For your review - Clarifying Legal Questions Table
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu
Sent: Friday, May 24, 2019 7:02 PM
To: caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
- If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
- According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
- Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
- How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
- While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
*Natural or non-natural persons*
- How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
- How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration?
*General question:*
- How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
This is my interpretation of the accuracy principle of the GDPR as well. Like most of the GDPR, it is designed with the rights of and protections for the data subject in mind and must be interpreted under that premise.
Volker
On 25.05.2019 at 15:17, Mueller, Milton L wrote:
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
Didn't we have (and settle) the same argument about six months ago? This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it. As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties. Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Date Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
*From:*Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Mueller, Milton L *Sent:* Saturday, May 25, 2019 9:18 AM *To:* Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _/of the data subject/_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu
Sent: Friday, May 24, 2019 7:02 PM
To: caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
- If current verification statistics provide that a large number of data is inaccurate, isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
- According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
- Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
- How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
- While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
*Natural or non-natural persons*
- How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
- How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address, could consent also be confirmed for the term of the registration?
*General question:*
- How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Greetings All,
I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before.
I don’t understand the connection between accuracy and GDPR. The regulations govern a registrar’s right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant’s obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant, and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:
Didn't we have (and settle) the same argument about six months ago?
This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle.
The principles protect the data subject, not third parties.
Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
“1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);… 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best, --Greg
The question that has gone round and round is whether, based on the requirement that data be accurate "having regard to the purposes for which they are processed", processors and controllers have an obligation to ensure accuracy in the absence of the data subject requesting a correction/change. In my mind, the GDPR presumes the data subject has an interest in having accurate data. Our evidence is that this is not always the case.
Alan
At 28/05/2019 12:47 PM, Chris Disspain wrote:
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
Hi Chris and all –
To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board.
In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System.
All the best,
Margie
Hi Margie,
the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail.
Best,
Volker
On 29.05.2019 at 18:38, Margie Milam wrote:
Hi Chris and all –
To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board.
In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: /The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System./
All the best,
Margie
*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org> *Date: *Tuesday, May 28, 2019 at 9:48 AM *To: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Greetings All,
I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before.
I don’t understand the connection between accuracy and GDPR.
The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:
Didn't we have (and settle) the same argument about six months ago?
This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle.
The principles protect the data subject, not third parties.
Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Mueller, Milton L *Sent:* Saturday, May 25, 2019 9:18 AM *To:* Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _/of the data subject/_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Georgios.TSELENTIS@ec.europa.eu *Sent:* Friday, May 24, 2019 7:02 PM *To:* caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
*Natural or non-natural persons*
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration?
*General question:*
. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Caitlin Tubergen *Sent:* Wednesday, May 22, 2019 5:22 PM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Dear Volker, Milton, EPDP colleagues, I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions. Best regards, Georgios From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann Sent: Wednesday, May 29, 2019 6:54 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Hi Margie, the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANNs making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail. Best, Volker Am 29.05.2019 um 18:38 schrieb Margie Milam: Hi Chris and all – To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. 
It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board. In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System. All the best, Margie From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org><mailto:chris.disspain@board.icann.org> Date: Tuesday, May 28, 2019 at 9:48 AM To: "gnso-epdp-team@icann.org"<mailto:gnso-epdp-team@icann.org> <gnso-epdp-team@icann.org><mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Greetings All, I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before. I don’t understand the connection between accuracy and GDPR. The regulations govern a registrars right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrants obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. 
The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information. Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing? Cheers, Chris On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Didn't we have (and settle) the same argument about six months ago? This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it. As such, the contractual provision that the data subject must provide to us accurate data (and keep uit updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties. Can we now please stop going over old settled issues? Volker Am 28.05.2019 um 18:06 schrieb Greg Aaron: Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says: Art. 5 GDPR Principles relating to processing of personal data "1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);… 2. 
The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” There has been discussion in legal and GDPR compliance communities that the above means all of these: a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate. b) Organizations must allow data subjects to rectify inaccuracies. (Your point.) c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from. d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And, e) Within some limits, the parties to a Date Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data. How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration. GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law. So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about. 
All best, --Greg From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L Sent: Saturday, May 25, 2019 9:18 AM To: Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>; caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Georgios and colleagues: I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject. To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18. Article 18, Right to restriction of processing: ----------------------------------------------------------- “The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;” So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR. Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal. 
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data. Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu> Sent: Friday, May 24, 2019 7:02 PM To: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Caitlin, colleagues, Please find below questions on the topics of the legal memos from the GAC: Accuracy . If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR? . According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? . Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? . 
How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV pf the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)? . While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD? Natural or non-natural persons . How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant? . How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS. Technical contact Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration? General question: . 
- How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.

Apologies again for the delay of our submission. Georgios Tselentis (GAC-EPDP)

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen Sent: Wednesday, May 22, 2019 5:22 PM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear EPDP Team, Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting. Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly. Thank you.
Best regards, Marika, Berry, and Caitlin

-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Georgios & All – Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a decline in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system. All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu> Date: Thursday, May 30, 2019 at 4:12 AM To: "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Volker, Milton, EPDP colleagues, I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions.
Best regards, Georgios

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann Sent: Wednesday, May 29, 2019 6:54 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Hi Margie, the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail. Best, Volker

On 29.05.2019 at 18:38, Margie Milam wrote:

Hi Chris and all – To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board. In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system.
This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System. All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org> Date: Tuesday, May 28, 2019 at 9:48 AM To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Greetings All, I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before. I don’t understand the connection between accuracy and GDPR. The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information. Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing? Cheers, Chris

On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:

Didn't we have (and settle) the same argument about six months ago? This principle is a protection of the data subject.
When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it. As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties. Can we now please stop going over old settled issues? Volker

On 28.05.2019 at 18:06, Greg Aaron wrote:

Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:

Art. 5 GDPR Principles relating to processing of personal data "1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);… 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration. GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law. So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about. All best, --Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L Sent: Saturday, May 25, 2019 9:18 AM To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Georgios and colleagues: I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject. To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:

“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”

So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR. Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal. Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.

Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu Sent: Friday, May 24, 2019 7:02 PM To: caitlin.tubergen@icann.org Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Caitlin, colleagues, Please find below questions on the topics of the legal memos from the GAC:

Accuracy
- If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
- According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
- Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
- How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
- While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?

Natural or non-natural persons
- How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
- How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.

Technical contact
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration?

General question:
- How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.

Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen Sent: Wednesday, May 22, 2019 5:22 PM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear EPDP Team, Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting. Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly. Thank you. Best regards, Marika, Berry, and Caitlin
Margie

Your numbers show a decline in the accuracy of Whois reg data PRIOR to the implementation of the temp spec (June 2018 - temp spec went into effect late May 2018). That's interesting. So - all that indiscriminate public disclosure and all those policy measures intended to force registrants upon pain of death (of their registration) failed to maintain the desired level of accuracy. Very interesting indeed. Did it ever occur to you that the indiscriminate publication of Whois data might actually _cause_ much of the inaccuracy, by undermining the registrant's willingness to provide accurate data? Anyway I do not see what relevance this has to the EPDP's main project, which is to make the Whois GDPR compliant. First, the data do not measure the impact of GDPR compliance. Second, numerous people on this list have proven, again and again, that accuracy in GDPR is a data subject's right not a third party's right. Hence, ICANN policies intended to make the data accurate for third party demands have little to do with GDPR compliance. Insofar as current ICANN policy relies on GDPR-violating methods to ensure accuracy (e.g. publication of all data) those methods must be modified. Insofar as current ICANN policies designed to ensure accuracy are compliant with GDPR, then they can and will remain in place until modified by some other PDP. Ergo, ICANN's accuracy policies are not relevant to this proceeding. (Sorry, Georgios) --MM

From: Margie Milam <margiemilam@fb.com> Sent: Thursday, May 30, 2019 12:46 PM To: Georgios.TSELENTIS@ec.europa.eu; vgreimann@key-systems.net; Mueller, Milton L Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Georgios & All – Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a decline in accuracy rates.
It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system. All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu> Date: Thursday, May 30, 2019 at 4:12 AM To: "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Volker, Milton, EPDP colleagues, I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions. Best regards, Georgios

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann Sent: Wednesday, May 29, 2019 6:54 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Hi Margie, the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that.
The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail. Best, Volker

On 29.05.2019 at 18:38, Margie Milam wrote:

Hi Chris and all – To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board. In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System.
All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org>
Date: Tuesday, May 28, 2019 at 9:48 AM
To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Greetings All, I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before. I don’t understand the connection between accuracy and GDPR. The regulations govern a registrar’s right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant’s obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information. Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing? Cheers, Chris

On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:

Didn't we have (and settle) the same argument about six months ago? This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties. Can we now please stop going over old settled issues? Volker

On 28.05.2019 at 18:06, Greg Aaron wrote:

Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says: Art. 5 GDPR Principles relating to processing of personal data "1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);… 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law. So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about. All best, --Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Georgios and colleagues: I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject. To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18. Article 18, Right to restriction of processing: ----------------------------------------------------------- “The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;” So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy.
There is NO OTHER reference to accuracy in the entire GDPR. Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal. Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data. Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu
Sent: Friday, May 24, 2019 7:02 PM
To: caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Caitlin, colleagues, Please find below questions on the topics of the legal memos from the GAC:

Accuracy
- If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
- According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
- Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
- How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
- While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?

Natural or non-natural persons
- How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information?
If it's not is the analysis about whether the accuracy principle applies relevant?
- How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.

Technical contact
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration?

General question:
- How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.

Apologies again for the delay of our submission. Georgios Tselentis (GAC-EPDP)

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear EPDP Team, Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting. Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly. Thank you.
Best regards, Marika, Berry, and Caitlin

_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-- Volker A.
Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Hi all, I boil this down to a couple key facts: 1) Data subjects have a right to data accuracy under GDPR, and 2) the data analysis shows that they're not getting it in today's registration data system (56% is a failing score by any measure, and especially in the context of fundamental rights). So accuracy falls squarely within the context of this EPDP. As it pertains to third parties, I suppose it's fair to distinguish between a data subject's _right_ and a third party's _need_ for accurate data, but third-party needs are also provided for under GDPR, so the distinction is irrelevant as to whether they're in scope for this EPDP. For example, an EBERO may not have an explicit, GDPR-given right to registration data, but the EBERO needs accurate data in order to allocate the domain name to its rightful owner when a registry implodes. This processing might be on a 6.1(a),(b),(e), or other basis; regardless, it's a GDPR-compliant processing need. A phishing victim may not have an explicit, GDPR-given right to registration data, but EU case law is clear that pursuit of a legal claim wins the 6.1(f) test over privacy interests, so the victim has a GDPR-compliant processing need for accurate data to know who to name as defendant and where to file the lawsuit. So, accuracy and third-party needs are both in scope. I'm happy to answer any questions and/or work with the legal committee to prioritize any questions to the Birdies as the EPDP team deems prudent. Brian J. 
King Director of Internet Policy & Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Thursday, May 30, 2019 1:47 PM
To: Margie Milam <margiemilam@fb.com>; Georgios.TSELENTIS@ec.europa.eu; vgreimann@key-systems.net
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Margie Your numbers show a decline in the accuracy of Whois reg data PRIOR to the implementation of the temp spec (June 2018 - temp spec went into effect late May 2018) That's interesting. So - all that indiscriminate public disclosure and all those policy measures intended to force registrants upon pain of death (of their registration) failed to maintain the desired level of accuracy. Very interesting indeed. Did it ever occur to you that the indiscriminate publication of Whois data might actually _cause_ much of the inaccuracy, by undermining the registrant's willingness to provide accurate data? Anyway I do not see what relevance this has to the EPDP's main project, which is to make the Whois GDPR compliant. First, the data do not measure the impact of GDPR compliance. Second, numerous people on this list have proven, again and again, that accuracy in GDPR is a data subject's right not a third party's right. Hence, ICANN policies intended to make the data accurate for third party demands have little to do with GDPR compliance. Insofar as current ICANN policy relies on GDPR-violating methods to ensure accuracy (e.g. publication of all data) those methods must be modified. Insofar as current ICANN policies designed to ensure accuracy are compliant with GDPR, then they can and will remain in place until modified by some other PDP. Ergo, ICANN's accuracy policies are not relevant to this proceeding.
(Sorry, Georgios) --MM

________________________________
From: Margie Milam <margiemilam@fb.com>
Sent: Thursday, May 30, 2019 12:46 PM
To: Georgios.TSELENTIS@ec.europa.eu; vgreimann@key-systems.net; Mueller, Milton L
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Georgios & All - Thank you for the reply. With regard to accuracy - please note that the latest accuracy report posted by ICANN in June, 2018 noted a decline in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate - this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system. All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>
Date: Thursday, May 30, 2019 at 4:12 AM
To: "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu>
Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Volker, Milton, EPDP colleagues, I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy.
The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions. Best regards, Georgios

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann
Sent: Wednesday, May 29, 2019 6:54 PM
To: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Hi Margie, the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail. Best, Volker

On 29.05.2019 at 18:38, Margie Milam wrote:

Hi Chris and all - To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant.
In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board. In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System. All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org>
Date: Tuesday, May 28, 2019 at 9:48 AM
To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Greetings All, I'm a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before. I don't understand the connection between accuracy and GDPR. The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy.
And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information. Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I'm missing? Cheers, Chris

On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:

Didn't we have (and settle) the same argument about six months ago? This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it. As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties. Can we now please stop going over old settled issues? Volker

On 28.05.2019 at 18:06, Greg Aaron wrote:

Milton, no, the word "accuracy" does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says: Art. 5 GDPR Principles relating to processing of personal data "1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');... 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')." There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information - no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data - for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration. GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than "trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests." The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law. So, given all that, and because there's not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about. All best, --Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Georgios and colleagues: I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word "accuracy" appears in GDPR in only two places, in Art 18. Article 18, Right to restriction of processing: ----------------------------------------------------------- "The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;" So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR. Georgios's questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it's recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal. Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says "Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered." So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants' data. Dr. 
Milton L Mueller Georgia Institute of Technology School of Public Policy From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu> Sent: Friday, May 24, 2019 7:02 PM To: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Caitlin, colleagues, Please find below questions on the topics of the legal memos from the GAC: Accuracy . If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR? . According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? . Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? . How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)? . 
While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD? Natural or non-natural persons . How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant? . How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS. Technical contact Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration? General question: . How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons. Apologies again for the delay of our submission. 
Georgios Tselentis (GAC-EPDP) From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Caitlin Tubergen Sent: Wednesday, May 22, 2019 5:22 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear EPDP Team, Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting. Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly. Thank you. Best regards, Marika, Berry, and Caitlin _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. 
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
If I may comment on this particular boiling down: 1) The accuracy in data subjects' rights is a general right that they have to ensure the data controller collects the data accurately, and keeps it so. They have a right to correct in the event of failure in this regard 2) When a data subject requests access to their data, they should not be steered to the RDS. They should get what we used to call their "file"....the whole shebang, including their financial data, correspondence etc. Of course if they only ask for certain elements of their data, fine, give a subset. That "file" is normally held by the entity with whom they transact their registrations, often a reseller. There is currently, at least in my view, a distinct lack of clarity in the relationships between accredited registrars and resellers, and it is not clear how much of that "file" the accredited registrar needs to have under its control. I think it is important that we not treat data subjects as just another requestor of data with a right provided under the GDPR. The system we are building is for third parties, and data subjects are first parties. Kind regards, Stephanie Perrin On 2019-05-30 19:19, King, Brian via Gnso-epdp-team wrote: Hi all, I boil this down to a couple key facts: 1) Data subjects have a right to data accuracy under GDPR, and 2) the data analysis shows that they’re not getting it in today’s registration data system (56% is a failing score by any measure, and especially in the context of fundamental rights). So accuracy falls squarely within the context of this EPDP. As it pertains to third parties, I suppose it’s fair to distinguish between a data subject’s _right_ and a third party’s _need_ for accurate data, but third-party needs are also provided for under GDPR, so the distinction is irrelevant as to whether they’re in scope for this EPDP. 
For example, an EBERO may not have an explicit, GDPR-given right to registration data, but the EBERO needs accurate data in order to allocate the domain name to its rightful owner when a registry implodes. This processing might be on a 6.1(a),(b),(e), or other basis; regardless, it’s a GDPR-compliant processing need. A phishing victim may not have an explicit, GDPR-given right to registration data, but EU case law is clear that pursuit of a legal claim wins the 6.1(f) test over privacy interests, so the victim has a GDPR-compliant processing need for accurate data to know who to name as defendant and where to file the lawsuit. So, accuracy and third-party needs are both in scope. I’m happy to answer any questions and/or work with the legal committee to prioritize any questions to the Birdies as the EPDP team deems prudent. Brian J. King Director of Internet Policy & Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com<mailto:brian.king@markmonitor.com> From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L Sent: Thursday, May 30, 2019 1:47 PM To: Margie Milam <margiemilam@fb.com><mailto:margiemilam@fb.com>; Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>; vgreimann@key-systems.net<mailto:vgreimann@key-systems.net> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Margie Your numbers show a decline in the accuracy of Whois reg data PRIOR to the implementation of the temp spec (June 2018 - temp spec went into effect late May 2018) That's interesting. So - all that indiscriminate public disclosure and all those policy measures intended to force registrants upon pain of death (of their registration) failed to maintain the desired level of accuracy. Very interesting indeed. 
Did it ever occur to you that the indiscriminate publication of Whois data might actually _cause_ much of the inaccuracy, by undermining the registrant's willingness to provide accurate data? Anyway I do not see what relevance this has to the EPDP's main project, which is to make the Whois GDPR compliant. First, the data do not measure the impact of GDPR compliance. Second, numerous people on this list have proven, again and again, that accuracy in GDPR is a data subject's right not a third party's right. Hence, ICANN policies intended to make the data accurate for third party demands have little to do with GDPR compliance. Insofar as current ICANN policy relies on GDPR-violating methods to ensure accuracy (e.g. publication of all data) those methods must be modified. Insofar as current ICANN policies designed to ensure accuracy are compliant with GDPR, then they can and will remain in place until modified by some other PDP. Ergo, ICANN's accuracy policies are not relevant to this proceeding. (Sorry, Georgios) --MM ________________________________ From: Margie Milam <margiemilam@fb.com<mailto:margiemilam@fb.com>> Sent: Thursday, May 30, 2019 12:46 PM To: Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>; vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>; Mueller, Milton L Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Georgios & All – Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a decline in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system. 
All the best, Margie From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>" <Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>> Date: Thursday, May 30, 2019 at 4:12 AM To: "vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>" <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>>, "milton@gatech.edu<mailto:milton@gatech.edu>" <milton@gatech.edu<mailto:milton@gatech.edu>> Cc: "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Volker, Milton, EPDP colleagues, I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions. 
Best regards, Georgios From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Volker Greimann Sent: Wednesday, May 29, 2019 6:54 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Hi Margie, the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail. Best, Volker On 29.05.2019 at 18:38, Margie Milam wrote: Hi Chris and all – To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board. In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. 
This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System. All the best, Margie From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org><mailto:chris.disspain@board.icann.org> Date: Tuesday, May 28, 2019 at 9:48 AM To: "gnso-epdp-team@icann.org"<mailto:gnso-epdp-team@icann.org> <gnso-epdp-team@icann.org><mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Greetings All, I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before. I don’t understand the connection between accuracy and GDPR. The regulations govern a registrar’s right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant’s obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information. Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing? Cheers, Chris On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Didn't we have (and settle) the same argument about six months ago? This principle is a protection of the data subject. 
When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it. As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties. Can we now please stop going over old settled issues? Volker On 28.05.2019 at 18:06, Greg Aaron wrote: Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says: Art. 5 GDPR Principles relating to processing of personal data "1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);… 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” There has been discussion in legal and GDPR compliance communities that the above means all of these: a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate. b) Organizations must allow data subjects to rectify inaccuracies. (Your point.) c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from. d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And, e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data. 
