Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.

On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.

From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy

On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.

On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton
President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
I agree with both Greg and John regarding the need to ensure that the WG does not endorse principles that would extend positive legal prescriptions in one territory, to another which has different laws. The proposed agreed statement, as highlighted below, contains an “if, then” qualifier. So unless I am misreading it, we are not saying that the positive obligations of the GDPR should be applied worldwide. Do we agree on that?
Possible agreement: If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
We know that data protection laws of countries like the US do NOT positively oblige processors to have a “legal basis”. So this statement should be inapplicable as far as processing occurring in the jurisdiction of such countries. This makes the statement of limited use to us as a group, in my view. What is more useful, and where I think there would be broader consensus, is that any basis for processing should be “lawful”, which would apply to both the US, and the EU.
B

From: John Horton [mailto:john.horton@legitscript.com]
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron
Cc: Silver, Bradley; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton
President and CEO, LegitScript
I think that sounds right. I mean, let's say that there's a registrant in Japan using his or her domain name to sell shoes, and he or she uses (pick your registrar) GoDaddy. Or GMO. Or Directi. (I'd even say an EU registrar.) Simply put, the GDPR isn't intended to protect that registrant. It was designed to protect natural persons in or who have citizenship in the EU.
John Horton
President and CEO, LegitScript
On Mon, Feb 12, 2018 at 10:42 AM, Silver, Bradley <Bradley.Silver@timewarner.com> wrote:
I agree with both Greg and John regarding the need to ensure that the WG does not endorse principles that would extend positive legal prescriptions in one territory, to another which has different laws. The proposed agreed statement, as highlighted below, contains an “if, then” qualifier. So unless I am misreading it, we are not saying that the positive obligations of the GDPR should be applied worldwide. Do we agree on that?
*Possible agreement: If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.*
We know that data protection laws of countries like the US do NOT positively oblige processors to have a “legal basis”. So this statement should be inapplicable as far as processing occurring in the jurisdiction of such countries. This makes the statement of limited use to us as a group, in my view. What is more useful, and where I think there would be broader consensus, is that any basis for processing should be “lawful”, which would apply to both the US, and the EU.
B
*From:* John Horton [mailto:john.horton@legitscript.com] *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron *Cc:* Silver, Bradley; gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
*Follow* *Legit**Script*: LinkedIn <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company...> | Facebook <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_LegitS...> | Twitter <https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_legitscript...> | *Blog <https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.legitscript.com_&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=DPLxSW4QevZ3fvbRR3M-f1vrZ7Nybgh-sxxGtLWenz8&s=7pxC_W3yu_Q0AwnnjKsWC_6pRjFzb_SuuIjcFidIYjk&e=>* | Newsletter <https://urldefense.proofpoint.com/v2/url?u=http-3A__go.legitscript.com_Subsc...>
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be:*
*2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND
*3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
------------------------------
Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at 212.484.6000 or via email at ITServices@timewarner.com
------------------------------
This message is the property of Time Warner Inc. and is intended only for the use of the addressee(s) and may be legally privileged and/or confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, he or she is hereby notified that any dissemination, distribution, printing, forwarding, or any method of copying of this information, and/or the taking of any action in reliance on the information herein is strictly prohibited except by the intended recipient or those to whom he or she intentionally distributes this message. If you have received this communication in error, please immediately notify the sender, and delete the original message and any copies from your computer or storage system. Thank you.
Hello John,
I am not sure that this example is correct. There was some news about https://iapp.org/news/a/gdpr-matchup-japans-act-on-the-protection-of-persona...
And formally saying, GDPR also protects long term residents of EU (not only citizens), and since there is no way to establish if the person is a resident or not using the contact info, it might be safer (for Registry/Registrar) to think about protection of all persons' info in their system.
Sincerely Yours,
Maxim Alzoba
Special projects manager, International Relations Department, FAITID
Current UTC offset: +3.00 (.Moscow)
On 12 Feb 2018, at 21:47, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I think that sounds right. I mean, let's say that there's a registrant in Japan using his or her domain name to sell shoes, and he or she uses (pick your registrar) GoDaddy. Or GMO. Or Directi. (I'd even say an EU registrar.) Simply put, the GDPR isn't intended to protect that registrant. It was designed to protect natural persons in or who have citizenship in the EU.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 10:42 AM, Silver, Bradley <Bradley.Silver@timewarner.com> wrote:
I agree with both Greg and John regarding the need to ensure that the WG does not endorse principles that would extend positive legal prescriptions in one territory, to another which has different laws. The proposed agreed statement, as highlighted below, contains an “if, then” qualifier. So unless I am misreading it, we are not saying that the positive obligations of the GDPR should be applied worldwide. Do we agree on that?
Possible agreement: If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
We know that data protection laws of countries like the US do NOT positively oblige processors to have a “legal basis”. So this statement should be inapplicable as far as processing occurring in the jurisdiction of such countries. This makes the statement of limited use to us as a group, in my view. What is more useful, and where I think there would be broader consensus, is that any basis for processing should be “lawful”, which would apply to both the US, and the EU.
B
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
Folks
Could we please stop pretending that this is only about the GDPR and the EU. Yes, the GDPR is perhaps the most stringent on data protection. But increasingly, many other jurisdictions are enacting similar legislation. Just north of the US, Canada has very similar rules about data protection, or on the other side of the world, so does Australia (and many other countries in the Asia Pacific region as well). So increasingly, the US will be the odd man out on this issue.
And there are also concerns about legal vs natural persons. In some cases (not just a few), the registrant may be a legal entity - a small business, where the details for contact are those of the registrant - personal information. So the distinction, in such cases, could lead to the publication of personal information of the legal entity.
Finally, please draw a distinction between collection for legitimate purposes, and making that information public. There is no question that, particularly in many cases, registries/registrars need to contact registrants. Cases of misuse/abuse of the name are also situations where we all expect contact information will be accessible. But that is a long way from having all RDS data freely available to all, as is now the case.
Holly
On 13 Feb 2018, at 6:27 am, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote: I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote: Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete. Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Holly
Exactly. People seem to have bad memories or a myopic view.
While GDPR is the very visible elephant stomping around the room at the moment, the underlying principles within GDPR are neither new nor unique to the EU. The data protection / privacy principles in the GDPR and its predecessors have been adopted by many other countries. While the US might not have formally enacted legislation in this space they’re the exception not the rule.
So it’s *not* simply the EU vs the world, as some people seem to enjoy positing. It’s more a case of the US (and a couple of other countries) versus the rest of the world that has adapted privacy regimes.
Either way, as others have noted, as an Irish company operating under Irish and EU law Blacknight doesn’t get to choose which regime we follow. Everything we do has to comply with Irish law and by extension EU law.
Regards
Michele
--
Mr Michele Neylon
Blacknight Solutions
Hosting, Colocation & Domains
https://www.blacknight.com/
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Holly Raiche <h.raiche@internode.on.net> Date: Monday 12 February 2018 at 20:15 To: Michael Palage <michael@palage.com> Cc: "gnso-rds-pdp-wg@icann.org" <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Folks
Could we please stop pretending that this is only about the GDPR and the EU. Yes, the GDPR is perhaps the most stringent on data protection. But increasingly, many other jurisdictions are enacting similar legislation. Just north of the US, Canada has very similar rules about data protection, or on the other side of the world, so does Australia (and many other countries in the Asia Pacific region as well). So increasingly, the US will be the odd man out on this issue.
And there are also concerns about legal vs natural persons. In some cases (not just a few), the registrant may be a legal entity - a small business, where the details for contact are those of the registrant - personal information. So the distinction, in such cases, could lead to the publication of personal information of the legal entity.
Finally, please draw a distinction between collection for legitimate purposes, and making that information public. There is no question that, particularly in many cases, registries/registrars need to contact registrants. Cases of misuse/abuse of the name are also situations where we all expect contact information will be accessible. But that is a long way from having all RDS data freely available to all, as is now the case.
Holly
Huh? No, I don't think I meant (sorry if I wrote unclearly) that 97% of domain name registrations are by legal entities -- can't imagine that would be the case. :) I meant that if you accept the proposition that the EU GDPR was enacted to protect natural EU residents and citizens, that's probably somewhere in the vicinity of 3% of the population, give or take a few percentage points. I think the EU accounts for something like 5% of the world's population -- you can extract from there by excluding EU legal persons and so on. Whether it's 3%, 2%, 5% or 7% isn't material -- it's a relatively small percentage of the global whole, was the point.
Holly, respectfully disagreed. It's simply not ICANN's or this group's place to be privacy activists and go further than the law requires.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
John
I am not arguing to go further than the law allows. I am arguing for adherence to law that binds everyone in the relevant jurisdiction whether or not they are a ‘privacy activist’. And again - we are not talking about small percentages. We are talking about an increasing number of countries (quite apart from the EU’s 27) that have data protection laws.
Holly
On 13 Feb 2018, at 7:22 am, John Horton via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
Huh? No, I don't think I meant (sorry if I wrote unclearly) that 97% of domain name registrations are by legal entities -- can't imagine that would be the case. :) I meant that if you accept the proposition that the EU GDPR was enacted to protect natural EU residents and citizens, that's probably somewhere in the vicinity of 3% of the population, give or take a few percentage points. I think the EU accounts for something like 5% of the world's population -- you can extract from there by excluding EU legal persons and so on. Whether it's 3%, 2%, 5% or 7% isn't material -- it's a relatively small percentage of the global whole, was the point.
Holly, respectfully disagreed. It's simply not ICANN's or this group's place to be privacy activists and go further than the law requires.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
Michael,
It is possible to read this statement from your reply:
"The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU."
to imply that you believe US entities that target or conduct business within the EU are subject to the broad mandate that Blacknight is as an Irish legal entity. But I don't want to jump to that conclusion. What is your read of how Article 3 of GDPR applies to the US entity type that you refer to in the quote above?
Tim
On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
Tim,
The plain wording of Section 3 of the GDPR makes clear its extraterritorial reach. However, I would encourage you to read Section 3.2 of the first Hamilton memo. Section 3.2. specifically states “Extraterritorial reach as described in Section 3.2.1 above will apply, for instance, when registrars and registries established outside the EU provide their domain name registration services to natural persons in the EU.” I have not met one lawyer that has disagreed with this statement reading the extraterritorial reach of the GDPR.
I would also encourage you to read the relevant recitals to Section 3 which I have reproduced in part below:
Recital 22 of the GDPR states: “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.”
Recital 23 of the GDPR states in part “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
Recital 24 may be of particular interest to DomainTools based on how you have marketed your service to track cybersquatters. This recital states “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Best regards,
Michael
From: Chen, Tim [mailto:tim@domaintools.com] Sent: Monday, February 12, 2018 5:07 PM To: Michael Palage <michael@palage.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael,
It is possible to read this statement from your reply:
"The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU."
to imply that you believe US entities that target or conduct business within the EU are subject to the broad mandate that Blacknight is as an Irish legal entity. But I don't want to jump to that conclusion. What is your read of how Article 3 of GDPR applies to the US entity type that you refer to in the quote above?
Tim
On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires Blacknight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript Follow LegitScript: <http://www.linkedin.com/company/legitscript-com> LinkedIn | <https://www.facebook.com/LegitScript> Facebook | <https://twitter.com/legitscript> Twitter | <http://blog.legitscript.com/> Blog | <http://go.legitscript.com/Subscription-Management.html> Newsletter On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com <mailto:gca@icginc.com> > wrote: I don’t know if we arrive at the same place. GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box. U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things. Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world. The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU. For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S. See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more. 
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net> >; gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful? There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless? From: gnso-rds-pdp-wg [ <mailto:gnso-rds-pdp-wg-bounces@icann.org> mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: <mailto:gnso-rds-pdp-wg@icann.org> gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific cicumstances, all of which are listed in the GDPR. Am 09.02.2018 um 16:45 schrieb Victoria Sheckler: Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and kathy’s analysis overlooks that point. 
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Mike,
I think there’s recognition that if Registrar X is outside the EU and offers services to a registrant in the EU, then that EU registrant is entitled to GDPR protection. I had posed a different issue: if Registrar X is outside the EU, and the registrant is outside the EU, is the registrant entitled to GDPR protection? AFAIK, the answer is no. (Let’s assume the registry is incorporated outside the EU too.)
All best, --Greg
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Michael Palage Sent: Tuesday, February 13, 2018 10:21 AM To: 'Chen, Tim' <tim@domaintools.com> Cc: 'RDS PDP WG' <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tim,
The plain wording of Section 3 of the GDPR makes clear its extraterritorial reach. However, I would encourage you to read Section 3.2 of the first Hamilton memo. Section 3.2. specifically states “Extraterritorial reach as described in Section 3.2.1 above will apply, for instance, when registrars and registries established outside the EU provide their domain name registration services to natural persons in the EU.” I have not met one lawyer that has disagreed with this statement reading the extraterritorial reach of the GDPR. I would also encourage you to read the relevant recitals to Section 3 which I have reproduced in part below:
Recital 22 of the GDPR states: “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.”
Recital 23 of the GDPR states in part “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
Recital 24 may be of particular interest to DomainTools based on how you have marketed your service to track cybersquatters. This recital states “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Best regards, Michael
From: Chen, Tim [mailto:tim@domaintools.com] Sent: Monday, February 12, 2018 5:07 PM To: Michael Palage <michael@palage.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael,
It is possible to read this statement from your reply:
"The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU."
to imply that you believe US entities that target or conduct business within the EU are subject to the broad mandate that Blacknight is as an Irish legal entity. But I don't want to jump to that conclusion. What is your read of how Article 3 of GDPR applies to the US entity type that you refer to in the quote above?
Tim
On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards, Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Hi Michael,
Thanks for your response. I guess I wasn't clear enough in my question. I've read GDPR many times and am familiar with the language. That it applies to non-EU companies processing data of EU citizens is quite clear. What is not clear is how it applies to non EU data subjects. Michele made the point that bc he runs an Irish company, it applies to all the data of all his customers regardless of where they exist. It appeared you were extending that to also apply to non-EU companies, which is not how I interpret it. Every one of those GDPR quotes you pulled uses the term 'data subjects in the EU'.
Anyway, Greg Aaron captured this separately in his thread. No need to debate it further here. It seems the reason to try and apply GDPR broadly is 'convenience' and not 'law'. We can take the topic up from there as many have already done on the parallel thread.
Tim
On Tue, Feb 13, 2018 at 7:20 AM, Michael Palage <michael@palage.com> wrote:
Tim,
The plain wording of Section 3 of the GDPR makes clear its extraterritorial reach. However, I would encourage you to read Section 3.2 of the first Hamilton memo. Section 3.2. specifically states “Extraterritorial reach as described in Section 3.2.1 above will apply, for instance, when registrars and registries established outside the EU provide their domain name registration services to natural persons in the EU.” I have not met one lawyer that has disagreed with this statement reading the extraterritorial reach of the GDPR. I would also encourage you to read the relevant recitals to Section 3 which I have reproduced in part below:
Recital 22 of the GDPR states: “Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.”
Recital 23 of the GDPR states in part “In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”
Recital 24 may be of particular interest to DomainTools based on how you have marketed your service to track cybersquatters. This recital states “The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
Best regards,
Michael
*From:* Chen, Tim [mailto:tim@domaintools.com] *Sent:* Monday, February 12, 2018 5:07 PM *To:* Michael Palage <michael@palage.com> *Cc:* RDS PDP WG <gnso-rds-pdp-wg@icann *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael,
It is possible to read this statement from your reply:
"The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU."
to imply that you believe US entities that target or conduct business within the EU are subject to the broad mandate that Blacknight is as an Irish legal entity. But I don't want to jump to that conclusion. What is your read of how Article 3 of GDPR applies to the US entity type that you refer to in the quote above?
Tim
On Mon, Feb 12, 2018 at 11:27 AM, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike. While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
It is not possible to create one policy that would comply with every legal requirement in the world. In creating a framework for a future RDS, we will certainly need to be mindful of some basic rules, including the GDPR. I have not read any comments to suggest that we should ignore the GDPR, but rather that the positive obligations under the GDPR should not be made mandatory for the rest of the world. Those that need to comply with the GDPR, should. And those that do not, can choose what level of protection to apply. I am concerned that the vision Volker outlines is a maximalist approach which would turn ICANN into a quasi-data protection regulator. Some flexibility needs to remain for differing levels of data protection standards to be applied in accordance with national laws.
+1 (Bradley)
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 2:53 PM, Silver, Bradley via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
It is not possible to create one policy that would comply with every legal requirement in the world. In creating a framework for a future RDS, we will certainly need to be mindful of some basic rules, including the GDPR. I have not read any comments to suggest that we should ignore the GDPR, but rather that the positive obligations under the GDPR should not be made mandatory for the rest of the world. Those that need to comply with the GDPR, should. And those that do not, can choose what level of protection to apply. I am concerned that the vision Volker outlines is a maximalist approach which would turn ICANN into a quasi-data protection regulator. Some flexibility needs to remain for differing levels of data protection standards to be applied in accordance with national laws.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Monday, February 12, 2018 5:30 PM *To:* Michael Palage
*Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be:*
*2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND
*3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criterion of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a /valid legal basis/ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Don’t at least some registrars already insist on only complying with their local laws?
"only"? I think compliance with applicable laws is the bare minimum. However, once that is agreed, we can start figuring out what options there are for enabling legitimate uses within the confines of these laws.
Volker
On 13.02.2018 at 15:36, Victoria Sheckler wrote:
Don’t at least some registrars already insist on only complying with their local laws?
*From:*gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Tuesday, February 13, 2018 8:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here. GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again. Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best, Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
I am not replying for Volker, but I think we are most likely in line here. All jurisdictions take from the GDPR. There is no one who is loose here. If I go to, say, Nigeria today, who are fighting to get a data protection law. I am from the EU and I buy L’oreal or any subdomain from my office from the EU or even the US. Let us say it becomes loreal.ng… Do you think that if their data leaks out the GDPR does not take precedence? It does by all means. When I was in the GDPR course and talking to the instructors and the DPA EU office, I asked them about the global effect and the answer was still:
GDPR global effect
Although it’s the EU’s legal act, the new regulation will have extraterritorial application. It will apply to any entity or data controller — inside or outside the EU — that offers goods or services to, or monitors the behavior of, EU residents, and therefore processes any of their personal data. Fines for non-compliance with the GDPR can reach 4% of the company’s annual worldwide turnover or €20 million, whichever is higher.
Is this a solution for all? I am pro one solution: gated access; get your papers and legal authorities to get the details. PII is very important today; we cannot just leave it back the abuse, the identity thefts etc. For me, as a working group we should start laying the foundations for the next decade. What we had before was good but exploitation came with it. It will come on the new approach, but let's move away from the old thinking. I am old school as well, but when I look at security I tend to be both sides, but then I look at myself and think how I want to treat myself. And as a reminder, we are halfway through Feb and little time awaits. People, I always go to “Steve Jobs”: if we asked people about their horse rides they would have wanted a faster one all the time. Henry Ford brought the cheap cars and people moved. One question: what is breaking the internet if we have gated access? I am sure the list would be big, but bear in mind penalties. Is it the way we want to keep the internet and get fined for others, or make it still work?
