Thanks Chris for this and for putting pen to paper!  

Note as it is still early in the US, I have not been able to fully canvass my colleagues on this, so this is just my own observations at this point. As much as I appreciate this, I do fear it does not provide us with anything more than a restatement of the recital. If we are aiming for this to be meaningful, it needs more. I am unsure as to how this "guidance" operationally provides any help to a CP to voluntarily follow this guidance - it merely says they should follow the law - which I hope we all agree is a truism, and does not reach the level of guidance. This is all about the what, and not the how, and doesn't tend to provide any detail as to a reliable method, as there is no real input as to what a reasonable safeguard actually is, or even what we are safeguarding against in truth. 

As the public comment noted, and as I hope we have been consistently open on, the RYSG continues to be supportive of guidance, as the outlining of the legal obligations may be helpful for some CPs who are not as familiar with the expectations of data privacy law - but we continue to hold reservations as to the true utility of the guidance, as, although well-meaning, it lacks any true guidance as to how to practically achieve such objectives. I mean this as no slight to the efforts of the team, but a large portion of this guidance is simply written as a statement of an outcome, and not how to arrive safely at that outcome. 


Although I do not wish to create anything that could be considered as 'legal advice' (as this will create massive liability for ICANN in both enforcement and expectation), I do think we should not try to reinvent the wheel here. Why not just borrow heavily from the actual wording used by the EDPB in their letter of 5th July 2018 (https://edpb.europa.eu/sites/default/files/files/file1/icann_letter_en.pdf), paragraph 3? I understand that Laureen expressed a belief that the recitals of the GDPR were of more persuasive authority than the letter of the EDPB; however, given that the EDPB is the body tasked with enforcement, and they have not only referenced recital 14 but expanded on the interpretation therein, it would be remiss of us to exclude it. I personally welcomed the additional insight into the recital from their primary 'enforcement' POV. I have had a stab at tailoring it to make it provide guidance, whilst still accepting that there may be more than one way to achieve this (hence why this MUST be voluntary, as to say otherwise will make this legal advice). It still does not engage in much of the HOW, but it provides more detail as to the WHY, to enable the CPs to individually consider how they can rise to the challenge, if they feel they can.  

"The GDPR does not apply to the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.[FN: Recital 14, GDPR] While the contact details of a legal person are outside the scope of the GDPR, the contact details concerning natural persons are within the scope of the GDPR, as well as any other information relating to an identified or identifiable natural person.[FN: Art 4(1), GDPR] The mere fact that a registrant is a legal person does not necessarily justify unlimited publication of personal data relating to natural persons who work for or represent that organization, such as natural persons who manage administrative or technical issues on behalf of the registrant. 

For example, the publication of the personal email address of a technical contact person consisting of firstname.lastname@company.com can reveal information regarding their current employer as well as their role within the organization. Together with the address of the registrant, it may also reveal information about his or her place of work. In light of these considerations, personal data capable of identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS/RDAP. Any publication by a contracted party must include sufficient safeguards to prevent the identification of any such natural person, directly or indirectly (e.g. use of clearly generic contact email information "admin@domain.com").


I hope this is constructive. 


Alan 

Donuts Inc.

Alan Woods
Senior Manager, Compliance & Policy, Donuts Inc. 
Donuts
Ground Floor
Le Pole House
Ship Street Great
Dublin 8







On Thu, Aug 12, 2021 at 11:57 AM LEWIS-EVANS, Christopher via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:

OFFICIAL

Suggested text for recommendation 4 as discussed on the last call, believe it should go between current 2 and 3.


Thanks

Chris


The GDPR protects natural persons in relation to the processing of their personal data. "It does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person." This allows for disclosure of legal persons' data because it is outside the remit of the GDPR. Nevertheless, when processing legal persons' data, safeguards should be put in place to ensure that personally identifying data about a natural person is not disclosed within data marked as a legal person.


_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team