We already have a fragmented system. And when European registrars were (reasonably) requesting exemptions, they were advocating fragmentation. Regardless of what the GDPR details are, we have to presume that other jurisdictions will have different rules, both more and less stringent, perhaps a lot so.

Alan
-- Sent from my mobile. Please excuse brevity and typos.

On February 13, 2018 1:36:52 PM EST, Volker Greimann <vgreimann@key-systems.net> wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
On 13.02.2018 at 19:18, John Horton via gnso-rds-pdp-wg wrote:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source:
https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman
*Sent:* Tuesday, February 13, 2018 11:24 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net]
*Sent:* Tuesday, February 13, 2018 5:58 AM
*To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann
*Sent:* Monday, February 12, 2018 2:30 PM
*To:* Michael Palage <michael@palage.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg
*Sent:* Monday, February 12, 2018 1:22 PM
*To:* Greg Aaron <gca@icginc.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place. GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg
*Sent:* Friday, February 9, 2018 2:54 PM
*To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann
*Sent:* Friday, February 09, 2018 11:27 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman
*Sent:* Thursday, February 8, 2018 7:07 PM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be:*
*2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND
*3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a /valid legal basis/ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
<mailto:gnso-rds-pdp-wg@icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg