Legal basis vs. lawful
To kick off this discussion for action item #1, the proposed WG agreement read:

Possible agreement: If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.

The question was raised during the meeting whether the reference should be to legal basis or should be lawful instead. Maybe I can restate the question I asked in Adobe Connect to get the conversation going: “Isn't all processing required to be lawful as otherwise it would be unlawful, or am I missing something (so basically isn't this implicit in any recommendations the WG would put forward)?”

As a reminder: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteered to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.

Best regards,
Marika

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Lisa Phifer <lisa@corecom.com>
Reply-To: Lisa Phifer <lisa@corecom.com>
Date: Tuesday, February 6, 2018 at 15:33
To: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org>
Subject: [gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 6 February

Dear all,

Below please find notes from today’s RDS PDP WG meeting. To recap Action Items from today’s call: https://community.icann.org/x/9wq8B

* Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
* Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."
* Note: All WG members are encouraged to participate in this week’s poll before it closes COB Saturday 10 February.

Best regards,
Lisa

Action Items and Notes from RDS PDP WG Call – 6 February 2018

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.

1. Roll Call/SOI Updates
* SOI Update from Klaus Stoll: Now also a Visiting Professor at Xi'an Jiaotong-Liverpool University, Suzhou
* Call Handout: https://community.icann.org/download/attachments/79432439/Handout-6February-RDSWGCall.pdf
* Poll Results: https://community.icann.org/download/attachments/79432439/AnnotatedResults-Poll-from-30JanuaryCall.pdf

2. Discuss list of criteria that make purposes legitimate for processing
a. See GDPR definition of processing and Q2 poll results
* Q2 (criteria) was discussed last week, producing a revised possible agreement polled on
* Results for all variants of that possible agreement ranged from 56-41% support or could live with
* After considering responses and comments, the leadership proposes two possible agreements for WG consideration to address main concerns

Leadership-suggested Possible agreement #1
* One main concern expressed in poll results: consistency with ICANN's mission.
* Long standing topic of discussion within community. Ultimately the board interprets ICANN's mission and will do so when considering any recommended policies
* Excerpts from ICANN's mission on slides 15-17 of Call Handout
* Given mixed poll responses that supported, opposed, and provided alternatives to this criterion, the leadership proposed this as a possible compromise:
* Any purpose for processing registration data must be consistent with ICANN's mission as it relates to RDS. Any recommended purpose must be confirmed by the board with respect to consistency with ICANN's mission.
* Comments and Questions:
* Does "as it relates to the RDS" narrow scope of what falls within ICANN's mission for the WG's deliberation?
* How do WG members interpret this possible agreement - for example, inclusion of access to registration data by law enforcement or fighting cyber-issues?
* Is the phrase "as it relates to RDS" redundant and subject to misinterpretation?
* Is the second sentence just trying to make people feel better or does it open the WG's recommendations to reconsideration?
* The Board cannot act outside of ICANN's mission so if there would be a serious concern that this WG would be recommending anything that would be outside of ICANN's mission, the Board would need to act accordingly.
* Revised Possible agreement (based on comments thus far): Any purpose for processing registration data must be consistent with ICANN's mission.
* Is processing RDS data for purposes of DNS abuse investigation (including by law enforcement) consistent with ICANN mission? This is the advantage of the "not inconsistent" language we discussed last week.
* Why was the proposed agreement phrased in the way it was, and what is lost by trimming the agreement?
* The GAC certainly thinks that allowing DNS abuse investigation is within scope of ICANN's mission. (Which includes Germany the last time I checked.) https://www.icann.org/en/system/files/files/gdpr-comments-gac-icann-proposed-compliance-models-29jan18-en.pdf
* Several chat comments express a strong preference for "not inconsistent with" instead of the proposed revised phrasing -- some do not view the change from "not inconsistent" to "consistent" as a compromise, at least without a clearer idea of how a criterion of "consistent with" would be applied.

