We will certainly have to address similar legislation in other countries, but the problem is that it may vary country to country, with some less stringent than the EU and some more. For the "more" case, that will almost certainly require country identification. Alan At 30/10/2018 07:21 AM, Vanda Etges wrote: Considering several countries like in Latin America for instance are approving one by one its own law GDPR compliant I would bet on the universal , ignoring distinction related to place since in few years they will need to extend to all clients Vanda Scartezini Sent from my iPhone Sorry for typos On 30 Oct 2018, at 08:06, Tijani BEN JEMAA < tijani.benjemaa@topnet.tn<mailto:tijani.benjemaa@topnet.tn>> wrote: Alan, I do understand the contracted parties who push back for at least 2 reasons: * the mobility of registrants * the complexity of managing 2 kind of treatment I though it was said in the beginning that the contracted parties should remain free to apply universally or only for the European subjects. This is in my opinion the best choice. ----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 ----------------------------------------------------------------------------- Le 30 oct. 2018 à 02:32, Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca> > a écrit : GDPR is applicable to residents of the EU by companies resident there and worldwide. One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere. There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that the can or are willing to make the distinction. The current (confusing) state of the working document is attached. Which side should ALAC come down on? - Restrict application to those to whom GDPR applies? - Apply universally ignoring residence? As usual, quick replies requested. Alan<RySG revisions Small Team #2 Geographic - updated.pdf>_______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org<mailto:registration-issues-wg@atlarge-lists.icann.org> https://mm.icann.org/mailman/listinfo/registration-issues-wg

With regard to the geographic location I think it is more complex, an example of this complexity, if the registry is outside of the EU and is processing data that belongs to persons outside of the EU but has a processor within the EU then GDPR still applies. (A processor might be a reseller) Hadia From: CPWG [mailto:cpwg-bounces@icann.org] On Behalf Of Alan Greenberg Sent: Tuesday, October 30, 2018 3:50 PM To: Tijani BEN JEMAA Cc: CPWG Subject: Re: [CPWG] EPDP: Geographic distinction The issue is the 2nd one and the perceived risk of making a wrong decision. But the counter argument is that for every registration, the registrant indicates a country. And some contracted parties (such as GoDaddy with 35% of all .com registrations) already make that distinction. Alan At 30/10/2018 07:06 AM, Tijani BEN JEMAA wrote: Alan, I do understand the contracted parties who push back for at least 2 reasons: * the mobility of registrants * the complexity of managing 2 kind of treatment I though it was said in the beginning that the contracted parties should remain free to apply universally or only for the European subjects. This is in my opinion the best choice. ----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 ----------------------------------------------------------------------------- Le 30 oct. 2018 à 02:32, Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca> > a écrit : GDPR is applicable to residents of the EU by companies resident there and worldwide. One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere. There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that the can or are willing to make the distinction. The current (confusing) state of the working document is attached. Which side should ALAC come down on? - Restrict application to those to whom GDPR applies? - Apply universally ignoring residence? As usual, quick replies requested. Alan<RySG revisions Small Team #2 Geographic - updated.pdf>_______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg

I'm not convinced that without the GDPR penalties, the community or the contracted parties would have invested the time to address this properly. But then we will never know. With regard to laws in other jurisdictions, we are putting a lot of effort into a "relatively" simple implementation for GDPR, but I am afraid that once we start paying attention to other laws and regulations we will find differences and potentially conflicts and the implementation is going to get a lot harder. I have a perverse sense of humour, but I am not sure I would call it "fun"! Alan At 30/10/2018 04:22 PM, Roberto Gaetano wrote: +1 Tijani. The problem comes from the fact that ICANN is reactive not proactive. The discussion about privacy has being going on for years, well before GDPR, and we are on record for positions about privacy. Incidentally, if other governments start taking position and develop their own criteria and imposing different rules on the contracted parties - as it seems already the case with the proposal in front of the US Congress - we re going to have fun. R On 30.10.2018, at 12:06, Tijani BEN JEMAA < tijani.benjemaa@topnet.tn<mailto:tijani.benjemaa@topnet.tn>> wrote: Alan, I do understand the contracted parties who push back for at least 2 reasons: * the mobility of registrants * the complexity of managing 2 kind of treatment I though it was said in the beginning that the contracted parties should remain free to apply universally or only for the European subjects. This is in my opinion the best choice. ----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 ----------------------------------------------------------------------------- Le 30 oct. 2018 à 02:32, Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca> > a écrit : GDPR is applicable to residents of the EU by companies resident there and worldwide. One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere. There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that the can or are willing to make the distinction. The current (confusing) state of the working document is attached. Which side should ALAC come down on? - Restrict application to those to whom GDPR applies? - Apply universally ignoring residence? As usual, quick replies requested. Alan<RySG revisions Small Team #2 Geographic - updated.pdf>_______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org<mailto:registration-issues-wg@atlarge-lists.icann.org> https://mm.icann.org/mailman/listinfo/registration-issues-wg