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration. GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law. So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about. All best, --Greg From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L Sent: Saturday, May 25, 2019 9:18 AM To: Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>; caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Georgios and colleagues: I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject. To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18. 
Article 18, Right to restriction of processing: ----------------------------------------------------------- “The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;” So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR. Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal. Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data. Dr. 
Milton L Mueller Georgia Institute of Technology School of Public Policy From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu> Sent: Friday, May 24, 2019 7:02 PM To: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Caitlin, colleagues, Please find below questions on the topics of the legal memos from the GAC: Accuracy . If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR? . According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? . Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? . How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)? . 
While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD? Natural or non-natural persons . How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant? . How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS. Technical contact Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration? General question: . How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons. Apologies again for the delay of our submission. 
Georgios Tselentis (GAC-EPDP) From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Caitlin Tubergen Sent: Wednesday, May 22, 2019 5:22 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear EPDP Team, Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting. Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly. Thank you. Best regards, Marika, Berry, and Caitlin -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. 
Hi Brian,
this is actually a funny argument you are trying to make here. You are essentially saying registrants are getting their rights violated by themselves, since they are the ones providing the data in the first place. I would be very intrigued to see how the data subject feeling violated this way would make this argument in court.
The only correct way to understand this right to accuracy is that it relates to the right of correction, which means that the processor is not entitled to change the data, must store the data provided correctly and update it if necessary or requested by the data subject.
It is not the role of the processor or controller under the GDPR to tell the data subject to correct the data they themselves provided. If anything, such a requirement may be a business consideration, but it is not something flowing out of the GDPR.
Best,
Volker
On 31.05.2019 at 01:19, King, Brian via Gnso-epdp-team wrote:
Hi all,
I boil this down to a couple key facts:
1) Data subjects have a right to data accuracy under GDPR, and 2) the data analysis shows that they’re not getting it in today’s registration data system (56% is a failing score by any measure, and especially in the context of fundamental rights). So accuracy falls squarely within the context of this EPDP.
As it pertains to third parties, I suppose it’s fair to distinguish between a data subject’s _/right/_ and a third party’s _/need/_ for accurate data, but third-party needs are also provided for under GDPR, so the distinction is irrelevant as to whether they’re in scope for this EPDP. For example, an EBERO may not have an explicit, GDPR-given right to registration data, but the EBERO needs accurate data in order to allocate the domain name to its rightful owner when a registry implodes. This processing might be on a 6.1(a),(b),(e), or other basis; regardless, it’s a GDPR-compliant processing need. A phishing victim may not have an explicit, GDPR-given right to registration data, but EU case law is clear that pursuit of a legal claim wins the 6.1(f) test over privacy interests, so the victim has a GDPR-compliant processing need for accurate data to know who to name as defendant and where to file the lawsuit.
So, accuracy and third-party needs are both in scope.
I’m happy to answer any questions and/or work with the legal committee to prioritize any questions to the Birdies as the EPDP team deems prudent.
*Brian J. King*
*Director of Internet Policy & Industry Affairs*
*MarkMonitor* / *Part of Clarivate Analytics*
Phone: +1 (443) 761-3726
brian.king@markmonitor.com
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Mueller, Milton L *Sent:* Thursday, May 30, 2019 1:47 PM *To:* Margie Milam <margiemilam@fb.com>; Georgios.TSELENTIS@ec.europa.eu; vgreimann@key-systems.net *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Margie
Your numbers show a decline in the accuracy of Whois reg data PRIOR to the implementation of the temp spec (June 2018 - temp spec went into effect late May 2018)
That's interesting. So - all that indiscriminate public disclosure and all those policy measures intended to force registrants upon pain of death (of their registration) failed to maintain the desired level of accuracy. Very interesting indeed.
Did it ever occur to you that the indiscriminate publication of Whois data might actually _cause_ much of the inaccuracy, by undermining the registrant's willingness to provide accurate data?
Anyway I do not see what relevance this has to the EPDP's main project, which is to make the Whois GDPR compliant. First, the data do not measure the impact of GDPR compliance. Second, numerous people on this list have proven, again and again, that accuracy in GDPR is a data subject's right not a third party's right. Hence, ICANN policies intended to make the data accurate for third party demands have little to do with GDPR compliance.
Insofar as current ICANN policy relies on GDPR-violating methods to ensure accuracy (e.g. publication of all data) those methods must be modified.
Insofar as current ICANN policies designed to ensure accuracy are compliant with GDPR, then they can and will remain in place until modified by some other PDP. Ergo, ICANN's accuracy policies are not relevant to this proceeding. (Sorry, Georgios)
--MM
------------------------------------------------------------------------
*From:* Margie Milam <margiemilam@fb.com> *Sent:* Thursday, May 30, 2019 12:46 PM *To:* Georgios.TSELENTIS@ec.europa.eu; vgreimann@key-systems.net; Mueller, Milton L *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Georgios & All –
Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a *decline* in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system.
All the best,
Margie
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu> *Date:* Thursday, May 30, 2019 at 4:12 AM *To:* "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> *Cc:* "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Volker, Milton, EPDP colleagues,
I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are _clarification questions_ not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions.
Best regards,
Georgios
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Volker Greimann *Sent:* Wednesday, May 29, 2019 6:54 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Hi Margie,
the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?).
For all other purposes reasonable steps are already being taken, as I explained in my previous mail.
Best,
Volker
On 29.05.2019 at 18:38, Margie Milam wrote:
Hi Chris and all –
To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board.
In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: /The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System./
All the best,
Margie
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org> *Date:* Tuesday, May 28, 2019 at 9:48 AM *To:* "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Greetings All,
I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before.
I don’t understand the connection between accuracy and GDPR.
The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:
Didn't we have (and settle) the same argument about six months ago?
This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle.
The principles protect the data subject, not third parties.
Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Mueller, Milton L *Sent:* Saturday, May 25, 2019 9:18 AM *To:* Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _/of the data subject/_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Georgios.TSELENTIS@ec.europa.eu *Sent:* Friday, May 24, 2019 7:02 PM *To:* caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
*Natural or non-natural persons*
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration?
*General question:*
. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Caitlin Tubergen *Sent:* Wednesday, May 22, 2019 5:22 PM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=KsnUZFZN_ds3hfDU81KaQh1PouUijCAV1NUDwpIOsAg&e=>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=FwUQq5l0Y2FAOewYgUPeC3ZpkOkUcsYGbDQDGdrn51g&e=>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=DIqsoPEEZERBjh2YW7dICqGWkBj7ALzyba1voyOPzMk&e=>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=hwQnHWrq0qIdx6kVhoowbCd4SZ1nSrXYOX7R9KBc0JM&e=>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=KsnUZFZN_ds3hfDU81KaQh1PouUijCAV1NUDwpIOsAg&e=> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=FwUQq5l0Y2FAOewYgUPeC3ZpkOkUcsYGbDQDGdrn51g&e=>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=i8lF_vDhT_peOZsF_kHctAAjfsmIBrNuFvOup8q3LFs&s=DIqsoPEEZERBjh2YW7dICqGWkBj7ALzyba1voyOPzMk&e=>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=6ugXFDtMSp5TN-tGQMAzXjvDtHOuYWQWQNcAzRH3LdY&s=14PnxLXVFMTIGWWbF7k0KG1crIpW38SedNJjX9-zNn0&e=>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=6ugXFDtMSp5TN-tGQMAzXjvDtHOuYWQWQNcAzRH3LdY&s=D1dN_llu6Tbkcs62nPs2bv31b8e3lKufIbEiylp3GdI&e=>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=6ugXFDtMSp5TN-tGQMAzXjvDtHOuYWQWQNcAzRH3LdY&s=JH0Fkze6xob9fbzReu0Azcu6-Rq2iStP-ZCyB_jFoCo&e=>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=6ugXFDtMSp5TN-tGQMAzXjvDtHOuYWQWQNcAzRH3LdY&s=UhiYqnRvRppumnSvfFWK9c32gZOekoZ1T3kbYAo1WAI&e=>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Margie,

Thanks for providing that perspective and citing the ICANN findings from June 2018. I do think it’s important to point out that although Phase 2 Cycle 6 of Whois ARS reported 56% of domains passed all operability tests for all contacts/fields, that does not mean that the data is 44% non-contactable. As indicated in the Phase 2 reporting summary page (https://whois.icann.org/en/whois-ars-phase-2-reporting), since December 2015:

a. 98% or more of domains are contactable through one or more methods (email or telephone of contacts)
b. 87 to 99% of postal addresses are operable
c. 90%+ email addresses are operable

There can be a number of factors which may result in false positives for failures, which the registrars have shared previously but could include missing country codes (which can be easily determined from other registration data), overly strict postal address testing (requiring state/province for countries where that is optional), and anti-spam email server measures.

It’s important to paint a picture for the team that reflects the true picture of the accuracy findings as we move forward with our Phase 2 work.

Have a good weekend all!

Regards,
Matt

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Margie Milam <margiemilam@fb.com>
Date: Thursday, May 30, 2019 at 10:46 AM
To: "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>, "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu>
Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Georgios & All –

Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a decline in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017).
With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system.

All the best,
Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>
Date: Thursday, May 30, 2019 at 4:12 AM
To: "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu>
Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Volker, Milton, EPDP colleagues,

I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions.

Best regards,
Georgios

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann
Sent: Wednesday, May 29, 2019 6:54 PM
To: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Hi Margie,

the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that.
The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). For all other purposes reasonable steps are already being taken, as I explained in my previous mail.

Best,
Volker

On 29.05.2019 at 18:38, Margie Milam wrote:

Hi Chris and all –

To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board.

In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system.

This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System.
All the best,
Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org>
Date: Tuesday, May 28, 2019 at 9:48 AM
To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Greetings All,

I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before.

I don’t understand the connection between accuracy and GDPR. The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.

Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?

Cheers,
Chris

On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:

Didn't we have (and settle) the same argument about six months ago?

This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle. The principles protect the data subject, not third parties.

Can we now please stop going over old settled issues?

Volker

On 28.05.2019 at 18:06, Greg Aaron wrote:

Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:

Art. 5 GDPR
Principles relating to processing of personal data

“1. Personal data shall be: ...
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

There has been discussion in legal and GDPR compliance communities that the above means all of these:

a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.

How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.

So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.

All best,
--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Georgios and colleagues:

I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject. To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.

Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”

So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy.
There is NO OTHER reference to accuracy in the entire GDPR.

Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.

Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.

Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu
Sent: Friday, May 24, 2019 7:02 PM
To: caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Caitlin, colleagues,

Please find below questions on the topics of the legal memos from the GAC:

Accuracy
- If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
- According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
- Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
- How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
- While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?

Natural or non-natural persons

- How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information?
If it's not, is the analysis about whether the accuracy principle applies relevant?
- How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.

Technical contact

Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration?

General question:

- How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.

Apologies again for the delay of our submission.

Georgios Tselentis (GAC-EPDP)

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear EPDP Team,

Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.

Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.

