<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoFootnoteText, li.MsoFootnoteText, div.MsoFootnoteText
{mso-style-priority:99;
mso-style-link:"Footnote Text Char";
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.FootnoteTextChar
{mso-style-name:"Footnote Text Char";
mso-style-priority:99;
mso-style-link:"Footnote Text";
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:10567286;
mso-list-template-ids:-941831928;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:163862009;
mso-list-template-ids:-274068732;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:355161539;
mso-list-template-ids:447755236;}
@list l2:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-number-format:alpha-lower;
mso-level-text:"%2\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:583146561;
mso-list-template-ids:899343574;}
@list l3:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-weight:bold;
mso-bidi-font-weight:bold;}
@list l3:level2
{mso-level-number-format:alpha-lower;
mso-level-text:"%2\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:73.0pt;
text-indent:-19.0pt;}
@list l3:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-text:"\(%4\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:777717004;
mso-list-type:hybrid;
mso-list-template-ids:1187794470 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l4:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:1.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:2.5in;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.0in;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:3.5in;
text-indent:-.25in;
font-family:Wingdings;}
@list l4:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.0in;
text-indent:-.25in;
font-family:Symbol;}
@list l4:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:4.5in;
text-indent:-.25in;
font-family:"Courier New";}
@list l4:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:5.0in;
text-indent:-.25in;
font-family:Wingdings;}
@list l5
{mso-list-id:797800939;
mso-list-type:hybrid;
mso-list-template-ids:99092266 -655824862 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l5:level1
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l5:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l5:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l5:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l6
{mso-list-id:1396203690;
mso-list-template-ids:1167374274;}
@list l6:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l6:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7
{mso-list-id:1620255252;
mso-list-template-ids:602695500;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Dear EPDP Phase 2 Legal Committee,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Below, please find the notes and action items from today’s call.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As a reminder, the next EPDP Phase 2 Legal Committee meeting will be <b>Tuesday, 27 August at 14:00 UTC</b>.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thank you.<o:p></o:p></p><p class=MsoNormal><br>Best regards,<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Marika, Berry, and Caitlin<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.5pt;color:black'>--<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='font-size:10.5pt;color:black'><o:p> </o:p></span></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><b>EPDP Phase 2 Legal Committee Meeting #4<o:p></o:p></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><b>Tuesday, 20 August 14:00 UTC<o:p></o:p></b></p><p class=MsoNormal style='margin-bottom:12.0pt'><b><u>Action Items<o:p></o:p></u></b></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraphCxSpFirst style='margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo1'><span style='color:black'>Brian to clarify the language regarding “opt out” in the second bullet point of Question 2/5.</span><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l2 level1 lfo1'>Brian and Thomas to review Question 2/5, taking into account today’s conversation, and propose new language and distribute to the Team in advance of the next Legal Committee call on Tuesday, 27 September. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo1'>Thomas to submit additional language for Question 4 with respect to whether 6(1)(f) can be deployed by non-European authorities or public authorities in the disclosure of data to them. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo1'><span style='color:black'>Support Staff to add the safeguard bullet points from Q2/5 to Q9 and submit this to the legal list for final review by the group off-line.</span><o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo1'><span style='color:black'>Margie to add a footnote to question 11, regarding SSAC-defined security practitioners. Following Margie’s addition to question 11, Support Staff to add the bullets from Q2/5 to Q11 and submit this to the Legal list for final review by the group off-line. </span><o:p></o:p></li><li class=MsoListParagraphCxSpLast style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l2 level1 lfo1'>Support Staff to build the first batch of questions to be submitted to the EPDP Team for final sign-off. <o:p></o:p></li></ol><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><b><u><span style='color:black'>Notes<o:p></o:p></span></u></b></p><p class=MsoListParagraphCxSpFirst style='margin-bottom:12.0pt;mso-add-space:auto'><o:p> </o:p></p><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-list:l3 level1 lfo2'><b>Roll Call & SOI Updates <o:p></o:p></b></li><li class=MsoListParagraphCxSpLast style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l3 level1 lfo2'><b>Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date</b><o:p></o:p></li></ol><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoListParagraphCxSpFirst style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l3 level2 lfo2'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>Substantive review of SSAD questions (beginning where LC left off last week)<o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto'><span style='color:black'><o:p> </o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpLast style='color:black;margin-bottom:12.0pt;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l4 level1 lfo3'><b>Updated Merged Questions 2 and 5</b>: LC to continue reviewing the updated text and suggest changes (if any) in advance of the next LC meeting on Tuesday, 20 August 2019. LC to be prepared to discuss the text and proposed updates during next LC call.