I was reading through two documents setting out in detail the proposed guidance on legal/natural.

There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people's comments crawling all over it.

I was pretty supportive of the Guidance overall. I had one problem with it, though.

I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 "high level scenarios".

The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on "inferences."

That option just doesn't fly for those of us representing RNH's in this process. We cannot have a registrant's disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.

Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
Hi Milton,

Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.

One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?

As always, we’re happy to work with you and look forward to finding consensus.

Brian J. King
He/Him/His
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com <http://www.clarivate.com> | Accelerating innovation

> From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L via Gnso-epdp-team
> Sent: Wednesday, March 24, 2021 11:13 AM
> To: gnso-epdp-team@icann.org
> Subject: [Gnso-epdp-team] On the proposed guidance
>
> I was reading through two documents setting out in detail the proposed guidance on legal/natural.
>
> There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it.
>
> I was pretty supportive of the Guidance overall. I had one problem with it, though.
>
> I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”.
>
> The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.”
>
> That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.
>
> Dr. Milton L Mueller
> Georgia Institute of Technology
> School of Public Policy

Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.
Hi Brian,

the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.

--
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
> Hi Milton,
>
> Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.
>
> One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?
>
> As always, we’re happy to work with you and look forward to finding consensus.
>
> Brian J. King
> He/Him/His
> Head of Policy and Advocacy, Intellectual Property Group
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list in accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Hey Volker,

I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law.

I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?

Brian J. King
He/Him/His
Head of Policy and Advocacy, Intellectual Property Group

> From: Volker Greimann <vgreimann@key-systems.net>
> Sent: Wednesday, March 24, 2021 3:58 PM
> To: King, Brian <Brian.King@markmonitor.com>
> Cc: Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org
> Subject: Re: [Gnso-epdp-team] On the proposed guidance
>
> Hi Brian,
>
> the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> KEY-SYSTEMS GMBH
Hi Brian,

That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.

Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.

On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address. So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.

But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.

--
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
> Hey Volker,
>
> I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law.
>
> I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
>
> Brian J. King
> He/Him/His
> Head of Policy and Advocacy, Intellectual Property Group
Thank you for the well-reasoned and thorough response, Volker. I’m even more encouraged having read it.

In many ways, I view the sort of approach you describe below as the best possible path forward to success in EPDP 2A: what reasonable steps can registrars take to achieve the level of certainty required under GDPR that registrants are legal/natural entities and that the RDS data contains/doesn’t contain personal data?

We’ll get to whether any particular treatment of the data must happen from there, but let’s take a very similar approach to the one you describe below, applied to the question above (and this is already in progress). We’ll leave sufficient flexibility for registrars like yours, mine, and Sarah’s to operate in our own way.

Brian J. King
He/Him/His
Head of Policy and Advocacy, Intellectual Property Group

> From: Volker Greimann <vgreimann@key-systems.net>
> Sent: Wednesday, March 24, 2021 5:07 PM
> To: King, Brian <Brian.King@markmonitor.com>
> Cc: Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org
> Subject: Re: [Gnso-epdp-team] On the proposed guidance
>
> Hi Brian,
>
> That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate. Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all. On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address. So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data. But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> KEY-SYSTEMS GMBH
<gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Mueller, Milton L via Gnso-epdp-team Sent: Wednesday, March 24, 2021 11:13 AM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: [Gnso-epdp-team] On the proposed guidance I was reading through two documents setting out in detail the proposed guidance on legal/natural. There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it. I was pretty supportive of the Guidance overall. I had one problem with it, though. I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”. The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.” That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus. Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy [IGP_logo_gold block] Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately. 
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=KB-Bo9xYcTsaV-lrfJIsfRxB7i_yekkMNRTbi8IUx2s&e=> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=KI3v50SXH9pcgbjslcb50spSZuwJHRD7_CnwSf_bcXc&e=>) and the website Terms of Service (https://www.icann.org/privacy/tos<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=Pe4S6hYEUMqw6Eq9DWqbMeaOGnw2zVXTDobhF5xUuY0&e=>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately. Confidentiality note: This e-mail may contain confidential information from Clarivate. 
If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘protecting all data equally’ and that ‘you do not need to differentiate’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:
i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Wednesday, March 24, 2021 10:07 PM To: King, Brian <Brian.King@markmonitor.com> Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
Hi Melina,
if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish. My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘protecting all data equally’ and that ‘you do not need to differentiate’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid: i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 10:07 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQO0zZyZM$>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
Hey Volker,
I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law.
I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com <https://urldefense.com/v3/__http:/www.clarivate.com__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQCW5YUXp$> | Accelerating innovation
Follow us on LinkedIn <https://urldefense.com/v3/__https:/www.linkedin.com/company/clarivate__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQCvxAWKN$>, Twitter <https://urldefense.com/v3/__https:/twitter.com/clarivate?ref_src=twsrc*5Egoogle*7Ctwcamp*5Eserp*7Ctwgr*5Eauthor__;JSUlJSU!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQD240Aw8$>, Facebook <https://urldefense.com/v3/__https:/www.facebook.com/clarivate/__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQE3OR2v4$> and Instagram <https://urldefense.com/v3/__https:/www.instagram.com/clarivateofficial/?hl=en__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQJ4vFbZ1$>
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Wednesday, March 24, 2021 3:58 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul data protection law if you do that correctly and it is pretty easy to demonstrate as well.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net_&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=yN8BHspGj3eYe2CXQepAVOhufF1uWv8Ut-PpDdaFw-k&e=>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Hi Milton,
Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.
One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?
As always, we’re happy to work with you and look forward to finding consensus.
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com <https://urldefense.com/v3/__http:/www.clarivate.com__;!!DOxrgLBm!TNAiZf3EyheqvXxgQ3E8rqWa-Dt70SexlB2mim32VULbMMjhxTpKlwqpqS_s7mXWQCW5YUXp$> | Accelerating innovation
Follow us on LinkedIn <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_clarivate&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=bTH9-uZa1ulAV7ltM77Kkw6zYbSjQTDRiIhZ5aILoQA&e=>, Twitter <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_clarivate-3Fref-5Fsrc-3Dtwsrc-255Egoogle-257Ctwcamp-255Eserp-257Ctwgr-255Eauthor&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=saAKJDKaijH6v2xkw6R0-WBownX8UIKXMN5zKsYPT58&e=>, Facebook <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_clarivate_&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=guRk82NQpoUPMKHhfkk8hBOD7LbP-ZT0VnzGOCoIzBI&e=> and Instagram <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.instagram.com_clarivateofficial_-3Fhl-3Den&d=DwMFaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=qD32H8OIbs1z3Y2bdkOzGc3mUHIMW_Xp_6ZhFqwuQa8&s=ZZCjD7Z4CkwSecYOp5AXLrFBuQ3VgvD5E7kSFZsW9L4&e=>
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Mueller, Milton L via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 11:13 AM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] On the proposed guidance
I was reading through two documents setting out in detail the proposed guidance on legal/natural.
There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it.
I was pretty supportive of the Guidance overall. I had one problem with it, though.
I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”.
The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.”
That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list in accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Hi Volker,

Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.

It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:

- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does not relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.

It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.

Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).

Hope this helps. Happy to discuss further.

Best,
Melina

From: Volker Greimann <vgreimann@key-systems.net>
Sent: Thursday, March 25, 2021 4:22 PM
To: STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu>
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] On the proposed guidance

Hi Melina,

if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish.

My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.

--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:

Hi everyone,

Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.

@Volker:

1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘protecting all data equally’ and that ‘you do not need to differentiate’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?

2) In case your and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:

i. Would you consider making such distinction a requirement or still voluntary?

ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?

Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.

Best,
Melina

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann via Gnso-epdp-team
Sent: Wednesday, March 24, 2021 10:07 PM
To: King, Brian <Brian.King@markmonitor.com>
Cc:
Subject: Re: [Gnso-epdp-team] On the proposed guidance

Hi Brian,

That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.

Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.

On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address. So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.

But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.

--
Volker A. Greimann

On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:

Hey Volker,

I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law. I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?

Brian J. King
He/Him/His
Head of Policy and Advocacy, Intellectual Property Group

From: Volker Greimann <vgreimann@key-systems.net>
Sent: Wednesday, March 24, 2021 3:58 PM
To: King, Brian <Brian.King@markmonitor.com>
Cc: Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] On the proposed guidance

Hi Brian,

the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.

--
Volker A. Greimann

On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:

Hi Milton,

Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.

One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law.

It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?

As always, we’re happy to work with you and look forward to finding consensus.

Brian J. King
Dear Volker and all,

First I would like to thank ICANN org for conducting additional research in relation to the ccTLDs' registration directory service policies. Having briefly looked at Appendix A, I would like to share with you some observations:

· None of the ccTLDs who differentiate between the data of legal and natural persons don't differentiate between the registrants' types.
· Two ccTLD registries do not differentiate between the publication of the data of the legal and natural persons because they publish the data of both.
· Four ccTLD registries neither make a differentiation between the registrants' types nor the registrants' registration data.
· The rest of the ccTLDs who do not differentiate between the publication of the data still differentiate between the registrants' types.
· It is unclear whether the ccTLD of Slovakia differentiates between the publication of the data. However the registry differentiates between the registrants' types (Legal/natural).

From the policies' summary, it is clear that in order to look into the issue of differentiating between the processing of the data of legal and natural persons, we need to consider at least two types of classifications. The first is the differentiation between the registrants' types, which does not necessarily lead to the publication of the data and the second is the differentiation between the data type.

Kind regards
Hadia

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of STROUNGI Melina via Gnso-epdp-team
Sent: Monday, April 12, 2021 5:08 PM
To: Volker Greimann
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] On the proposed guidance

Hi Volker,

Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.