Thank you.
Best regards,
Marika, Berry, and Caitlin
Hi Matt – Thanks for sharing those findings. Those findings don’t help us in Phase 2 because under the new policy, the requester does not automatically get all the contact fields, but only certain fields necessary to satisfy the purpose. So for example, if a requester only gets access to an email address that is inaccurate, the fact that the registrar has an accurate phone number isn’t helpful to the requester, if it isn’t able to access that field. We’ll need to look at accuracy at each field, and suggest we hear from ICANN Org to explain the methodology & issues they have seen using the criteria from the ARS, as well as the registrar experience, to see whether it is possible to improve these accuracy levels. Margie From: Matt Serlin <matt@brandsight.com> Date: Friday, May 31, 2019 at 1:55 PM To: Margie Milam <margiemilam@fb.com>, "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>, "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Margie, Thanks for providing that perspective and sighting the ICANN findings from June 2018. I do think it’s important to point out that although Phase 2 Cycle 6 of Whois ARS reported 56% of domains passed all operability tests for all contacts/fields, that does not mean that the data is 44% non-contactable. As indicated in the Phase 2 reporting summary page (https://whois.icann.org/en/whois-ars-phase-2-reporting), since December 2015: a. 98% or more of domains are contactable through one or more methods (email or telephone of contacts) b. 87 to 99% of postal addresses are operable c. 
90%+ email addresses are operable There can be a number of factors which may result in false positives for failures, which the registrars have shared previously but could include missing country codes (which can be easily determined from other registration data), overly strict postal address testing (requiring state/province for countries where that is optional), and anti-spam email server measures. It’s important to paint a picture for the team that reflects the true picture of the accuracy findings as we move forward with our Phase 2 work. Have a good weekend all! Regards, Matt From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Margie Milam <margiemilam@fb.com> Date: Thursday, May 30, 2019 at 10:46 AM To: "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>, "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Georgios & All – Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a decline in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system. 
All the best, Margie From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu> Date: Thursday, May 30, 2019 at 4:12 AM To: "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Dear Volker, Milton, EPDP colleagues, I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are clarification questions not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions. Best regards, Georgios From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann Sent: Wednesday, May 29, 2019 6:54 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Hi Margie, the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANNs making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?). 
For all other purposes reasonable steps are already being taken, as I explained in my previous mail. Best, Volker Am 29.05.2019 um 18:38 schrieb Margie Milam: Hi Chris and all – To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board. In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System. All the best, Margie From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org><mailto:chris.disspain@board.icann.org> Date: Tuesday, May 28, 2019 at 9:48 AM To: "gnso-epdp-team@icann.org"<mailto:gnso-epdp-team@icann.org> <gnso-epdp-team@icann.org><mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Greetings All, I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before. 
I don’t understand the connection between accuracy and GDPR.
The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:
Didn't we have (and settle) the same argument about six months ago?
This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle.
The principles protect the data subject, not third parties.
Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L Sent: Saturday, May 25, 2019 9:18 AM To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu Sent: Friday, May 24, 2019 7:02 PM To: caitlin.tubergen@icann.org Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
Accuracy
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
Natural or non-natural persons
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
Technical contact
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address could consent also be confirmed for the term of the registration?
General question:
. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen Sent: Wednesday, May 22, 2019 5:22 PM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Accuracy in all fields was never the stated goal of ICANN's policy. Contactability was what all these policies were after, as it was understood that full accuracy in all fields can likely never be achieved. The WHOIS ARS has shown that all policies and contractual provisions have actually contributed to an overall increase in contactability in _every_ iteration of the ARS. It is understood that contactability has now again suffered as not all information is available to every requester anymore, but that is not the result of ICANN policies failing or bad will of any actor (CPs, registrants, etc) but rather the direct result of legal obligations resulting from data protection legislation. At this time, the main means of contactability is through email, as the temp spec and its successor allow for contact to happen through this contact, either by redirect or by webform. And for that contact, the accuracy rating of the ARS is over 90%.
Best,
Volker
On 31.05.2019 at 23:42, Margie Milam wrote:
Hi Matt –
Thanks for sharing those findings. Those findings don’t help us in Phase 2 because under the new policy, the requester does not automatically get all the contact fields, but only certain fields necessary to satisfy the purpose. So for example, if a requester only gets access to an email address that is inaccurate, the fact that the registrar has an accurate phone number isn’t helpful to the requester, if it isn’t able to access that field.
We’ll need to look at accuracy at each field, and suggest we hear from ICANN Org to explain the methodology & issues they have seen using the criteria from the ARS, as well as the registrar experience, to see whether it is possible to improve these accuracy levels.
Margie
*From: *Matt Serlin <matt@brandsight.com> *Date: *Friday, May 31, 2019 at 1:55 PM *To: *Margie Milam <margiemilam@fb.com>, "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>, "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> *Cc: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Margie,
Thanks for providing that perspective and citing the ICANN findings from June 2018.
I do think it’s important to point out that although Phase 2 Cycle 6 of Whois ARS reported 56% of domains passed all operability tests for all contacts/fields, that does *not* mean that the data is 44% non-contactable. As indicated in the Phase 2 reporting summary page (https://whois.icann.org/en/whois-ars-phase-2-reporting), since December 2015:
a. 98% or more of domains are contactable through one or more methods (email or telephone of contacts)
b. 87 to 99% of postal addresses are operable
c. 90%+ email addresses are operable
There can be a number of factors which may result in false positives for failures, which the registrars have shared previously but could include missing country codes (which can be easily determined from other registration data), overly strict postal address testing (requiring state/province for countries where that is optional), and anti-spam email server measures.
It’s important to paint a picture for the team that reflects the true picture of the accuracy findings as we move forward with our Phase 2 work.
Have a good weekend all!
Regards,
Matt
*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Margie Milam <margiemilam@fb.com> *Date: *Thursday, May 30, 2019 at 10:46 AM *To: *"Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu>, "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> *Cc: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Georgios & All –
Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a *decline* in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system.
All the best,
Margie
*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu> *Date: *Thursday, May 30, 2019 at 4:12 AM *To: *"vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> *Cc: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Volker, Milton, EPDP colleagues,
I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are _clarification questions_ not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions.
Best regards,
Georgios
*From:*Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann *Sent:* Wednesday, May 29, 2019 6:54 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Hi Margie,
the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?).
For all other purposes reasonable steps are already being taken, as I explained in my previous mail.
Best,
Volker
On 29.05.2019 at 18:38, Margie Milam wrote:
Hi Chris and all –
To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board.
In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: /The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System./
All the best,
Margie
*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org> *Date: *Tuesday, May 28, 2019 at 9:48 AM *To: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Greetings All,
I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before.
I don’t understand the connection between accuracy and GDPR.
The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:
Didn't we have (and settle) the same argument about six months ago?
This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle.
The principles protect the data subject, not third parties.
Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Mueller, Milton L *Sent:* Saturday, May 25, 2019 9:18 AM *To:* Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Georgios.TSELENTIS@ec.europa.eu *Sent:* Friday, May 24, 2019 7:02 PM *To:* caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
*Natural or non-natural persons*
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address, could consent also be confirmed for the term of the registration?
*General question:*
. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Caitlin Tubergen *Sent:* Wednesday, May 22, 2019 5:22 PM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list in accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Not sure why you conflate the inaccuracy rate of the ARS (which actually shows an increase in overall contactability of the registrants IIRC) with GDPR compliance. A database filled with 100% inaccurate data would be fully GDPR compliant as there is no personal data in it. How useful that data then is for any of the purposes is another question though. If anything, the functionality of the DNS with an error rate that high might even call into question the validity of the purposes for collection and processing in the first place, but I am sure we don't want to go there.
Best,
Volker
On 30.05.2019 at 18:46, Margie Milam wrote:
Georgios & All –
Thank you for the reply. With regard to accuracy – please note that the latest accuracy report posted by ICANN in June, 2018 noted a *decline* in accuracy rates. It reported that only 56% of domains passed all operability tests, a decrease from Cycle 5 (63% in Dec 2017). With a 44% inaccuracy rate – this points to the need for us to examine whether the current rules/policies incorporated in the ICANN contracts are robust enough to produce a GDPR compliant system.
All the best,
Margie
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Georgios.TSELENTIS@ec.europa.eu" <Georgios.TSELENTIS@ec.europa.eu> *Date:* Thursday, May 30, 2019 at 4:12 AM *To:* "vgreimann@key-systems.net" <vgreimann@key-systems.net>, "milton@gatech.edu" <milton@gatech.edu> *Cc:* "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Volker, Milton, EPDP colleagues,
I am reading with great interest the reactions to the clarification questions we sent, in particular regarding accuracy. The mere fact that the community has different understandings as to what exactly it means in the WHOIS policy reform under GDPR begs for asking those questions and not putting the issue (again) under the carpet. We might come with an outcome that current accuracy measures are sufficient for WHOIS GDPR compliance, or that we need more to do. Anyhow at this stage those are _clarification questions_ not a policy per se so I would welcome first the legal counsel to provide some informed opinion before any community jumping to conclusions.
Best regards,
Georgios
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Volker Greimann *Sent:* Wednesday, May 29, 2019 6:54 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Hi Margie,
the risk of the poor registrant losing his domain name due to inaccurate whois data is actually entirely of ICANN's making as contracted parties certainly do not need this data set for the purposes of maintaining the registration. We have account data for that. The only reason whois inaccuracies can cause a registrant to lose his domain is ICANN policies and contractual obligations regarding failures to update inaccurate data and registrars opting for deletion instead of deactivation (do such registrars still exist?).
For all other purposes reasonable steps are already being taken, as I explained in my previous mail.
Best,
Volker
On 29.05.2019 at 18:38, Margie Milam wrote:
Hi Chris and all –
To answer your question, the legal advice provided by Bird & Bird on accuracy addresses this issue and notes that there is a positive obligation on the controller to ensure the data is accurate depending on the circumstances and the consequences of processing inaccurate data. It also notes that a controller may have to get independent confirmation where the impact is particularly significant. In addition, the issue of data accuracy as part of a GDPR compliant system was also raised by the European Commission in its recent comments to the Board.
In the case of domain names, the consequence of inaccurate data affects not just the registrant (who could lose its domain name), but those that may be trying to resolve technical issues, cyber-crime or consumer protection issues. We also have numerous studies conducted by ICANN over the last decade that show unacceptable levels of accuracy in the WHOIS system. This is why the question of accuracy was pushed to Phase 2 in our Phase 1 Final Report so that we could explore these issues further. See Footnote 6 where it says: /The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System./
All the best,
Margie
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris.disspain@board.icann.org> *Date:* Tuesday, May 28, 2019 at 9:48 AM *To:* "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Greetings All,
I’m a little confused by this discussion. Apologies in advance if the below is wrong or naive or has been covered before.
I don’t understand the connection between accuracy and GDPR.
The regulations govern a registrar's right to collect the data and what they can do with it. Assuming they have that right under GDPR, the registrant's obligation to provide them with *accurate* data is not governed by GDPR but rather the contractual relationship between registrar and registrant and the registrar is entitled to require accurate information from the registrant pursuant to that. The registrar can also require the updating of changed information and/or proactively seek re-confirmation of accuracy. And ICANN, in its contract with a registrar, can require that registrar to require the registrant to provide accurate information.
Other than governing the right to collect the information (and what can be done with it) does GDPR have some other role that I’m missing?
Cheers,
Chris
On 28 May 2019, at 17:23, Volker Greimann <vgreimann@key-systems.net> wrote:
Didn't we have (and settle) the same argument about six months ago?
This principle is a protection of the data subject. When we create personal data from the data provided to us by the data subject or a third party, we must ensure we store it accurately and our processing does not falsify it.
As such, the contractual provision that the data subject must provide to us accurate data (and keep it updated when it changes) and the confirmation of the accuracy by the data subject is sufficient for our purposes and therefore reasonable in accordance with this principle.
The principles protect the data subject, not third parties.
Can we now please stop going over old settled issues?
Volker
On 28.05.2019 at 18:06, Greg Aaron wrote:
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Mueller, Milton L *Sent:* Saturday, May 25, 2019 9:18 AM *To:* Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _/of the data subject/_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Georgios.TSELENTIS@ec.europa.eu *Sent:* Friday, May 24, 2019 7:02 PM *To:* caitlin.tubergen@icann.org *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
*Natural or non-natural persons*
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CPs verify the email address, could consent also be confirmed for the term of the registration?
*General question:*
. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Caitlin Tubergen *Sent:* Wednesday, May 22, 2019 5:22 PM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
Hi Milton and All,

