Hi Steve,

thank you for your helpful comments.


3.3 -remove in its entirety - we never proposed a public access RDS system by privacy services in the WG. It is also unclear whom the license is supposed to be granted to.

SM comment:  I don’t fully agree with Volker here.  While some change to the provision might be needed, this is still useful as a statement of the subset of the data collected by Provider that would be subject to Disclosure, either under one of the Frameworks or otherwise.  The reference to interactive, query-based access should be retained to make it clear that those registrars/registries not redacting the data of non-=EU registrations have a license to display it.   Perhaps we should also add a reference to the items listed as being subject to Disclosure in accordance with this agreement. 

The RDS is a registrar/registry obligation, PP services never had such an obligatuion and we also never proposed that. This does not affect the Relay or Disclosure obligations. Happy with replacing it with such a reference, as proposed.

3.5.3 Move information requirements to 3.8, unless a specific notice is absolutely required.

SM comment:  Not sure I understand Volker’s proposal here.  The data accuracy provisions need to be part of the accreditation agreement (and thus enforceable by ICANN) and not just part of the Terms of Service enforceable by the Provider (though they certainly could be there as well).  But I might be missing what Volker is driving at here.   

My main point is that ensuring data accuracy never is a responsibility of a contracted party, it is the responsibility of the registrant. The contracted party may have an obligation to verify upon receipt of a complaint and to conduct cvertain operations regarding verification and validation, but ultimately the responsibility lies with the registrant and the contracted party may be required to enforce this obligation against the registrant. Therefore the correct place for such notices is the terms of service or the provider. Note that this obligation to provide notice is still enforceable by ICANN.

3.5.3.3 Replace by: Provider shall provide appropriate notice to a Customer upon each initial agreement regarding a Registered Name for which Provider is providing the Services. Such a notice should provide all legally required information in accordance with applicable data privacy laws (optional: which may include: 3.5.3.3.1, 3.5.3.3.2, 3.5.3.3.3, 3.5.3.3.4, 3.5.3.3.5, 3.5.3.3.6, 3.5.3.3.9, 3.5.3.3.10, 3.5.3.3.11, 3.5.3.3.13 (add: if applicable), 3.5.3.3.14.)

SM comment:  Support this in principle, this is an example of where it would be inappropriate to import the Temp Spec into implementation of a consensus policy.  Furthermore, some of these elements make little sense outside of the EU context, and there will continue to be Providers not subject to the GDPR, at least as to certain non-EU Customers.   

Agreed. Non-EU registrars with non-EU customers will not be bound by GDPR (but may be bound by the incoming Californian privacy laws, or other such laws elsewhere). Hmm, come to think of it, ICANN is based in California ;-)

3.5.3.4 Remove completely, as this is invalid forced consent.

SM comment:  I disagree.  I am afraid Volker may be committing the error he has often warned us against of conflating a domain name registration service with the service provided by a P/P provider.  In the latter case, the only subject matter of the contract itself involves the collection, processing and disclosure of data, not the provision of any other service, so it may be perfectly acceptable to rely upon consent for the processing activities, even if this legal basis is of less value in the case of a domain name registration service where the processing of e.g. contact data of the registrant is arguably more ancillary to the main point of the contract.  

Hate to disagree, but forced consent is a no-go under the GDPR. Better base such processing by the provider on the need of processing for providing the service and to conclude a valid agreement.

3.5.3.8 Remove: Unnecessary as already included in registration agreements. No need for duplication of representation.

SM comment:  Disagree, breach of this representation should be a basis for terminating the p/p service even if the registrar is not enforcing the obligation.  In addition, as this provision has been in the draft PPAA since the beginning, and is not impacted by GDPR as far as I can tell,  I question why it is being challenged at this point.  Surely we should not be reopening issues that has already come to rest over the previous years….

So basically you want the registrant to make the same (implicit) representation twice? Once to the registrar when requesting the registration and once to the privacy service provider? What is the added benefit here?

3.17. add at the end: ...and to the extent permitted under applicable law.

SM comment:  I don’t object to this in principle (and as applicable to Disclosures outside the context of the Disclosure Frameworks) but would defer until we get to discussing the proposed edits to these Disclosure Frameworks. 

I'd prefer to settle this now and not push issues ahead for later to avoid further delay, but I could live with it.

3.18.2 Add: Provider shall not be required to allow transfers to registrars it has no agreement with as long as its data remains in the RDS at the time the transfer is requested.

SM comment:  Would like to hear more about why this addition is needed and what relationship if any it bears to GDPR and its impact on RDS.  (See above as to re-opening settled issues.) 

