Hi Melina, it is based in part on registrar experience and in part on the ICANN study on Abuse that found abuse was actually declining. The lack of automated, unreviewed access to whois data has not lead to any noticeable increase of abuse, at least I have seen nothing that counters that view. So if in the past three years it was not needed, why is it so urgent now? As for NIS2, I invite you to answer my question during the call: Why not apply the very same requirements to hosters, e.g. the parties that actually have access to the objectionable materials. You raised CSAM as an example. OK, lets go there: CSAM is not spread through a domain. It is always spread through hosting. The domain may make it easier to access, but if you remove the domain, the content is still there... -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Apr 22, 2021 at 4:40 PM STROUNGI Melina < Melina.STROUNGI@ec.europa.eu> wrote:

Hi,

We want to do it both fast and right. Differentiation between natural and legal persons can achieve doing it both fast and right, and is fully in line with GDPR and NIS 2 proposal.

“*The status quo of the past three years illustrates there is no urgency.”**à* Where are you basing this argument? Do you have a link or report to share?

The past three years have revealed numerous and major problems resulting from the redacted information. This is the very reason why EC proposed NIS 2 proposal at the first place.

Any implication that all those complaints received are inexistent and that DNS abuse is an imaginary problem is disrespectful at the very least.

Best,

Melina

*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Thursday, April 22, 2021 4:10 PM *To:* Alan Greenberg <alan.greenberg@mcgill.ca> *Cc:* EPDP <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data

Hi Alan,

do we want it fast or do we want it right? The status quo of the past three years illustrates there is no urgency.

1. I agree it is some time out yet, and we might need to clarify current disclosure rules to tide us over.

2.-3. Yes I am proposing a fee, but that is not unreasonable. The requestor is getting a service after all. And it has precedent in other public databases.Ultimately, this would be an implementation question, but having a token fee also ensures less abuse will take place.

4. I think this could be completed in time before the SSAD goes live, and this could then be quickly added. Think DLC for an AAA game.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 4:02 PM Alan Greenberg <alan.greenberg@mcgill.ca> wrote:

At 2021-04-22 09:10 AM, Volker Greimann wrote:

1. SSAD was approved by the PDPD consensus, by the GNSO council with sufficient votes and by the board. It will exist. If it does not, we will be forced back to the drawing board for another couple of years and the status quo will persist. If you prefer that over SSAD, go ahead and kill SSAD.

This is not about my trying to kill the SSAD. At this point, the Board needs to make a decision, and presumably it will not just blindly rubber-stamp the GNSO recommendations. And iyou are not addressing proposing a solution that is at best several years out to

2. This would be questions for the implementation phase, but maybe some guidance would be helpful to put people here at ease. I do not think there needs to be authentication for basic SSAD access. The terms currently in place for domain name registration are fully sufficient for that access level: Validation of format of the data, verification of email address, valid payment method. This would be my personal view.

3. As this access level would require significantly lower barriers than full access, fees for this type of requests could be lower as well. For comparison, requests for data from the German trade register cost medium one-digit EUR amounts per request. The added benefit is that this common type of request could carry a base cost load for the system, allowing lower overall costs for all requests. Only leaving SSAD for personal data would on the other hand drive up costs. The more we include in SSAD, the better the price structure should be.

OK, so you are proposing a fee-based system for such requests.

4. If we do need another PDP (not convinced that we do) this could be pre-determined and targeted. If we all agree now that we want this to happen, debate the specifics before the PDP is launched, the time needed for the actual PDP could be minimal.

Fine. Adding several more years...

5. To the contrary, there are a myrad of advantages: Use of existing infrastructure, lower overall SSAD fees, better protection of registrants, access controls, prevention of harvesting for illicit purposes (SPAM, phishing, etc) , requestor ID, reduced risk for CPs, no need to build out yet another system for a sub-category of domain names, no data transfer liability issues, etc. The list goes on and on...

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 8:02 AM Alan Greenberg via Gnso-epdp-team < gnso-epdp-team@icann.org > wrote:

There continues to be discussion regarding using the SSAD as a means

of "publishing" non-personal data.