On Feb 13, 2018, at 18:41, Chuck <consult@cgomes.com> wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here. GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again. Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable. Best, Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <mailto:gnso-rds-pdp-wg-bounces@icann.org>] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> <mailto:michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN iOS based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. IF we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani, I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Kris Seeburn seeburn.k@gmail.com www.linkedin.com/in/kseeburn/ "Life is a Beach, it all depends at how you look at it"
This is exactly what most ethical global corporations have been doing for years.....complying with the EU Directive and applying the same rules within the company. It is the only logical approach to a global problem, in my view.....trying to figure out which jurisdictions are involved in your dataflows is a nightmare.... There are obvious easy discriminations that can be made, such as in breach disclosure. Many companies would not bother reporting a data breach if they were not required by local law to do so, although I think when Choicepoint made that decision back in 2005 to only report their data breach to California residents they got some blowback (and a flurry of State legislative activity in the matter of breach disclosure) see https://www.csoonline.com/article/2118134/compliance/the-five-most--shocking....
cheers Stephanie
PS what is most shocking about this old story is the similarities with the Equifax data breach last year. Making progress in data protection is so hard, when companies refuse to take responsibility for citizens' data.
On 2018-02-13 09:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:*Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND * 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
I agree, Michael – any single jurisdiction should not dictate the framework. We should of course take into account legal norms – including regulations such as the GDPR. We should also recall that to the extent any registrar or registry wishes to deviate from their contractual WHOIS obligations (or whatever takes their place in a future RDS), because of a conflict with local privacy laws, there is a process for them to do so.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Dotzero Sent: Tuesday, February 13, 2018 11:04 AM To: Volker Greimann Cc: RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself.
Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike. While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties. Volker On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com<mailto:michael@palage.com>> wrote: Greg/John, I will respectfully push back on your legal over simplification of the GDPR. The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU. Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities. As I have note previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system. Best regards, Michael From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Cc: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful I think Greg is right on. 
There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this. John Horton President and CEO, LegitScript [https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...] Follow LegitScript: LinkedIn<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.linkedin.com_company...> | Facebook<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_LegitS...> | Twitter<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_legitscript...> | Blog<https://urldefense.proofpoint.com/v2/url?u=http-3A__blog.legitscript.com_&d=...> | Newsletter<https://urldefense.proofpoint.com/v2/url?u=http-3A__go.legitscript.com_Subsc...> [https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png][https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ] On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> wrote: I don’t know if we arrive at the same place. GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box. U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. 
Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things. Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world. The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU. For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S. See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/<https://urldefense.proofpoint.com/v2/url?u=https-3A__iapp.org_news_a_explaining-2Dthe-2Dgdpr-2Dto-2Dan-2Damerican_&d=DwMFaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2KtbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=MnL0DaGK44Xa9WEHXtgiJa-Dsa_2TZ5RCXN75zMQ6c0&s=HR7E74IbLN2-Xhfn1tX5fkjRdhqvSFbEexgHkr8K64Y&e=> for more. From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? 
Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful? There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless? From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific cicumstances, all of which are listed in the GDPR. Am 09.02.2018 um 16:45 schrieb Victoria Sheckler: Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and kathy’s analysis overlooks that point. From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete. Specifically, GDPR Article 5(1)(b and c) states: Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. 
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added] Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.. Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own. "Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDRP falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable. The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws. Best regards, Kathy On 2/7/2018 10:53 AM, Sam Lanfranco wrote: Thanks Tapani, I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position. On 2/7/2018 1:07 AM, Tapani Tarvainen wrote: The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, where as "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law. <......> So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation. 
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Please note that contracted parties do not "wish" to deviate from contractual obligations, but are required to by the laws that are applicable to them. If this was a simple matter of what we wish to do, this would be easier.
Volker
On 13.02.2018 at 17:09, Silver, Bradley wrote:
I agree, Michael – any single jurisdiction should not dictate the framework. We should of course take into account legal norms – including regulations such as the GDPR. We should also recall that to the extent any registrar or registry wishes to deviate from their contractual WHOIS obligations (or whatever takes their place in a future RDS), because of a conflict with local privacy laws, there is a process for them to do so.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Dotzero *Sent:* Tuesday, February 13, 2018 11:04 AM *To:* Volker Greimann *Cc:* RDS PDP WG *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.
Mit freundlichen Grüßen,
Volker A. Greimann - Rechtsabteilung -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <tel:+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <tel:+49%206894%209396851> Email: vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web: www.key-systems.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net&d=...> / www.RRPproxy.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.RRPproxy.net&d=DwMFa...> www.domaindiscount24.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.domaindiscount24.com...> / www.BrandShelter.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.BrandShelter.com&d=D...>
Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_KeySyst...> www.twitter.com/key_systems <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.twitter.com_key-5Fsy...>
Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keydrive.lu&d=DwMFaQ...>
Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.
--------------------------------------------
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 <tel:+49%206894%209396901> Fax.: +49 (0) 6894 - 9396 851 <tel:+49%206894%209396851> Email: vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>
Web: www.key-systems.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net&d=...> / www.RRPproxy.net <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.RRPproxy.net&d=DwMFa...> www.domaindiscount24.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.domaindiscount24.com...> / www.BrandShelter.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.BrandShelter.com&d=D...>
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.facebook.com_KeySyst...> www.twitter.com/key_systems <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.twitter.com_key-5Fsy...>
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.keydrive.lu&d=DwMFaQ...>
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
_______________________________________________ gnso-rds-pdp-wg mailing list gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_li...>
------------------------------------------------------------------------
*/ Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at 212.484.6000 or via email at ITServices@timewarner.com <mailto:ITServices@timewarner.com>
/*
There is not a process that works. Its inadequacy, I felt, was widely acknowledged both within the ICANN community and by ICANN the organisation.
Ayden
-------- Original Message --------
On 13 February 2018 5:09 PM, Silver, Bradley via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I agree, Michael – any single jurisdiction should not dictate the framework. We should of course take into account legal norms – including regulations such as the GDPR. We should also recall that to the extent any registrar or registry wishes to deviate from their contractual WHOIS obligations (or whatever takes their place in a future RDS), because of a conflict with local privacy laws, there is a process for them to do so.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Dotzero Sent: Tuesday, February 13, 2018 11:04 AM To: Volker Greimann Cc: RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
> Thanks Tapani,
>
> I will extract from your longer message.
> I deliberately kept my brief and less technical.
> I think we are in agreement here and I support your position.
>
> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>
> The key distinction, as I understand it, is that "lawful" would be
> defined by the negative, everything that some law does not prohibit,
>
> whereas "legal basis" is defined by the positive, only things whose
> justification can be explicitly derived from law.
>
> <......>
>
> So I would prefer "legal basis" specifically in this sense: that any processing
> would have to be explicitly based on one of the criteria, or bases, as listed
> in GDPR Article 6, or similar explicit justification in other data protection legislation.
That’s incorrect Ayden: an array of views were expressed by stakeholders in the public comment period about the WHOIS Conflicts Procedure – some in support, some not. ICANN the organization most definitely has not taken a position on the efficacy of the procedure. To the contrary, ICANN’s general counsel, John Jeffrey, recently suggested invoking the procedure in response to the input from Dutch DPA’s regarding data protection compliance: “this letter enables [the .frl and .amsterdam registries] to invoke the community’s Whois Conflicts Procedure, which I encourage them to do.” https://www.icann.org/en/system/files/correspondence/jeffrey-to-sprey-01nov17-en.pdf
From: Ayden Férdeline [mailto:icann@ferdeline.com] Sent: Tuesday, February 13, 2018 11:15 AM To: Silver, Bradley Cc: Dotzero; Volker Greimann; RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
There is not a process that works. Its inadequacy, I felt, was widely acknowledged both within the ICANN community and by ICANN the organisation.
Ayden
-------- Original Message --------
On 13 February 2018 5:09 PM, Silver, Bradley via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I agree, Michael – any single jurisdiction should not dictate the framework. We should of course take into account legal norms – including regulations such as the GDPR. We should also recall that to the extent any registrar or registry wishes to deviate from their contractual WHOIS obligations (or whatever takes their place in a future RDS), because of a conflict with local privacy laws, there is a process for them to do so.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDRP falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable. The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws. Best regards, Kathy On 2/7/2018 10:53 AM, Sam Lanfranco wrote: Thanks Tapani, I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position. On 2/7/2018 1:07 AM, Tapani Tarvainen wrote: The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, where as "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law. <......> So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation. 
Hi Bradley,
I do not question that a few voices stand alone believing this procedure to be perfect, but I am happy to stand by my claim that it is too difficult a tool to be invoked. It is not clear to me whether this is by design (to be as difficult and intransigent as possible) or unintentional (a simple failure to comprehend the way that data protection law works), but whatever the case might be, this procedure and its various trigger mechanisms do not work.
