<div><div>Hi all,<br></div><div><br></div><div>We have had over 450 emails on our mailing list over the past month, and I realise it is very easy to miss an important communication. I think this email which Farzaneh sent falls into that category, so I hope you do not mind me 'bumping' this to the top of your inbox again. Embedded within this email was a legal memo (also attached) which I think is a must-read. <br></div><div><br></div><div><div>This is separate from the legal memo that one of our working groups received from the law firm Wilson Sonsini Goodrich & Rosati recently, so we now have in our possession from three separate and independent sources the conclusion that WHOIS is not consistent with European data protection law. The simple summary of the attached memo, as described by ICANN, is this:<br></div><div><br></div><div><i>"The memo highlights the complexity of these issues in the domain name space, and concludes that the current open, publicly available WHOIS services cannot remain unchanged. The WHOIS system has to become adaptable to address the GDPR from the European perspective, as well as other changing regulations around the world."</i><br></div></div></div><div><br></div><div class="protonmail_signature_block"><div class="protonmail_signature_block-user"><div>—Ayden <br></div></div><div class="protonmail_signature_block-proton protonmail_signature_block-empty"><br></div></div><div><br></div><blockquote type="cite" class="protonmail_quote"><div>-------- Original Message --------<br></div><div>Subject: [NCUC-DISCUSS] Data Protection and Privacy Update - ICANN Blog by Akram Atallah, Theresa Swinehart<br></div><div>Local Time: 19 October 2017 2:15 AM<br></div><div>UTC Time: 19 October 2017 01:15<br></div><div>From: farzaneh.badii@gmail.com<br></div><div>To: NCUC-discuss <ncuc-discuss@lists.ncuc.org><br></div><div><br></div><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><span class="font" style="font-family:verdana, sans-serif">Farzaneh</span><br></div></div></div></div><div class="gmail_quote"><div><br></div><div><br></div><div bgcolor="white" lang="EN-US"><div class="m_8845088196836177488WordSection1"><p class="MsoNormal"><a href="https://www.icann.org/news/blog/data-protection-and-privacy-update">https://www.icann.org/news/<wbr>blog/data-protection-and-<wbr>privacy-update</a><u></u><u></u><br></p><p class="MsoNormal"><u></u> <u></u><br></p><p class="MsoNormal"><b><span class="size" style="font-size:24pt">Data Protection and Privacy Update<u></u><u></u></span></b><br></p><p class="MsoNormal"><img border="0" width="753" height="425" alt="ata protection privacy update 753x425 18oct17 en"><u></u><u></u><br></p><p class="MsoNormal">There has been a lot of activity since our last <a href="https://www.icann.org/news/blog/data-protection-and-privacy-progress-update-and-next-steps"> update</a> on 11 September. Here's a brief recap on where we are and a look-ahead at upcoming activities.<u></u><u></u><br></p><p class="MsoNormal">On 4 October we held a webinar to discuss data protection/privacy activities related to the European Union's <a href="http://ec.europa.eu/justice/data-protection/reform/index_en.htm">General Data Protection Regulation (GDPR)</a>. If you missed it, we have published the presentation, audio recordings and transcripts in multiple languages, and responses to unanswered
questions on our <a href="https://www.icann.org/dataprotectionprivacy">data protection/privacy page</a>. The user story matrix can also be found on this page.<u></u><u></u><br></p><p class="MsoNormal">As previously communicated, we engaged the European law firm Hamilton to provide an independent legal analysis, that will be developed in phases.<u></u><u></u><br></p><p class="MsoNormal">We are pleased to note that the first part of the initial independent legal analysis was <a href="https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en.pdf"> published</a> [PDF, 252 KB] today, which includes an appendix with the general questions we provided to Hamilton as "food for thought" in analyzing GDPR in relation to gTLD registration data.<u></u><u></u><br></p><p class="MsoNormal">This first memo focuses on potentially challenging areas with existing requirements for registries and registrars to provide open, publicly available WHOIS services. It provides
a general overview of key concepts in the GDPR (e.g. personal data, consent, the role of data controllers and processers and data protection authorities, etc.) and how these concepts relate to gTLD WHOIS services.<u></u><u></u><br></p><p class="MsoNormal">The memo highlights the complexity of these issues in the domain name space, and concludes that the current open, publicly available WHOIS services cannot remain unchanged. The
