On 14 Feb 2018, at 18:07, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:Thanks, Chuck. I think whatever changes are required by the GDPR can be accomplished with changes that, in my view, do not constitute a fundamental change to Whois/RDS. Beyond what I think are non-fundamental changes relating to the GDPR, I do not believe that any changes are a "must." As to your question:
- There is a limited set of registrants that is entitled to GDPR protection. There is a very large class of registrants that is not entitled to GDPR protection. There is disagreement about where this line is, but this seems to be something where consensus is possible and there's an objectively, legally correct answer.
- It is possible to protect that subset of registrants through (e.g.) complimentary privacy protection, as well as some other limited policies granting access to the data for a legitimate purpose (etc., everything we've been discussing).
- Whether a registrant is, in fact, an entity that is in the very limited class entitled to GDPR protection can be determined during the registration process, and ICANN policy can require registrars to add these fields to the registration process. Existing registrants can be asked to update their information.
- Aside from the policies requiring that those additional data fields be collected during the registration process (e.g., are you an EU citizen and other relevant questions), and that if certain answers are "TRUE" then privacy protection is automatically granted, Whois would not change. Port 43 access would continue as is, and so on.
I guess I would turn around and ask you and others if everyone agrees with these two statements:
- The GDPR applies to, and is intended to benefit, a limited set of registrants.
- Registrar convenience or business objectives is not a valid basis to support a policy change.