That seems a bit of an extreme interpretation. We agreed not to make no differentiation based on geo for the smple fact that anything else would be an administrative nightmare. There are so many variables why a set of data may be protected under the GDPR (and comparable regulations) that it seemed unfeasible to design a system that made such differentiations. Consider the following scenarios triggering protection just under GDPR: -Registrar in EU -Reseller in EU -Registry in EU -Reseller of reseller (whom we usually do not know) in the EU -Registrant in EU -Other Contact in EU -Registrar outside the EU, but processing in the EU (For example using a Registrar backend service) -Registry outside the EU, but processing in the EU (For example using a Registry backend service) -Registrar outside the EU, Reseller outside the EU but reseller processing in the EU and many many more. Having to look at each data set like this individually is simply not feasible for a contracted party, hence the decision (and need) to simply treat all data as protected. And while I hate to contradict you Brian, the potentially problematic part is never the act of withholding, and always the act of disclosing, at least from a liability perspective. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virus-free. www.avast.com <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> <#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2> On Fri, Aug 30, 2019 at 1:56 PM King, Brian via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:

Hi Farzaneh,

That’s not quite right. We decided that CPs could differentiate in the context of publication/redaction, not in the context of SSAD.

In the SSAD context, the act of withholding data when someone needs it, without a legal basis for withholding it (i.e. application of privacy law), would be legally problematic for the entity withholding access. In this case, withholding the data could make the controller secondarily liable for the bad actor’s conduct.

So, the data must be disclosed unless there’s a legal basis for withholding it. For legal persons and natural persons not covered by data privacy law, there is no legal basis for withholding the data, and there should be no balancing test.

Brian J. King Director of Internet Policy and Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com

On Aug 30, 2019, at 7:22 AM, farzaneh badii <farzaneh.badii@gmail.com> wrote:

I don't know if this has been flagged and I know that the zero draft is frozen for now but I believe the diagram about the assessment of the data requested Step 2, is not correct. It says that if the data is non-EEA data may be released with no balancing test performed. In phase one we agreed that the contracted parties can make geo diff if they want. The ones that do not do geo diff should definitely follow the disclosure policy we are coming up with and perform the balancing test regardless of EEA or non-EEA data. I don't think they should just release the data. As we argued, ICANN's policies are global. If disclosure is global, data protection has to be global too.

Farzaneh

<epdp-p2_swimlane_v0.2.2.pdf>

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org

https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=21TqJSMQV0kHuTo9rha44EVs9jCy7uBr8L8cveIHb6c&e= _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=VeFjG9M5NbXD9OqeCXKleOaEpa6_jMxj3EseaMJ5H2U&e= ) and the website Terms of Service ( https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=7E_OKnno3mhFtTwXIwua0a8Qwg3_dmrXTO150Q4GL8Y&e= ). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi Brian. I think you have this part: “So, the data must be disclosed unless there’s a legal basis for withholding it.” Exactly backwards. One of the key principles of GDPR (and other privacy laws, including California which will become the de facto US model) is privacy by design/privacy by default. Any requests that the controller feels are in a gray area must be rejected unless/until the legal basis is strengthened. So it would be more correct to say that “The data must be protected, unless there is a legal basis for disclosing it.” Why do we keep harping on this? Because as a contracted parties and data controllers, we need SSAD to work, but also stand up to scrutiny and the inevitable legal challenges. If we work our tails off for two years to create a disclosure framework, only to see it promptly knocked down by courts or government regulators, then that puts us exactly in the same spot we were before the Temp Spec. Thanks— J. ------------- James Bladel GoDaddy ________________________________ From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> Sent: Friday, August 30, 2019 06:56 To: farzaneh badii Cc: GNSO EPDP Subject: Re: [Gnso-epdp-team] Zero-Draft Doc- Assessment of the data being requested Notice:This email is from an external sender. Hi Farzaneh, That’s not quite right. We decided that CPs could differentiate in the context of publication/redaction, not in the context of SSAD. In the SSAD context, the act of withholding data when someone needs it, without a legal basis for withholding it (i.e. application of privacy law), would be legally problematic for the entity withholding access. In this case, withholding the data could make the controller secondarily liable for the bad actor’s conduct. So, the data must be disclosed unless there’s a legal basis for withholding it. For legal persons and natural persons not covered by data privacy law, there is no legal basis for withholding the data, and there should be no balancing test. Brian J. King Director of Internet Policy and Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com<mailto:brian.king@markmonitor.com> On Aug 30, 2019, at 7:22 AM, farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> wrote: I don't know if this has been flagged and I know that the zero draft is frozen for now but I believe the diagram about the assessment of the data requested Step 2, is not correct. It says that if the data is non-EEA data may be released with no balancing test performed. In phase one we agreed that the contracted parties can make geo diff if they want. The ones that do not do geo diff should definitely follow the disclosure policy we are coming up with and perform the balancing test regardless of EEA or non-EEA data. I don't think they should just release the data. As we argued, ICANN's policies are global. If disclosure is global, data protection has to be global too. Farzaneh <epdp-p2_swimlane_v0.2.2.pdf> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=21TqJSMQV0kHuTo9rha44EVs9jCy7uBr8L8cveIHb6c&e= _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=VeFjG9M5NbXD9OqeCXKleOaEpa6_jMxj3EseaMJ5H2U&e= ) and the website Terms of Service (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=7E_OKnno3mhFtTwXIwua0a8Qwg3_dmrXTO150Q4GL8Y&e= ). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