I believe that this discussion is a distraction that takes focus from

what we should be working on. I say this for the following reason.

1. The SSAD does not exist, it may never exist, and if the Board does

approve it, it will likely take several years to implement (remember

we are 2 years into the implementation of Phase 1, and there is no

centralized hardware/software to design and implement for that).

2. Although we specified that anyone may be accredited, it is not at

all clear the amount of time it will take, nor what fee might be

charged. And unless the system allows accreditation without

authenticating the identity, this precludes anonymous queries.

3. We specified that the SSAD must be self-funding and that the users

must pay for its operating costs. Are those in favour of using the

SSAD for public data publishing proposing fees for such requests, or

no fees, and if the latter, who will pay for this usage?

4. There are multiple details of Phase 2 Recommendation 8 for

Contracted Party Authorization that simply make no sense in this

case, yet are part of the approved policy. And changing that policy

requires a PDP.

5. There does not seem to be any benefit of routing public-data

requests through the SSAD with its myriad rules, regulations and

processes when a vanilla RDAP server will suffice.

Alan

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-t...>

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy <https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm...>) and the website Terms of Service ( https://www.icann.org/privacy/tos <https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!Rm...>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Thanks Volker. An article is to be read taking in mind also the accompanying recitals – I have already mentioned this already in my previous communication to you, but just to avoid any lack of clarity, please refer to recital 62, drafted together with article 23, which states that: “TLD registries and the entities providing domain name registration services for them should make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons” Especially for the last underlined part there is a footnote referencing to GDPR and reminding that it does not apply to data of legal persons. Trust that this was helpful. Best, Melina From: Volker Greimann <vgreimann@key-systems.net> Sent: Thursday, April 22, 2021 6:19 PM To: STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> Cc: EPDP <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data Hi Melina, I wanted to make sure if I was somehow mistaken and went back to the draft text of NIS as you asked me in the document: " The solution you propose is not in line with neither GDPR nor NIS 2 Proposal. There is a reason why both legal texts distinguish between natural and legal entities. Privacy specialists drafting these laws made this distinction for a reason. I have noticed that you are often doubting the interpretation of specific words in specific legal provisions, yet your proposed 'personal non-personal distinction is not based on any legal act (not that I know of). In case you have in mind a privacy regulation which makes a distinction between personal and non-personal data irrespective of whether the data subject is legal or natural I would be interested in reading the provision." So I looked at NIS again and it was as I remembered it: "4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data." Note it says: "which are not personal data" not "of legal entities which are not containing any personal data". The entity type is not even mentioned as a qualifier for disclosure. As you say you had a hand in writing this section, you should be aware of what it says, which is not what you claim it does. Hence my pushback on your claim. My proposal is very much in line with this requirement of NIS2 as drafted. To the letter, actually! Even NIS 2 differentiates only on data type, not on entity type here. I therefore fail to see how my proposal violates NIS2 when it matches it to the letter. As for the concerns voiced by Hadia, as long as you are clear about the consequences of the declaration in your disclaimer, e.g. state that declaring data as non-personal will result in publication in SSAD, anyone will understand that. They may not understand the difference in the type of data, but they will understand the consequence. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!VUJfl_PK...> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Apr 22, 2021 at 4:40 PM STROUNGI Melina <Melina.STROUNGI@ec.europa.eu<mailto:Melina.STROUNGI@ec.europa.eu>> wrote: Hi, We want to do it both fast and right. Differentiation between natural and legal persons can achieve doing it both fast and right, and is fully in line with GDPR and NIS 2 proposal. “The status quo of the past three years illustrates there is no urgency.”--> Where are you basing this argument? Do you have a link or report to share? The past three years have revealed numerous and major problems resulting from the redacted information. This is the very reason why EC proposed NIS 2 proposal at the first place. Any implication that all those complaints received are inexistent and that DNS abuse is an imaginary problem is disrespectful at the very least. Best, Melina From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Thursday, April 22, 2021 4:10 PM To: Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>> Cc: EPDP <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data Hi Alan, do we want it fast or do we want it right? The status quo of the past three years illustrates there is no urgency. 1. I agree it is some time out yet, and we might need to clarify current disclosure rules to tide us over. 2.