No relation to RDS, but immense business and liability impact. If registration is move to registrar with privacy data intact and the privacy service has no agreement with that registrar, provider loses control over registration where it still formally is registered name holder.

7.2. Please add data processing equivalency language. Also remove the reference to the "specification in effect".

SM comment:  Not sure what is being proposed here by Volker. 

Basically, a reference to chatper 5 GDPR without spelling that out, indicating that for disclosure to happen, requester should evidence or represent that requester uses similar/equivalent data protection measures when processing the data, indicating the duration of expected processing, indicating whom the data would be provided to, etc. Required due to corresponding responsibility of provider bound by GDPR to ensure this.
And for the specification in effect thing, we could change it to "any specification in effect binding upon providers" or similar. Current wording is too broad.

Spec 2, Remove Sections 1.2.5, 1.3.1,1.3.2, 1.3.3, 1.3.5 - irrelevant for pp services.

SM comment:  True but I assume this is simply the same boilerplate definition of Consensus Policies used in other contexts, and wouldn’t tinkering with it here raise unnecessary questions about whether certain topics are no longer within ICANN’s remit?  

I would prefer the agreement to be tailored to the services at hand. It is long enough as it is.

Best,
Volker

 

Am 31.08.2018 um 21:09 schrieb Amy Bivins:

Dear Colleagues,

 

Following up on our discussion yesterday, I checked with the Legal team about a couple of items that were discussed.

 

1.       With respect to the proposed edits to the PPAA that are related to data processing (see, e.g. Section 3.5.3 of the contract and the new draft Specification 8), provisions on these topics must be included in this contract, though these can be edited based on your feedback.

 

If you have suggested edits to these new provisions, please send them to the list and we can discuss them on the call next week. If, as discussed yesterday, you believe the inclusion of these provisions raises more fundamental questions about status, in light of the pending ePDP on similar topics, we can also discuss that.

 

As a reminder, the way the PPAA is drafted, any new ICANN Policy that is in conflict with current provisions (GDPR-related or otherwise) would supersede any conflicting provisions in this contract.

 

2.       On the overall timeline, and additional deliverables, any additional GDPR-related changes will be based on IRT feedback. We have a couple of additional discussion topics that we didn’t reach last week, which could require additional PPAA changes. We’ll discuss these next week:

a.       Are the disclosure frameworks intended to give Providers limited or no discretion on disclosure if other requirements in the framework are met?

b.       What should requirements be for a Provider’s logging of disclosure requests from third parties?

 

We are continuing to review the contract for any copy-editing related issues, and I expect we will finish with those in the next week or so.

 

I hope this is helpful. Please continue to consider these issues and share any feedback you have on-list. We can pick up on these issues next week.

 

Thanks, and have a great weekend!

Amy

 

Amy E. Bivins

Registrar Services and Engagement Senior Manager

Registrar Services and Industry Relations

Internet Corporation for Assigned Names and Numbers (ICANN)

Direct: +1 (202) 249-7551

Fax:  +1 (202) 789-0104

Email: amy.bivins@icann.org

www.icann.org

 



_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

 

-- 
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
 
Mit freundlichen Grüßen,
 
Volker A. Greimann
- Rechtsabteilung -
 
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
 
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
 
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
www.facebook.com/KeySystems
www.twitter.com/key_systems
 
Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken 
Umsatzsteuer ID.: DE211006534
 
Member of the KEYDRIVE GROUP
www.keydrive.lu 
 
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
 
--------------------------------------------
 
Should you have any further questions, please do not hesitate to contact us.
 
Best regards,
 
Volker A. Greimann
- legal department -
 
Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net
 
Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com
 
Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems
 
CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken 
V.A.T. ID.: DE211006534
 
Member of the KEYDRIVE GROUP
www.keydrive.lu 
 
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
 
 
 


_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl



_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

-- 
Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann
- Rechtsabteilung -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook:
www.facebook.com/KeySystems
www.twitter.com/key_systems

Geschäftsführer: Alexander Siffrin
Handelsregister Nr.: HR B 18835 - Saarbruecken 
Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu 

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann
- legal department -

Key-Systems GmbH
Im Oberen Werk 1
66386 St. Ingbert
Tel.: +49 (0) 6894 - 9396 901
Fax.: +49 (0) 6894 - 9396 851
Email: vgreimann@key-systems.net

Web: www.key-systems.net / www.RRPproxy.net
www.domaindiscount24.com / www.BrandShelter.com

Follow us on Twitter or join our fan community on Facebook and stay updated:
www.facebook.com/KeySystems
www.twitter.com/key_systems

CEO: Alexander Siffrin
Registration No.: HR B 18835 - Saarbruecken 
V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP
www.keydrive.lu 

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.