be able, as much as possible, to implement one system for managing information rather than having to differentiate between the license of a name being a natural person and the licensee of a name being a corporate person. Another is says that there are circumstances where information about legal entities may amount to personal information - for example, when a small business (usually a legal person) has used the actual name of the person as the business name, or where, in the case of a legal person, the contact details provided are for a named individual - thus GDPR protections should apply uniformly. My personal view is that, from the perspective of users, the protections of GDPR really need only apply to natural persons. That means that companies will need to be careful not to provide personal contact information for the RAA/Registry agreements. And from an end user point of view, the management of systems to differentiate legal from natural persons is not our concern. Holly > On Oct 15, 2018, at 12:12 PM, Alan Greenberg <alan.greenberg@mcgill.ca > wrote: > > Here is a question that we need an answer on no later than Tuesday morning. > > GDPR requires the information related to Natural Persons be protected (for those resident in Europe) be protected. GDPR does not apply to Legal Persons (ie companies). > > ICANN's Temporary Spec allows contracted parties to treat all registrant alike and subject to GDPR. > > The EPDP Charter includes questions about whether contracted parties may or must treat Legal Persons differently from Natural Persons. > > The GAC, BC and IPC have made strong statements about the need to restrict GDPS to Natural Persons. The contracted parties are pushing back - strongly. The words vary, but in essence what they are saying ranges from there should be no constraint on them to yes, they may differentiate but with an unspecified time-frame. (As you may note if you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA must do some validation of contact information for new an transfered domains, but none to simple renewal. so there are currently 140,000,000 domains without verified information (5 years after the 2013 RAA came into force) and there is no requirement to ever validate their information - so unspecified time frames can last a LONG time.) > > I personally feel that it is essential that we should differentiate between legal persons and natural persons, just as GDPR and other privacy legislation does. > > Comments? > > Alan > > _______________________________________________ > CPWG mailing list > CPWG@icann.org > https://mm.icann.org/mailman/listinfo/cpwg > _______________________________________________ > registration-issues-wg mailing list > registration-issues-wg@atlarge-lists.icann.org > https://mm.icann.org/mailman/listinfo/registration-issues-wg _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg ------------------------------------------------------------------------------ _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
While the GDPR makes a distinction it is a moving target, the Privacy regulation will not make a distinction (current draft). Plus I wonder how to deal with recommendation 7 from the Berlin Group? https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/publikationen/wo... Why do we not make the distinction on a browser level through SSL certificates rather then WHOIS and have Certificate Authorities do the validation and verification of such legal entities? https://www.ssl.com/article/dv-ov-and-ev-certificates/ A simple OV SLL validated cert does already do what the majority wants and price should not be an issue, plus it is easier for an internet user to verify. Do we want tougher verification and validation? Then perhaps propose an Extended Validated SSL? But perhaps such solutions already been discussed on this list and deemed not to be a silver bullet? Best. Theo Kan Kaili schreef op 2018-10-15 09:59 AM:
+1
The very meaning of registering a "legal person" is to make it reachable by the public. There is no privacy involved. At least in the part of world I know of.
Kaili
----- Original Message ----- From: Alan Greenberg To: CPWG Sent: Monday, October 15, 2018 12:04 PM Subject: Re: [CPWG] [registration-issues-wg] Urgent EPDP question
Thanks for the quick replies.
I agree that the issue that a legal person may have some "natural person" information associated with it. But there is no way that a registrar can reasonable parse that, so it is up to the registrant to rid their entries of natural person information if they choose to include it. And yes, "Alan Greenberg Inc" had personal information in it. As does alangreenberg.org. But no one forces me to have a domain name.
I find particularly amusing the issue of a Legal Person including name-identifying e-mails. Clearly that is a choice which they may know about, but the registrar, registry or ICANN cannot. If you wish to be suitable amused, consider that there are several families in the US with a surname of "Contact". Abuse.Contact@gmail.com is potentially a protected address!
Certainly registrars and registries would like to simplify their life. And adding a Natural/Legal flag will not be a trivial activity. But that does not imply it is not the right way to go.
Alan
At 14/10/2018 11:42 PM, you wrote:
In agreement of contractual parties of having 2 systems, one to protect the "natural person" privacy information for every one globally and not only those from Europe. The second is for the "legal persons" and because they're under licence agreements in the legal system of their respective countries. Hence moving to a two registered system has to have a limited and derminate timeframe to move towards the dual registrant system. I don't think their concerns about changing the system, but it seems it goes beyond that.
If there are concerns about the micro commercial business for individual who function without any registration in their countries, it would be their individual problem in how to be accountable to their countries requirements.
Nadira
On Mon, Oct 15, 2018, 05:01 Holly Raiche < h.raiche@internode.on.net> wrote: Folks
An argument against differentiation is that the contracted parties want to be able, as much as possible, to implement one system for managing information rather than having to differentiate between the license of a name being a natural person and the licensee of a name being a corporate person.
Another is says that there are circumstances where information about legal entities may amount to personal information - for example, when a small business (usually a legal person) has used the actual name of the person as the business name, or where, in the case of a legal person, the contact details provided are for a named individual - thus GDPR protections should apply uniformly.
My personal view is that, from the perspective of users, the protections of GDPR really need only apply to natural persons.
That means that companies will need to be careful not to provide personal contact information for the RAA/Registry agreements. And from an end user point of view, the management of systems to differentiate legal from natural persons is not our concern.
Holly
> On Oct 15, 2018, at 12:12 PM, Alan Greenberg <alan.greenberg@mcgill.ca > wrote: > > Here is a question that we need an answer on no later than Tuesday morning. > > GDPR requires the information related to Natural Persons be protected (for those resident in Europe) be protected. GDPR does not apply to Legal Persons (ie companies). > > ICANN's Temporary Spec allows contracted parties to treat all registrant alike and subject to GDPR. > > The EPDP Charter includes questions about whether contracted parties may or must treat Legal Persons differently from Natural Persons. > > The GAC, BC and IPC have made strong statements about the need to restrict GDPS to Natural Persons. The contracted parties are pushing back - strongly. The words vary, but in essence what they are saying ranges from there should be no constraint on them to yes, they may differentiate but with an unspecified time-frame. (As you may note if you looked at the RDS-WHOIS2 report, registrars under the 2013 RAA must do some validation of contact information for new an transfered domains, but none to simple renewal. so there are currently 140,000,000 domains without verified information (5 years after the 2013 RAA came into force) and there is no requirement to ever validate their information - so unspecified time frames can last a LONG time.) > > I personally feel that it is essential that we should differentiate between legal persons and natural persons, just as GDPR and other privacy legislation does. > > Comments? > > Alan > > _______________________________________________ > CPWG mailing list > CPWG@icann.org > https://mm.icann.org/mailman/listinfo/cpwg > _______________________________________________ > registration-issues-wg mailing list > registration-issues-wg@atlarge-lists.icann.org > https://mm.icann.org/mailman/listinfo/registration-issues-wg
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
------------------------------------------------------------------------------
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg
_______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org https://mm.icann.org/mailman/listinfo/registration-issues-wg
participants (3)
-
Alan Greenberg -
gtheo -
Kan Kaili