<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi All,</p>
<p>I have spent the better part of today adding edits to our EPDP
comment. Per Amr's request, I looked closely at the UDRP and URS
issues, Questions 14, 15, and 16. Yes, there are certainly issues
we need to address -- including the publication of registrant
contact information in a decision. If the only place you learn
about a registrant is in a <i>published </i>UDRP or URS
decision, is that fair? What if the registrant wins; still
publish the personal data? What if the sole purpose of filing the
UDRP or URS is to "out" the registrant (something I am hearing
whispered about a lot in intellectual property hallways)? Also,
should the registrant's attorney and his/her contact information
be automatically published? What if it is one human rights group
helping another human rights group? <br>
</p>
<p>As the Request for Comments note, some of this should go to the
RPM WG. I agree, and in Phase 1 of our RPM WG review, involving
the URS and Trademark Clearinghouse, we have already prepared
draft policy recommendations for the URS that include amending the
rules for GDPR-related requirements. All good.<br>
</p>
<p>But what struck me as utterly disastrous is the PDDRP and RRDRP
in other questions, including Purpose 6 and in the broad buckets
of Question 14. <i>Unlike the UDRP and URS, PDDRP and RRDRP are
not proceedings against the registrant, but against the
registry! The disclosure of the personal data of thousands or
even (potentially) millions of innocent and good-faith
registrants is a stunning leap of insanity. </i>Just because
you sue GM does not mean you get the name and address of everyone
who owns a GM car (!) <br>
</p>
<p>I've explained in detail what the Trademark Post-delegation
Dispute Resolution Policy (PDDRP) and Registry Restriction Dispute
Resolution Procedure (RRDRP) in our draft comments (pasted some of
it in the "p.s." below). Everywhere I saw a grouping of UDRP, URS,
PDDRP and RRDRP (as well as "future developed domain name
registration related dispute procedures," which could mean
anything, any future type of proceeding against the registry,
registrar, ICANN or the registrant --it's a completely unbounded
term), I objected with information and discussion on behalf of
NCSG. Happy to discuss! (Note: PDDRP was the first part of our
RPM WG review at the start of Phase 1.) <br>
</p>
<p><u>Other issues</u></p>
<p>I'm also deeply troubled about the continuing collection and
processing of the street address in the RDDS. State and even city
I can understand, but street address? This is a piece of data
collected largely for the processing of credit card data, and like
credit card data, it should be kept locally by the registrars. To
transmit this data is to expose individuals and organizations
(including the many religious, philosophical, racial, ethnic,
political, trade union, health, gender, sexual orientation
directly protected under Article 9 of the GDPR) to prosecution and
persecution. The idea that every pro-democracy website and its
registrants might be requested by law enforcement in China (as a
violation of Chinese criminal law) although the registrant,
registrar and registry are all based in the US/Europe and
protected under the US First Amendment and UN Declaration of Human
Rights Article 19 has haunted me since I worked for PIR. Getting
rid of the street address, and forcing foreign governments and
agents to go through registrars and local law will provide
critical due process and procedural protections for individuals
and organizations. <br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"
id="docs-internal-guid-d08576ad-7fff-8fbb-0e53-89f96f9e9339">Whoever
wrote the response to Recommendation #2: Standardized Access was
brilliant. It is exactly right (although I would make it
emphatic): <span style="font-size:12pt;font-family:Arial;color:#ff0000;background-color:transparent;font-weight:400;font-style:normal;font-variant:normal;text-decoration:none;vertical-align:baseline;white-space:pre;white-space:pre-wrap;">"The NCSG would prefer to replace the term “Standardized Access to nonpublic Registration Data” with the term “Lawful disclosure of nonpublic registration data to third parties with legitimate interests.”" As we heard at the Public Forum in Barcelona, IP & WIPO support a general "IP request" and law enforcement wants a vague and general "we want it because we want it" request. But such a request of individuals and </span>religious,
philosophical, racial, ethnic, political, trade union, health,
gender, sexual orientation is not right or legal under GDPR. For
it does not give the information necessary to make the imporarnt
evaluation required under GDRP Article 6(f) -- including whether
the "fundamental rights and freedoms of the data subject" are put
at risk. <br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;">The
GDPR is eminently practical: the "fundamental rights and freedoms
of the data subject" (including organizations) is paramount. That
requires data and detail to weigh and balance -- not choosing a
pull down slot "IP infringement" or "law enforcement demand." <br>
<br>
<i>(GDPR Article 6:</i><i> 1. “Processing shall be lawful only if
and to the extent that at least one of the following applies:” </i><i>***
</i><i>“(f) processing is necessary for the purposes of the
legitimate interests pursued by the controller or by a third
party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject
which require protection of personal data, in particular where
the data subject is a child.”)</i></p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"><br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;">It's
getting interesting, Folks! Tx so the amazing EPDP and I hope my
hours today help! <br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;">Best,
Kathy</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"><br>
</p>
<p>p.s. More on the PDDRP and RRDPR (from the EPDP Comment): <br>
</p>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"
id="docs-internal-guid-af724936-7fff-d5f3-eb0e-978adcda20c2"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">"These are proceedings </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">against the Registry itself</span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. In the “Trademark Post-Delegation Dispute Resolution Procedure (Trademark PDDRP) (note: the only type of PDDRP that exists), the proceeding is against **the Registry** (not the Registrant). The allegation is as follows:</span></p>
<br>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;margin-left:
49.5pt;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=> ‘The Trademark PDDRP generally addresses a Registry Operator's complicity in trademark infringement on the first or second level of a New gTLD. At least 30 days prior to filing a formal complaint, a rights holder must notify the Registry of the alleged infringing conduct and express a willingness to meet to resolve the issue. Review the Trademark PDDRP [PDF, 181 KB].” </span><font
