Materials, discussion topics for this week's PP IRT meeting
Dear Colleagues,
Thank you for your feedback on the list since our last meeting. We will continue to discuss your feedback on the PPAA draft during our next PPIRT meeting on Thursday, 13 September, 1600 UTC. The most recent PPAA draft, including comments received on the list since our last meeting, is attached.
Action Item: The purpose of our call this week is to continue reviewing your feedback on the PPAA draft. We will pick up at Section 3.5, where we adjourned last week. If you have any additional items that you would like to note in this week's discussion version of the draft (for display in the AC room), please send them to the list no later than your end of day Wednesday.
Action Item: We'd also like to hear any feedback you have on the possibility of adding a PPAA provision(s) to require provider logging of third-party requests for non-public RDDS data. Please consider this possibility and share any feedback you have on the list this week or during Thursday's call.
I'm attaching a screenshot of the results of the PP IRT poll.
Of the 15 IRT members who responded to the poll:
* Nine IRT members answered "yes" to the question, "Do you believe that the Privacy and Proxy Service Provider Accreditation Program Implementation Review Team should consult with the GNSO Council prior to proceeding to public comment due to one or more Policy questions surrounding the implementation of the Final Recommendations?" (8-registrar; 1-no affiliation provided)
* Six IRT members answered "No." (2-PSWG, 1-registrar, 2-IPC, 1-BC)
Your feedback on the PPAA draft and all other issues is being shared with the broader internal team for review. I won't have official feedback to share this week, but am hoping that there will be more to share next week.
Best,
Amy
Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
Hi Amy,
A few additional comments on the PPAA text and suggested revisions to it.
First, could you please check the accuracy of the location of the comment boxes on the redline. For example, the string of comments beginning with AB13 should be keyed to section 3.5.3.4 on page 12, not to 3.5.3.3.4 on page 10. Similarly, the string beginning with AB 16 belongs with 3.5.3.8 on page 12, not with 3.5.3.3.8.
Second, with regard to the consent issue (keyed to 3.5.3.4): Volker, I am not questioning that "forced consent is a no-no" under GDPR. The significance of this issue is whether a service can be denied based on the customer's refusal to consent to processing of data, or her withdrawal of that consent. I am not challenging the view that in the case of the provider of registration services, such a denial of service (for failure to consent to processing of registration contact data by making it public) is problematic under GDPR, because (taking a narrow view of the service being provided) the processing is not required to provide the service. However, this calculus is different where the service being provided is a privacy/proxy service, i.e., the essence of the service being provided is the processing of precisely this data. It's hard to see how this service could be provided if the customer withdrew consent for the provider to process it. For this reason, it seems to me, the obtaining of consent (now a defined term in the PPAA, see 1.8) remains relevant and a sufficient basis to justify the processing required.
To give a simple-minded analogy, suppose you offer me the service of printing my business cards. I contract with you to provide this service, but withhold or withdraw my consent to processing of my name, address, contact points, etc. Are you still obligated to provide the service, or would you be justified in terminating the contract?
Third, regarding 3.6 on accreditation fees, this is one area in which the Whois 2 Review Team draft report may be relevant (though of course not binding):
"The RDSWHOIS2 Review Team therefore views with concern the current intent of ICANN to fund the privacy/proxy service accreditation program solely by charging providers accreditation and annual fees comparable to the fees payable by ICANN accredited registrars. The RDS-WHOIS2 Review Team considers that such fees could have an effect counterproductive to the overall goal of the program. Creating a cost barrier next to the new policy requirements at a time that the use of such services is expected to decline due to the practical effects of GDPR is likely to cause low adoption of the accreditation program by providers." (p. 67)
Fourth, in paragraph 3.11.5 on page 17, what is a "generic email address"?
Fifth, regarding the question in your e-mail about "provider logging of third-party requests for non-public RDDS data," I would have no objection in principle to requiring this, but isn't the more sensitive question who has access to such logs and under what conditions? Does the staff have a specific proposal to make on this topic? If so can you bring it forward now?
Finally, it is disappointing that the staff won't have any "official feedback" for us this week on the points already raised in discussion of the revised PPAA over the past two weeks. Can we get a commitment to a response by say Sept. 17 so we will have a chance to review and comment on it prior to the Sept. 20 call?
Thanks Amy!
Steve Metalitz
Hi Steven,
this is a false equivalency as the data processing is technically necessary to fulfill the contract to print the business cards. I cannot provide the service if I cannot process the data. The same is not necessarily true for domain registrations or privacy services. To refuse service because the customer refuses to provide data that is not necessary for the provision of the service is quintessential forced consent when given. This does not mean I cannot ask for further data if I have legitimate purposes other than consent, but I cannot rely on such consent as it is not free. Simple GDPR 101.
To your fourth question, I would like to support it and further ask: "How is a provider to recognize/detect/identify a generic email address as opposed to a non-generic one?"
To your fifth question, the GDPR actually specifies circumstances/cases under which the data subject must be informed of any disclosure not covered under the purposes specified at the time of the agreement. As well as when such disclosures can be omitted, such as lawful LEA requests for non-disclosure, for example.
To your final point, I have reached stage 5, acceptance on this one...
Best regards,
Volker
Volker A. Greimann
- legal department -
Key-Systems GmbH
Email: vgreimann@key-systems.net
Web: www.key-systems.net
And "generic email address" is a quagmire. I don't think there's a "universal" standard as to what constitutes one and there's absolutely no way to know if an email address is really "generic", which I think in this context is meant to mean "non personal".
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
Thanks, Steve, and all.
I'm updating the draft to correct the locations of the comments, and will distribute that before tomorrow's meeting. I'm also adding in all of the comments over the last couple of days on the list (truncating, where appropriate, as the threads have continued).
On your question about a staff proposal on logging, there isn't one at this stage. As background, note the 5 July communication to ICANN org from the EDPB, which references this topic on p. 5, https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul1...
I'm doing everything I can to ensure the IRT's feedback is reviewed by the internal team and responded to as quickly as possible. I'll keep the group up to date on status as I have more information.
Thanks, and I look forward to speaking with you tomorrow.
Amy
participants (4)
- Amy Bivins
- Metalitz, Steven
- Michele Neylon - Blacknight
- Volker Greimann