WHOIS system has to become adaptable to address the GDPR from the European perspective, as well as other changing regulations around the world.<u></u><u></u><br></p><p class="MsoNormal">Since GDPR will likely effect how WHOIS data is displayed, it could impact our ability to maintain a single global WHOIS system. In turn, this will likely impact either ICANN's
agreements or its ability to enforce contractual compliance of its agreements using a single and consistent approach. In the short term, we need to work together to understand the scope of this impact and find the right balance between maintaining the current
WHOIS services and compliance with local laws.<u></u><u></u><br></p><p class="MsoNormal">On the engagement front we continued to interact with a range of stakeholders to raise awareness about ICANN's privacy- and data protection- related work. We participated in the
annual <a href="https://www.privacyconference2017.org/eng/index.html">international DPAs conference</a> in Hong Kong, the European Commission's High Level Group on Internet Governance and the <a href="https://www.centr.org/events/upcoming-events/58th-centr-general-assembly.html"> CENTR General Assembly</a> in Brussels, where GDPR was a major topic of discussion. These events provided a further opportunity to hear many perspectives and learn about existing practices in this area.<u></u><u></u><br></p><p class="MsoNormal">Next up is <a href="https://meetings.icann.org/en/abudhabi60">ICANN60</a>, which will be held in Abu Dhabi, and is just around the corner. We encourage you to attend the cross-community <a href="https://schedule.icann.org/event/CbHj/cross-community-session-general-data-protection-regulation-gdpr-implications-for-icann"> "General Data Protection Regulation (GDPR) Implications for ICANN"</a> session, which is planned for Thursday, 2 November at 10:30am local time (UTC +4). Remote participation is offered if you can't be there in person.<u></u><u></u><br></p><p class="MsoNormal"><b><span class="size" style="font-size:13.5pt">A Look Ahead<u></u><u></u></span></b><br></p><p class="MsoNormal">ICANN, like many other organizations, is looking at the new regulation to see how it is relevant and determine how best to comply with the new framework with respect to the data
we collect and process for internal and external services, as well as the implications for the ICANN community and its policies and procedures more widely.<u></u><u></u><br></p><p class="MsoNormal">As a reminder, this legal analysis is intended to serve as building block for community discussions about how to approach GDPR issues in the domain name space.<u></u><u></u><br></p><p class="MsoNormal">Here's where we need help from the multistakeholder community:<u></u><u></u><br></p><p class="MsoNormal">Please review the initial legal analysis and provide feedback. This includes identifying possible questions, and how best to interact with data protection agencies and others to
get to the next step of the analysis.<u></u><u></u><br></p><p class="MsoNormal">It will be helpful to receive your feedback at the earliest opportunity, so as to inform the upcoming discussions at ICANN60, and to feed into future iterations of the legal analysis.
Either reach out to us directly or email <a href="mailto:gdpr@icann.org">gdpr@icann.org</a>.<u></u><u></u><br></p><p class="MsoNormal">For those of you traveling to Abu Dhabi, we wish you safe travels and look forward to seeing you in person. If you aren't making the trip, we hope you will participate remotely.<u></u><u></u><br></p><p class="MsoNormal"><u></u> <u></u><br></p><div><div><p class="MsoNormal"><span class="size" style="font-size:12pt"><u></u> <u></u></span><br></p><p class="MsoNormal"><span class="size" style="font-size:9pt">David A. Olive<br> Senior Vice President<u></u><u></u></span></p><p class="MsoNormal" style="margin-bottom:12.0pt"><span class="size" style="font-size:9pt">Policy Development Support</span><span class="font" style="font-family:PMingLiU, serif"><span class="size" style="font-size:9pt"><br> </span></span><span class="size" style="font-size:9pt">Internet Corporation for Assigned Names and Numbers (ICANN)<u></u><u></u></span></p></div><p class="MsoNormal"><u></u> <u></u><br></p></div></div></div><div><br></div><div>______________________________<wbr>_________________<br></div><div>So-ac-sg-cleaders mailing list<br></div><div><a href="mailto:So-ac-sg-cleaders@icann.org">So-ac-sg-cleaders@icann.org</a><br></div><div><a href="https://mm.icann.org/mailman/listinfo/so-ac-sg-cleaders" rel="noreferrer">https://mm.icann.org/mailman/<wbr>listinfo/so-ac-sg-cleaders</a><br></div><div><br></div></div></div></blockquote><div><br></div>