-3. Yes I am proposing a fee, but that is not unreasonable. The requestor is getting a service after all. And it has precedent in other public databases.Ultimately, this would be an implementation question, but having a token fee also ensures less abuse will take place. 4. I think this could be completed in time before the SSAD goes live, and this could then be quickly added. Think DLC for an AAA game. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Apr 22, 2021 at 4:02 PM Alan Greenberg <alan.greenberg@mcgill.ca<mailto:alan.greenberg@mcgill.ca>> wrote: At 2021-04-22 09:10 AM, Volker Greimann wrote: 1. SSAD was approved by the PDPD consensus, by the GNSO council with sufficient votes and by the board. It will exist. If it does not, we will be forced back to the drawing board for another couple of years and the status quo will persist. If you prefer that over SSAD, go ahead and kill SSAD. This is not about my trying to kill the SSAD. At this point, the Board needs to make a decision, and presumably it will not just blindly rubber-stamp the GNSO recommendations. And iyou are not addressing proposing a solution that is at best several years out to 2. This would be questions for the implementation phase, but maybe some guidance would be helpful to put people here at ease. I do not think there needs to be authentication for basic SSAD access. The terms currently in place for domain name registration are fully sufficient for that access level: Validation of format of the data, verification of email address, valid payment method. This would be my personal view. 3. As this access level would require significantly lower barriers than full access, fees for this type of requests could be lower as well. For comparison, requests for data from the German trade register cost medium one-digit EUR amounts per request. The added benefit is that this common type of request could carry a base cost load for the system, allowing lower overall costs for all requests. Only leaving SSAD for personal data would on the other hand drive up costs. The more we include in SSAD, the better the price structure should be. OK, so you are proposing a fee-based system for such requests. 4. If we do need another PDP (not convinced that we do) this could be pre-determined and targeted. If we all agree now that we want this to happen, debate the specifics before the PDP is launched, the time needed for the actual PDP could be minimal. Fine. Adding several more years... 5. To the contrary, there are a myrad of advantages: Use of existing infrastructure, lower overall SSAD fees, better protection of registrants, access controls, prevention of harvesting for illicit purposes (SPAM, phishing, etc) , requestor ID, reduced risk for CPs, no need to build out yet another system for a sub-category of domain names, no data transfer liability issues, etc. The list goes on and on... -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Apr 22, 2021 at 8:02 AM Alan Greenberg via Gnso-epdp-team <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> > wrote: There continues to be discussion regarding using the SSAD as a means of "publishing" non-personal data. I believe that this discussion is a distraction that takes focus from what we should be working on. I say this for the following reason. 1. The SSAD does not exist, it may never exist, and if the Board does approve it, it will likely take several years to implement (remember we are 2 years into the implementation of Phase 1, and there is no centralized hardware/software to design and implement for that). 2. Although we specified that anyone may be accredited, it is not at all clear the amount of time it will take, nor what fee might be charged. And unless the system allows accreditation without authenticating the identity, this precludes anonymous queries. 3. We specified that the SSAD must be self-funding and that the users must pay for its operating costs. Are those in favour of using the SSAD for public data publishing proposing fees for such requests, or no fees, and if the latter, who will pay for this usage? 4. There are multiple details of Phase 2 Recommendation 8 for Contracted Party Authorization that simply make no sense in this case, yet are part of the approved policy. And changing that policy requires a PDP. 5. There does not seem to be any benefit of routing public-data requests through the SSAD with its myriad rules, regulations and processes when a vanilla RDAP server will suffice. Alan _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!RmawU_eWcoe7RX3DvV2_0BnjdXdVYP6GXl95shj5pftgywU5ogWBrEplmQeLNWufRS0QDhmH$> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy<https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!RmawU_eWcoe7RX3DvV2_0BnjdXdVYP6GXl95shj5pftgywU5ogWBrEplmQeLNWufRWyQLfWQ$>) and the website Terms of Service ( https://www.icann.org/privacy/tos<https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!RmawU_eWcoe7RX3DvV2_0BnjdXdVYP6GXl95shj5pftgywU5ogWBrEplmQeLNWufRRsAqMvs$>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi Melina, Maybe we can try looking at this from the other end: Why does it matter to you whether we first differentiate between legal and natural and _then_ ask whether the data includes only non-personal data or whether we just ask the same question without making that differentiation first? What is your expected benefit to the interests you represent when both routes lead the exact same number of data sets being disclosed? Does it really matter to the end result? I really do not get why this needs to be such a battleground. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Thu, Apr 22, 2021 at 6:28 PM STROUNGI Melina < Melina.STROUNGI@ec.europa.eu> wrote:

Thanks Volker.

An article is to be read taking in mind also the accompanying recitals – I have already mentioned this already in my previous communication to you, but just to avoid any lack of clarity, please refer to recital 62, drafted together with article 23, which states that:

“*TLD registries and the entities providing domain name registration services for them should make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons*”

Especially for the last underlined part there is a footnote referencing to GDPR and reminding that it does not apply to data of legal persons.

Trust that this was helpful.

Best,

Melina

*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Thursday, April 22, 2021 6:19 PM *To:* STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> *Cc:* EPDP <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data

Hi Melina,

I wanted to make sure if I was somehow mistaken and went back to the draft text of NIS as you asked me in the document:

" *The solution you propose is not in line with neither GDPR nor NIS 2 Proposal. There is a reason why both legal texts distinguish between natural and legal entities. Privacy specialists drafting these laws made this distinction for a reason. I have noticed that you are often doubting the interpretation of specific words in specific legal provisions, yet your proposed 'personal non-personal distinction is not based on any legal act (not that I know of). In case you have in mind a privacy regulation which makes a distinction between personal and non-personal data irrespective of whether the data subject is legal or natural I would be interested in reading the provision."*

So I looked at NIS again and it was as I remembered it:

*"4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data." * Note it says: "which are not personal data" not "of legal entities which are not containing any personal data". The entity type is not even mentioned as a qualifier for disclosure. As you say you had a hand in writing this section, you should be aware of what it says, which is not what you claim it does. Hence my pushback on your claim. My proposal is very much in line with this requirement of NIS2 as drafted. To the letter, actually! Even NIS 2 differentiates only on data type, not on entity type here. I therefore fail to see how my proposal violates NIS2 when it matches it to the letter.

As for the concerns voiced by Hadia, as long as you are clear about the consequences of the declaration in your disclaimer, e.g. state that declaring data as non-personal will result in publication in SSAD, anyone will understand that. They may not understand the difference in the type of data, but they will understand the consequence.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!VUJfl_PK...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 4:40 PM STROUNGI Melina < Melina.STROUNGI@ec.europa.eu> wrote:

Hi,

We want to do it both fast and right. Differentiation between natural and legal persons can achieve doing it both fast and right, and is fully in line with GDPR and NIS 2 proposal.

“*The status quo of the past three years illustrates there is no urgency.”**à* Where are you basing this argument? Do you have a link or report to share?

The past three years have revealed numerous and major problems resulting from the redacted information. This is the very reason why EC proposed NIS 2 proposal at the first place.

Any implication that all those complaints received are inexistent and that DNS abuse is an imaginary problem is disrespectful at the very least.

Best,

Melina

*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Thursday, April 22, 2021 4:10 PM *To:* Alan Greenberg <alan.greenberg@mcgill.ca> *Cc:* EPDP <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data

Hi Alan,

do we want it fast or do we want it right? The status quo of the past three years illustrates there is no urgency.

1. I agree it is some time out yet, and we might need to clarify current disclosure rules to tide us over.

2.-3. Yes I am proposing a fee, but that is not unreasonable. The requestor is getting a service after all. And it has precedent in other public databases.Ultimately, this would be an implementation question, but having a token fee also ensures less abuse will take place.

