On 14 Feb 2018, at 19:37, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:

Michele,

One leading (US-based) registrar informed me that even though they could be more granular if they wished to, they wanted to just extend the identical (i.e., GDPR-level) protections to all registrants globally simply due to "cost-benefit analysis" -- that it was more convenient for them and less work. I personally do not consider that a valid justification, standing alone. I do not wish any registrar to incur unreasonable costs, but a registrar's profit margin goals should not drive policy.

I believe that was most in the context of legal/natural persons. While GDPR clearly doesn't apply to a legal person name/location/phone/role-account-email, manually reviewing data to assert that goes beyond reasonable in cost-benefit for a system that is fully automated today. Answering questions like the ones below require such manual review:

- Is the registrant name of a legal person ? 

- Is the registrant name of a legal person when an user informed registration by a legal person but incorrectly put his name as registrant ? 

- Is the location of the business the residence of the owner ? 

- Is the e-mail address a role-account e-mail like legal@company or a personally identifiable e-mail like johnhorton@legitscript ? 

- Is the phone number the main line of the company, an unpublished extension number or a mobile number ? 

Is manually reviewing all registration a reasonable cost in your opinion ? 

Rubens