It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:

- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does not relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.

It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.

Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).

Hope this helps. Happy to discuss further.

Best,
Melina
I think we may be over-complicating this discussion. Sounds to me like Volker and Melina have different views on what will satisfy the NIS2 requirement that non-personal data be made "publicly available" / "published without undue delay". If I'm understanding the point of this discussion, Volker suggests that prompt disclosure of non-personal data upon receipt of an SSAD request may be sufficient. Melina suggests that non-personal data must be available for non-intermediated access in some "always on" online RDDS database. If Volker is right, the relevance of the up-front legal/natural distinction is lessened because the disclosure is driven by the character of the data (personal or not personal). I don't have a view on what NIS2 requires, although access to things that are "published" on the Internet is almost always intermediated in one way or another. Also, FWIW, I think some ccTLDs differentiate registrant types in order to satisfy nexus requirements.
On Wed, Apr 14, 2021 at 8:36 AM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Dear Volker and all,
First I would like to thank ICANN org for conducting additional research in relation to the ccTLDs' registration directory service policies. Having briefly looked at Appendix A, I would like to share with you some observations:
· None of the ccTLDs who differentiate between the data of legal and natural persons don't differentiate between the registrants' types.
· Two ccTLD registries do not differentiate between the publication of the data of the legal and natural persons because they publish the data of both.
· Four ccTLD registries neither differentiate between the registrants' types nor the registrants' registration data.
· The rest of the ccTLDs who do not differentiate between the publication of the data still differentiate between the registrants' types.
· It is unclear whether the ccTLD of Slovakia differentiates between the publication of the data. However, the registry differentiates between the registrants' types (Legal/natural).
From the policies' summary, it is clear that in order to look into the issue of differentiating between the processing of the data of legal and natural persons, we need to consider at least two types of classifications. The first is the differentiation between the registrants' types, which does not necessarily lead to the publication of the data, and the second is the differentiation between the data type.
Kind regards
Hadia
*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of *STROUNGI Melina via Gnso-epdp-team *Sent:* Monday, April 12, 2021 5:08 PM *To:* Volker Greimann *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Volker,
Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.
It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:
- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does *not* relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.
It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.
Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).
Hope this helps. Happy to discuss further.
Best,
Melina
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Thursday, March 25, 2021 4:22 PM *To:* STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Melina,
if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish.
My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘*protecting all data equally*’ and that ‘*you do not need to differentiate*’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:
i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 10:07 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
Hey Volker,
I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law.
I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com <http://www.clarivate.com> | Accelerating innovation
Follow us on LinkedIn <https://www.linkedin.com/company/clarivate>, Twitter <https://twitter.com/clarivate?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>, Facebook <https://www.facebook.com/clarivate/> and Instagram <https://www.instagram.com/clarivateofficial/?hl=en>
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Wednesday, March 24, 2021 3:58 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Hi Milton,
Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.
One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?
As always, we’re happy to work with you and look forward to finding consensus.
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com <http://www.clarivate.com> | Accelerating innovation
Follow us on LinkedIn <https://www.linkedin.com/company/clarivate>, Twitter <https://twitter.com/clarivate?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>, Facebook <https://www.facebook.com/clarivate/> and Instagram <https://www.instagram.com/clarivateofficial/?hl=en>
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Mueller, Milton L via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 11:13 AM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] On the proposed guidance
I was reading through two documents setting out in detail the proposed guidance on legal/natural.
There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it.
I was pretty supportive of the Guidance overall. I had one problem with it, though.
I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”.
The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.”
That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
I don’t think this is an over-complication. It’s an issue which must be clarified and settled.
We’ve already determined that the non-contact non-personal data will be available to anyone for any purpose. The Registrar field would be an example of such data; ICANN Lookup<https://lookup.icann.org/> is an “always on” example of how such data is made freely available. We would not consider forcing a user to become accredited in order to get these data via SSAD. We would also not consider the transmission of such non-personal data to be “disclosure”. Melina can correct me if I am wrong, but I think we would call such transmission “publishing”.
Now we are discussing non-personal contact data. Once again, it’s not correct to characterize the transmission of non-personal contact data as “disclosure”, and to do so implies that it’s OK to hide non-personal contact data in spite of it being unprotected by GDPR and required to be “published” under NIS2D. Given the lack of protection and the obligation to “publish”, it is unworkable if non-personal contact data is only available via SSAD, a system for disclosure which requires accreditation, codes of conduct, and fees. These non-personal data must be available both via SSAD and via sources such as ICANN Lookup<https://lookup.icann.org/>.
Regarding intermediation of content published on the internet, I’d point to your Vcard at Becky Burr | Harris, Wiltshire & Grannis LLP (hwglaw.com)<https://www.hwglaw.com/team/becky-burr/>. That is an example of personal contact data being made freely available. I don’t know the details under which you are obliged to publish it, so I won’t make a direct comparison to domain name registration contact data --- but it would be silly if the non-personal contact data of a legal person such as Walmart should be harder to acquire than the personal contact data of an attorney, which is what I think you are acquiescing to below.
Finally, I think there is a meaningful distinction between what Melina is advocating (first determine if the person is legal, then look for the edge case where a legal person has submitted personal data despite being instructed not to do so) and what I think Volker is advocating (disregard legal status entirely and make no effort to ensure that legal entities submit only non-personal data). The intent of these are different and the outcomes will certainly be different. Given that Melina’s proposal is in line with my reading of the EPDP Phase 2a Charter, I assert that Melina’s approach is required.
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Becky Burr via Gnso-epdp-team Sent: Wednesday, April 14, 2021 11:33 AM To: Hadia <Hadia@tra.gov.eg> Cc: gnso-epdp-team@icann.org Subject: [EXTERNAL] Re: [Gnso-epdp-team] On the proposed guidance
I think we may be over-complicating this discussion. Sounds to me like Volker and Melina have different views on what will satisfy the NIS2 requirement that non-personal data be made "publicly available" / "published without undue delay". If I'm understanding the point of this discussion, Volker suggests that prompt disclosure of non-personal data upon receipt of an SSAD request may be sufficient. Melina suggests that non-personal data must be available for non-intermediated access in some "always on" online RDDS database. If Volker is right, the relevance of the up-front legal/natural distinction is lessened because the disclosure is driven by the character of the data (personal or not personal). I don't have a view on what NIS2 requires, although access to things that are "published" on the Internet is almost always intermediated in one way or another. Also, FWIW, I think some ccTLDs differentiate registrant types in order to satisfy nexus requirements.
On Wed, Apr 14, 2021 at 8:36 AM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Dear Volker and all,
First I would like to thank ICANN org for conducting additional research in relation to the ccTLDs' registration directory service policies. Having briefly looked at Appendix A, I would like to share with you some observations:
• None of the ccTLDs who differentiate between the data of legal and natural persons don't differentiate between the registrants' types.
• Two ccTLD registries do not differentiate between the publication of the data of the legal and natural persons because they publish the data of both.
• Four ccTLD registries neither differentiate between the registrants' types nor the registrants' registration data.
• The rest of the ccTLDs who do not differentiate between the publication of the data still differentiate between the registrants' types.
• It is unclear whether the ccTLD of Slovakia differentiates between the publication of the data. However, the registry differentiates between the registrants' types (Legal/natural).
From the policies' summary, it is clear that in order to look into the issue of differentiating between the processing of the data of legal and natural persons, we need to consider at least two types of classifications. The first is the differentiation between the registrants' types, which does not necessarily lead to the publication of the data, and the second is the differentiation between the data type.
Kind regards
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of STROUNGI Melina via Gnso-epdp-team Sent: Monday, April 12, 2021 5:08 PM To: Volker Greimann Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Volker,
Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.
It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:
- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does not relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.
It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.
Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).
Hope this helps. Happy to discuss further.
Best, Melina From: Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> Sent: Thursday, March 25, 2021 4:22 PM To: STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu<mailto:Melina.STROUNGI@ec.europa.eu>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] On the proposed guidance Hi Melina, if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish. My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.com%2Fv3%2F__http%3A%2Fwww.key-systems.net%2F__%3B!!DOxrgLBm!S4qH_9yVum0x39KcAPU39X1TMMihgXMy-hSb7xObqmhFvANUMMPXI3VHvYWHCiYE40qLD3GD%24&data=04%7C01%7Cmarksv%40microsoft.com%7C1fa89fb70c634c80a69c08d8ff73b7e7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637540219775063266%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F1Migb9wb5zfNDJAG3Id6Dw%2F7eolxxvlJBMPfLNpeLc%3D&reserved=0> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. 
If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote: Hi everyone, Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated. @Volker: 1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘protecting all data equally’ and that ‘you do not need to differentiate’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)? 2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid: i. Would you consider making such distinction a requirement or still voluntary? ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way? Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting. Best, Melina From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Wednesday, March 24, 2021 10:07 PM To: King, Brian <Brian.King@markmonitor.com> Cc: Subject: Re: [Gnso-epdp-team] On the proposed guidance Hi Brian, That approach is actually very compliant with data protection law. Overprotection is not an issue.
If you simply protect all data equally in a way that would be compliant, you do not need to differentiate. Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all. On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address. So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data. But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote: Hey Volker, I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law. I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data? Brian J.
King He/Him/His Head of Policy and Advocacy, Intellectual Property Group T +1 443 761 3726 Time zone: US Eastern Time clarivate.com | Accelerating innovation Follow us on LinkedIn, Twitter,
Facebook and Instagram From: Volker Greimann <vgreimann@key-systems.net> Sent: Wednesday, March 24, 2021 3:58 PM To: King, Brian <Brian.King@markmonitor.com> Cc: Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance Hi Brian, the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well. -- Volker A.
Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote: Hi Milton, Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective. One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law.
A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right? As always, we’re happy to work with you and look forward to finding consensus. Brian J. King He/Him/His Head of Policy and Advocacy, Intellectual Property Group T +1 443 761 3726 Time zone: US Eastern Time clarivate.com | Accelerating innovation Follow us on LinkedIn,
Twitter, Facebook and
Instagram From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L via Gnso-epdp-team Sent: Wednesday, March 24, 2021 11:13 AM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] On the proposed guidance I was reading through two documents setting out in detail the proposed guidance on legal/natural. There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it. I was pretty supportive of the Guidance overall. I had one problem with it, though. I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”. The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.” That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus. Dr.
Milton L Mueller Georgia Institute of Technology School of Public Policy Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy
(https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Are we/is the plenary discussing a requirement that CPs make an affirmative effort to dissuade legal persons from submitting personal data, e.g. encourage them to use email alias for tech contact? If so, then an initial distinction would be necessary. But isn’t that a policy question? As I said, I do not have an opinion as to whether NIS2 would permit making non personal data publicly accessible via an SSAD request. Becky Burr
On Apr 14, 2021, at 3:34 PM, Mark Svancarek (CELA) <marksv@microsoft.com> wrote:
below.
Finally, I think there is a meaningful distinction between what Melina is advocating (first determine if the person is legal, then look for the edge case where a legal person has submitted personal data despite being instructed not to do so) and what I think Volker is advocating (disregard legal status entirely and make no effort to ensure that legal entities submit only non-personal data). The intent of these are different and the outcomes will certainly be different. Given that Melina’s
Dear all, Thank you for your comments. I see some very good points made by Mark, Milton, Hadia, Brian and Alan. I believe we are – almost – all on the same page on the very basic principle of differentiating between legal and natural persons. @Becky to reply to your message and to clarify any ambiguities on NIS2 Proposal: I hope it may be helpful to note that I have been personally involved in the drafting of art. 23 of NIS2 Proposal and the accompanying relevant recitals and I was actively involved in the negotiations of every single word of the text and the reasons behind them. I can, thus, 100% confirm what I wrote on the two separate NIS 2 obligations on access and publication. I can also confirm that this is the message that the EC is passing and will continue to pass on to Member States. The SSAD is designed as an access and disclosure system – under NIS2 light this would mean providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (such access could entail both personal and non-personal data). Disclosure via the SSAD would not meet the NIS2 publication requirement. The publication requirement is a separate one and concerns immediate (‘without undue delay after the registration of a domain name’) publication of non-personal data of legal persons. Such data should be available not only via the SSAD but also in public. This requirement aims at addressing the current problems resulting from redacted WHOIS data, as availability of non-personal data of legal persons would be of paramount importance to the security, stability and resilience of the DNS and the ICANN community as a whole. Having clarified this I also agree with Alan’s point that, distinction between natural and legal persons not only is in line with the GDPR and NIS2, but also is in scope of EPDP Phase 2a.
See here: https://community.icann.org/pages/viewpage.action?pageId=150177878 As we are confined by time limitations and an upcoming deadline that approaches very fast, I would also warmly agree with those who wish that the focus of our remaining efforts remains within the scope of Phase 2a, which concerns the distinction between legal and natural persons (i.e., should it be a requirement and what guidance could there be developed for contracted parties who wish to distinguish between legal and natural persons). Best regards, Melina From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mark Svancarek (CELA) via Gnso-epdp-team Sent: Wednesday, April 14, 2021 9:35 PM To: Becky Burr <becky.burr@board.icann.org>; Hadia <Hadia@tra.gov.eg>; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] [EXTERNAL] Re: On the proposed guidance I don’t think this is an over-complication. It’s an issue which must be clarified and settled. We’ve already determined that the non-contact non-personal data will be available to anyone for any purpose. The Registrar field would be an example of such data; ICANN Lookup<https://lookup.icann.org/> is an “always on” example of how such data is made freely available. We would not consider forcing a user to become accredited in order to get these data via SSAD. We would also not consider the transmission of such non-personal data to be “disclosure”. Melina can correct me if I am wrong, but I think we would call such transmission “publishing”. Now we are discussing non-personal contact data. Once again, it’s not correct to characterize the transmission of non-personal contact data as “disclosure”, and to do so implies that it’s OK to hide non-personal contact data in spite of it being unprotected by GDPR and required to be “published” under NIS2D.
Given the lack of protection and the obligation to “publish”, it is unworkable if non-personal contact data is only available via SSAD, a system for disclosure which requires accreditation, codes of conduct, and fees. These non-personal data must be available both via SSAD and via sources such as ICANN Lookup<https://lookup.icann.org/>. Regarding intermediation of content published on the internet, I’d point to your Vcard at Becky Burr | Harris, Wiltshire & Grannis LLP (hwglaw.com)<https://www.hwglaw.com/team/becky-burr/>. That is an example of personal contact data being made freely available. I don’t know the details under which you are obliged to publish it, so I won’t make a direct comparison to domain name registration contact data --- but it would be silly if the non-personal contact data of a legal person such as Walmart should be harder to acquire than the personal contact data of an attorney, which is what I think you are acquiescing to below. Finally, I think there is a meaningful distinction between what Melina is advocating (first determine if the person is legal, then look for the edge case where a legal person has submitted personal data despite being instructed not to do so) and what I think Volker is advocating (disregard legal status entirely and make no effort to ensure that legal entities submit only non-personal data). The intent of these are different and the outcomes will certainly be different. Given that Melina’s proposal is in line with my reading of the EPDP Phase 2a Charter, I assert that Melina’s approach is required.
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Becky Burr via Gnso-epdp-team Sent: Wednesday, April 14, 2021 11:33 AM To: Hadia <Hadia@tra.gov.eg> Cc: gnso-epdp-team@icann.org Subject: [EXTERNAL] Re: [Gnso-epdp-team] On the proposed guidance I think we may be over-complicating this discussion. Sounds to me like Volker and Melina have different views on what will satisfy the NIS2 requirement that non-personal data be made "publicly available" / "published without undue delay". If I'm understanding the point of this discussion, Volker suggests that prompt disclosure of non-personal data upon receipt of an SSAD request may be sufficient. Melina suggests that non-personal data must be available for non-intermediated access in some "always on" online RDDS database. If Volker is right, the relevance of the up-front legal/natural distinction is lessened because the disclosure is driven by the character of the data (personal or not personal). I don't have a view on what NIS2 requires, although access to things that are "published" on the Internet are almost always intermediated in one way or another. Also, FWIW, I think some ccTLDs differentiate registrant types in order to satisfy nexus requirements. On Wed, Apr 14, 2021 at 8:36 AM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote: Dear Volker and all, First I would like to thank ICANN org for conducting additional research in relation to the ccTLDs' registration directory service policies. Having briefly looked at Appendix A, I would like to share with you some observations • None of the ccTLDs who differentiate between the data of legal and natural persons don't differentiate between the registrants' types.
• Two ccTLD registries do not differentiate between the publication of the data of the legal and natural persons because they publish the data of both. • Four ccTLD registries neither differentiate between the registrants' types nor the registrants' registration data. • The rest of the ccTLDs who do not differentiate between the publication of the data still differentiate between the registrants' types. • It is unclear whether the ccTLD of Slovakia differentiates between the publication of the data. However the registry differentiates between the registrants' types (Legal/natural) From the policies' summary, it is clear that in order to look into the issue of differentiating between the processing of the data of legal and natural persons, we need to consider at least two types of classifications. The first is the differentiation between the registrants' types, which does not necessarily lead to the publication of the data and the second is the differentiation between the data type. Kind regards Hadia From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of STROUNGI Melina via Gnso-epdp-team Sent: Monday, April 12, 2021 5:08 PM To: Volker Greimann Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance Hi Volker, Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.
It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations: - providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data) - publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does not relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services. It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements. Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal). Hope this helps. Happy to discuss further. Best, Melina From: Volker Greimann <vgreimann@key-systems.net> Sent: Thursday, March 25, 2021 4:22 PM To: STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance Hi Melina, if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish.
My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘protecting all data equally’ and that ‘you do not need to differentiate’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:
i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann via Gnso-epdp-team
Sent: Wednesday, March 24, 2021 10:07 PM
To: King, Brian <Brian.King@markmonitor.com>
Cc:
Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
--
Volker A. Greimann