4. I think this could be completed in time before the SSAD goes live, and this could then be quickly added. Think DLC for an AAA game.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 4:02 PM Alan Greenberg <alan.greenberg@mcgill.ca> wrote:

At 2021-04-22 09:10 AM, Volker Greimann wrote:

1. SSAD was approved by the PDPD consensus, by the GNSO council with sufficient votes and by the board. It will exist. If it does not, we will be forced back to the drawing board for another couple of years and the status quo will persist. If you prefer that over SSAD, go ahead and kill SSAD.

This is not about my trying to kill the SSAD. At this point, the Board needs to make a decision, and presumably it will not just blindly rubber-stamp the GNSO recommendations. And iyou are not addressing proposing a solution that is at best several years out to

2. This would be questions for the implementation phase, but maybe some guidance would be helpful to put people here at ease. I do not think there needs to be authentication for basic SSAD access. The terms currently in place for domain name registration are fully sufficient for that access level: Validation of format of the data, verification of email address, valid payment method. This would be my personal view.

3. As this access level would require significantly lower barriers than full access, fees for this type of requests could be lower as well. For comparison, requests for data from the German trade register cost medium one-digit EUR amounts per request. The added benefit is that this common type of request could carry a base cost load for the system, allowing lower overall costs for all requests. Only leaving SSAD for personal data would on the other hand drive up costs. The more we include in SSAD, the better the price structure should be.

OK, so you are proposing a fee-based system for such requests.

4. If we do need another PDP (not convinced that we do) this could be pre-determined and targeted. If we all agree now that we want this to happen, debate the specifics before the PDP is launched, the time needed for the actual PDP could be minimal.

Fine. Adding several more years...

5. To the contrary, there are a myrad of advantages: Use of existing infrastructure, lower overall SSAD fees, better protection of registrants, access controls, prevention of harvesting for illicit purposes (SPAM, phishing, etc) , requestor ID, reduced risk for CPs, no need to build out yet another system for a sub-category of domain names, no data transfer liability issues, etc. The list goes on and on...

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 8:02 AM Alan Greenberg via Gnso-epdp-team < gnso-epdp-team@icann.org > wrote:

There continues to be discussion regarding using the SSAD as a means

of "publishing" non-personal data.

I believe that this discussion is a distraction that takes focus from

what we should be working on. I say this for the following reason.

1. The SSAD does not exist, it may never exist, and if the Board does

approve it, it will likely take several years to implement (remember

we are 2 years into the implementation of Phase 1, and there is no

centralized hardware/software to design and implement for that).

2. Although we specified that anyone may be accredited, it is not at

all clear the amount of time it will take, nor what fee might be

charged. And unless the system allows accreditation without

authenticating the identity, this precludes anonymous queries.

3. We specified that the SSAD must be self-funding and that the users

must pay for its operating costs. Are those in favour of using the

SSAD for public data publishing proposing fees for such requests, or

no fees, and if the latter, who will pay for this usage?

4. There are multiple details of Phase 2 Recommendation 8 for

Contracted Party Authorization that simply make no sense in this

case, yet are part of the approved policy. And changing that policy

requires a PDP.

5. There does not seem to be any benefit of routing public-data

requests through the SSAD with its myriad rules, regulations and

processes when a vanilla RDAP server will suffice.

Alan

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-t...>

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy <https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm...>) and the website Terms of Service ( https://www.icann.org/privacy/tos <https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!Rm...>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hadia, I addressed Melina since I responded to her mail, but the question can and should be answered by anyone advocating for the differentiation. What do you want to achieve by mandatory differentiation of registrant type if you are getting the same end result without it due to the remaining need to also differentiate by data content? The studies and guidance speak to risk, but I have a hard time believing that the IPC, BC and ALAC are in any way motivated by CP risk. So what is it? If the output is identical, why ask the additional question? If this question cannot or will not be answered... -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Sat, Apr 24, 2021 at 4:08 PM Hadia Abdelsalam Mokhtar EL miniawi < Hadia@tra.gov.eg> wrote:

Dear Volker,

Albeit your email is addressing Melina and while noting that I am not by any means trying to provide an answer to your question included herein, I just can’t help being surprised that you are still asking this question despite the legal guidance received and the ICANN study conducted.

“Why does it matter to you whether we first differentiate between legal and natural and _then_ ask whether the data includes only non-personal data or whether we just ask the same question without making that differentiation first”

Hadia

*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Friday, April 23, 2021 5:03 PM *To:* STROUNGI Melina <Melina.STROUNGI@ec.europa.eu> *Cc:* EPDP <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data

Hi Melina,

Maybe we can try looking at this from the other end:

Why does it matter to you whether we first differentiate between legal and natural and _then_ ask whether the data includes only non-personal data or whether we just ask the same question without making that differentiation first?

What is your expected benefit to the interests you represent when both routes lead the exact same number of data sets being disclosed?

Does it really matter to the end result?

I really do not get why this needs to be such a battleground.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 6:28 PM STROUNGI Melina < Melina.STROUNGI@ec.europa.eu> wrote:

Thanks Volker.

An article is to be read taking in mind also the accompanying recitals – I have already mentioned this already in my previous communication to you, but just to avoid any lack of clarity, please refer to recital 62, drafted together with article 23, which states that:

“*TLD registries and the entities providing domain name registration services for them should make publically available domain name registration data that fall outside the scope of Union data protection rules, such as data that concern legal persons*”

Especially for the last underlined part there is a footnote referencing to GDPR and reminding that it does not apply to data of legal persons.

Trust that this was helpful.

Best,

Melina

*From:* Volker Greimann <vgreimann@key-systems.net> *Sent:* Thursday, April 22, 2021 6:19 PM *To:* STROUNGI Melina (CNECT) <Melina.STROUNGI@ec.europa.eu> *Cc:* EPDP <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data

Hi Melina,

I wanted to make sure if I was somehow mistaken and went back to the draft text of NIS as you asked me in the document:

" *The solution you propose is not in line with neither GDPR nor NIS 2 Proposal. There is a reason why both legal texts distinguish between natural and legal entities. Privacy specialists drafting these laws made this distinction for a reason. I have noticed that you are often doubting the interpretation of specific words in specific legal provisions, yet your proposed 'personal non-personal distinction is not based on any legal act (not that I know of). In case you have in mind a privacy regulation which makes a distinction between personal and non-personal data irrespective of whether the data subject is legal or natural I would be interested in reading the provision."*

So I looked at NIS again and it was as I remembered it:

*"4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data." * Note it says: "which are not personal data" not "of legal entities which are not containing any personal data". The entity type is not even mentioned as a qualifier for disclosure. As you say you had a hand in writing this section, you should be aware of what it says, which is not what you claim it does. Hence my pushback on your claim. My proposal is very much in line with this requirement of NIS2 as drafted. To the letter, actually! Even NIS 2 differentiates only on data type, not on entity type here. I therefore fail to see how my proposal violates NIS2 when it matches it to the letter.

As for the concerns voiced by Hadia, as long as you are clear about the consequences of the declaration in your disclaimer, e.g. state that declaring data as non-personal will result in publication in SSAD, anyone will understand that. They may not understand the difference in the type of data, but they will understand the consequence.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!VUJfl_PK...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 4:40 PM STROUNGI Melina < Melina.STROUNGI@ec.europa.eu> wrote:

Hi,

We want to do it both fast and right. Differentiation between natural and legal persons can achieve doing it both fast and right, and is fully in line with GDPR and NIS 2 proposal.

“*The status quo of the past three years illustrates there is no urgency.”**à* Where are you basing this argument? Do you have a link or report to share?

The past three years have revealed numerous and major problems resulting from the redacted information. This is the very reason why EC proposed NIS 2 proposal at the first place.

Any implication that all those complaints received are inexistent and that DNS abuse is an imaginary problem is disrespectful at the very least.