Milton, there are certainly other aspects to accuracy under GDPR than the one you mention.

As Greg mentions article 5 of the GDPR “Principles relating to processing of personal data” says

Personal data shall be:

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

According to the Information Commissioner’s Office's (ICO) organizations' guide to data protection, the ICO recommends that organizations consider the following checklist:

o ensure the accuracy of any personal data they create.
o have appropriate processes in place to check the accuracy of the data they collect, and that they record the source of that data.
o have a process in place to identify when they need to keep the data updated to properly fulfill their purpose, and that they update it as necessary.
o If they need to keep a record of a mistake, they clearly identify it as a mistake.
o Their records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.
o Comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data.
o As a matter of good practice, they keep a note of any challenges to the accuracy of the personal data.

The ICO goes on to explain what is new under GDPR, with regard to the accuracy principle, stating that the accuracy principle under GDPR is very similar to the fourth principle of the 1998 Act with two differences

1. The GDPR principle includes a clearer proactive obligation to take reasonable steps to delete or correct inaccurate personal data.
2. The GDPR does not explicitly distinguish between personal data that they create and personal data that someone else provides.

However, the ICO says that the main difference in practice between the GDPR and the previous act is that individuals have a stronger right to have inaccurate personal data corrected under the right to rectification, which is the point you make.

As for when is personal data accurate or inaccurate, the ICO says, “you must be clear about what you intend the record of the personal data to show. What you use it for may affect whether it is accurate or not”

Given all the above, I certainly do not know why we do not have a common understanding of the matter. However, further legal clarification could help us.

Kind regards
Hadia

________________________________
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Greg Aaron <greg@illumintel.com>
Sent: 28 May 2019 18:06
To: 'Mueller, Milton L'; Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:

Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.

How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.

GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.

So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.

All best,
--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Georgios and colleagues:

I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.

To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.

Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”

So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.

Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.

Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer: Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.

Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu
Sent: Friday, May 24, 2019 7:02 PM
To: caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Caitlin, colleagues,

Please find below questions on the topics of the legal memos from the GAC:

Accuracy
* If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
* According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
* Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
* How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
* While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?

Natural or non-natural persons
* How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant?
* How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.

Technical contact
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration?

General question:
* How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.

Apologies again for the delay of our submission.

Georgios Tselentis (GAC-EPDP)

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear EPDP Team,

Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.

Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.

Thank you.

Best regards,

Marika, Berry, and Caitlin
Hi Hadia and all,

it is interesting how one can read the same source (the ICO guide) and come to opposite interpretations of the same provision.

The key point is that nothing in the entire article (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-g...) refers to any third party rights for accuracy. Instead, the accuracy principle is always linked either to the purposes or to the right of the data subject to rectify. The requirement of accuracy is directly proportional to the purposes of the processing in the first place:

/Does personal data always have to be up to date?/

/This depends on what you use the information for. If you use the information for a purpose that relies on it remaining current, you should keep it up to date. (...) In other cases, it will be equally obvious that you do not need to update information./

What is the actual obligation?

/In practice, this means that you must:/

* /take reasonable steps to ensure the accuracy of any personal data;/
* /ensure that the source and status of personal data is clear;/
* /carefully consider any challenges to the accuracy of information; and/
* /consider whether it is necessary to periodically update the information./

Nothing in the accuracy principle requires the controller or processor to actively monitor accuracy or enforce it against the data subject. It is reactive ("/Consider challenges/"), not active:

/In some cases it is reasonable to rely on the individual to tell you when their personal data has changed, such as when they change address or other contact details. It may be sensible to periodically ask individuals to update their own details, but you do not need to take extreme measures to ensure your records are up to date, unless there is a corresponding privacy risk which justifies this./

At this time, the obligations of contracted parties with regard to accuracy of data (verification, validation, accuracy reminders, etc) already amply overcomply with this requirement. Updates occur when the data subject updates their data.

Finally, the principle also allows for erasure and no longer effective for its purpose of inaccurate data. I am not sure that is the outcome you are looking for.

The accuracy principle therefore cannot be abused into creating new obligations, at best it can justify the existing practices with regard to accuracy arising from the RAA and certain policies. But in the end, all of these will have to be reviewed with an eye toward their reasonableness and necessity for the purpose.

Best,
Volker

On 29.05.2019 at 18:15, Hadia Abdelsalam Mokhtar EL miniawi wrote:
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Hi Volker and all,

I certainly do not see us coming to opposite interpretations, I totally agree that accuracy is linked to the purposes for which the data is processed and to the rights of the data subject and not only to the rights of the data subjects as previously suggested by some. We are still yet to examine our purposes in relation to accuracy. Surely no one would like to push for extra unnecessary obligations.