Best wishes,
Ayden
-------- Original Message --------
On 13 February 2018 5:34 PM, Silver, Bradley <Bradley.Silver@timewarner.com> wrote:
That’s incorrect Ayden: an array of views were expressed by stakeholders in the public comment period about the WHOIS Conflicts Procedure – some in support, some not. ICANN the organization most definitely has not taken a position on the efficacy of the procedure. To the contrary, ICANN’s general counsel, John Jeffrey, recently suggested invoking the procedure in response to the input from Dutch DPA’s regarding data protection compliance: “this letter enables [the .frl and .amsterdam registries] to invoke the community’s Whois Conflicts Procedure, which I encourage them to do.” https://www.icann.org/en/system/files/correspondence/jeffrey-to-sprey-01nov17-en.pdf
From: Ayden Férdeline [mailto:icann@ferdeline.com] Sent: Tuesday, February 13, 2018 11:15 AM To: Silver, Bradley Cc: Dotzero; Volker Greimann; RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
There is not a process that works. Its inadequacy, I felt, was widely acknowledged both within the ICANN community and by ICANN the organisation.
Ayden
-------- Original Message --------
On 13 February 2018 5:09 PM, Silver, Bradley via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I agree, Michael – any single jurisdiction should not dictate the framework. We should of course take into account legal norms – including regulations such as the GDPR. We should also recall that to the extent any registrar or registry wishes to deviate from their contractual WHOIS obligations (or whatever takes their place in a future RDS), because of a conflict with local privacy laws, there is a process for them to do so.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Dotzero Sent: Tuesday, February 13, 2018 11:04 AM To: Volker Greimann Cc: RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca@icginc.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
> Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
>
> From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
> Sent: Thursday, February 8, 2018 7:07 PM
> To: gnso-rds-pdp-wg@icann.org
> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
>
> Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
>
> Specifically, GDPR Article 5(1)(b and c) states:
>
> Personal data shall be:
> 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
> 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
>
> Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
>
> Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
>
> "Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
>
> The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
>
> Best regards,
>
> Kathy
>
> On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
>
>> Thanks Tapani,
>>
>> I will extract from your longer message.
>>
>> I deliberately kept my brief and less technical.
>>
>> I think we are in agreement here and I support your position.
>>
>> On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
>>
>> The key distinction, as I understand it, is that "lawful" would be
>> defined by the negative, everything that some law does not prohibit,
>> whereas "legal basis" is defined by the positive, only things whose
>> justification can be explicitly derived from law.
>>
>> <......>
>>
>> So I would prefer "legal basis" specifically in this sense: that any processing
>> would have to be explicitly based on one of the criteria, or bases, as listed
>> in GDPR Article 6, or similar explicit justification in other data protection legislation.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
---------------------------------------------------------------
Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at 212.484.6000 or via email atITServices@timewarner.com
Bradley,
I would respectfully push back on your representation that ICANN.org has not raised concerns regarding the efficacy of the current conflicts procedure. Please refer to the following excerpt from Cyrus Namazi, Vice President, Domain Name Services & Industry Engagement, made during the intercessional meeting with the non-contracting parties that occurred in LA on 2-Feb-2018:
Thank you Steve. This is Cyrus. So just to level set on the reason for the existence of this procedure the primary goal here behind this procedure was to ensure that all of our contracted parties have a mechanism to comply with their local jurisdictions laws in contrast with the ICANN contract so if the ICANN contract by any chance actually exposes some contracted party to end up having in the course of fulfilling up their obligations under the contract being in violation of their local law this law, this is the mechanism for them to come back to ICANN and essentially engage in a conversation to get a waiver or the provisions that the contract that are engaged in law. So this is sort of the overarching goal for this procedure. Now there are two ways that this mechanism, this procedure can be invoked. And our difficulty on the staff side on the GDD and org side has been that the bar has been set so high that in fact no one, no contracted party has actually been able to effectively successfully invoke this with one exception, the recent exception I can talk to that. And these trigger mechanisms are either whether you’re actually being prosecuted by your local law enforcement or you get a letter from your local the data protection authority and neither one of which has proven to be realistically feasible for an operator to really do. And I quite frankly sympathize with our contracted parties. So twice we have actually opened this procedure and taken it to the community in hopes of making it more realistic, more doable, more feasible.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Tuesday, February 13, 2018 11:35 AM To: Ayden Férdeline <icann@ferdeline.com> Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
That’s incorrect Ayden: an array of views were expressed by stakeholders in the public comment period about the WHOIS Conflicts Procedure – some in support, some not. ICANN the organization most definitely has not taken a position on the efficacy of the procedure. To the contrary, ICANN’s general counsel, John Jeffrey, recently suggested invoking the procedure in response to the input from Dutch DPA’s regarding data protection compliance: “this letter enables [the .frl and .amsterdam registries] to invoke the community’s Whois Conflicts Procedure, which I encourage them to do.” https://www.icann.org/en/system/files/correspondence/jeffrey-to-sprey-01nov1...
From: Ayden Férdeline [mailto:icann@ferdeline.com] Sent: Tuesday, February 13, 2018 11:15 AM To: Silver, Bradley Cc: Dotzero; Volker Greimann; RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
There is not a process that works. Its inadequacy, I felt, was widely acknowledged both within the ICANN community and by ICANN the organisation.
Ayden
-------- Original Message --------
On 13 February 2018 5:09 PM, Silver, Bradley via gnso-rds-pdp-wg <gnso-rds-pdp-wg@icann.org> wrote:
I agree, Michael – any single jurisdiction should not dictate the framework. We should of course take into account legal norms – including regulations such as the GDPR.
We should also recall that to the extent any registrar or registry wishes to deviate from their contractual WHOIS obligations (or whatever takes their place in a future RDS), because of a conflict with local privacy laws, there is a process for them to do so.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Dotzero Sent: Tuesday, February 13, 2018 11:04 AM To: Volker Greimann Cc: RDS PDP WG Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on.
There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete. Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own. "Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable. The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards,
Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani, I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Best regards,
Volker A. Greimann - legal department -
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Best regards,
Volker A. Greimann - legal department -
No, but they will be the ones punished for other stakeholders' decisions first of any
--
Kind Regards
Benny Samuelsen
Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638
Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 13 Feb 2018, at 17:23, Dotzero <dotzero@gmail.com> wrote:
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world.
That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have note previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system. Best regards, Michael From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> Cc: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this. John Horton President and CEO, LegitScript [https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJRXE5UTAtclVxdTg&r...] Follow LegitScript: LinkedIn<http://www.linkedin.com/company/legitscript-com> | Facebook<https://www.facebook.com/LegitScript> | Twitter<https://twitter.com/legitscript> | Blog<http://blog.legitscript.com/> | Newsletter<http://go.legitscript.com/Subscription-Management.html> [https://www.legitscript.com/wp-content/uploads/2015/09/LegitScript-Workplace.png][https://docs.google.com/uc?export=download&id=0B13GfLt8zwZJTmNWbmcwOTVJMXc&revid=0B13GfLt8zwZJQlZWOXVGbG9acC9nRGhzdEkxclFJVytCWVNjPQ] On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com<mailto:gca@icginc.com>> wrote: I don’t know if we arrive at the same place. GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. 
It’s like saying what’s inside a box. U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things. Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world. The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU. For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S. See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more. From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>>; gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? 
Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful? There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless? From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific cicumstances, all of which are listed in the GDPR. Am 09.02.2018 um 16:45 schrieb Victoria Sheckler: Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and kathy’s analysis overlooks that point. From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org<mailto:gnso-rds-pdp-wg@icann.org> Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete. Specifically, GDPR Article 5(1)(b and c) states: Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. 
"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added] Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.. Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own. "Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDRP falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable. The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws. Best regards, Kathy On 2/7/2018 10:53 AM, Sam Lanfranco wrote: Thanks Tapani, I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position. On 2/7/2018 1:07 AM, Tapani Tarvainen wrote: The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, where as "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law. <......> So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation. 
Let's be clear that individuals and organizations left unprotected in certain ways will be the first to be punished here, well ahead of ICANN-related organizations of any kind.
On Tue, Feb 13, 2018 at 8:25 AM, benny@nordreg.se <benny@nordreg.se> wrote:
No but they will be the ones punished for other stakeholders' decisions first of any
--
Kind Regards
Benny Samuelsen Registry Manager - Domainexpert
Nordreg AB - ICANN accredited registrar IANA-ID: 638 Phone: +46.42197000 Direct: +47.32260201 Mobile: +47.40410200
On 13 Feb 2018, at 17:23, Dotzero <dotzero@gmail.com> wrote:
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
But the only ones facing the fines or imprisonment of officers. Will you face government fines or prison if you can no longer look at whois? No? Thought so!
On 13.02.2018 at 17:23, Dotzero wrote:
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be: 2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
------------------------------------------------------------------------
Reminder: Any email that requests your login credentials or that asks you to click on a link could be a phishing attack. If you have any questions regarding the authenticity of this email or its sender, please contact the IT Service Desk at 212.484.6000 or via email at ITServices@timewarner.com
------------------------------------------------------------------------
This message is the property of Time Warner Inc. and is intended only for the use of the addressee(s) and may be legally privileged and/or confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, he or she is hereby notified that any dissemination, distribution, printing, forwarding, or any method of copying of this information, and/or the taking of any action in reliance on the information herein is strictly prohibited except by the intended recipient or those to whom he or she intentionally distributes this message. If you have received this communication in error, please immediately notify the sender, and delete the original message and any copies from your computer or storage system. Thank you.
and neither will a lot of bad actors, online criminals and miscreants.
On Tue, Feb 13, 2018 at 8:28 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
But the only ones facing the fines or imprisonment of officers. Will you face government fines or prison if you can no longer look at whois? No? Thought so!