Best,

Melina

*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Thursday, April 22, 2021 4:10 PM *To:* Alan Greenberg <alan.greenberg@mcgill.ca> *Cc:* EPDP <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] SSAD as a means of publishing non-personal data

Hi Alan,

do we want it fast or do we want it right? The status quo of the past three years illustrates there is no urgency.

1. I agree it is some time out yet, and we might need to clarify current disclosure rules to tide us over.

2.-3. Yes I am proposing a fee, but that is not unreasonable. The requestor is getting a service after all. And it has precedent in other public databases.Ultimately, this would be an implementation question, but having a token fee also ensures less abuse will take place.

4. I think this could be completed in time before the SSAD goes live, and this could then be quickly added. Think DLC for an AAA game.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 4:02 PM Alan Greenberg <alan.greenberg@mcgill.ca> wrote:

At 2021-04-22 09:10 AM, Volker Greimann wrote:

1. SSAD was approved by the PDPD consensus, by the GNSO council with sufficient votes and by the board. It will exist. If it does not, we will be forced back to the drawing board for another couple of years and the status quo will persist. If you prefer that over SSAD, go ahead and kill SSAD.

This is not about my trying to kill the SSAD. At this point, the Board needs to make a decision, and presumably it will not just blindly rubber-stamp the GNSO recommendations. And iyou are not addressing proposing a solution that is at best several years out to

2. This would be questions for the implementation phase, but maybe some guidance would be helpful to put people here at ease. I do not think there needs to be authentication for basic SSAD access. The terms currently in place for domain name registration are fully sufficient for that access level: Validation of format of the data, verification of email address, valid payment method. This would be my personal view.

3. As this access level would require significantly lower barriers than full access, fees for this type of requests could be lower as well. For comparison, requests for data from the German trade register cost medium one-digit EUR amounts per request. The added benefit is that this common type of request could carry a base cost load for the system, allowing lower overall costs for all requests. Only leaving SSAD for personal data would on the other hand drive up costs. The more we include in SSAD, the better the price structure should be.

OK, so you are proposing a fee-based system for such requests.

4. If we do need another PDP (not convinced that we do) this could be pre-determined and targeted. If we all agree now that we want this to happen, debate the specifics before the PDP is launched, the time needed for the actual PDP could be minimal.

Fine. Adding several more years...

5. To the contrary, there are a myrad of advantages: Use of existing infrastructure, lower overall SSAD fees, better protection of registrants, access controls, prevention of harvesting for illicit purposes (SPAM, phishing, etc) , requestor ID, reduced risk for CPs, no need to build out yet another system for a sub-category of domain names, no data transfer liability issues, etc. The list goes on and on...

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*

T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!RmawU_eW...>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.

On Thu, Apr 22, 2021 at 8:02 AM Alan Greenberg via Gnso-epdp-team < gnso-epdp-team@icann.org > wrote:

There continues to be discussion regarding using the SSAD as a means

of "publishing" non-personal data.

I believe that this discussion is a distraction that takes focus from

what we should be working on. I say this for the following reason.

1. The SSAD does not exist, it may never exist, and if the Board does

approve it, it will likely take several years to implement (remember

we are 2 years into the implementation of Phase 1, and there is no

centralized hardware/software to design and implement for that).

2. Although we specified that anyone may be accredited, it is not at

all clear the amount of time it will take, nor what fee might be

charged. And unless the system allows accreditation without

authenticating the identity, this precludes anonymous queries.

3. We specified that the SSAD must be self-funding and that the users

must pay for its operating costs. Are those in favour of using the

SSAD for public data publishing proposing fees for such requests, or

no fees, and if the latter, who will pay for this usage?

4. There are multiple details of Phase 2 Recommendation 8 for

Contracted Party Authorization that simply make no sense in this

case, yet are part of the approved policy. And changing that policy

requires a PDP.

5. There does not seem to be any benefit of routing public-data

requests through the SSAD with its myriad rules, regulations and

processes when a vanilla RDAP server will suffice.

Alan

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-t...>

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy <https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm...>) and the website Terms of Service ( https://www.icann.org/privacy/tos <https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!Rm...>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.