On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
Hey Volker,
I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law. I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
Brian J. King
He/Him/His
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com | Accelerating innovation

From: Volker Greimann <vgreimann@key-systems.net>
Sent: Wednesday, March 24, 2021 3:58 PM
To: King, Brian <Brian.King@markmonitor.com>
Cc: Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.
--
Volker A. Greimann

On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Hi Milton,
Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.
One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law.
It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?
As always, we’re happy to work with you and look forward to finding consensus.
Brian J. King

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L via Gnso-epdp-team
Sent: Wednesday, March 24, 2021 11:13 AM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] On the proposed guidance
I was reading through two documents setting out in detail the proposed guidance on legal/natural. There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it.
I was pretty supportive of the Guidance overall. I had one problem with it, though. I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”. The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.”
That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else.
If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Hi Melina,
thank you for providing further background. It is interesting to see what the author intended by each word, however as my old German teacher used to say, the interpretation of the book is only valid if the text actually supports that interpretation. In other words, the intent of the author is irrelevant if it cannot be derived from the text as written. Additionally, this is a proposal, subject to change based on the comments received, subsequent negotiations between the various EU bodies that have a role to play, and ultimately the translation into Member State laws, which you know can differ significantly in details.
"Such data should be available not only via the SSAD but also in public."
The actual text of the draft directive does not support this statement. How the publication is supposed to occur is not mentioned once.
"availability of non-personal data of legal persons would be of paramount importance to the security, stability and resilience of the DNS and the ICANN community as a whole"
I see this argument again and again, yet every single time, it lacks substantiation. In fact, the last 2-3 years have arguably demonstrated the argument to be false, as non-personal data of legal persons has not been publicly available since the very day the GDPR came into effect and yet the security, stability and resiliency of the DNS and the ICANN community has not been impacted. The sky has not fallen, the DNS has remained secure, stable and resilient, DNS abuse has declined, according to ICANN's own numbers. The ICANN community has suffered more from COVID than from GDPR-related lack of disclosure. I therefore reiterate my initial request that the perceived need for any change to existing policy must be demonstrated.
"we are confined by time limitations and an upcoming deadline that approaches very fast"
Full agreement here, so let's not get hung up on pointless debates but try and solve the issue at hand, which is - as Steve has so aptly pointed out - the disclosability of the data, which ultimately hinges on the question of whether
a) personal information is present in the data set, or
b) personal information is not present in the data set.
a) is the case in both data sets of natural persons and legal persons
b) is the case only in legal person data sets that contain no personal information.
Consequently, a) can be disregarded for the question of disclosure (and publication) as the only relevant determination is made in b). Now, it may be _helpful_ to make the determination to exclude a large chunk of registrations from the secondary determination, but by no means is it _required_.
So the first part of the charter question "should it be a requirement" can definitely be answered with a negative. The secondary part "what guidance could there be developed for contracted parties who wish to distinguish between legal and natural persons" can be discussed more broadly once we agree on the answer for the first part.
--
Volker A. Greimann

On Thu, Apr 15, 2021 at 2:34 PM STROUNGI Melina via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Dear all,
Thank you for your comments. I see some very good points made by Mark, Milton, Hadia, Brian and Alan.
I believe we are – almost – all on the same page on the very basic principle of differentiating between legal and natural persons.
@Becky to reply to your message and to clarify any ambiguities on NIS2 Proposal:
I hope it may be helpful to note that I have been personally involved in the drafting of art. 23 of NIS2 Proposal and the accompanying relevant recitals and I was actively involved in the negotiations of every single word of the text and the reasons behind them. I can, thus, 100% confirm what I wrote on the two separate NIS2 obligations on access and publication. I can also confirm that this is the message that the EC is passing and will continue to pass on to Member States.
The SSAD is designed as an access and disclosure system – under NIS2 light this would mean providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (such access could entail both personal and non-personal data).
Disclosure via the SSAD would not meet the NIS2 publication requirement. The publication requirement is a separate one and concerns immediate (‘without undue delay after the registration of a domain name’) publication of non-personal data of legal persons. Such data should be available not only via the SSAD but also in public. This requirement aims at addressing the current problems resulting from redacted WHOIS data, as availability of non-personal data of legal persons would be of paramount importance to the security, stability and resilience of the DNS and the ICANN community as a whole.
Having clarified this I also agree with Alan’s point that, distinction between natural and legal persons not only is in line with the GDPR and NIS2, but also is in scope of EPDP Phase 2a. See here: https://community.icann.org/pages/viewpage.action?pageId=150177878
As we are confined by time limitations and an upcoming deadline that approaches very fast, I would also warmly agree with those who wish that the focus of our remaining efforts remains within the scope of Phase 2a, which concerns the distinction between legal and natural persons (i.e., should it be a requirement and what guidance could there be developed for contracted parties who wish to distinguish between legal and natural persons).
Best regards, Melina
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Mark Svancarek (CELA) via Gnso-epdp-team *Sent:* Wednesday, April 14, 2021 9:35 PM *To:* Becky Burr <becky.burr@board.icann.org>; Hadia <Hadia@tra.gov.eg>; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] [EXTERNAL] Re: On the proposed guidance
I don’t think this is an over-complication. It’s an issue which must be clarified and settled.
We’ve already determined that the non-contact non-personal data will be available to anyone for any purpose. The Registrar field would be an example of such data; ICANN Lookup <https://lookup.icann.org/> is an “always on” example of how such data is made freely available. We would not consider forcing a user to become accredited in order to get these data via SSAD. We would also not consider the transmission of such non-personal data to be “disclosure”. Melina can correct me if I am wrong, but I think we would call such transmission “publishing”.
Now we are discussing non-personal contact data. Once again, it’s not correct to characterize the transmission of non-personal contact data as “disclosure”, and to do so implies that it’s OK to hide non-personal contact data in spite of it being unprotected by GDPR and required to be “published” under NIS2D.
Given the lack of protection and the obligation to “publish”, it is unworkable if non-personal contact data is only available via SSAD, a system for disclosure which requires accreditation, codes of conduct, and fees. These non-personal data must be available both via SSAD and via sources such as ICANN Lookup <https://lookup.icann.org/>.
Regarding intermediation of content published on the internet, I’d point to your Vcard at Becky Burr | Harris, Wiltshire & Grannis LLP (hwglaw.com) <https://www.hwglaw.com/team/becky-burr/>. That is an example of personal contact data being made freely available. I don’t know the details under which you are obliged to publish it, so I won’t make a direct comparison to domain name registration contact data --- but it would be silly if the non-personal contact data of a legal person such as Walmart should be harder to acquire than the personal contact data of an attorney, which is what I think you are acquiescing to below.
Finally, I think there is a meaningful distinction between what Melina is advocating (first determine if the person is legal, then look for the edge case where a legal person has submitted personal data despite being instructed not to do so) and what I think Volker is advocating (disregard legal status entirely and make no effort to ensure that legal entities submit only non-personal data). The intent of these is different and the outcomes will certainly be different. Given that Melina’s proposal is in line with my reading of the EPDP Phase 2a Charter, I assert that Melina’s approach is required.
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Becky Burr via Gnso-epdp-team *Sent:* Wednesday, April 14, 2021 11:33 AM *To:* Hadia <Hadia@tra.gov.eg> *Cc:* gnso-epdp-team@icann.org *Subject:* [EXTERNAL] Re: [Gnso-epdp-team] On the proposed guidance
I think we may be over-complicating this discussion.
Sounds to me like Volker and Melina have different views on what will satisfy the NIS2 requirement that non-personal data be made "publicly available" / "published without undue delay". If I'm understanding the point of this discussion, Volker suggests that prompt disclosure of non-personal data upon receipt of an SSAD request may be sufficient. Melina suggests that non-personal data must be available for non-intermediated access in some "always on" online RDDS database. If Volker is right, the relevance of the up-front legal/natural distinction is lessened because the disclosure is driven by the character of the data (personal or not personal). I don't have a view on what NIS2 requires, although access to things that are "published" on the Internet are almost always intermediated in one way or another.
Also, FWIW, I think some ccTLDs differentiate registrant types in order to satisfy nexus requirements.
On Wed, Apr 14, 2021 at 8:36 AM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Dear Volker and all,
First I would like to thank ICANN org for conducting additional research in relation to the ccTLDs' registration directory service policies. Having briefly looked at Appendix A, I would like to share with you some observations:
· None of the ccTLDs who differentiate between the data of legal and natural persons don't differentiate between the registrants' types.
· Two ccTLD registries do not differentiate between the publication of the data of the legal and natural persons because they publish the data of both.
· Four ccTLD registries differentiate neither between the registrants' types nor between the registrants' registration data.
· The rest of the ccTLDs who do not differentiate between the publication of the data still differentiate between the registrants' types.
· It is unclear whether the ccTLD of Slovakia differentiates between the publication of the data. However the registry differentiates between the registrants' types (Legal/natural)
From the policies' summary, it is clear that in order to look into the issue of differentiating between the processing of the data of legal and natural persons, we need to consider at least two types of classifications. The first is the differentiation between the registrants' types, which does not necessarily lead to the publication of the data, and the second is the differentiation between the data types.
Kind regards
Hadia
*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of *STROUNGI Melina via Gnso-epdp-team *Sent:* Monday, April 12, 2021 5:08 PM *To:* Volker Greimann *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Volker,
Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.
It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:
- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does *not* relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.
It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.
Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).
Hope this helps. Happy to discuss further.
Best,
Melina
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Thursday, March 25, 2021 4:22 PM *To:* STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Melina,
if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish.
My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina < Melina.STROUNGI@ec.europa.eu> wrote:
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘*protecting all data equally’* and that ‘*you do not need to differentiate’*. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case your and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:
i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 10:07 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
Hey Volker,
I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law.
I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Wednesday, March 24, 2021 3:58 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Hi Milton,
Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.
One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?
As always, we’re happy to work with you and look forward to finding consensus.
*Brian J. King* *He/Him/His*
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Mueller, Milton L via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 11:13 AM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] On the proposed guidance
I was reading through two documents setting out in detail the proposed guidance on legal/natural.
There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it.
I was pretty supportive of the Guidance overall. I had one problem with it, though.
I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”.
The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.”
That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately.
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Colleagues:

I have only gotten time to review the latest Guidance document and the surrounding debate today. Apologies, but there is a lot going on in my day job.

I am disappointed to see that we seem to be going backwards. I see divergence rather than convergence on the way we are approaching the problem.

I see no point in adding more noise to the current document via the Comments function. What I would like to try to do is articulate some broad principles about how to deal with the legal/natural distinction. If we can agree on those principles, it will be relatively easy to complete the document. If we cannot/do not agree on those principles, additional wordsmithing and debates over terms will not get us anywhere.