Am 13.02.2018 um 17:23 schrieb Dotzero:
Volcker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accomodate for other jurisdictions, but as more as more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
Am 13.02.2018 um 17:04 schrieb Dotzero:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann < vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accomodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net <vgreimann@key-systems.net>] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com> <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN iOS based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. IF we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have note previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
*Follow* *Legit**Script*: LinkedIn <http://www.linkedin.com/company/legitscript-com> | Facebook <https://www.facebook.com/LegitScript> | Twitter <https://twitter.com/legitscript> | *Blog <http://blog.legitscript.com/>* | Newsletter <http://go.legitscript.com/Subscription-Management.html>
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDRP only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; g nso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific cicumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org <gnso-rds-pdp-wg-bounces@icann.org>] *On Behalf Of *Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND * 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing..
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDRP falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
where as "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_li...>
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com
Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems
CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534
Member of the KEYDRIVE GROUP www.keydrive.lu
This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.
"That it is better /100/ guilty Persons should escape /than/ that /one innocent/ Person should suffer" - Benjamin Franklin Am 13.02.2018 um 17:35 schrieb Chen, Tim:
and neither will a lot of bad actors, online criminals and miscreants.
On Tue, Feb 13, 2018 at 8:28 AM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
But the only ones facing the fines or imprisonment of officers. Will you face government fines or prison if you can no longer look at whois? No? Thought so!
Am 13.02.2018 um 17:23 schrieb Dotzero:
Volcker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca@icginc.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Correct but they are the ones collecting the data so unless they are convinced of the need and legal ability they simply will not collect it. Processing only comes after collection.
From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces@icann.org> on behalf of Dotzero <dotzero@gmail.com>
Date: Tuesday, February 13, 2018 at 5:23 PM
To: Volker Greimann <vgreimann@key-systems.net>
Cc: RDS PDP WG <gnso-rds-pdp-wg@icann.org>
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Volker,
Registrars are not the only constituency with a stake in this.
Michael Hammer
On Tue, Feb 13, 2018 at 11:13 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
Hi Mike,
no, sensible because a great number of registrars will be forced to deal with this anyway, because this will affect a great many of registrations and therefore it makes sense to take this as a basis. Of course we will then need to see if there need to be tweaks to accommodate for other jurisdictions, but as more and more countries are adopting similar regimes....
Sure it will be more restrictive than open access and some people may have a harder time than today getting at certain information, but with tiered access, access would still be possible for those with overriding legitimate interests. That is the model the EU commission hinted at. Not the only model, but a working one.
Volker
On 13.02.2018 at 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
> > > > > > > > _______________________________________________ > > gnso-rds-pdp-wg mailing list > > gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailm > an_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2K > tbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n > 2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKa > CgA_X_fyTE&e=> > > > > > > > > > > _______________________________________________ > > gnso-rds-pdp-wg mailing list > > gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailm > an_listinfo_gnso-2Drds-2Dpdp-2Dwg&d=DwMDaQ&c=tq9bLrSQ8zIr87VusnUS92RmR2K > tbW6AiQIx78dtRmA&r=TAA3GKe6tpWdv3RbCks6TRrjaTx9d0J3KzemA65KYpA&m=fOG1O9n > 2_DhDKrVj0wrojDKlYIsDeLHzwtDlEi-f9Ng&s=GditP_BvWvjE7xFIYot7e5akySiL4RPKa > CgA_X_fyTE&e=> > > > > > > > > > > > > > > Reminder: Any email that requests your login credentials or that asks > you to click on a link could be a phishing attack. If you have any > questions regarding the authenticity of this email or its sender, please > contact the IT Service Desk at 212.484.6000 <tel:%28212%29%20484-6000> > or via email at ITServices@timewarner.com > <mailto:ITServices@timewarner.com> > > > > > > > This message is the property of Time Warner Inc. and is intended only > for the use of the addressee(s) and may be legally privileged and/or > confidential. 
If the reader of this message is not the intended > recipient, or the employee or agent responsible to deliver it to the > intended recipient, he or she is hereby notified that any dissemination, > distribution, printing, forwarding, or any method of copying of this > information, and/or the taking of any action in reliance on the > information herein is strictly prohibited except by the intended > recipient or those to whom he or she intentionally distributes this > message. If you have received this communication in error, please > immediately notify the sender, and delete the original message and any > copies from your computer or storage system. Thank you. > > > > > > > > > > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > <https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg> > > > > > > > > > > > _______________________________________________ > gnso-rds-pdp-wg mailing list > gnso-rds-pdp-wg@icann.org > https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg > >
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH, Im Oberen Werk 1, 66386 St. Ingbert. Tel.: +49 (0) 6894 - 9396 901, Fax.: +49 (0) 6894 - 9396 851, Email: vgreimann@key-systems.net
That is why we should integrate data protection principles into the RDS. That will be your baseline and done right, GDPR or other data protection laws will be much easier to deal with. And being responsible should be a driving factor also, it is the data of the registrants and you cannot use it for whatever purpose you come up with for any given situation. Data protection principles will guide us as it has guided many companies and countries in the last two decades to be responsible.
Theo
On 13-2-2018 17:04, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca@icginc.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.
Best regards,
Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best,
Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN's metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don't tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to "preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules", and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Tuesday, February 13, 2018 11:24 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net] Sent: Tuesday, February 13, 2018 5:58 AM To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here. GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Tuesday, February 13, 2018 11:24 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criterion of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
On 13.02.2018 at 19:18, John Horton via gnso-rds-pdp-wg wrote:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Tuesday, February 13, 2018 11:24 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The extraterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your point about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long-term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Japan and Canada have legislation, add another 7.7, I am looking up Panama to check. I am confident that in the block of other countries (24.6) there will be quite a few with DP law. (PS why on earth does Panama have such a large registration? retired Americans? Favorable liability laws?)
Stephanie
On 2018-02-13 13:36, Volker Greimann wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
Am 13.02.2018 um 19:18 schrieb John Horton via gnso-rds-pdp-wg:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Tuesday, February 13, 2018 11:24 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
From: Volker Greimann [mailto:vgreimann@key-systems.net]
Sent: Tuesday, February 13, 2018 5:58 AM
To: Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Monday, February 12, 2018 2:30 PM
To: Michael Palage <michael@palage.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg
Sent: Monday, February 12, 2018 1:22 PM
To: Greg Aaron <gca@icginc.com>
Cc: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg
Sent: Friday, February 9, 2018 2:54 PM
To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann
Sent: Friday, February 09, 2018 11:27 AM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Thursday, February 8, 2018 7:07 PM
To: gnso-rds-pdp-wg@icann.org
Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a _valid legal basis_ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit,
whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Re: Panama -- my guess is eNom's privacy/proxy service? I don't think it's actually registrants based in Panama -- my guess is that the data just cited probably only accounts for the country in the Whois field (so if it's p/p it's not necessarily identifying the registrant's actual country -- would be interesting to exclude p/p Whois records to see what the data show). In the same vein, DomainsByProxy is generally (always?) US, I think, but I'd assume that there are registrants in other countries using DBP. Just a guess.
John Horton President and CEO, LegitScript
On Tue, Feb 13, 2018 at 10:46 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Japan and Canada have legislation, add another 7.7, I am looking up Panama to check. I am confident that in the block of other countries (24.6) there will be quite a few with DP law. (PS why on earth does Panama have such a large registration? retired Americans? Favorable liability laws?)
Stephanie
On 2018-02-13 13:36, Volker Greimann wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
Am 13.02.2018 um 19:18 schrieb John Horton via gnso-rds-pdp-wg:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2016-06-27-en
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Kathy Kleiman *Sent:* Tuesday, February 13, 2018 11:24 AM
*To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
Am 09.02.2018 um 16:45 schrieb Victoria Sheckler:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be:*
*2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND
*3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
-- Volker A. Greimann - legal department - Key-Systems GmbH
-- John Horton President and CEO, LegitScript
Interesting. And it does appear they have some data protection provisions in their E-Commerce bill, updated in 2016, but the summary I read sounded more like data retention requirements than data protection, so I would not count them until proven otherwise.
cheers Stephanie
On 2018-02-13 13:49, John Horton wrote:
Re: Panama -- my guess is eNom's privacy/proxy service? I don't think it's actually registrants based in Panama -- my guess is that the data just cited probably only accounts for the country in the Whois field (so if it's p/p it's not necessarily identifying the registrant's actual country -- would be interesting to exclude p/p Whois records to see what the data show). In the same vein, DomainsByProxy is generally (always?) US, I think, but I'd assume that there are registrants in other countries using DBP. Just a guess.
John Horton President and CEO, LegitScript
On Tue, Feb 13, 2018 at 10:46 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Japan and Canada have legislation, add another 7.7, I am looking up Panama to check. I am confident that in the block of other countries (24.6) there will be quite a few with DP law. (PS why on earth does Panama have such a large registration? retired Americans? Favorable liability laws?)
Stephanie
On 2018-02-13 13:36, Volker Greimann wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
Am 13.02.2018 um 19:18 schrieb John Horton via gnso-rds-pdp-wg:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Tuesday, February 13, 2018 11:24 AM
*To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out, compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
Am 13.02.2018 um 15:41 schrieb Chuck:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
Am 13.02.2018 um 00:04 schrieb Chuck:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND *3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_li...>
-- Volker A. Greimann - legal department - Key-Systems GmbH
-- John Horton President and CEO, LegitScript
Well, the other thing there would be whether (picking random countries here to use an example) if I'm a US citizen and resident (which I in fact am), can I avail myself of Panamanian privacy laws by choosing a privacy/proxy service that displays a Panama address? I'd presume we'd all agree that's not the intent. (My assumption is that eNom's privacy service is a separate corporation registered in Panama, but again, that's a guess.)
John Horton President and CEO, LegitScript
On Tue, Feb 13, 2018 at 11:02 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Interesting. And it does appear they have some data protection provisions in their E-Commerce bill, updated in 2016, but the summary I read sounded more like data retention requirements than data protection, so I would not count them until proven otherwise.
cheers Stephanie
On 2018-02-13 13:49, John Horton wrote:
Re: Panama -- my guess is eNom's privacy/proxy service? I don't think it's actually registrants based in Panama -- my guess is that the data just cited probably only accounts for the country in the Whois field (so if it's p/p it's not necessarily identifying the registrant's actual country -- would be interesting to exclude p/p Whois records to see what the data show). In the same vein, DomainsByProxy is generally (always?) US, I think, but I'd assume that there are registrants in other countries using DBP. Just a guess.
John Horton President and CEO, LegitScript
On Tue, Feb 13, 2018 at 10:46 AM, Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:
Japan and Canada have legislation, add another 7.7, I am looking up Panama to check. I am confident that in the block of other countries (24.6) there will be quite a few with DP law. (PS why on earth does Panama have such a large registration? retired Americans? Favorable liability laws?)
Stephanie
On 2018-02-13 13:36, Volker Greimann wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
On 13.02.2018 at 19:18, John Horton via gnso-rds-pdp-wg wrote:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2016-06-27-en
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Tuesday, February 13, 2018 11:24 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net] *Sent:* Tuesday, February 13, 2018 5:58 AM *To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities?
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg *Sent:* Monday, February 12, 2018 1:22 PM *To:* Greg Aaron <gca@icginc.com> *Cc:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg *Sent:* Friday, February 9, 2018 2:54 PM *To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann *Sent:* Friday, February 09, 2018 11:27 AM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman *Sent:* Thursday, February 8, 2018 7:07 PM *To:* gnso-rds-pdp-wg@icann.org *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be: 2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND * 3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a *valid legal basis* as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept mine brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
We already have a fragmented system. And when European registrars were (reasonably) requesting exemptions, they were advocating fragmentation.
Regardless of what the GDPR details are, we have to presume that other jurisdictions will have different rules, both more and less stringent, perhaps a lot so.
Alan
-- Sent from my mobile. Please excuse brevity and typos.
On February 13, 2018 1:36:52 PM EST, Volker Greimann <vgreimann@key-systems.net> wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
On 13.02.2018 at 19:18, John Horton via gnso-rds-pdp-wg wrote:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman
*Sent:* Tuesday, February 13, 2018 11:24 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net]
*Sent:* Tuesday, February 13, 2018 5:58 AM
*To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann
*Sent:* Monday, February 12, 2018 2:30 PM
*To:* Michael Palage <michael@palage.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal over simplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation, in fact data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* John Horton via gnso-rds-pdp-wg
*Sent:* Monday, February 12, 2018 1:22 PM
*To:* Greg Aaron <gca@icginc.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Silver, Bradley via gnso-rds-pdp-wg
*Sent:* Friday, February 9, 2018 2:54 PM
*To:* Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Volker Greimann
*Sent:* Friday, February 09, 2018 11:27 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman
*Sent:* Thursday, February 8, 2018 7:07 PM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete.
Specifically, GDPR Article 5(1)(b and c) states:
*Personal data shall be:*
2. *"collected for _specified, explicit and legitimate purposes_ and not further processed in a manner that is incompatible with those purposes"* (the "purpose limitation") AND
3. *"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed"* (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own.
"Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a /valid legal basis/ as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani,
I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
Hi Alan,
when asking for exemptions, we would have preferred to get ICANN to amend the rules that apply to all registrars similarly. As that was not possible, we asked for what we needed to remain compliant with local laws.
However, none of those requests were system-breaking. For example durations of data retention are behind-the-scenes changes that in all likelihood have no visible effect for anyone. Redacting public whois records for a wide swath of registrants will on the other hand have a profound impact for every party. LEAs will have to jump through additional hoops for data access, registrants will no longer be able to transfer domain names as easily (how would the gaining registrar know where to send the FOA if there is no email address in public whois), etc etc.
I think the actual effect of the deviations should be borne in mind when looking at the chaos that will be wrought by fragmented data privacy implementations.
I also want to point out that while everyone always assumes that registrars are rejoicing over GDPR, this is not actually the case. It will mean a lot of additional implementation work, manual handling of requests for information, complaints and disruption of established processes that quite honestly we would rather do without.
Best,
Volker
On 13.02.2018 at 19:59, Alan Greenberg wrote:
We already have a fragmented system. And when European registrars were (reasonably) requesting exemptions, they were advocating fragmentation.
Regardless of what the GDPR details are, we have to presume that other jurisdictions will have different rules, both more and less stringent, perhaps a lot so.
Alan
-- Sent from my mobile. Please excuse brevity and typos.
On February 13, 2018 1:36:52 PM EST, Volker Greimann <vgreimann@key-systems.net> wrote:
That brings us back to the question whether we would want a unified DNS system or a fractured one. I personally think 14% of the world's registrations are quite a significant number, but even if you do not, does this mean you would prefer fragmentation of policies and rules?
On 13.02.2018 at 19:18, John Horton via gnso-rds-pdp-wg wrote:
+1 (to Greg)
On Tue, Feb 13, 2018 at 10:09 AM Greg Aaron <gca@icginc.com> wrote:
What are the jurisdictions where gTLD registrants are located? The stats indicate that a distinct minority of gTLD registrations and registrants may qualify for GDPR protection. According to ICANN’s metrics, 14% of registrants are in the EU. The top jurisdictions are:
USA 41.0%
EU countries 14.0%
China 9.4%
Canada 4.2%
Japan 3.5%
Panama 3.3%
[other 24.6%]
These stats don’t tell us exactly how many registrations might involve GDPR (affecting that are the jurisdictions of the various parties involved in any given registration, the fact that legal persons in the EU are not due the same protection as natural persons, etc.). Still, that 14% is interesting.
The European Commission itself recently told ICANN that solutions can and should be balanced, to “preserve the proper use of WHOIS while ensuring full compliance with the (current and future) EU data protection rules”, and that GDPR only applies to the personal data of natural persons in the EU.
So, what justifies extending a particular protection regime (baseline) to all registrants worldwide, especially when a technical system can support situational-based needs? Over-compliance is not necessary, and over-compliance erodes the proper use of WHOIS. I suggest that a proper solution is to enable compliance with a rule in the situations in which the rule applies. The proper solution is not to over-apply a rule, or to apply the rule where it does not have power.
All best,
--Greg
Source: https://www.icann.org/resources/pages/cct-metrics-domain-name-registration-2...
**********************************
Greg Aaron
Vice-President, Product Management
iThreat Cyber Group / Cybertoolbelt.com
mobile: +1.215.858.2257
**********************************
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of* Kathy Kleiman
*Sent:* Tuesday, February 13, 2018 11:24 AM
*To:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
More than half the countries in the world now have comprehensive data protection laws, and the number grows every year. We found that in our research of foundation documents at the start of this WG. The tipping point took place in 2015. As it happens, Volker's approach simply does take this perspective into account.
Best, Kathy
On 2/13/2018 11:04 AM, Dotzero wrote:
Volker, you assert that "it would be sensible to take GDPR as a basis and start from there". Perhaps sensible from your perspective and easier from your perspective but ICANN is an international organization - primarily dealing with technical/administrative issues - and it MUST take an approach that, as best it can, accommodates the laws and practices of various jurisdictions around the world. Your proposed approach, quite simply does not do that.
Michael Hammer
On Tue, Feb 13, 2018 at 10:54 AM, Volker Greimann <vgreimann@key-systems.net> wrote:
I think that it would be sensible to take the GDPR as a basis and start from there. Obviously, where it conflicts with other applicable laws, we should make sure to accommodate those as well, but as the EU Commission and others have pointed out is that compliance with GDPR does not preclude providing certain access levels to certain parties. What those levels would be and who those parties could be should be the main focus of our work.
On 13.02.2018 at 15:41, Chuck wrote:
Volker,
Are you saying that you think that RDS policies should be designed to comply with European regulations and then applied to all other jurisdictions in the world?
Chuck
*From:* Volker Greimann [mailto:vgreimann@key-systems.net]
*Sent:* Tuesday, February 13, 2018 5:58 AM
*To:* Chuck <consult@cgomes.com>; 'Michael Palage' <michael@palage.com>
*Cc:* gnso-rds-pdp-wg@icann.org
*Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
*From:* gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Monday, February 12, 2018 2:30 PM *To:* Michael Palage <michael@palage.com> <mailto:michael@palage.com> *Cc:* gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:* Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com <mailto:michael@palage.com>> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
*From:*gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org]*On Behalf Of*John Horton via gnso-rds-pdp-wg *Sent:*Monday, February 12, 2018 1:22 PM *To:*Greg Aaron <gca@icginc.com <mailto:gca@icginc.com>> *Cc:*gnso-rds-pdp-wg@icann.org <mailto:gnso-rds-pdp-wg@icann.org> *Subject:*Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com <mailto:gca@icginc.com>> wrote:
With the risk of being branded a heretic, or traitor, and burned at the stake, I would like to suggest a radical idea here. It starts from the observation that ICANN will be unable to come up with a sustainable workable solution here. This PDP-WG is going slow not because of conflicting stakeholder interests within its constituencies. It is going slow because at this level there is no tractable solution.
My heretical idea is to take a page from how the International Labour Organization (ILO) approaches such global problems (e.g. labour at sea). The idea starts with the fact that the solution to this problem lies with the Registrar’s dealing collectively with their own national governments and working out a multilateral agreement on the boundaries between lawful and unlawful, and between legal and illegal, that allow them to operate globally under a compatible, if not common, set of data privacy and protection regulations.