Leadership-suggested Possible agreement #2
* Another main concern expressed in poll results: whether criteria will be applied using AND, OR, or AND/OR
* Given mixed poll responses on this point, the leadership proposed separating this out as a standalone criterion:
* If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
* Comments and Questions:
* If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
* Difference between "legal basis" and "lawful basis" - should agreement be revised to "lawful basis"?
* Note: Art. 6 GDPR Lawfulness of processing: (1) Processing shall be lawful only if and to the extent that at least one of the following applies
* "legal basis" occurs several times in GDPR. E.g., Article 13: "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: [...] the legal basis for the processing"
* The terms lawful and legal differ in that the former contemplates the substance of law, whereas the latter alludes to the form of law. A lawful act is authorized, sanctioned, or not forbidden by law. A legal act is performed in accordance with the forms and usages of law, or in a technical manner. (Lawful - Legal Dictionary - The Free Dictionary)
* Suggestion: evaluate "legal" and "lawful" as they apply to the proposed change, to be reviewed by the group for next week -- because it seems to be a substantive change with consequences
* If (b) wording is not resolved then it is not possible to go through each purpose to see if that purpose satisfies (b).
* It depends on the lawfulness in the jurisdictions applicable to the provider of the data (which includes applicability of the GDPR to foreign providers when handling EU data subjects' data)

Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.

Criterion also addressed by last week's poll: "Inherent to the functionality of the DNS"
* Should this be tested as a separate criterion in this week's poll?
* If so, how would the proposed agreement be phrased (as an AND or an OR which applied to any purpose) -- that is, would EVERY purpose be required to be inherent to the functionality of the DNS, or would SOME be legitimate because they were inherent to the functionality of the DNS
* What does “inherent to the functionality of the DNS” mean? Something required for the DNS to function at all, or to function as intended (with all the policies surrounding the DNS that have been created by ICANN)
* Here are two examples from ICANN's mission from Bylaws Annexes G-1 & G-2 that I do not believe are 'inherent to the functionality of the DNS': prohibitions on warehousing of or speculation in domain names by registries or registrars; reservation of registered names in a TLD that may not be registered initially or that may not be renewed due to reasons reasonably related to (i) avoidance of confusion among or misleading of users, (ii) intellectual property, or (iii) the technical management of the DNS or the Internet (e.g., establishment of reservations of names from registration).
* We have issues that involve the workings of the Internet which you could trace back (convoluted in some cases) to functionality of the DNS, but other issues that involve just the actual characters themselves in their relation to ability to use/not use that are completely unrelated to any technical thing. Those rights protection systems (UDRP and others) rely on RDS data for both rights holders AND registrants to protect their respective interests.
* One possible phrasing to test: One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy.
* Note that the intent of "inherent to the functionality of the DNS" was discussed at length during the 16 January call

Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."

3. Discuss list of purposes for processing based on criteria - DEFERRED

4. Confirm agreements for polling & next steps
* Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
* Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."

5. Confirm next meeting: Tuesday 13 February at 17:00 UTC

Meeting Materials: https://community.icann.org/x/9wq8B
Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage – Please try to send your initial input by Wednesday this week to allow all WG members to respond and ask questions on Thursday and Friday.

Chuck

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Marika Konings
Sent: Tuesday, February 6, 2018 1:54 PM
To: gnso-rds-pdp-wg@icann.org
Subject: [gnso-rds-pdp-wg] Legal basis vs. lawful
Importance: High
Using a set theory/Venn diagram approach here is my one shot comment here:

We are talking about the act of "processing" here. The universe of processes can be divided into Lawful and Unlawful. None of the Unlawful are Legal. Of the Lawful some are coded into law (and may have forms/procedures that must accompany processing). They are Legal (in a technical sense). Legal is an identifiable subset within Lawful.

Here if one wants to cast the "right to process" with a wide net, go for Lawful. If one wants to cast the "right to process" with a narrow net, go for Legal. If one wants Integrity, well that is a whole other kettle of fish.

As I read that, if one wants to restrict access to Law Enforcement Agencies and Court Orders, one goes for Legal. If one wants access by misc. security interests, detectives, fraud hunters, etc. one goes for Lawful.

Sam L.

-- 
------------------------------------------------
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也 (When the state has the Way, to be poor and lowly is a disgrace; when the state lacks the Way, to be rich and honoured is a disgrace.)
------------------------------------------------
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: sam@lanfranco.net Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429 cell: +1 416-816-2852
Hi Sam, I think you have half of it right but not all. Comments inline. On Tue, Feb 06, 2018 at 05:41:03PM -0500, Sam Lanfranco (sam@lanfranco.net) wrote:
Using a set theory/Venn diagram approach here is my one shot comment here:
We are talking about the act of "processing" here. The universe of processes can be divided into Lawful and Unlawful. None of the Unlawful are Legal. Of the Lawful some are coded into law (and may have forms/procedures that must accompany processing). They are Legal (in a technical sense). Legal is an identifiable subset within Lawful.
Yes. But in some cases Lawful implies Legal, or requires it.
Here if one wants to cast the "right to process" with a wide net, go for Lawful. If one wants to cast the "right to process" with a narrow net, go for Legal. If one wants Integrity, well that is a whole other kettle of fish.
Yes. But:
As I read that, if one wants to restrict access to Law Enforcement Agencies and Court Orders, one goes for Legal. If one wants access by misc. security interests, detectives, fraud hunters, etc. one goes for Lawful.
No. Private actors can have legal basis for access and processing, too.