So here are the broad principles that I would offer up for debate:

1. The legal/natural distinction is relevant and we need to find a way to make it in RDDS without compromising privacy rights.
2. Registrants should be able to self-designate as legal or natural, with no burden of authentication placed on registrars or registries.
3. To protect small home offices or NGOs who are technically Legal persons but whose registration data may include Personal data, we need an additional check in the process.
4. As long as they conform with the above 3 principles, registrars/ries (CPs) should be given maximum flexibility to choose the way to differentiate.

Principle 1 discussion:

If we cannot agree on this (or agree to abandon this principle), _nothing else will fall into place_. Ever. So let’s settle that. Steve and Volker I suspect will disagree with this principle. Steve has argued that the L/N distinction is “not a central concern” and all that matters is whether the registrant’s data is to be made available to anyone. If he is right, we can discard the guidance altogether, because we already have a recommendation to allow the RNH to consent to the publication of their data. Volker has also suggested that it is personal data we need to differentiate, not L/N. I disagree with Steve and Volker on this and so do most of the rest of the group. L/N distinction is a central concern to certain stakeholder groups in the EPDP, because a) GDPR and other data protection laws do not protect it and this process is all about bringing RDS into compliance with privacy law; b) Legal person data could be published and it would provide easier access to their registration data. As an NCSG member I can find no basis for objecting to the publication of WalMart’s, Kroger’s or the local hardware store’s registration data. Any concerns about PII are addressed by principles 2 and 3. Steve is approaching this as an engineer, but this is a policy process, and we will not obtain agreement on a solution unless certain stakeholders are satisfied. If they think it is a central concern, it’s a central concern, that’s how policy/politics work.

Principle 2 discussion

This is the key principle that keeps NCSG and CPH satisfied. Registrants are in control of how they are designated. Yes, this means that some people will lie. That is just something we will have to accept. One cannot erase that possibility without creating a system that is so burdensome and costly as to outweigh any benefits.

Principle 3 discussion

This is something everyone seems to agree on already. But it is good to make it explicit, then we can work out how specific our guidance can get, so as to conform to …

Principle 4

Avoid being overly prescriptive, but ensure that the other 3 principles are honored. So yes, Volker, we give you maximum flexibility to implement in accordance with different business models, but you can NOT make a designation for a RNH, because it violates principle 2.

I truly believe that if we can come to agreement on these 4 principles and use them as the basis for drafting guidance, we can actually finish this.
Thank you, Milton, for the constructive suggestion on the principles. They make sense and you make some good points.

Let’s spend some time on the inherent tension between Principle 2 and Principle 4. For one example, even if we do not impose a policy requiring CPs to override a RNH’s self-designation, it appears that law may very well require it (now or in the future). In that case, a policy prohibiting CPs from overriding an erroneous or fraudulent self-designation would be problematic. Point being: there’s something here to discuss.

I’m actually encouraged by progress so far and am looking forward to continuing to come together. …if we can figure out in which Google doc we need to do our homework 😊

Brian King
He/Him/His
Head of Policy and Advocacy
Dear Milton,

Thank you for your constructive thoughts. I believe we have a lot to build on. In relation to principle one, I think we all agree that some legal data subjects would want to publish their data in the RDDS, but without your first principle they can only do this through consent. The legal memo received lately from Bird & Bird explains that if CPs publish the data of legal persons based on consent they are at a higher risk than if they publish the data of legal persons based on self-designation. In the latter case CPs might only be liable if they fail to address a complaint. So the question always was: what is the benefit of labeling the data as belonging to a natural or legal person? Of course we all know that GDPR protects the data of natural persons and not legal persons, but the important answer now is that the distinction significantly reduces the liability of CPs. In addition, the distinction is helpful in performing the balancing test in case the data is not published and I am sure if we look into individual use cases we can find many more benefits. Moreover, it could prove to be useful regarding possible upcoming regulations. I would also add that the level of protection assigned to the data elements suggested by Steve provides additional safeguards and flexibility in the implementation.

Finally, I join you in being optimistic about our ability to finish this.

Kind regards
Hadia
I think we need to be cognisant of the current status quo and use that as the basis for our thoughts on the matter:

1) There is no differentiation between legal or natural contacts.
2) The redaction of all contacts is permitted and has become the de-facto standard.
3) We allow consent-based disclosure.
4) NIS 2 may at some point in the future require publication of non-personal information.

This leads to two very simple follow-on questions:

a) How do we identify such non-personal information? What is really necessary for this end?
b) What would publication entail?

For a) we and Twobirds identified voluntary self-declaration of the data submitted. As all data is redacted by default, the differentiation of the data subject category is irrelevant as it ultimately only boils down to the declaration of the data subject that the data contains no personal information.

For b), the term "publish" is undefined. For all we know, it could mean publication in a physical print edition (it doesn't mean that though). But publication within SSAD can very well be sufficient for that definition. There is no reason whatsoever to assume differently.

--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
I think we share common ground on many key issues and I would like to build on the many helpful inputs received as to what would be advisable.

Goal: publish non-personal, non-protected data to the greatest extent permissible under the GDPR and within low legal risks to data controllers and processors.

Note, the description below does not fully detail the advised safeguards which B&B has documented and which we’ve adopted in our prior input because my impression is that we generally agree that the safeguards are prudent. This description merely seeks to identify the key steps that must be taken to ensure that personal data is identified and protected and non-personal data is published. I also highlight the addition of a potential additional safeguard – Confirmation. I think this process incorporates what we’ve discussed and inputs received and could form a useful framework for discussion.

Note:

- New Registrations: This process applies to new registrations (Steve C. has some useful thoughts on how to deal with existing Registrations)
- Publish: When I use the word “publish,” I mean made public directly; not via the SSAD.
- Flexibility: Based on input from our Registrar colleagues, we should permit flexibility for how these steps are implemented to account for the varied business models in place.
- Timing: All identifications need to take place at the time of registration or shortly thereafter (w/in the 13-day accuracy verification window) and no registration data should be published until the identification, consent, and confirmation process concludes

Process:

1. A threshold identification of the registrant as a natural or legal person;
   a. If natural, registration info redacted
   b. If legal, further inquiries and advisories (safeguards):
      i. if the legal person identifies that it has a protected status under the GDPR
         1. registration info redacted
      ii. If the legal person registration contains personal data, advise of consequences (publication)
         1. Obtain necessary consents
         2. Possible additional safeguard: Ask Registrant to Confirm any identification that will result in publication of contact data (akin to confirming a flight reservation or stock trade)
            a. Publish
         3. If no consent
            a. Redact
2. Provide quick and easy opportunity to correct any mistakes

I hope this is useful.

Kind regards,
Laureen Kapin
Counsel for International Consumer Protection
Federal Trade Commission
Laureen,
Thanks for your note. With respect to the details under legal person, we believe the issue of consent should be moot. Everyone who is named in a role in a registration must have already been informed and consented to all of the conditions involved in the role. This is a prerequisite for having a working system and is not specific to meeting a privacy regulation. The fact that this requirement is not specified in the existing contractual documentation is an error and needs to be rectified.
Steve
On Thu, Apr 15, 2021 at 6:28 AM Kapin, Laureen via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
I think we share common ground on many key issues and I would like to build on the many helpful inputs received as to what would be advisable.
*Goal*: publish non-personal, non-protected data to the greatest extent permissible under the GDPR and within low legal risks to data controllers and processors. Note, the description below does *not* fully detail the advised safeguards which B&B has documented and which we’ve adopted in our prior input because my impression is that we generally agree that the safeguards are prudent. This description merely seeks to identify the key steps that must be taken to ensure that personal data is identified and protected and non-personal data is published. I also highlight the addition of a potential additional safeguard – Confirmation. I think this process incorporates what we’ve discussed and inputs received and could form a useful framework for discussion.
*Note:*
- *New Registrations:* This process applies to new registrations (Steve C. has some useful thoughts on how to deal with existing Registrations)
- *Publish:* When I use the word “publish,” I mean made public directly; not via the SSAD.
- *Flexibility:* Based on input from our Registrar colleagues, we should permit flexibility for how these steps are implemented to account for the varied business models in place.
- *Timing:* All identifications need to take place at the time of registration or shortly thereafter (w/in the 13-day accuracy verification window) and no registration data should be published until the identification, consent, and confirmation process concludes
*Process:*
1. A threshold identification of the registrant as a natural or legal person;
   a. If natural, registration info redacted
   b. If legal, further inquiries and advisories (safeguards):
      i. if the legal person identifies that it has a protected status under the GDPR
         1. registration info redacted
      ii. If the legal person registration contains personal data, advise of consequences (publication)
         1. Obtain necessary consents
         2. *Possible additional safeguard*: *Ask Registrant to Confirm any identification that will result in publication of contact data* (akin to confirming a flight reservation or stock trade)
            a. Publish
         3. If no consent
            a. Redact
2. Provide quick and easy opportunity to correct any mistakes
I hope this is useful.
Kind regards,
Laureen Kapin
Counsel for International Consumer Protection
Federal Trade Commission
(202) 326-3237
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Volker Greimann via Gnso-epdp-team *Sent:* Thursday, April 15, 2021 8:35 AM *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
I think we need to be cognisant of the current status quo and use that as the basis for our thoughts on the matter:
1) There is no differentiation between legal or natural contacts.
2) The redaction of all contacts is permitted and has become the de-facto standard.
3) We allow consent-based disclosure.
4) NIS 2 may at some point in the future require publication of non-personal information.
This leads to two very simple follow-on questions:
a) How do we identify such non-personal information? What is really necessary for this end?
b) What would publication entail?
For a) we and Twobirds identified voluntary self-declaration of the data submitted. As all data is redacted by default, the differentiation of the data subject category is irrelevant as it ultimately only boils down to the declaration of the data subject that the data contains no personal information.
For b), the term "publish" is undefined. For all we know, it could mean publication in a physical print edition (it doesn't mean that though). But publication within SSAD can very well be sufficient for that definition. There is no reason whatsoever to assume differently.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
I would like to draw the team’s attention back to the other proposed guidance document: https://docs.google.com/document/d/1YyiBmtcpa5PxsPnKDXZFfU0WEPVhgjN5ySv9KvQb... I’m not sure why it’s been largely ignored for the last month but I think this guidance does address the necessary issues around assisting Contracted Parties who do differentiate on Legal vs. Natural. There’s no need to discuss contractual amendments (which I think are out of scope for this team) and I think Volker made some very good points in the other fork on this same email thread. -- Sarah Wyld, CIPP/E Policy & Privacy Manager Tucows swyld@tucows.com +1.416 535 0123 Ext. 1392 From: Steve Crocker via Gnso-epdp-team Sent: April 15, 2021 9:36 AM To: Kapin, Laureen Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance Laureen, Thanks for your note. With respect to the details under legal person, we believe the issue of consent should be moot. Everyone who is named in a role in a registration must have already been informed and consented to all of the conditions involved in the role. This is a prerequisite for having a working system and is not specific to meeting a privacy regulation. The fact that this requirement is not specified in the existing contractual documentation is an error and needs to be rectified. Steve On Thu, Apr 15, 2021 at 6:28 AM Kapin, Laureen via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote: I think we share common ground on many key issues and I would like to build on the many helpful inputs received as to what would be advisable. Goal: publish non-personal, non-protected data to the greatest extent permissible under the GDPR and within low legal risks to data controllers and processors. Note, the description below does not fully detail the advised safeguards which B&B has documented and which we’ve adopted in our prior input because my impression is that we generally agree that the safeguards are prudent. 
This description merely seeks to identify the key steps that must be taken to ensure that personal data is identified and protected and non-personal data is published. I also highlight the addition of a potential additional safeguard – Confirmation. I think this process incorporates what we’ve discussed and inputs received and could form a useful framework for discussion. Note: New Registrations: This process applies to new registrations (Steve C. has some useful thoughts on how to deal with existing Registrations) Publish: When I use the word “publish,” I mean made public directly; not via the SSAD. W Flexibility: Based on input from our Registrar colleagues, we should permit flexibility for how these steps are implemented to account for the varied business models in place. d Timing: All identifications need to take place at the time of registration or shortly thereafter (w/in the 13-day accuracy verification window) and no registration data should be published until the identification, consent, and confirmation process concludes Process: 1. A threshold identification of the registrant as a natural or legal person; a. If natural, registration info redacted b. If legal, further inquiries and advisories (safeguards): i. if the legal person identifies that it has a protected status under the GDPR 1. registration info redacted ii. If the legal person registration contains personal data, advise of consequences (publication) 1. Obtain necessary consents 2. Possible additional safeguard: Ask Registrant to Confirm any identification that will result in publication of contact data (akin to confirming a flight reservation or stock trade) a. Publish 3. If no consent a. Redact 2. Provide quick and easy opportunity to correct any mistakes I hope this is useful. 
Kind regards, Laureen Kapin Counsel for International Consumer Protection Federal Trade Commission (202) 326-3237 From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Thursday, April 15, 2021 8:35 AM To: Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance I think we need to be cognisant of the current status quo and use that as the basis for our thoughts on the matter: 1) There is no differentiation between legal or natural contacts. 2) The redaction of all contacts is permitted and has become the de-facto standard. 3) We allow consent-based disclosure. 4) NIS 2 may at some point in the future require publication of non-personal information. This leads to two very simple follow-on questions: a) How do we identify such non-personal information? What is really necessary for this end? b) What would publication entail? For a) we and Twobirds identified voluntary self-declaration of the data submitted. As all data is redacted by default, the differentiation of the data subject category is irrelevant as it ultimately only boils down to the declaration of the data subject thatthe data contains no personal information. For b), the term "publish" is undefined. For all we know, it could mean publication in a physical print edition (it doesn't mean that though). But publication within SSAD can very well be sufficient for that definition. There is no reason whatsoever to assume differently. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. 
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. Virus-free. www.avast.com On Thu, Apr 15, 2021 at 1:52 PM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote: Dear Milton, Thank you for your constructive thoughts. I believe we have a lot to build on. In relation to principle one, I think we all agree that some legal data subjects would want to publish their data in the RDDS, but without your first principle they can only do this through consent. The legal memo received lately from Bird & Bird explains that if CPs publish the data of legal persons based on consent they are at a higher risk than if they publish the data of legal persons based on self-designation. In the latter case CPs might only be liable if they fail to address a complaint. So the question always was: what is the benefit of labeling the data as belonging to a natural or legal person? Of course we all know that GDPR protects the data of natural persons and not legal persons, but the important answer now is that the distinction significantly reduces the liability of CPs. In addition, the distinction is helpful in performing the balancing test in case the data is not published and I am sure if we look into individual use cases we can find much more benefits. Moreover, it could prove to be useful regarding possible upcoming regulations. I would also add that the level of protection assigned to the data elements suggested by Steve provides additional safe guards and flexibility in the implementation. Finally, I join you in being optimistic about our ability to finish this. 
Kind regards Hadia From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Mueller, Milton L via Gnso-epdp-team Sent: Wednesday, April 14, 2021 10:12 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance Colleagues: I have only gotten time to review the latest Guidance document and the surrounding debate today. Apologies, but there is a lot going on in my day job. I am disappointed to see that we seem to be going backwards. I see divergence rather than convergence on the way we are approaching the problem. I see no point in adding more noise to the current document via the Comments function. What I would like to try to do is articulate some broad principles about how to deal with the legal/natural distinction. If we can agree on those principles, it will be relatively easy to complete the document. If we cannot/do not agree on those principles, additional wordsmithing and debates over terms will not get us anywhere. So here are the broad principles that I would offer up for debate: 1. The legal/natural distinction is relevant and we need to find a way make it in RDDS without compromising privacy rights. 2. Registrants should be able to self-designate as legal or natural, with no burden of authentication placed on registrars or registries 3. To protect small home offices or NGOs who are technically Legal persons but whose registration data may include Personal data, we need an additional check in the process. 4. As long as they conform with the above 3 principles, registrars/ries (CPs) should be given maximum flexibility to choose the way to differentiate. Principle 1 discussion: If we cannot agree on this (or agree to abandon this principle), _nothing else will fall into place_. Ever. So let’s settle that. Steve and Volker I suspect will disagree with this principle. 
Steve has argued that the L/N distinction is “not a central concern” and all that matters is whether the registrant’s data is to be made available to anyone. If he is right, we can discard the guidance altogether, because we already have a recommendation to allow the RNH to consent to the publication of their data. Volker has also suggested that it is personal data we need to differentiate, not L/N . I disagree with Steve and Volker on this and so do most of the rest of the group. L/N distinction is a central concern to certain stakeholder groups in the EPDP, because a) GDPR and other data protection laws do not protect it and this process is all about bringing RDS into compliance with privacy law; b) Legal person data could be published and it would provide easier access to their registration data. As a NCSG member I can find no basis for objecting to the publication of WalMart’s, Kroger’s or the local hardware store’s registration data. Any concerns about PII are addressed by principles 2 and 3. Steve is approaching this as an engineer, but this is a policy process, and we will not obtain agreement on a solution unless certain stakeholders are satisfied. If they think it is a central concern, it’s a central concern, that’s how policy/politics work. Principle 2 discussion This is the key principle that keeps NCSG and CPH satisfied. Registrants are in control of how they are designated. Yes, this means that some people will lie. That is just something we will have to accept. One cannot erase that possibility without creating a system that is too burdensome and costly as to outweigh any benefits. Principle 3 discussion This is something everyone seems to agree on already. But it is good to make it explicit, then we can work out how specific our guidance can get, so as to conform to … Principle 4 Avoid being overly prescriptive, but ensure that the other 3 principles are honored. 