Within the context of the ILO’s more restrictive multi-stakeholder process, where stakeholders include industry, government, and organized labor, the ILO policy development process works up proposed solutions that are then fed into multilateral deliberations. The ILO operates more like a “Think Tank” in the search for multi-lateral solutions to global labor problems, solutions to be adopted by its member states in multilateral negotiations with each other and endorsed by and accepted by its industry and organized labor stakeholders.
This approach would toss the work on a solution to where that work belongs, outside ICANN and in negotiations between nation states who set the data privacy and security regulations and the Registrars who must observe them. Neither of those impacts on ICANN’s core remit. ICANN could function more like a “Think Tank” expressing a broader multistakeholder view of the issues and proposed solutions. ICANN’s contracts would be easier to write, since they would focus on the stability and security of the domain name system, in a global and multilingual setting.
This would also terminate the “shadow dance” and non-productive struggle between the constituency and stakeholder groups within ICANN with, and against, the roles of GAC and Registrars within the ICANN policy development process. CAG members could go home and tell their respective countries to organize to discuss data privacy and security policy with the Registrars. ICANN could better deploy its (probably) shrinking revenue stream and act as a “friend of the discussions”, or offer a venue for those discussions, while protecting its own remit.
Lastly, this might free up some ICANN resources, and Registrar attention, to the distributed ledger technologies (DLTs: e.g. blockchain) that are likely to radically change domain name registration and transfer soon. That will likely have significant negative impact on both Registrar and ICANN revenues. Registrars can go for revenues from more registration services. Not sure what ICANN can do, other than cut costs.
Lastly, if I am to burn at the stake, please use only wood, it is a renewable resource and forests recycle the carbon. I worry about climate change. Also, you could not do it in Puerto Rico, I won't be there. Also, either pick a cold climate for collateral warmth, or bring hot dogs.
Sam L.
--
------------------------------------------------
"It is a disgrace to be rich and honoured in an unjust state" -Confucius
邦有道,贫且贱焉,耻也。邦无道,富且贵焉,耻也
------------------------------------------------
Visiting Prof, Xi'an Jiaotong-Liverpool University, China
Dr Sam Lanfranco (Prof Emeritus & Senior Scholar)
Econ, York U., Toronto, Ontario, CANADA - M3J 1P3
email: sam@lanfranco.net Skype: slanfranco
blog: https://samlanfranco.blogspot.com
Phone: +1 613-476-0429 cell: +1 416-816-2852
I like this heretic idea.
Theo
On 13-2-2018 17:36, Sam Lanfranco wrote:
With the risk of being branded a heretic, or traitor, and burned at the stake, I would like to suggest a radical idea here. It starts from the observation that ICANN will be unable to come up with a sustainable workable solution here. This PDP-WG is going slow not because of conflicting stakeholder interests within its constituencies. It is going slow because at this level there is no tractable solution.
My heretical idea is to take a page from how the International Labour Organization (ILO) approaches such global problems (e.g. labour at sea). The idea starts with the fact that the solution to this problem lies with the Registrar’s dealing collectively with their own national governments and working out a multilateral agreement on the boundaries between lawful and unlawful, and between legal and illegal, that allow them to operate globally under a compatible, if not common, set of data privacy and protection regulations.
Within the context of the ILO’s more restrictive multi-stakeholder process, where stakeholders include industry, government, and organized labor, the ILO policy development process works up proposed solutions that are then fed into multilateral deliberations. The ILO operates more like a “Think Tank” in the search for multi-lateral solutions to global labor problems, solutions to be adopted by its member states in multilateral negotiations with each other and endorsed by and accepted by its industry and organized labor stakeholders.
This approach would toss the work on a solution to where that work belongs, outside ICANN and in negotiations between nation states who set the data privacy and security regulations and the Registrars who must observe them. Neither of those impacts on ICANN’s core remit. ICANN could function more like a “Think Tank” expressing a broader multistakeholder view of the issues and proposed solutions. ICANN’s contracts would be easier to write, since they would focus on the stability and security of the domain name system, in a global and multilingual setting.
This would also terminate the “shadow dance” and non-productive struggle between the constituency and stakeholder groups within ICANN with, and against, the roles of GAC and Registrars within the ICANN policy development process. CAG members could go home and tell their respective countries to organize to discuss data privacy and security policy with the Registrars. ICANN could better deploy its (probably) shrinking revenue stream and act as a “friend of the discussions”, or offer a venue for those discussions, while protecting its own remit.
Lastly, this might free up some ICANN resources, and Registrar attention, to the distributed ledger technologies (DLTs: e.g. blockchain) that are likely to radically change domain name registration and transfer soon. That will likely have significant negative impact on both Registrar and ICANN revenues. Registrars can go for revenues from more registration services. Not sure what ICANN can do, other than cut costs.
Lastly, if I am to burn at the stake, please use only wood, it is a renewable resource and forests recycle the carbon. I worry about climate change. Also, you could not do it in Puerto Rico, I won't be there. Also, either pick a cold climate for collateral warmth, or bring hot dogs.
Sam L.
[I really wish that when a topic morphs, the Subject line be adjusted!]
GDPR is one set of rules (potentially with multiple interpretations by the various privacy commissioners). Other jurisdictions may have other rules, perhaps with stronger privacy, perhaps less. There is nothing to say that one country might not set rules saying that all domain names must have full (current) WHOIS information public, and we would have to comply, allowing registrars/registries in that country to follow their local law. Yes, it is an ugly world and such a rule may well cause registrars/registries to set up business in that country, or NOT set up business there. And registrants might select them or avoid them.
Alan
At 13/02/2018 08:57 AM, Volker Greimann wrote:
I am afraid that if we create different policies for different regions, we will break the model, encourage forum shopping and encourage firewalling of entire geographic sections of the net. I hope that is not what we are doing here.
GDPR will cause some breakage of this and I see it as our mission to fix this breakage of the standard by proposing a unified model once again.
Ultimately, if this solution does what the EU has been asking for, e.g. protect legitimate use cases of registration data as well as the rights of the data subjects, there is no reason why it should not be universally applicable.
Best,
Volker
On 13.02.2018 at 00:04, Chuck wrote:
Volker,
The WG could recommend policies that are ‘universally applicable to all registrations’ but I seriously doubt that will happen in today’s world. That would be much simpler than policies that vary by region and users, but is it realistic?
Chuck
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Monday, February 12, 2018 2:30 PM To: Michael Palage <michael@palage.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Michael is right. ICANN is based on the thought of “One World; one Internet”. This also means that the policies it creates should be universally applicable to all registrations, if possible. If we start creating policy that diverges, that would only lead to further fragmentation and undermine the founding ideal of ICANN itself. Our aim should be to create one policy that can be applied to all or most registrations and that can be implemented by all registrars alike.
While we will likely have a certain amount of fragmentation following May 25 as each contracted party applies its own solution, it should be our goal to overcome this and present a new unified policy that works for all contracted parties.
Volker
On 12. Feb 2018, at 20:27, Michael Palage <michael@palage.com> wrote:
Greg/John,
I will respectfully push back on your legal oversimplification of the GDPR.
The exterritorial aspect of the GDPR set forth in Article 3 is NOT just limited to EU residents/citizens. As Michele has noted in the past, the GDPR requires BlackKnight as an Irish legal entity to protect all of its customers' data (EU/Non-EU) in compliance with GDPR, as well as US entities that target and conduct business within the EU.
Now your points about the distinction between natural and legal persons is a fair one and one that has been noted in EU and Art 29 communications. Could you please share the basis of your proposition that 97% of all domain name registrations are registered by legal entities.
As I have noted previously, the long term viability of the ICANN multi-stakeholder model is at risk as national governments continue to pass national laws that impact the operation of the Internet. However, the European Union is NOT alone in advancing Privacy Legislation; in fact, data localization is perhaps the next biggest lurking threat to the domain name system.
Best regards,
Michael
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of John Horton via gnso-rds-pdp-wg Sent: Monday, February 12, 2018 1:22 PM To: Greg Aaron <gca@icginc.com> Cc: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I think Greg is right on. There's simply no justification to force a law that is only intended to apply to a) EU residents/citizens that are b) natural persons not using the domain name for commercial purposes, to the remaining...what? 97% - 99% of the world's registrant population? That would be a balanced way to implement all of this.
John Horton President and CEO, LegitScript
On Mon, Feb 12, 2018 at 9:57 AM, Greg Aaron <gca@icginc.com> wrote:
I don’t know if we arrive at the same place.
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box. The U.S. doesn’t have something like GDPR that spells out legal bases for collecting data, i.e. the enumerated allowable reasons. Instead the trade and consumer protection laws basically say: entities have the right to form contracts between themselves, they should live up to the contract, don’t surprise people, don’t do certain dishonest things.
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy. ICANN would be choosing one legal approach or regime for everyone in the world.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
For example, there’s nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
See https://iapp.org/news/a/explaining-the-gdpr-to-an-american/ for more.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Silver, Bradley via gnso-rds-pdp-wg Sent: Friday, February 9, 2018 2:54 PM To: Volker Greimann <vgreimann@key-systems.net>; gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
It is true that the GDPR is prescriptive, although also rather open-ended (hence our current pickle). But regardless of the term we use, don’t we arrive at the same place: which is that if something that requires a legal basis is done without one, it will be unlawful? Using Kathy’s example, if data is processed without complying with minimization or purpose principles, will such processing not run afoul of the law, and hence be unlawful?