This is just to agree with James. The general rule is that processing is prohibited, unless there is a legal basis. Best, Thomas ***** rickert.law ________________________________ Von: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> im Auftrag von James M. Bladel <jbladel@godaddy.com> Gesendet: Friday, August 30, 2019 3:56:58 PM An: King, Brian <Brian.King@markmonitor.com>; farzaneh badii <farzaneh.badii@gmail.com> Cc: GNSO EPDP <gnso-epdp-team@icann.org> Betreff: Re: [Gnso-epdp-team] Zero-Draft Doc- Assessment of the data being requested Hi Brian. I think you have this part: “So, the data must be disclosed unless there’s a legal basis for withholding it.” Exactly backwards. One of the key principles of GDPR (and other privacy laws, including California which will become the de facto US model) is privacy by design/privacy by default. Any requests that the controller feels are in a gray area must be rejected unless/until the legal basis is strengthened. So it would be more correct to say that “The data must be protected, unless there is a legal basis for disclosing it.” Why do we keep harping on this? Because as a contracted parties and data controllers, we need SSAD to work, but also stand up to scrutiny and the inevitable legal challenges. If we work our tails off for two years to create a disclosure framework, only to see it promptly knocked down by courts or government regulators, then that puts us exactly in the same spot we were before the Temp Spec. Thanks— J. ------------- James Bladel GoDaddy ________________________________ From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> Sent: Friday, August 30, 2019 06:56 To: farzaneh badii Cc: GNSO EPDP Subject: Re: [Gnso-epdp-team] Zero-Draft Doc- Assessment of the data being requested Notice:This email is from an external sender. Hi Farzaneh, That’s not quite right. We decided that CPs could differentiate in the context of publication/redaction, not in the context of SSAD. In the SSAD context, the act of withholding data when someone needs it, without a legal basis for withholding it (i.e. application of privacy law), would be legally problematic for the entity withholding access. In this case, withholding the data could make the controller secondarily liable for the bad actor’s conduct. So, the data must be disclosed unless there’s a legal basis for withholding it. For legal persons and natural persons not covered by data privacy law, there is no legal basis for withholding the data, and there should be no balancing test. Brian J. King Director of Internet Policy and Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com<mailto:brian.king@markmonitor.com> On Aug 30, 2019, at 7:22 AM, farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> wrote: I don't know if this has been flagged and I know that the zero draft is frozen for now but I believe the diagram about the assessment of the data requested Step 2, is not correct. It says that if the data is non-EEA data may be released with no balancing test performed. In phase one we agreed that the contracted parties can make geo diff if they want. The ones that do not do geo diff should definitely follow the disclosure policy we are coming up with and perform the balancing test regardless of EEA or non-EEA data. I don't think they should just release the data. As we argued, ICANN's policies are global. If disclosure is global, data protection has to be global too. Farzaneh <epdp-p2_swimlane_v0.2.2.pdf> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=21TqJSMQV0kHuTo9rha44EVs9jCy7uBr8L8cveIHb6c&e= _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=VeFjG9M5NbXD9OqeCXKleOaEpa6_jMxj3EseaMJ5H2U&e= ) and the website Terms of Service (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwICAg&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=YDnfsCS-C6PX-k9KBPaWdGMlomR5c6Qzl9pKeq21yqk&s=7E_OKnno3mhFtTwXIwua0a8Qwg3_dmrXTO150Q4GL8Y&e= ). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.