So yes, Volker, we give you maximum flexibility to implement in accordance with different business models, but you can NOT make a designation for a RNH, because it violates principle 2. I truly believe that if we can come to agreement on these 4 principles and use them as the basis for drafting guidance, we can actually finish this. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. Virus-free. www.avast.com _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
" Everyone who is named in a role in a registration must have already been informed and consented to all of the conditions involved in the role. " This is the ideal. Sadly, this ideal is very often not the case. Employees are named by other employees without their knowledge, or remain named long after they leave. From the experience as a registrar dealing with registrants every day, this ideal is an assumption that does not survive contact with reality. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Apr 15, 2021 at 3:36 PM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Laureen,
Thanks for your note. With respect to the details under legal person, we believe the issue of consent should be moot. Everyone who is named in a role in a registration must have already been informed and consented to all of the conditions involved in the role. This is a prerequisite for having a working system and is not specific to meeting a privacy regulation. The fact that this requirement is not specified in the existing contractual documentation is an error and needs to be rectified.
Steve
On Thu, Apr 15, 2021 at 6:28 AM Kapin, Laureen via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
I think we share common ground on many key issues and I would like to build on the many helpful inputs received as to what would be advisable.
*Goal*: publish non-personal, non-protected data to the greatest extent permissible under the GDPR and within low legal risks to data controllers and processors. Note, the description below does *not* fully detail the advised safeguards which B&B has documented and which we’ve adopted in our prior input because my impression is that we generally agree that the safeguards are prudent. This description merely seeks to identify the key steps that must be taken to ensure that personal data is identified and protected and non-personal data is published. I also highlight the addition of a potential additional safeguard – Confirmation. I think this process incorporates what we’ve discussed and inputs received and could form a useful framework for discussion.
*Note:*
• *New Registrations:* This process applies to new registrations (Steve C. has some useful thoughts on how to deal with existing Registrations)
• *Publish:* When I use the word “publish,” I mean made public directly; not via the SSAD.
• *Flexibility:* Based on input from our Registrar colleagues, we should permit flexibility for how these steps are implemented to account for the varied business models in place.
• *Timing:* All identifications need to take place at the time of registration or shortly thereafter (w/in the 13-day accuracy verification window) and no registration data should be published until the identification, consent, and confirmation process concludes
*Process:*
1. A threshold identification of the registrant as a natural or legal person;
   a. If natural, registration info redacted
   b. If legal, further inquiries and advisories (safeguards):
      i. if the legal person identifies that it has a protected status under the GDPR
         1. registration info redacted
      ii. If the legal person registration contains personal data, advise of consequences (publication)
         1. Obtain necessary consents
         2. *Possible additional safeguard*: *Ask Registrant to Confirm any identification that will result in publication of contact data* (akin to confirming a flight reservation or stock trade)
            a. Publish
         3. If no consent
            a. Redact
2. Provide quick and easy opportunity to correct any mistakes
I hope this is useful.
Kind regards,
Laureen Kapin
Counsel for International Consumer Protection
Federal Trade Commission
(202) 326-3237
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Thursday, April 15, 2021 8:35 AM *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
I think we need to be cognisant of the current status quo and use that as the basis for our thoughts on the matter:
1) There is no differentiation between legal or natural contacts.
2) The redaction of all contacts is permitted and has become the de-facto standard.
3) We allow consent-based disclosure.
4) NIS 2 may at some point in the future require publication of non-personal information.
This leads to two very simple follow-on questions:
a) How do we identify such non-personal information? What is really necessary for this end?
b) What would publication entail?
For a) we and Twobirds identified voluntary self-declaration of the data submitted. As all data is redacted by default, the differentiation of the data subject category is irrelevant as it ultimately only boils down to the declaration of the data subject that the data contains no personal information.
For b), the term "publish" is undefined. For all we know, it could mean publication in a physical print edition (it doesn't mean that though). But publication within SSAD can very well be sufficient for that definition. There is no reason whatsoever to assume differently.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
On Thu, Apr 15, 2021 at 1:52 PM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Dear Milton,
Thank you for your constructive thoughts. I believe we have a lot to build on. In relation to principle one, I think we all agree that some legal data subjects would want to publish their data in the RDDS, but without your first principle they can only do this through consent. The legal memo received lately from Bird & Bird explains that if CPs publish the data of legal persons based on consent they are at a higher risk than if they publish the data of legal persons based on self-designation. In the latter case CPs might only be liable if they fail to address a complaint. So the question always was: what is the benefit of labeling the data as belonging to a natural or legal person? Of course we all know that GDPR protects the data of natural persons and not legal persons, but the important answer now is that the distinction significantly reduces the liability of CPs. In addition, the distinction is helpful in performing the balancing test in case the data is not published and I am sure if we look into individual use cases we can find many more benefits. Moreover, it could prove to be useful regarding possible upcoming regulations. I would also add that the level of protection assigned to the data elements suggested by Steve provides additional safeguards and flexibility in the implementation.
Finally, I join you in being optimistic about our ability to finish this.
Kind regards
Hadia
*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of *Mueller, Milton L via Gnso-epdp-team *Sent:* Wednesday, April 14, 2021 10:12 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Colleagues:
I have only gotten time to review the latest Guidance document and the surrounding debate today. Apologies, but there is a lot going on in my day job.
I am disappointed to see that we seem to be going backwards. I see divergence rather than convergence on the way we are approaching the problem.
I see no point in adding more noise to the current document via the Comments function. What I would like to try to do is articulate some broad principles about how to deal with the legal/natural distinction. If we can agree on those principles, it will be relatively easy to complete the document. If we cannot/do not agree on those principles, additional wordsmithing and debates over terms will not get us anywhere.
So here are the broad principles that I would offer up for debate:
1. The legal/natural distinction is relevant and we need to find a way to make it in RDDS without compromising privacy rights.
2. Registrants should be able to self-designate as legal or natural, with no burden of authentication placed on registrars or registries.
3. To protect small home offices or NGOs who are technically Legal persons but whose registration data may include Personal data, we need an additional check in the process.
4. As long as they conform with the above 3 principles, registrars/ries (CPs) should be given maximum flexibility to choose the way to differentiate.
Principle 1 discussion:
If we cannot agree on this (or agree to abandon this principle), _*nothing else will fall into place*_. Ever. So let’s settle that. Steve and Volker I suspect will disagree with this principle. Steve has argued that the L/N distinction is “not a central concern” and all that matters is whether the registrant’s data is to be made available to anyone. If he is right, we can discard the guidance altogether, because we already have a recommendation to allow the RNH to consent to the publication of their data. Volker has also suggested that it is personal data we need to differentiate, not L/N. I disagree with Steve and Volker on this and so do most of the rest of the group. L/N distinction is a central concern to certain stakeholder groups in the EPDP, because a) GDPR and other data protection laws do not protect it and this process is all about bringing RDS into compliance with privacy law; b) Legal person data could be published and it would provide easier access to their registration data. As an NCSG member I can find no basis for objecting to the publication of WalMart’s, Kroger’s or the local hardware store’s registration data. Any concerns about PII are addressed by principles 2 and 3. Steve is approaching this as an engineer, but this is a policy process, and we will not obtain agreement on a solution unless certain stakeholders are satisfied. If they think it is a central concern, it’s a central concern, that’s how policy/politics work.
Principle 2 discussion
This is the key principle that keeps NCSG and CPH satisfied. Registrants are in control of how they are designated. Yes, this means that some people will lie. That is just something we will have to accept. One cannot erase that possibility without creating a system that is so burdensome and costly as to outweigh any benefits.
Principle 3 discussion
This is something everyone seems to agree on already. But it is good to make it explicit, then we can work out how specific our guidance can get, so as to conform to …
Principle 4
Avoid being overly prescriptive, but ensure that the other 3 principles are honored. So yes, Volker, we give you maximum flexibility to implement in accordance with different business models, but you can NOT make a designation for a RNH, because it violates principle 2.
I truly believe that if we can come to agreement on these 4 principles and use them as the basis for drafting guidance, we can actually finish this.
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Dear Volker,
For this very same reason, publishing legal persons data based on self-designation puts you at a lower risk compared to consent.
Kind regards
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Thursday, April 15, 2021 4:10 PM To: Steve Crocker Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance
"Everyone who is named in a role in a registration must have already been informed and consented to all of the conditions involved in the role."
This is the ideal. Sadly, this ideal is very often not the case. Employees are named by other employees without their knowledge, or remain named long after they leave. From the experience as a registrar dealing with registrants every day, this ideal is an assumption that does not survive contact with reality.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
On Thu, Apr 15, 2021 at 3:36 PM Steve Crocker via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Laureen,
Thanks for your note. With respect to the details under legal person, we believe the issue of consent should be moot. Everyone who is named in a role in a registration must have already been informed and consented to all of the conditions involved in the role. This is a prerequisite for having a working system and is not specific to meeting a privacy regulation. The fact that this requirement is not specified in the existing contractual documentation is an error and needs to be rectified.
Steve
Dear Becky and All,
Albeit, the thread and the discussion is in relation to NIS2. My point is that the upfront distinction between natural and legal persons, which we are trying to avoid, is what almost all registries do, whether they differentiate between the data or not. We also need to remember that the legal guidance that we received from Bird & Bird suggests that if CPs publish legal persons' data based on consent they are at a higher risk than if they publish legal persons data based on registrant self-designation. Bird & Bird goes further to say that in the latter case, they might only be liable if they fail to address a complaint. So, we have legal advice saying that registrant self designation (legal/natural) reduces the CPs liability and a study that shows ALL registries that differentiate between the data differentiate between registrant types first. Yet we insist that the correct way forward is to just differentiate between the data (including personal information/not including personal information) - I fail to see the logic behind this.
Best
Hadia
On Wednesday, April 14, 2021, 08:32:55 PM GMT+2, Becky Burr via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
I think we may be over-complicating this discussion. Sounds to me like Volker and Melina have different views on what will satisfy the NIS2 requirement that non-personal data be made "publicly available" / "published without undue delay". If I'm understanding the point of this discussion, Volker suggests that prompt disclosure of non-personal data upon receipt of an SSAD request may be sufficient. Melina suggests that non-personal data must be available for non-intermediated access in some "always on" online RDDS database. If Volker is right, the relevance of the up-front legal/natural distinction is lessened because the disclosure is driven by the character of the data (personal or not personal).