There are important distinctions between the meaning of “legal basis” which implies that a law requires something to be affirmatively present, versus “lawful”, which means that something is not prohibited by law. Ultimately though, isn’t “lawfulness”, the same end point, regardless?
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Volker Greimann Sent: Friday, February 09, 2018 11:27 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
I do not see how. Kathy's analysis seems sound. The flexibility within the GDPR still only allows processing in very specific circumstances, all of which are listed in the GDPR.
On 09.02.2018 at 16:45, Victoria Sheckler wrote:
Kathy’s analysis breaks down on a practical level when one looks at the GDPR and what it says about when data can be processed. The GDPR allows for flexibility for what can be processed and when, and Kathy’s analysis overlooks that point.
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Kathy Kleiman Sent: Thursday, February 8, 2018 7:07 PM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
Tx for the invitation to join, Chuck, and following up on the discussion of Sam and Tapani, let me add that criteria for processing must be clearer than something broadly within ICANN's mission statement and something permissible somewhere. The requirements under law are express and concrete. Specifically, GDPR Article 5(1)(b and c) states:
Personal data shall be:
2. "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (the "purpose limitation") AND
3. "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (the "data minimisation" requirement). [underline added]
Thus, our first criteria of "consistent with ICANN's mission," is only the first step and we need to go further than even the 3 criteria we are discussing.
Second, lawful and legal enter us into a debate over words and I have to agree with Sam and Tapani's analysis and let me add some of my own. "Legal" is the term we use for actions expressly allowed under law. How we process personal data under the GDPR falls into this category -- of processing expressly allowed under law. Whereas the term lawful is used for a much broader category of actions which are generally permissible and allowable.
The term "legal" is much more consistent with our criteria statement because the processing of personal data by ICANN must clearly have a valid legal basis as expressly defined by data protection laws.
Best regards, Kathy
On 2/7/2018 10:53 AM, Sam Lanfranco wrote:
Thanks Tapani, I will extract from your longer message. I deliberately kept my brief and less technical. I think we are in agreement here and I support your position.
On 2/7/2018 1:07 AM, Tapani Tarvainen wrote:
The key distinction, as I understand it, is that "lawful" would be defined by the negative, everything that some law does not prohibit, whereas "legal basis" is defined by the positive, only things whose justification can be explicitly derived from law.
<......>
So I would prefer "legal basis" specifically in this sense: that any processing would have to be explicitly based on one of the criteria, or bases, as listed in GDPR Article 6, or similar explicit justification in other data protection legislation.
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
Should you have any further questions, please do not hesitate to contact us.
Best regards,
Volker A. Greimann - legal department -
Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net
On Mon, Feb 12, 2018 at 05:57:06PM +0000, Greg Aaron (gca@icginc.com) wrote:
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
Yes. In other words, GDPR says that processing personal data is in effect forbidden by default, only allowed when expressly allowed.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box.
Yes. There even processing personal data is allowed by default, whenever something doesn't explicitly forbid it. (I note that this is how things usually work in Europe as well, but processing personal data has deliberately been made an exception.)
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy.
Would it? Regardless of what we do with RDS, I thought it'd only mean that's what ICANN would *require*. I didn't think it'd forbid other things. That is, a US-based, US-only-serving registrar could go on using also old public-to-all whois alongside the new RDS with its annoying restrictions. Europeans would have to stick with RDS only, or add other, GDPR-compliant things if they like. Others could add whatever their laws allow or require. Have I missed something? Is there a plan to put in registry agreements something to the effect that "besides having to maintain RDS, you are also not allowed to do anything else that would violate GDPR"?
ICANN would be choosing one legal approach or regime for everyone in the world.
That ICANN would have to do in any case. If we are to have one RDS, it must be based on one legal approach. Moreover, it must be designed so it is usable (almost) everywhere. So it must satisfy the strictest legal restrictions (almost) anywhere. And EU is too big to fit in that "(almost)". Even if we ignore the fact that quite a few other countries in the world are following EU example here.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
In practice how?
For example, there's nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
As I said I don't see how that would stop being the case. Those registrars would have to bear the cost of maintaining two parallel systems, RDS and WHOIS, sure.
But the alternative of allowing such registrars opt out of RDS if they prefer WHOIS, let alone designing a new but different RDS-like system for them, would put the burden of having to use two different systems to all users of RDS/WHOIS. And ICANN and registries would face extra complications as well. I don't think that'd be a good idea.
Of course the third alternative is to give up requiring anything of the kind and let markets and legislators sort it out. In practice I expect that'd lead to WHOIS disappearing without successor. I don't like that idea either.
--
Tapani Tarvainen
Tapani,
It seems to me that it is possible to have 'one RDS' that includes gated access to accommodate different requirements by jurisdiction. RDAP certainly allows for this; it might get complicated, but I think it is possible.
Chuck
-----Original Message-----
From: gnso-rds-pdp-wg [mailto:gnso-rds-pdp-wg-bounces@icann.org] On Behalf Of Tapani Tarvainen Sent: Monday, February 12, 2018 11:26 AM To: gnso-rds-pdp-wg@icann.org Subject: Re: [gnso-rds-pdp-wg] Legal basis vs. lawful
On Mon, Feb 12, 2018 at 05:57:06PM +0000, Greg Aaron (gca@icginc.com) wrote:
GDPR is based on one principle. It states what is legal. It's explicit about what you _are allowed to do_; granted there’s some flexibility and room for interpretation. It’s like saying what’s inside a box.
Yes. In other words, GDPR says that processing personal data is in effect forbidden by default, only allowed when expressly allowed.
U.S. law is one based on different principles. AFAIK U.S. consumer protection law does not enumerate specifically what is lawful. Instead it tends to state what is illegal, what you are _not allowed to do_. It’s like saying what’s outside the box.
Yes. There even processing personal data is allowed by default, whenever something doesn't explicitly forbid it. (I note that this is how things usually work in Europe as well, but processing personal data has deliberately been made an exception.)
Here's the problem: if one makes the GDPR principle the ICANN standard and you apply it to all registrations, then practices that are allowable in one place under the law (like the U.S.) would no longer be allowed there by ICANN policy.
Would it? Regardless of what we do with RDS, I thought it'd only mean that's what ICANN would *require*. I didn't think it'd forbid other things. That is, a US-based, US-only-serving registrar could go on using also old public-to-all whois alongside the new RDS with its annoying restrictions. Europeans would have to stick with RDS only, or add other, GDPR-compliant things if they like. Others could add whatever their laws allow or require. Have I missed something? Is there a plan to put in registry agreements something to the effect that "besides having to maintain RDS, you are also not allowed to do anything else that would violate GDPR"?
ICANN would be choosing one legal approach or regime for everyone in the world.
That ICANN would have to do in any case. If we are to have one RDS, it must be based on one legal approach. Moreover, it must be designed so it is usable (almost) everywhere. So it must satisfy the strictest legal restrictions (almost) anywhere. And EU is too big to fit in that "(almost)". Even if we ignore the fact that quite a few other countries in the world are following EU example here.
The alternative is to apply the GDPR only to those that it is designed to protect: registrants in the EU.
In practice how?
For example, there's nothing in U.S. law that prohibits a U.S. registrar from having a contract that says publication of full contact data in WHOIS is a condition of registering a domain name if you are a registrant in the U.S.
As I said I don't see how that would stop being the case. Those registrars would have to bear the cost of maintaining two parallel systems, RDS and WHOIS, sure. But the alternative of allowing such registrars to opt out of RDS if they prefer WHOIS, let alone designing a new but different RDS-like system for them, would put the burden of having to use two different systems on all users of RDS/WHOIS. And ICANN and registries would face extra complications as well. I don't think that'd be a good idea. Of course the third alternative is to give up requiring anything of the kind and let markets and legislators sort it out. In practice I expect that'd lead to WHOIS disappearing without successor. I don't like that idea either.
--
Tapani Tarvainen
On Mon, Feb 12, 2018 at 01:07:18PM -0800, Chuck (consult@cgomes.com) wrote:
It seems to me that it is possible to have 'one RDS' that includes gated access to accommodate different requirements by jurisdiction. RDAP certainly allows for this; it might get complicated, but I think it is possible.
Good point. Certainly some jurisdiction-based differences could be accommodated that way, although not all of GDPR requirements are related to access only.

But that observation suggests a possible way forward. The urgent, immediate need is to have "RDS for Europe", i.e., a GDPR-compliant RDS. Without that Europeans will end up simply turning WHOIS off. So we could try to do just that: design a hypothetical "EU-RDS", and while doing it just make a list of things there that would be unlawful or unpalatable elsewhere.

Then, after getting the "EU-RDS" reasonably well defined, we could see if those differences could be managed by using RDAP abilities or something else to create an umbrella RDS so to speak, with options to tune it for different jurisdictions.

If nothing else, it might be useful as an exercise to ferret out the concrete, detailed points of conflict, and move the discussion away from the high level of abstraction that doesn't seem to be leading anywhere.
--
Tapani Tarvainen
participants (23)
'Tapani Tarvainen'
Alan Greenberg
Ayden Férdeline
benny@nordreg.se
Chen, Tim
Chuck
Dotzero
Greg Aaron
Holly Raiche
John Horton
Kathy Kleiman
Kris Seeburn
Maxim Alzoba
Michael Palage
Michele Neylon - Blacknight
Paul Keating
Sam Lanfranco
Silver, Bradley
Stephanie Perrin
Tapani Tarvainen
Theo Geurts
Victoria Sheckler
Volker Greimann