SSAC response re EPDP homework - due Wed 24 February
Folks, In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy. The attached memo suggests a simpler and more comprehensive approach. Thanks, Steve
Hi Steve, thank you for your helpful proposal. I think it misses the mark on two essential points however: 1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following: a) contains personal information b) does not contain personal information This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person. 2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information. Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute. One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status. Best, -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Folks,
In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy.
The attached memo suggests a simpler and more comprehensive approach.
Thanks,
Steve
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Volker, Thanks. I agree partly. The real issue is whether contact data is to be made available to requesters. The default for natural persons is no and the default for legal persons is yes. There are definitely circumstances where the default does not apply. Some natural persons may wish for their contact information to be available, and some legal persons may wish their contact information not to be available. I disagree with the idea that personal contact information contained in a legal person's registration should result in protecting that information. Instead, it is the obligation of the legal person to not put personal information if they do not want it available. Otherwise, it must be presumed they have chosen to make it visible. With respect to your comment about not front loading the information gathering, I believe the picture I presented definitely includes your idea. In my picture, either the preliminary step or the later step might be null. Steve On Wed, Feb 24, 2021 at 9:41 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Steve, thank you for your helpful proposal.
I think it misses the mark on two essential points however: 1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following: a) contains personal information b) does not contain personal information This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person.
2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information.
Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute.
One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status.
Best, -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Folks,
In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy.
The attached memo suggests a simpler and more comprehensive approach.
Thanks,
Steve
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Hi Steve, thanks for your feedback. The issue is indeed whether contact data can be made available to requester (and if so, by what process). However the default should be based on the requirements of the GDRP (and confirmed again in the draft of the NIS II) that _personal information_ should be protected. We cannot make the presumption of consent you propose as it has no basis in law and continues to present a legal risk. I feel the only way to make progress at this stage is to abandon the legal vs natural debate and focus on the data instead and find ways to make that workable. As guidance. Thank you for clarifying that the steps may in fact be null. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Wed, Feb 24, 2021 at 4:01 PM Steve Crocker <steve@shinkuro.com> wrote:
Volker,
Thanks. I agree partly. The real issue is whether contact data is to be made available to requesters. The default for natural persons is no and the default for legal persons is yes. There are definitely circumstances where the default does not apply. Some natural persons may wish for their contact information to be available, and some legal persons may wish their contact information not to be available.
I disagree with the idea that personal contact information contained in a legal person's registration should result in protecting that information. Instead, it is the obligation of the legal person to not put personal information if they do not want it available. Otherwise, it must be presumed they have chosen to make it visible.
With respect to your comment about not front loading the information gathering, I believe the picture I presented definitely includes your idea. In my picture, either the preliminary step or the later step might be null.
Steve
On Wed, Feb 24, 2021 at 9:41 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Steve, thank you for your helpful proposal.
I think it misses the mark on two essential points however: 1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following: a) contains personal information b) does not contain personal information This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person.
2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information.
Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute.
One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status.
Best, -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Folks,
In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy.
The attached memo suggests a simpler and more comprehensive approach.
Thanks,
Steve
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Volker, It seems to me the intent and purpose of the law is to protect the privacy of individuals, i.e. natural persons, when they are acting in their capacity as an individual. If they are acting in a capacity related to a business, it is under the control of the business how to present contact information. I think it is both overreach and impractical to tell businesses they are not allowed to publish contact information for key roles. Businesses are very experienced in controlling how much data is available about their key people. For example, it is quite common for a business to list board members and key executives on their web pages but not to publish phone numbers, home addresses or even email addresses for those people. Steve On Wed, Feb 24, 2021 at 10:45 AM Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Steve, thanks for your feedback.
The issue is indeed whether contact data can be made available to requester (and if so, by what process). However the default should be based on the requirements of the GDRP (and confirmed again in the draft of the NIS II) that _personal information_ should be protected. We cannot make the presumption of consent you propose as it has no basis in law and continues to present a legal risk. I feel the only way to make progress at this stage is to abandon the legal vs natural debate and focus on the data instead and find ways to make that workable. As guidance.
Thank you for clarifying that the steps may in fact be null.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 4:01 PM Steve Crocker <steve@shinkuro.com> wrote:
Volker,
Thanks. I agree partly. The real issue is whether contact data is to be made available to requesters. The default for natural persons is no and the default for legal persons is yes. There are definitely circumstances where the default does not apply. Some natural persons may wish for their contact information to be available, and some legal persons may wish their contact information not to be available.
I disagree with the idea that personal contact information contained in a legal person's registration should result in protecting that information. Instead, it is the obligation of the legal person to not put personal information if they do not want it available. Otherwise, it must be presumed they have chosen to make it visible.
With respect to your comment about not front loading the information gathering, I believe the picture I presented definitely includes your idea. In my picture, either the preliminary step or the later step might be null.