I don't have a view on what NIS2 requires, although access to things that are "published" on the Internet are almost always intermediated in one way or another. Also, FWIW, I think some ccTLDs differentiate registrant types in order to satisfy nexus requirements.
On Wed, Apr 14, 2021 at 8:36 AM Hadia Abdelsalam Mokhtar EL miniawi via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Dear Volker and all,
First I would like to thank ICANN org for conducting additional research in relation to the ccTLDs' registration directory service policies. Having briefly looked at Appendix A, I would like to share with you some observations
· None of the ccTLDs who differentiate between the data of legal and natural persons don't differentiate between the registrants' types.
· Two ccTLD registries do not differentiate between the publication of the data of the legal and natural persons because they publish the data of both.
· Four ccTLD registries neither make a differentiation between the registrants' types nor the registrants' registration data.
· The rest of the ccTLDs who do not differentiate between the publication of the data still differentiate between the registrants' types.
· It is unclear whether the ccTLD of Slovakia differentiates between the publication of the data. However the registry differentiates between the registrants' types (Legal/natural)
From the policies' summary, it is clear that in order to look into the issue of differentiating between the processing of the data of legal and natural persons, we need to consider at least two types of classifications. The first is the differentiation between the registrants' types, which does not necessarily lead to the publication of the data and the second is the differentiation between the data type.
Kind regards
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of STROUNGI Melina via Gnso-epdp-team Sent: Monday, April 12, 2021 5:08 PM To: Volker Greimann Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Volker,
Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications. It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:
- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does not relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.
It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.
Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).
Hope this helps. Happy to discuss further.
Best,
Melina
From: Volker Greimann <vgreimann@key-systems.net> Sent: Thursday, March 25, 2021 4:22 PM To: STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Melina,
if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish.
My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘protecting all data equally’ and that ‘you do not need to differentiate’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:
i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Wednesday, March 24, 2021 10:07 PM To: King, Brian <Brian.King@markmonitor.com> Cc: Subject: Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
Hey Volker,
I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law. I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
Brian J.
King He/Him/His Head of Policy and Advocacy, Intellectual Property Group T +1 443 761 3726 Time zone: US Eastern Time clarivate.com | Accelerating innovation Follow us on LinkedIn,Twitter,Facebook and Instagram From: Volker Greimann <vgreimann@key-systems.net> Sent: Wednesday, March 24, 2021 3:58 PM To: King, Brian <Brian.King@markmonitor.com> Cc: Mueller, Milton L <milton@gatech.edu>;gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] On the proposed guidance Hi Brian, the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul data protection law if you do that correctly and it is pretty easy to demonstrate as well. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote: Hi Milton, Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective. One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. 
A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right? As always, we’re happy to work with you and look forward to finding consensus. Brian J. King He/Him/His Head of Policy and Advocacy, Intellectual Property Group T +1 443 761 3726 Time zone: US Eastern Time clarivate.com | Accelerating innovation Follow us on LinkedIn,Twitter,Facebook and Instagram From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org>On Behalf Of Mueller, Milton L via Gnso-epdp-team Sent: Wednesday, March 24, 2021 11:13 AM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] On the proposed guidance I was reading through two documents setting out in detail the proposed guidance on legal/natural. There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it. I was pretty supportive of the Guidance overall. I had one problem with it, though. I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”. The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.” That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. 
If we can strike that part of the guidance, I think we can be on our way to a much broader consensus. Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. Confidentiality note: This e-mail may contain confidential information from Clarivate. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this e-mail is strictly prohibited. If you have received this e-mail in error, please delete this e-mail and notify the sender immediately. 
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Hi Melina,
I disagree that publication of said non-personal data could not also occur in or through SSAD - the language is broad enough to allow for publication in SSAD.
Also: "domain registration data of legal persons which are not personal data" equals "domain registration data which is not personal data" in my book, so why go the extra step?
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Mon, Apr 12, 2021 at 5:07 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:
Hi Volker,
Thank you for your comments. I thought we had clarified these points during the EPDP discussions but seeing your latest reactions on the guidance doc, I would like to add a few – hopefully – helpful clarifications.
It is very positive to see that the NIS2 Proposal is taken into account; please note that NIS2 Proposal imposes two separate obligations:
- providing access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers (this would mean disclosure via the SSAD and could entail both personal and non-personal data)
- publication, without undue delay after the registration of a domain name, of domain registration data of legal persons which are not personal data (see recital 62 and article 23 (4)). This does *not* relate to SSAD – the publication requirement is a separate one and concerns providing data in the publicly accessible Registration Data Directory Services.
It is hard to see how your vision, as currently phrased in your email below, meets any of these two requirements.
Regarding your other point, I believe that it does matter to whom the data belongs. Data of natural persons are personal data and therefore should always be protected by default (unless there is consent) and data of legal persons are not protected, so in principle they should be disclosed (unless they contain personal data in which case you may decide to further distinguish and publish only the non-personal data of the legal persons – as also required by the NIS2 Proposal).
Hope this helps. Happy to discuss further.
Best,
Melina
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Thursday, March 25, 2021 4:22 PM *To:* STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Melina,
if we differentiated between personal and non-personal data only, it would not matter whom the data belonged to, e.g. a legal person record that contains personal information would be treated as the default: Do not publish.
My vision is that the differentiation would only make a difference in the handling of that data within SSAD where interested parties would be granted quick access to such non-personal data, as required by NIS2.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Thu, Mar 25, 2021 at 1:19 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> wrote:
Hi everyone,
Setting aside various points raised below which are not correct, for the benefit of continuation of a constructive discussion I would like to raise some clarification questions to which written input would be very much appreciated.
@Volker:
1) I am confused. I understand you and Sarah propose to have a distinction between personal and non-personal data, correct? Yet, below you suggest ‘*protecting all data equally*’ and that ‘*you do not need to differentiate*’. So in conclusion what are you proposing? Should you differentiate between personal and non-personal data or you should not differentiate at all (which would mean that you publish zero information)?
2) In case yours and Sarah’s proposal to distinguish only between personal and non-personal data is still valid:
i. Would you consider making such distinction a requirement or still voluntary?
ii. How exactly would you envisage doing such a distinction in practice? Would you for instance ask the registrants to specify which data are personal or not? Would you have a dedicated team checking manually all data? Any other way?
Thanks for clarifying these points as it would be very useful in view of our today’s EPDP plenary meeting.
Best,
Melina
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Volker Greimann via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 10:07 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
That approach is actually very compliant with data protection law. Overprotection is not an issue. If you simply protect all data equally in a way that would be compliant, you do not need to differentiate.
Accuracy is shown by demonstrating that the data is unchanged from the time it was created and how it was created, by showing that the data subject has contractually agreed to only provide accurate data (and correct if outdated), and has been provided with an annual opportunity to review the data. That is the level of accuracy that is relevant under the accuracy principle of the GDPR, after all.
On top of that (Bonus round for extra points here) the data collection process ensured that only properly formatted data was collected and the registrant has been required to verify his email address.
So reasonable steps to ensure the accuracy have been taken, the data subject can request a correction at any time and we will take action on any indication of inaccuracy of the data.
But the real problem isn't actually inaccurate data, in our experience. It is accurate data of the wrong data subject.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Wed, Mar 24, 2021 at 9:48 PM King, Brian <Brian.King@markmonitor.com> wrote:
Hey Volker,
I suppose my point (and I think I’m also paraphrasing an intervention made by Melina previously) is that approach is not likely to be compliant with data protection law.
I accept that the concept of accuracy as a policy matter is not within our remit, but let’s use accuracy as a data protection principle – how could a controller reasonably demonstrate to a DPA that the controller’s data is accurate, for example, if the controller has not even assessed whether the data is personal data?
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com | Accelerating innovation
*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Wednesday, March 24, 2021 3:58 PM *To:* King, Brian <Brian.King@markmonitor.com> *Cc:* Mueller, Milton L <milton@gatech.edu>; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] On the proposed guidance
Hi Brian,
the easiest way to comply with data protection law is to simply treat all registration data as if it were personal data. No chance of ever running afoul of data protection law if you do that correctly and it is pretty easy to demonstrate as well.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
On Wed, Mar 24, 2021 at 5:47 PM King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Hi Milton,
Thank you for the constructive intervention. Your point is well taken, and I can certainly see that from the RNH perspective.
One feature of data protection law related to your point is that it requires data controllers and processors to be able to demonstrate compliance with the law. A controller or processor could doubtfully demonstrate compliance with data protection law if they had not determined whether they were actually processing personal data. In fact, data protection professionals will tell you that you absolutely must determine what personal data you’re processing as the first step toward compliance with data protection law. It seems the policy question is: what, if anything, should contracted parties be required to do based on the status of the data? Is that right?
As always, we’re happy to work with you and look forward to finding consensus.
*Brian J. King* *He/Him/His*
Head of Policy and Advocacy, Intellectual Property Group
T +1 443 761 3726
Time zone: US Eastern Time
clarivate.com | Accelerating innovation
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Mueller, Milton L via Gnso-epdp-team *Sent:* Wednesday, March 24, 2021 11:13 AM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] On the proposed guidance
I was reading through two documents setting out in detail the proposed guidance on legal/natural.
There seems to be more than one Google doc on this and I am not sure which one is the latest or most official, though I suspect it is the one with various people’s comments crawling all over it.
I was pretty supportive of the Guidance overall. I had one problem with it, though.
I liked the description of HOW the differentiation needed to take place. But in describing WHEN differentiation takes place and WHO would do it, it sets out 3 “high level scenarios”.
The first two are ok. The third scenario (listed as #5 in the document) is that the Registrar does it for the RNH, based on “inferences.”
That option just doesn’t fly for those of us representing RNH’s in this process. We cannot have a registrant’s disclosure status or person type determined FOR them by someone else. If we can strike that part of the guidance, I think we can be on our way to a much broader consensus.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
participants (12)
- Becky Burr
- Hadia Abdelsalam Mokhtar EL miniawi
- Hadia El Miniawi
- ICANN
- Kapin, Laureen
- King, Brian
- Mark Svancarek (CELA)
- Mueller, Milton L
- Sarah Wyld
- Steve Crocker
- STROUNGI Melina
- Volker Greimann