Re: [Gnso-rds-pdp-5] FW: DT5 Answers to Questions - FirstDraft for DT Review
response and comment in line:
On Mar 2, 2018, at 23:57, Chuck <consult@cgomes.com> wrote:
> Thanks for all the responses. Beth asked several questions in her redline version that I would like to answer in addition to the responses that Steve gave. And I also respond to Steve’s suggested edits.
>
> Question 1
>
> * Note that we shouldn’t edit the question because all DTs are responding to the same question. It is certainly possible that the questions could have been worded better but we should leave them as is for now.

No issues and makes sense we don’t have much time to play around now. So I’d leave it.

> * Beth first asked, “Does this refer to the public info set?” Steve answered correctly; it does not. The question refers to any data elements that would be collected and/or accessed for the proposed Regulatory Purpose whether they are in the Minimum Public Data Set or not.

Agreed with Steve. And also ensure the word processed does not get in it.

> * She also said, “I think we could say that a registrant needs to be contactable but not necessarily publicly identifiable.” That is correct except the word ‘publicly’ should be deleted as Steve said in his response. There are times when simply identifying the contact would be all that is needed. There are other times when communication with the contact might be necessary.

Am in line with Steve on this and it matches the GDPR requirements and all other countries who are adopting fast track like UK which took GDPR made some little changes under the ICO.

> * I think Steve is right about jurisdiction; if no one objects to his edits, they will be included in the next draft.

To limit the issues that can come up ICANN can literally push forward a new RAA which also lays responsibility on the third parties.

> Question 2
>
> * Steve responded to Beth’s concern about ‘entity’s legal jurisdiction’. Does everyone including Beth agree with Steve’s response: “Wouldn’t knowing the registrant’s jurisdiction be relevant to the regulator regardless of the jurisdiction of the registrar?” If so, I will leave the wording as is, although additional edits are still welcome.

Well I feel it is important to know but the fact that these could be EU citizens or companies does not change. But different jurisdictions must be put forward. Example can be questions like one may be an EU citizen but also a double citizenship which one prevails? I’ve had no proper answer in Brussels on it but the EU takes priority. The situation is more troublesome because many EU companies or citizens have websites elsewhere in the world so the registrar/registries should be very wary about those and ensure that their database is audited to ensure that EU citizens and orgs are identified and be sure that if a breach does happen the EU data protection commissioner is averted within the 72 hours. That was put in place in case something happens on a Friday and the only time to discuss is the Monday.

> Question 3
>
> * Beth asked, “Is this the requesting entity or the registrant?” Again Steve answered correctly: “. . . it is those listed in 1(a)(b) and (c) . . .”

Perfectly right.

> * Does anyone disagree with Beth’s suggestion to change ‘would be expected’ to ‘could’ in all three bullets? Note that Steve agreed. If we have consensus on that, I think it would be good to include some version of their comments in our final deliverable. Let us know if you have thoughts on that.

Would could be interpreted as too hard so the word “could” makes sense but as they become hit they would know that they will have to do what is expected.

> * In the last main bullet for registries, Beth says, “Rys are able to set their own internal policies wrt how they respond to LEA, or other regulatory requests as appropriate to how the request is made and jurisdictional requirement.” I think her statement is correct, but I am not sure what to do with the last four sub-bullets. Depending on registries’ individual policies for dealing with LEAs, would the four possible actions apply in some cases? Would it help to change the third bullet to something like this: “Domain name registries could do any or all the following depending on their own internal policies regarding how they respond to LEAs or other regulatory requests:” Or would it be better to just add a comment similar to Beth’s in our final deliverable? Ideas are welcome.

I think put Beth’s comment and also suggest that ideas are welcomed to close on this one.

Kris Seeburn
seeburn.k@gmail.com
www.linkedin.com/in/kseeburn/
"Life is a Beach, it all depends at how you look at it"
Last but not the least, we should really tie these areas to the Legal group; it would make the sense that is required. If I am not wrong the legal group in Abu Dhabi was also in agreement.
Kris Seeburn
seeburn.k@gmail.com
www.linkedin.com/in/kseeburn/
"Life is a Beach, it all depends at how you look at it"
Thanks Kris.

Chuck

From: Kris Seeburn [mailto:seeburn.k@gmail.com]
Sent: Friday, March 2, 2018 11:12 PM
To: Chuck <consult@cgomes.com>
Cc: Metalitz, Steven <met@msk.com>; Beth Bacon <bbacon@pir.org>; GNSO-RDS-pdp-5@icann.org
Subject: Re: [Gnso-rds-pdp-5] FW: DT5 Answers to Questions - FirstDraft for DT Review
Importance: High

> Last but not the least, we should really tie these areas to the Legal group; it would make the sense that is required. If I am not wrong the legal group in Abu Dhabi was also in agreement.
participants (2)
- Chuck
- Kris Seeburn