Steve
On Wed, Feb 24, 2021 at 9:41 AM Volker Greimann < vgreimann@key-systems.net> wrote:
Hi Steve, thank you for your helpful proposal.
I think it misses the mark on two essential points however: 1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following: a) contains personal information b) does not contain personal information This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person.
2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information.
Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute.
One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status.
Best, -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Folks,
In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy.
The attached memo suggests a simpler and more comprehensive approach.
Thanks,
Steve
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Hi Steve, there is a difference between consent-based disclosure and disclosure due to presumed non-personal data. The intent and purpose of the law is to protect personal information, regardless of how it is obtained and where it may hide. The publication of key staff details is in many cases a regulatory requirement and in all other cases consent-based, but in those cases, it is the companies that take the risk of ensuring their publication or data on their websites complies with their legal obligations. Just last week I had to deal with a guy who wanted us to shut down a domain name because he was still listed as CFO on a failed cryptocurrency ICO homepage that he had left last year because he felt the use of his name and image violated his rights under the GDPR... He was right, of course, but it was not our obligation to correct that wrong. Best, -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Wed, Feb 24, 2021 at 4:57 PM Steve Crocker <steve@shinkuro.com> wrote:
Volker,
It seems to me the intent and purpose of the law is to protect the privacy of individuals, i.e. natural persons, when they are acting in their capacity as an individual. If they are acting in a capacity related to a business, it is under the control of the business how to present contact information. I think it is both overreach and impractical to tell businesses they are not allowed to publish contact information for key roles. Businesses are very experienced in controlling how much data is available about their key people. For example, it is quite common for a business to list board members and key executives on their web pages but not to publish phone numbers, home addresses or even email addresses for those people.
Steve
On Wed, Feb 24, 2021 at 10:45 AM Volker Greimann < vgreimann@key-systems.net> wrote:
Hi Steve, thanks for your feedback.
The issue is indeed whether contact data can be made available to requester (and if so, by what process). However the default should be based on the requirements of the GDRP (and confirmed again in the draft of the NIS II) that _personal information_ should be protected. We cannot make the presumption of consent you propose as it has no basis in law and continues to present a legal risk. I feel the only way to make progress at this stage is to abandon the legal vs natural debate and focus on the data instead and find ways to make that workable. As guidance.
Thank you for clarifying that the steps may in fact be null.
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 4:01 PM Steve Crocker <steve@shinkuro.com> wrote:
Volker,
Thanks. I agree partly. The real issue is whether contact data is to be made available to requesters. The default for natural persons is no and the default for legal persons is yes. There are definitely circumstances where the default does not apply. Some natural persons may wish for their contact information to be available, and some legal persons may wish their contact information not to be available.
I disagree with the idea that personal contact information contained in a legal person's registration should result in protecting that information. Instead, it is the obligation of the legal person to not put personal information if they do not want it available. Otherwise, it must be presumed they have chosen to make it visible.
With respect to your comment about not front loading the information gathering, I believe the picture I presented definitely includes your idea. In my picture, either the preliminary step or the later step might be null.
Steve
On Wed, Feb 24, 2021 at 9:41 AM Volker Greimann < vgreimann@key-systems.net> wrote:
Hi Steve, thank you for your helpful proposal.
I think it misses the mark on two essential points however: 1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following: a) contains personal information b) does not contain personal information This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person.
2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information.
Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute.
One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status.
Best, -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Folks,
In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy.
The attached memo suggests a simpler and more comprehensive approach.