Alan, You have just provided the best explanation on why ICANN was reluctant in addressing once and for good the privacy issue with a balanced policy and why it has been shortsighted - to say the least - to do so. And now we have to live with the fact that policy will be done outside ICANN, via legislation, and we can only comply. Quoting a song in Neapolitan dialect: “Addò’ pastine o’ggrano, o’ggrano cresce - o riesce o nun riesce, sempr’è ggrano chello ch’esce”. Basically, you harvest what you have sown. Cheers, Roberto On 30.10.2018, at 22:02, Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>> wrote: I'm not convinced that without the GDPR penalties, the community or the contracted parties would have invested the time to address this properly. But then we will never know. With regard to laws in other jurisdictions, we are putting a lot of effort into a "relatively" simple implementation for GDPR, but I am afraid that once we start paying attention to other laws and regulations we will find differences and potentially conflicts and the implementation is going to get a lot harder. I have a perverse sense of humour, but I am not sure I would call it "fun"! Alan At 30/10/2018 04:22 PM, Roberto Gaetano wrote: +1 Tijani. The problem comes from the fact that ICANN is reactive not proactive. The discussion about privacy has being going on for years, well before GDPR, and we are on record for positions about privacy. Incidentally, if other governments start taking position and develop their own criteria and imposing different rules on the contracted parties - as it seems already the case with the proposal in front of the US Congress - we re going to have fun. R On 30.10.2018, at 12:06, Tijani BEN JEMAA <tijani.benjemaa@topnet.tn<mailto:tijani.benjemaa@topnet.tn>> wrote: Alan, I do understand the contracted parties who push back for at least 2 reasons: * the mobility of registrants * the complexity of managing 2 kind of treatment I though it was said in the beginning that the contracted parties should remain free to apply universally or only for the European subjects. This is in my opinion the best choice. ----------------------------------------------------------------------------- Tijani BEN JEMAA Executive Director Mediterranean Federation of Internet Associations (FMAI) Phone: +216 98 330 114 +216 52 385 114 ----------------------------------------------------------------------------- Le 30 oct. 2018 à 02:32, Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca> > a écrit : GDPR is applicable to residents of the EU by companies resident there and worldwide. One of the issues is whether contracted parties should be allowed or required to distinguish between those who are resident there and elsewhere. There is agreement that such distinction should be allowed, but EPDP is divided on whether it should be required. The GAC/BC/IPC want to see the distinction made, and at least one very large contracted party does already make the distinction. Other contracted parties are pushing back VERY strongly saying that there is virtually no way that the can or are willing to make the distinction. The current (confusing) state of the working document is attached. Which side should ALAC come down on? - Restrict application to those to whom GDPR applies? - Apply universally ignoring residence? As usual, quick replies requested. Alan<RySG revisions Small Team #2 Geographic - updated.pdf>_______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ registration-issues-wg mailing list registration-issues-wg@atlarge-lists.icann.org<mailto:registration-issues-wg@atlarge-lists.icann.org> https://mm.icann.org/mailman/listinfo/registration-issues-wg

Of course, as a practical matter with the contracted parties trying to limit liability and the NCSG trying to limit everything, this restriction isn't going to happen. We nee to huddle and figure out where to really fight the good fight. On 10/30/18, 11:39 AM, "GTLD-WG on behalf of Carlton Samuels" <gtld-wg-bounces@atlarge-lists.icann.org on behalf of carlton.samuels@gmail.com> wrote: Restrict. But the [processing] principle at issue is really about granularity of data; granularity enables pointed decision-making. Multiple DP/P regimes are emerging, all of them sharing principles but often because of application makes for small to significant differences. In fact even in EU member states there are differences. Encourage granularity. -Carlton ============================== *Carlton A Samuels* *Mobile: 876-818-1799Strategy, Process, Governance, Assessment & Turnaround* ============================= On Mon, Oct 29, 2018 at 8:33 PM Alan Greenberg <alan.greenberg@mcgill.ca> wrote: > GDPR is applicable to residents of the EU by companies resident there > and worldwide. > > One of the issues is whether contracted parties should be allowed or > required to distinguish between those who are resident there and elsewhere. > > There is agreement that such distinction should be allowed, but EPDP > is divided on whether it should be required. The GAC/BC/IPC want to > see the distinction made, and at least one very large contracted > party does already make the distinction. Other contracted parties are > pushing back VERY strongly saying that there is virtually no way that > the can or are willing to make the distinction. > > The current (confusing) state of the working document is attached. > > Which side should ALAC come down on? > > - Restrict application to those to whom GDPR applies? > - Apply universally ignoring residence? > > As usual, quick replies requested. > > Alan_______________________________________________ > CPWG mailing list > CPWG@icann.org > https://mm.icann.org/mailman/listinfo/cpwg > _______________________________________________ > registration-issues-wg mailing list > registration-issues-wg@atlarge-lists.icann.org > https://mm.icann.org/mailman/listinfo/registration-issues-wg >