The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law. That does not mean a very specific, detailed justification - the law does not need to explicitly mention DNS for DNS-based things to have legal basis in this sense.

In the GDPR this is pretty clear. For example, Article 13, "Information to be provided where personal data are collected from the data subject" says, inter alia, "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: [...] (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;"

So not only does there have to be a legal basis but it has to be explicitly provided to the person whose data is being collected.

Article 6, "Lawfulness of processing", lists possible legal bases. And it is exhaustive, it says "Processing shall be lawful only if and to the extent that at least one of the following applies". This interpretation of "legal basis" is further supported later in the same article by wordings like "The basis for processing referred to in point (c) and (e) ...".

So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.

-- 
Tapani Tarvainen
Thanks Tapani,

I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.

On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Thanks for this explanation, Sam and Tapani. On this basis I am most comfortable with the existing text; that is, any purpose must satisfy at least one 'legal basis' for processing.

Kind regards,
Ayden

On 7 February 2018 4:53 PM, Sam Lanfranco <sam@lanfranco.net> wrote:
Not to derail the conversation here and turn this into a GDPR crash course. But, I think the below is relevant regarding the current discussion.

https://gdpr-info.eu/chapter-1/

Now we discussed purposes in the past regarding scientific or historical whois research. But how does that work under the GDPR?

https://gdpr-info.eu/art-89-gdpr/

So this gives us some more information on how that can work, though one has to keep in mind the derogations on a member state level. I use https://www.twobirds.com/en/hot-topics/general-data-protection-regulation/gd... to keep track regarding the derogations on a member state level (EU). But there are more trackers out there (ping me off list).

Again this is a straightforward tool to zoom in on the relevant articles and suitable recitals under the GDPR. And if we as a group want to make the purposes work for processing personal data I think it helps when we look at those articles, or we will make the wrong assumptions. And keep in mind the GDPR originated from the EU 95/46 directive, and these are based on some really old data protection principles.

I understand the desire to discuss our purposes, and it is natural we feel they are justified due to their history, but we need to get prepped for the many data protection laws that are in effect and make sure they match with the law.

Hope this helps,
Theo Geurts

On 7-2-2018 19:15, Ayden Férdeline wrote:
Thanks for this explanation, Sam and Tapani. On this basis I am most comfortable with the existing text; that is, any purpose must satisfy at least one 'legal basis' for processing.
Kind regards, Ayden
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Let me chime in to say that I very much appreciate the discussion that is occurring on the list on this topic.
Chuck
To add a little levity to the discussion: https://www.teachprivacy.com/gdpr-cartoon-lawful-processing/
Michael Hammer
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.

Specifically, GDPR Article 5(1)(b) and (c) state that personal data shall be:

(b) "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND

(c) "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]

Thus, our first criterion of "consistent with ICANN's mission" is only the first step, and we need to go further than even the 3 criteria we are discussing.

Second, lawful and legal enter us into a debate over words, and I have to agree with Sam and Tapani's analysis and let me add some of my own.

"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.

The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.

Best regards,
Kathy
Thank you for this, Kathy. I find this explanation very helpful and agree with your analysis.
Best wishes,
Ayden Férdeline
Interesting article about ICANN and GDPR - https://www.theregister.co.uk/2018/02/09/icann_whois_gdpr/
Michael Hammer
Kathy's analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy's analysis overlooks that point.
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.

On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and kathy’s analysis overlooks that point.
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don't we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy's example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful? There are important distinctions between the meaning of "legal basis", which implies that a law requires something to be affirmatively present, versus "lawful", which means that something is not prohibited by law. Ultimately, though, isn't "lawfulness" the same end point regardless?

On Friday, February 09, 2018 11:27 AM, Volker Greimann wrote:
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Participants (11):
* Ayden Férdeline
* Chuck
* Dotzero
* Kathy Kleiman
* Marika Konings
* Sam Lanfranco
* Silver, Bradley
* Tapani Tarvainen
* theo geurts
* Victoria Sheckler
* Volker Greimann