color="#000000"><a
href="https://newgtlds.icann.org/en/program-status/pddrp"
style="text-decoration:none;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://newgtlds.icann.org/en/program-status/pddrp</span></a><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></font></p>
<br>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">"To the extent in a PDDPR that the </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Registry</span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is also the registrant of domain names used for abuse, it is likely those domain names will be used as part of the pattern of conduct of the </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Registry</span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. But to the extent that there may be thousands or even millions of innocent domain name registrants within a gTLD accused of complicity with trademark infringement at a registry-scale, there is absolutely no waiver of interest and no relinquishing of privacy for the purpose of pursuit of an arbitration against an entirely different third party (the Registry). Accordingly, processing the personal data of registrants for the purpose of “coordinating, operationalizing and facilitating” a PDDRP dispute between a trademark owner and an </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">ICANN Registry</span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> cannot be one which </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">by definition </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">includes the registration data of all registrants -- </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">domain name registrants are not accused in the PDDRP</span></p>
<br>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">"Ditto for the Registry Restriction Dispute Resolution Procedure (RRDRP) which is similarly a proceeding in the New gTLD Applicant Guidebook </span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: italic; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">against the Registry itself</span><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and the allegation is as follows:</span></p>
<br>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;margin-left:
49.5pt;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">=> “The RRDRP is intended to address circumstances in which a community-based New gTLD Registry Operator deviates from the registration restrictions outlined in its Registry Agreement.” </span><font
color="#000000"><a
href="https://newgtlds.icann.org/en/program-status/pddrp"
style="text-decoration:none;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://newgtlds.icann.org/en/program-status/pddrp</span></a><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></font></p>
<br>
<p dir="ltr"
style="line-height:1.2;margin-top:0.5pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial; background-color: transparent; font-weight: 400; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">"The proceeding for an RRDRP, as with the PDDRP above, is expressly against the Registry. In the future, there may be thousands or even millions of innocent domain name registrants completely in compliance with the community-based standards of a community-based gTLD. It is absolutely inconsistent with the GDPR or with an notion of registrant privacy and protection to deep all registrants of a gTLD have consented or in any way agreed to the disclosure of their personal information should the titans (large organizations and registries) fight in a RRDRP. There is no legal basis for the RDDS disclosure of the data of innocent and good faith registrants in a PDDRP or RRDRP proceeding."</span></p>
<br>
<p><br>
</p>
<div class="moz-cite-prefix">On 12/13/2018 10:00 PM, Ayden Férdeline
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:-WrRnrS0KYweYgEP7xSVMaL8EUIkKeNFIhiny4ODwdiPvdCU97CatHKWvuR9yAwFc6bNSORp42NzgvM-qYd0SPwG3iNckdpZSz53eGJAOlw=@ferdeline.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div>I support the submission of this comment.<br>
</div>
<div><br>
</div>
<div class="protonmail_signature_block">
<div class="protonmail_signature_block-user">
<div>Ayden <br>
</div>
</div>
<div class="protonmail_signature_block-proton
protonmail_signature_block-empty"><br>
</div>
</div>
<div><br>
</div>
<div>‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐<br>
</div>
<div> On Thursday, 13 December 2018 20:59, Rafik Dammak
<a class="moz-txt-link-rfc2396E" href="mailto:rafik.dammak@gmail.com"><rafik.dammak@gmail.com></a> wrote:<br>
</div>
<div> <br>
</div>
<blockquote type="cite" class="protonmail_quote">
<div dir="ltr">
<div>Hi all,<br>
</div>
<div><br>
</div>
<div>this is critical and urgent. The deadline for submission
is quite strict. <br>
</div>
<div>please review and comment the draft response to EPDP
initial report.<br>
</div>
<div><br>
</div>
<div>Best Regards,<br>
</div>
<div><br>
</div>
<div>Rafik<br>
</div>
<div>
<div><br>
</div>
<div class="gmail_quote">
<div dir="ltr">---------- Forwarded message ---------<br>
</div>
<div><br>
</div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>Hi all,<br>
</div>
<div><br>
</div>
<div>The representatives to EPDP team prepared a
draft comment from NCSG on the initial report. You
can find it here <a
href="https://docs.google.com/a/mozillafoundation.org/document/d/1iRZUXqSUJ2FaPEeytbH28wJmRamsmio-kzijQmBF2IE/edit"
target="_blank" moz-do-not-send="true">https://docs.google.com/a/mozillafoundation.org/document/d/1iRZUXqSUJ2FaPEeytbH28wJmRamsmio-kzijQmBF2IE/edit</a>
. You can find the initial report here <a
href="https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-initial-2018-11-21-en"
target="_blank" moz-do-not-send="true">https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-initial-2018-11-21-en</a>.
The deadline for submission is the 21st December.<br>
</div>
<div><br>
</div>
<div>The public comment is using google form, that
explains why the draft may look long as it
includes the questions and explanation. Our draft
responses are in red.<br>
</div>
<div>This public comment is an important milestone
for EPDP and for NCSG to submit the comment. It is
also important to encourage to have more input.<br>
</div>
<div><br>
</div>
<div>Best Regards,<br>
</div>
<div><br>
</div>
<div>Rafik<br>
</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
NCSG-PC mailing list
<a class="moz-txt-link-abbreviated" href="mailto:NCSG-PC@lists.ncsg.is">NCSG-PC@lists.ncsg.is</a>
<a class="moz-txt-link-freetext" href="https://lists.ncsg.is/mailman/listinfo/ncsg-pc">https://lists.ncsg.is/mailman/listinfo/ncsg-pc</a>
</pre>
</blockquote>
</body>
</html>