<o:p></o:p></li></ul><p class=MsoNormal style='margin-left:1.0in'><b><i><span style='color:black'>Updated Merged Questions 2 and 5</span></i></b><i><span style='color:black'>: Consider a System for Standardized Access/Disclosure where contracted parties “CPs” are required to disclose personal data over RDAP to requestors either directly or through an intermediary request accreditation/authorization body. Assuming the following safeguards are in place, what risk, if any, would the CP face for the processing activity of disclosure in this context? If any risk exists, what improved or additional safeguards would eliminate<a name="_ftnref1"></a><a href="applewebdata://DC36EABD-CD08-4C99-90BB-7C993390CFCA#_ftn1"><span style='mso-bookmark:_ftnref1'><sup><span style='color:#954F72'>[1]</span></sup></span><span style='mso-bookmark:_ftnref1'></span></a><span style='mso-bookmark:_ftnref1'></span> this risk. In this scenario, would the CP be a controller or a processor<a name="_ftnref2"></a><a href="applewebdata://DC36EABD-CD08-4C99-90BB-7C993390CFCA#_ftn2"><span style='mso-bookmark:_ftnref2'><sup><span style='color:#954F72'>[2]</span></sup></span><span style='mso-bookmark:_ftnref2'></span></a><span style='mso-bookmark:_ftnref2'></span>, and to what extent, if at all, is the CP’s liability impacted by this controller/processor distinction? <o:p></o:p></span></i></p><p class=MsoNormal><i><span style='color:black'> <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:91.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l6 level1 lfo4'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).<o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:.5in;mso-line-height-alt:11.65pt'><i><span style='color:black'> <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:91.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l1 level1 lfo5'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:.5in;mso-line-height-alt:11.65pt'><i><span style='color:black'> <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:91.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l0 level1 lfo6'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>ICANN or its designee has validated the requestor’s identity, and required that the requestor: <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:127.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l0 level2 lfo6'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New";color:black'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>represents that it has a lawful basis for requesting and processing the data, <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:127.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l0 level2 lfo6'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New";color:black'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>provides its lawful basis,<o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:127.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l0 level2 lfo6'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New";color:black'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>represents that it is requesting only the data necessary for its purpose, <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:127.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l0 level2 lfo6'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New";color:black'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>agrees to process the data in accordance with GDPR, and <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:127.0pt;text-indent:-.25in;mso-line-height-alt:11.65pt;mso-list:l0 level2 lfo6'><![if !supportLists]><span style='font-size:10.0pt;font-family:"Courier New";color:black'><span style='mso-list:Ignore'>o<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>agrees to standard contractual clauses for the data transfer. <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:.5in;mso-line-height-alt:11.65pt'><i><span style='color:black'> <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:91.0pt;text-indent:-.25in;mso-list:l7 level1 lfo7'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i>ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject.<span style='color:black'><o:p></o:p></span></i></p><p class=MsoNormal style='margin-bottom:12.0pt;mso-line-height-alt:11.65pt'><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt;mso-line-height-alt:11.65pt'><b><span style='color:black'>Notes from Call</span></b><span style='color:black'>: <o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>The intent of the safeguards list was to be extensive but not exhaustive. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>The detailed background on the safeguards is helpful. It may be helpful to add Question 9 to this question. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>It may be helpful to add the bullets to the last version Question 9. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Action item: Support Staff to add the bullets from Question 2/5 to the end of Question 9.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Safeguards is a loaded term – there are legal safeguards, procedural safeguards, and IT safeguards. Not sure how the terms safeguards is used in the GDPR – should the safeguards be desegregated in this way?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>The safeguards list is not meant to be comprehensive, but rather, to provide background to outside counsel. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>The question was designed to include legal safeguards and procedural safeguards. Technical safeguards were purposely omitted from this list as technical safeguards would likely require a lot of work on every contracted party. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>With respect to the second bullet regarding “opt out” – could registrant opt out of having its data provided to law enforcement? What is this meant to mean?<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>The concept that was trying to be captured is that a registrant knows going into registering a domain name that data will be processed, so the registrant could choose to use P/P services or not register a domain name at all. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Proposed edit: If any risks exist, what safeguards could be implemented to mitigate this risk? <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Risk can never be eliminated but could be mitigated. If you ask for legal advice and ask for a laundry list of safeguards – what are we really asking here? Are we asking legal counsel to tell us what we have to do to mitigate the risk enough to remove liability? If that is the case, we need to sort the safeguards since legal counsel is unlikely to provide guidance on technical safeguards. Here, we are talking about processing that is quite vague, i.e., disclosure to a party. The registrant has no choice when a legal actor comes for data, but we do not what other use cases are relevant. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>What we are trying to ask here – under a scenario in which a standardized access/disclosure model is adopted, and safeguards are in place, what are the risks for contracted parties in this scenario? <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Objections to signing off this question and sending to the plenary for outside counsel? <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Suggest that the text should be clarified re: what opt out means (that a registrant knows going into registering a domain name that data may will be processed, so the registrant could choose to use P/P services or not register a domain name at all).<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Action: Brian to clarify the language regarding “opt out” in the second bullet of this question.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>What are we trying to get as an answer to this question? No lawyer in the world would be able to give you an answer that there is no risk if the criteria mentioned in the question are met. If the risk for the data subject stemming from certain processing activities is low, the measures are low for safeguard. If the risks are high, you have to take extraordinary measures to protect the data subject. Without spelling out concrete scenarios, it is unlikely we will get a positive response to this question.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Would it be best if instead of asking what the risk level outside counsel perceives under this scenario? <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Spell out what data is being requested and what safeguards are being used to protect the request – to see if the safeguards we are considering are correspondent to the risk.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>For the sake of brevity, assumed outside counsel would know some facts, like the type of data that would be in play. Does it make sense to take this back once more to think about what other facts and safeguards are appropriate to add to this question. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Adding data that is disclosed is helpful, but also discuss the grounds upon which the data is requested.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>Action item: Brian and Thomas to review this question again, taking into account today’s conversation and finetune the language.<o:p></o:p></li></ul><p class=MsoListParagraphCxSpMiddle style='margin-bottom:12.0pt;mso-add-space:auto;mso-line-height-alt:11.65pt'><span style='color:black'><o:p> </o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpLast style='color:black;mso-list:l4 level1 lfo3'><b><i>Updated Question 4 </i></b>(proposed by Brian and Volker)<i>: Under the GDPR, a data controller can disclose personal data to law enforcement of competent authority under Art 6 1 c GDPR provided the law enforcement authority has the legal authority to create a legal obligation under applicable law.<o:p></o:p></i></li></ul><p class=MsoNormal style='margin-left:91.0pt'><i><span style='color:black'><o:p> </o:p></span></i></p><ol style='margin-top:0in' start=6 type=1><ol style='margin-top:0in' start=1 type=a><ol style='margin-top:0in' start=1 type=a><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo1'><i>Can law enforcement agencies of other jurisdictions than the data controller/processor therefore not rely on Art 6 1 c GDPR as a legal basis for the data controller to disclose protected data? Under what circumstances could Art 6 1 c GDPR apply to the disclosure of data in such a context?<o:p></o:p></i></li><li class=MsoListParagraphCxSpLast style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l2 level3 lfo1'><i>Do other legal bases for disclosure exist, besides Art 6I f), that the data controller/processor can rely on for such "foreign" LEAs that lack power to legally compel the data controller/processor?<o:p></o:p></i></li></ol></ol></ol><p class=MsoNormal><b><span style='color:black'>Notes from Call:<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='color:black'><o:p> </o:p></span></b></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Propose adding one question on whether 6(1)(f) can be deployed at all by non-European authorities or public authorities in the disclosure of data to them at all. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Action: Thomas to submit additional language with respect to whether 6(1)(f) can be deployed by non-European authorities or public authorities in the disclosure of data to them. <o:p></o:p></li></ul><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto'><span style='color:black'><o:p> </o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpLast style='color:black;mso-line-height-alt:11.65pt;mso-list:l4 level1 lfo3'><b>Updated Question 9 </b>(proposed by Margie): <i>Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally permissible under Article 6(1)(f) to:<o:p></o:p></i></li></ul><p class=MsoNormal style='margin-left:1.0in'><i><span style='color:black'> <o:p></o:p></span></i></p><p class=MsoListParagraphCxSpFirst style='margin-left:1.25in;mso-add-space:auto;text-indent:-.25in;mso-list:l4 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>define specific categories of requests from accredited parties (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or<o:p></o:p></span></i></p><p class=MsoListParagraphCxSpLast style='margin-left:1.25in;mso-add-space:auto;text-indent:-.25in;mso-list:l4 level1 lfo3'><![if !supportLists]><span style='font-family:Symbol;color:black'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><i><span style='color:black'>enable automated disclosures of such data, without requiring a manual review by the controller or processor of each individual disclosure request.<o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:1.25in;text-indent:3.0pt'><i><span style='color:black'><o:p> </o:p></span></i></p><p class=MsoNormal style='margin-left:1.0in'><i><span style='color:black'>In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).<o:p></o:p></span></i></p><p class=MsoNormal><i><span style='color:black'><o:p> </o:p></span></i></p><p class=MsoNormal><b><span style='color:black'>Notes from Call:<o:p></o:p></span></b></p><p class=MsoNormal><b><span style='color:black'><o:p> </o:p></span></b></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Propose adding a bullet under the first bullet – automatically conduct the balancing test under 6(1)(f)<b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>How does this question differ from 2/5? Is this focused more on an automatic 6(1)(f) determination? Is this better as a direct piggyback question? This seems to rely on the same background information on questions 2/5.<b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Maybe make the first question focus on the legality of an accreditation system and the second question focusing on the types of requests being made <b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>The difference b/w the two questions – the first one relates more to risk, but this question was written specifically to focus on automated and high-volume requests.<b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>If this scenario is permissible, it should be that this would be automated, otherwise the system could be intentionally slowing down. <b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>You can automate accreditation and authentication and decide reputationally that certain third parties can be trusted more than others, but not sure how you can meet the requirements of any data protection legislation. You have to look at the precise case – you cannot automate the question. <b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>We cannot create a system that is abuse-proof, and this is not something we can try to create or that the law requires.<b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>It is important to spell out the automation of the 6(1)(f) balancing test<b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>There is no one-size-fits-all solution- what we are trying to find the solution for – can we have a pre-fabricated balancing test for certain scenarios? Is this is feasible, and how can it be operationalized? <b><o:p></o:p></b></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>There is value in keeping questions 2/5 separate from Question 9. After adding bullets from Q2/5, will this question be ready for the plenary? <b><o:p></o:p></b></li><li class=MsoListParagraphCxSpLast style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Action: Support staff to add the bullets from Q2/5 to Q9 and submit this to the Legal list for final review by the group off-line. <b><o:p></o:p></b></li></ul><p class=MsoNormal style='margin-left:1.0in'><span style='color:black'><o:p> </o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='mso-list:l4 level1 lfo3'><b><i><span style='color:black'>Updated Question 11</span></i></b><span style='color:black'> (proposed by Margie)<i>: </i></span><i><span style='color:black'>Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners (as defined in SSAC 101) <span style='background:yellow'>who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49)</span> and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?</span></i><span style='font-family:"Times New Roman",serif'><o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='color:black'>Notes from Call: <o:p></o:p></span></b></p><p class=MsoNormal><b><span style='color:black'><o:p> </o:p></span></b></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>The same safeguards included in Q2/5 should be repeated here.<o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>The description of who would be able to access this automated system is too broad – it could apply to anyone. This needs to be limited to specifically-defined circle of users that has to be tightly controlled. <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>This concern is more of a policy question, rather than a legal question. Would it help to remove the “including text”?