NCSG-DISCUSS Archives

NCSG-Discuss

NCSG-DISCUSS@LISTSERV.SYR.EDU

Sender: NCSG-Discuss <[log in to unmask]>
Date: Tue, 4 May 2021 07:34:14 +0300
Content-Disposition: inline
Reply-To: Tapani Tarvainen <[log in to unmask]>
Subject:
MIME-Version: 1.0
Message-ID:
In-Reply-To:
Content-Type: text/plain; charset=us-ascii
From: Tapani Tarvainen <[log in to unmask]>
Parts/Attachments: text/plain (61 lines)

On Sun, Apr 25, 2021 at 07:54:43PM +0000, Mueller, Milton L ([log in to unmask]) wrote:

> The one thing I want to prevent when it comes to legal and natural
> distinction is to enable some stakeholders to use the distinction as
> an excuse for making more registrants data public and accessible.

Entering this discussion a bit late, having read the long thread,
I find myself in perfect agreement with Milton on that point.

Indeed the very idea that the legal vs. natural person distinction
could be used that way is fundamentally broken. It is based on a
(possibly deliberate) misreading of the GDPR.

When GDPR says it doesn't apply to legal persons, it does *not* mean
that if some data is about a legal person it follows that it isn't
personal and therefore out of scope for GDPR.

What it means is that if the data is about a legal person it does
not follow that it is personal data - but it could still be, as
Mark Leiser well explained. The same piece of data can be both about
a legal and a natural person (or several) at the same time.

But this cannot be fixed by letting registrants choose whether or not
to declare themselves as legal or natural persons, or decline to do
either. Nor does it help to let registrars determine that by other
means.

The status of some data as personal or not cannot be determined on the
basis of whether or not it is about a legal person.

It could be used as a data point, but it's really a useless one.

If we divide registrants into three categories:

(1) natural persons,

(2) legal persons whose data nonetheless is personal so
    that GDPR applies and

(3) legal persons whose data is non-personal,

there's no need to distinguish between (1) and (2) and attempting to
do so will only confuse the issue. Whatever process is used to
distinguish between (2) and (3) will, if done right, automatically
take care of (1) as well.

A registrar that assumes a registrant's data is non-personal because
the registrant is a legal person will be in violation of the GDPR.

Really the only right solution is to forgo the very idea of asking
registrants if they're legal or natural persons. That distinction can
not be used in any useful way by the registrars, it can only be abused
(and almost certainly will).

I haven't followed the EPDP much so I don't know if that can still be
done there, but if not, I expect ICANN will find itself staring at the
pointy end of an EU court decision once more.

-- 
Tapani Tarvainen
