Versions Compared

Old Version 20

changes.mady.by.user Caitlin Tubergen

Saved on

compared with

New Version 21

changes.mady.by.user Marika Konings

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

      The Board reaffirmed the Temporary Specification with no changes on 21 August 2018.

Temporary Specification Terminology ClarificationClarifications

1. When ICANN refers to “security” as part of its mission - can ICANN describe what types of security are included??

...

 For reference, Section 5.5.16(i) of the Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation (also called the Cookbook) states that “the registrant “organization” would be required to be published (if applicable) so that registrations of legal entities would readily include the name of the entity.”

...

12. Has ICANN given any thought to scenarios where the „Organization“ field might contain personal information? 2.) As the Organization field shall be populated on an optional basis, has ICANN given any thought to a consent requirement or, where another legal basis than Art. 6 I a GDPR was considered, what legal basis shall be applicable based on what rationale?

The organization field, which is an optional field, was one of the topics of discussion among the community during the development of the Cookbook. See sections 5.4 and 5.5 of the Cookbook.

Additionally, the 5 July 2018 letter from the European Data Protection Board states: “The GDPR does not apply to the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.” Recital 14 of the GDPR states: “This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.”

Registrars have always been obligated to inform and obtain consent from the registrants regarding what data elements are collected, what data elements are  published, what data elements are optional, and the intended uses and recipients of the data. (See for example Section II.J.7.b in the 1999 RAA and Section 3.7.7.4 of the 2013 RAA.)

The Temporary Specification relies on 6(1)(f) as the legal basis for the mandatory publication of certain fields, including registrant organization. As noted in our original response, the registrant organization field refers to a legal person and not a natural person. The registrant may give consent for publication of additional fields, for example, the registrant name field.

In considering the applicability of the possible legal bases and after consultations with the community, it was determined that 6(1)(f) was the most appropriate legal basis to support the stated goal of complying with the GDPR while maintaining the existing WHOIS to the greatest extent possible.


EPDB Advice

  1. Can ICANN summarize in some searchable form the contacts and engagements with the EDPB and/or other DPAs in relation to the Temporary Specification for gTLD Registration Data?

...