Kind regards
Hadia

________________________________
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Volker Greimann <vgreimann@key-systems.net>
Sent: 29 May 2019 18:40
To: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Hi Hadia and all,

it is interesting how one can read the same source (the ICO guide) and come to opposite interpretations of the same provision.

The key point is that nothing in the entire article (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-g...) refers to any third party rights for accuracy. Instead, the accuracy principle is always linked either to the purposes or to the right of the data subject to rectify. The requirement of accuracy is directly proportional to the purposes of the processing in the first place:

Does personal data always have to be up to date?

This depends on what you use the information for. If you use the information for a purpose that relies on it remaining current, you should keep it up to date. (...) In other cases, it will be equally obvious that you do not need to update information.

What is the actual obligation?

In practice, this means that you must:

* take reasonable steps to ensure the accuracy of any personal data;
* ensure that the source and status of personal data is clear;
* carefully consider any challenges to the accuracy of information; and
* consider whether it is necessary to periodically update the information.

Nothing in the accuracy principle requires the controller or processor to actively monitor accuracy or enforce it against the data subject. It is reactive ("Consider challenges"), not active:

In some cases it is reasonable to rely on the individual to tell you when their personal data has changed, such as when they change address or other contact details. It may be sensible to periodically ask individuals to update their own details, but you do not need to take extreme measures to ensure your records are up to date, unless there is a corresponding privacy risk which justifies this.

At this time, the obligations of contracted parties with regard to accuracy of data (verification, validation, accuracy reminders, etc) already amply overcomply with this requirement. Updates occur when the data subject updates their data.

Finally, the principle also allows for erasure and no longer effective for its purpose of inaccurate data. I am not sure that is the outcome you are looking for.

The accuracy principle therefore cannot be abused into creating new obligations, at best it can justify the existing practices with regard to accuracy arising from the RAA and certain policies. But in the end, all of these will have to be reviewed with an eye toward their reasonableness and necessity for the purpose.

Best,
Volker

On 29.05.2019 at 18:15, Hadia Abdelsalam Mokhtar EL miniawi wrote:

Hi Milton and All,

Milton, there are certainly other aspects to accuracy under GDPR than the one you mention.
As Greg mentions article 5 of the GDPR “ Principles relating to processing of personal data” says Personal data shall be: (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); According to the Information Commissioner’s Office's (ICO) organizations' guide to data protection, the ICO recommends that organizations consider the following checklist: o ensure the accuracy of any personal data they create. o have appropriate processes in place to check the accuracy of the data they collect, and that they record the source of that data. o have a process in place to identify when they need to keep the data updated to properly fulfill their purpose, and that they update it as necessary. o If they need to keep a record of a mistake, they clearly identify it as a mistake. o Their records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts. o Comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data. o As a matter of good practice, they keep a note of any challenges to the accuracy of the personal data. The ICO goes on to explain what is new under GDPR, with regard to the accuracy principle, stating that the accuracy principle under GDPR is very similar to the fourth principle of the 1998 Act with two differences 1.The GDPR principle includes a clearer proactive obligation to take reasonable steps to delete or correct inaccurate personal data. 2.The GDPR does not explicitly distinguish between personal data that they create and personal data that someone else provides. 
However, the ICO says that the main difference in practice between the GDPR and the previous act is that individuals have a stronger right to have inaccurate personal data corrected under the right to rectification, which is the point you make. As for when is personal data accurate or inaccurate, the ICO says, “you must be clear about what you intend the record of the personal data to show. What you use it for may affect whether it is accurate or not” Given all the above, I certainly do not know why we do not have a common understanding of the matter. However, further legal clarification could help us. Kind regards Hadia ________________________________ From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org><mailto:gnso-epdp-team-bounces@icann.org> on behalf of Greg Aaron <greg@illumintel.com><mailto:greg@illumintel.com> Sent: 28 May 2019 18:06 To: 'Mueller, Milton L'; Georgios.TSELENTIS@ec.europa.eu<mailto:Georgios.TSELENTIS@ec.europa.eu>; caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says: Art. 5 GDPR Principles relating to processing of personal data "1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);… 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” There has been discussion in legal and GDPR compliance communities that the above means all of these: a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate. 
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay.
And, e) Within some limits, the parties to a Data Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.

How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration. GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.

So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.

All best,
--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: Georgios.TSELENTIS@ec.europa.eu; caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Georgios and colleagues:

I think the questions related to accuracy below are not worth sending to the lawyers. They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.

Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”

So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.

Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.

Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:

Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.

Dr.
Milton L Mueller
Georgia Institute of Technology
School of Public Policy

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Georgios.TSELENTIS@ec.europa.eu
Sent: Friday, May 24, 2019 7:02 PM
To: caitlin.tubergen@icann.org
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear Caitlin, colleagues,

Please find below questions on the topics of the legal memos from the GAC:

Accuracy

. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g.
to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?

Natural or non-natural persons

. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.

Technical contact

Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration?

General question:

. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.

Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table

Dear EPDP Team,

Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting. Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.

Thank you.

Best regards,
Marika, Berry, and Caitlin

-- Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851
W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no.
HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
A few questions regarding these questions:

On 25.05.2019 at 01:02, Georgios.TSELENTIS@ec.europa.eu wrote:
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
*Accuracy*
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
Please clarify the accuracy principle with regard to the obligations of the data controller/data processor. For example, is this principle directed at protecting third parties from the provision of inaccurate data by the data subject or at protecting the data subject against incorrect processing by the processor/controller? Does the principle provide for an obligation of the data processor/controller to verify the accuracy of the data provided by the data subject and make corrections without input from the data subject?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
This question is too general as it clearly depends on the purpose and cannot be answered without looking at each purpose individually.
. How does the accuracy principle in connection to the parties' liability have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities?
Do we really need to throw money at this obvious answer: Sub-processors of processors are bound by the same obligations under the GDPR as the processors.
*Natural or non-natural persons*
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not, is the analysis about whether the accuracy principle applies relevant?
As the data provided by the non-natural person registrant can contain personal information of a natural person, can a differentiation only by self-designated status of the registrant grant absolute legal protection to contracted parties against claims for unwanted publication of personal data contained in the data provided by the non-natural person?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
What steps would be required to ensure that any opt-in solution is sufficient consent for the publication of all data that may be contained in a registration data set?
*Technical contact*
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration?
Is confirmation of consent obtained by email sufficient in all cases to assume consent for publication of the personal information of a data subject even if no verification of ownership of that email address by the data subject can be performed?
*General question:*
. How could anonymisation/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Can anonymised/pseudonymised versions of email (addresse)s and names themselves be considered personal data, and if so, under what circumstances?
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
participants (12)
- Alan Greenberg
- Caitlin Tubergen
- Chris Disspain
- Georgios.TSELENTIS@ec.europa.eu
- Greg Aaron
- Hadia Abdelsalam Mokhtar EL miniawi
- King, Brian
- Margie Milam
- Matt Serlin
- Mueller, Milton L
- Stephanie Perrin
- Volker Greimann