Thanks,
Steve
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ( https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
- Re-sending as I see that not everyone had been in cc - Thanks Volker and Steve. Just a small remark from my side on the first essential point raised by Volker: This is precisely the concern of contracted parties that we aimed at addressing at our revised GAC proposal. If you see our proposal, at first level we have the distinction between natural and legal entities (which of course cannot be skipped) and at second level the further distinction between: a) data of legal entities containing personal information and b) data of legal entities which do not contain personal information. Data related to entities that are designated as natural entities under step 1 would not be published, so a further distinction wouldn’t be necessary for those. We trust that the above addresses your concern Volker. And of course we can find ways together on how to make this work. Talk soon! Best, Melina From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> On Behalf Of Volker Greimann via Gnso-epdp-team Sent: Wednesday, February 24, 2021 3:41 PM To: Steve Crocker <steve@shinkuro.com<mailto:steve@shinkuro.com>> Cc: SSAC-EPDP-WP <ssac-epdp-wp@icann.org<mailto:ssac-epdp-wp@icann.org>>; gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] SSAC response re EPDP homework - due Wed 24 February Hi Steve, thank you for your helpful proposal. I think it misses the mark on two essential points however: 1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following: a) contains personal information b) does not contain personal information This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person. 2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information. Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute. One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status. Best, -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hNCXDYkk$> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached. On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> wrote: Folks, In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy. The attached memo suggests a simpler and more comprehensive approach. Thanks, Steve _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hJ_REMos$> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hKqRmHUw$>) and the website Terms of Service (https://www.icann.org/privacy/tos<https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hF8pyzEJ$>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
In truth I have not had the full opportunity to read the document, but merely reacting to some of the back and forth here. I think Steve, that the simple response regarding businesses competency to publish their key role contacts is simply by acknowledging the fact that in our case, they are not the ones publishing, the registry or registrar is. This remains our risk, and we are trying to control that; we cannot have our fates in the hand of the internal process and legal awareness of one of any of the legal entities who are registrants. Bird & Bird's 2nd Legal memo on consent is pretty helpful in establishing that delineation. ( https://community.icann.org/download/attachments/111388744/ICANN%20memo%2013%20March%202020%20-%20consent.docx?version=1&modificationDate=1584121399000&api=v2 ) *"However, the controller will not be discharged from its obligations under the GDPR and – if the registrant has not met its obligations and/or does not provide a copy of the consent on request – then the controller will not be able to demonstrate that consent requirements are met, so this will impact on controller's compliance with GDPR." * Warm regards, Alan [image: Donuts Inc.] <http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ Donuts Ground Floor Le Pole House Ship Street Great Dublin 8 <https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Wed, Feb 24, 2021 at 4:06 PM STROUNGI Melina via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
- Re-sending as I see that not everyone had been in cc -
Thanks Volker and Steve.
Just a small remark from my side on the first essential point raised by Volker:
This is precisely the concern of contracted parties that we aimed at addressing at our revised GAC proposal.
If you see our proposal, at first level we have the distinction between natural and legal entities (which of course cannot be skipped) and at second level the further distinction between: a) data of legal entities containing personal information and b) data of legal entities which do not contain personal information.
Data related to entities that are designated as natural entities under step 1 would not be published, so a further distinction wouldn’t be necessary for those.
We trust that the above addresses your concern Volker. And of course we can find ways together on how to make this work.
Talk soon!
Best,
Melina
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Volker Greimann via Gnso-epdp-team *Sent:* Wednesday, February 24, 2021 3:41 PM *To:* Steve Crocker <steve@shinkuro.com> *Cc:* SSAC-EPDP-WP <ssac-epdp-wp@icann.org>; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] SSAC response re EPDP homework - due Wed 24 February
Hi Steve,
thank you for your helpful proposal.
I think it misses the mark on two essential points however:
1) Legal vs natural is the wrong differentiation. I believe we already moved past this on the legal team, and are close to agreeing the correct differentiation would be the following:
a) contains personal information
b) does not contain personal information
This, we believe is the correct differentiation as even the data provided by a legal entity can contain or consist of personal information of a natural person.
2) Our role at this stage is not to make or propose binding rules but to provide guidance for those parties that chose to differentiate between data sets containing and not containing personal information.
Regarding your point of inferred status, I feel this goes too far as well as we do not currently believe that the quality of the data field is sufficient for any automated inferral of status. Cases where the status is inferred by the contents of this field do exist, but are usually limited to manual review in case of ownership disputes, where the contents of the field may prove the deciding factor in determining the right of ownership or control over a domain name in cases of dispute.
One further suggestion is not to front-load the determination in the registration or initial data-gathering process, but allow for a larger degree of flexibility by also including post-registration determination of status.
Best,
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <https://urldefense.com/v3/__http:/www.key-systems.net/__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hNCXDYkk$>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 24, 2021 at 11:39 AM Steve Crocker via Gnso-epdp-team < gnso-epdp-team@icann.org> wrote:
Folks,
In our view, the proposal has two substantial flaws. First, it is overly specific as to the process *all* contracted registrars must use to determine whether the registrant is a legal vs a natural person. Second, it includes procedures for verifying the accuracy of the data for legal persons. The procedure is unnecessary for determining whether the registrant is a legal person. If the eventual policy requires a high degree of accuracy of a legal person's name and address, that's a separate matter and should be dealt with in that part of the policy.
The attached memo suggests a simpler and more comprehensive approach.
Thanks,
Steve
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.com/v3/__https:/mm.icann.org/mailman/listinfo/gnso-epdp-team__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hJ_REMos$> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://urldefense.com/v3/__https:/www.icann.org/privacy/policy__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hKqRmHUw$>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://urldefense.com/v3/__https:/www.icann.org/privacy/tos__;!!DOxrgLBm!QLaJJAgxLCncaOTRibshBFoWs4A7m2R5CAe4PqZIyk3cldtLhiVkYpuKMVICbdA5hF8pyzEJ$>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
participants (4)
-
Alan Woods
-
Steve Crocker
-
STROUNGI Melina
-
Volker Greimann