<o:p></o:p></li><li class=MsoListParagraphCxSpLast style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Action: Margie to add a footnote to the question regarding security practitioners. Following Margie’s added footnote, Support Staff to add the bullets from Q2/5 to Q11 and submit this to the Legal list for final review by the group off-line. <b><o:p></o:p></b></li></ul><p class=MsoNormal><b><span style='font-family:"Times New Roman",serif'><o:p> </o:p></span></b></p><p class=MsoNormal style='margin-left:.75in'><o:p> </o:p></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpFirst style='color:black;margin-bottom:12.0pt;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l4 level1 lfo3'><b>Updated Question 12 and 13</b>: LC to review simplified question before sending to EPDP Team for sign off: In light of the<span class=apple-converted-space> </span><span style='color:windowtext'><a href="https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf" title="https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf"><span style='color:#954F72'>3 May 2019 correspondence from the European Commission</span></a></span>, are any updates on the<span class=apple-converted-space> </span><span style='color:windowtext'><a href="https://community.icann.org/download/attachments/102138857/6%281%29%28b%29%20Memo.docx?version=1&modificationDate=1548874809000&api=v2"><span style='color:#954F72'>previous memo on 6(1)(b)</span></a></span><span class=apple-converted-space> </span>necessary?<span class=apple-converted-space> </span><span class=apple-converted-space><o:p></o:p></span></li></ul><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:1.0in;mso-add-space:auto;mso-line-height-alt:11.65pt'><span class=apple-converted-space><span style='color:black'><o:p> </o:p></span></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='color:black;margin-bottom:12.0pt;margin-left:0in;mso-add-space:auto;mso-line-height-alt:11.65pt;mso-list:l5 level1 lfo8'>This question will be sent to the EPDP Team for final sign-off. <span class=apple-converted-space><o:p></o:p></span></li></ul><p class=MsoListParagraphCxSpMiddle style='margin-bottom:12.0pt;mso-add-space:auto;mso-line-height-alt:11.65pt'><b><o:p> </o:p></b></p><ul type=disc><li class=MsoListParagraphCxSpLast style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-add-space:auto;mso-list:l4 level1 lfo3'><b><i>Question 6: </i></b><i>Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)<b><o:p></o:p></b></i></li></ul><p class=MsoNormal style='margin-bottom:12.0pt;mso-line-height-alt:11.65pt'><b><span style='color:black'><o:p> </o:p></span></b></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoFootnoteText style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:310.0pt;margin-bottom:.0001pt'><a name="_ftn1"></a><a href="applewebdata://68B0E022-B472-4D73-B3D4-09BBCC4682C7#_ftnref1"><span style='mso-bookmark:_ftn1'><span class=MsoFootnoteReference><sup><span style='font-size:12.0pt;font-family:"Calibri",sans-serif;color:#954F72'>[1]</span></sup></span></span><span style='mso-bookmark:_ftn1'></span></a><span style='mso-bookmark:_ftn1'></span><span class=apple-converted-space><span style='font-size:12.0pt;color:black'> </span></span><span style='font-size:12.0pt;color:black'>“Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.“ (</span><a href="https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf" title="https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf"><span style='font-size:12.0pt;color:#954F72'>https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf</span></a><span style='font-size:12.0pt;color:black'>)<o:p></o:p></span></p><p class=MsoFootnoteText style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:310.0pt;margin-bottom:.0001pt'><a name="_ftn2"></a><a href="applewebdata://68B0E022-B472-4D73-B3D4-09BBCC4682C7#_ftnref2"><span style='mso-bookmark:_ftn2'><span class=MsoFootnoteReference><sup><span style='font-size:12.0pt;font-family:"Calibri",sans-serif;color:#954F72'>[2]</span></sup></span></span><span style='mso-bookmark:_ftn2'></span></a><span style='mso-bookmark:_ftn2'></span><span class=apple-converted-space><span style='font-size:12.0pt;color:black'> </span></span><a href="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en" title="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en"><span style='font-size:12.0pt;color:#954F72'>https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en</span></a><span style='font-size:12.0pt;color:black'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-left:1.0in'><o:p> </o:p></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoListParagraphCxSpFirst style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l3 level2 lfo2'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>Discussion on submission of questions – submit as complete batch or as available?<o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Is there an objection to submit questions in batches, or should they be submitted in batches? <o:p></o:p></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l5 level1 lfo8'>Action: Support Staff to build the first batch of questions to be submitted to the EPDP Team. <o:p></o:p></li></ul><p class=MsoListParagraphCxSpLast style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l3 level2 lfo2'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>c)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>Agree on next steps<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><ol style='margin-top:0in' start=3 type=1><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l3 level1 lfo2'><b>Wrap and confirm next meeting to be scheduled <o:p></o:p></b></li></ol><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l3 level2 lfo2'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>Confirm action items<o:p></o:p></span></p><p class=MsoListParagraphCxSpLast style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l3 level2 lfo2'><![if !supportLists]><span style='color:black'><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='color:black'>The next LC Meeting will take place on Tuesday, 27 August at 14:00 UTC.<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>