<html><head></head><body><div class="ydp8a651b9eyahoo-style-wrap" style="font-family:times new roman, new york, times, serif;font-size:13px;"><div></div>
        <div dir="ltr" data-setdir="false">Dear Tara and All,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Please find my first draft in relation to the automated decision making question. Tara kindly feel free to change/add anything in here. </div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Question:</div><div dir="ltr" data-setdir="false"><div><p class="ydpa2a5a223MsoNormal" style="direction: ltr; unicode-bidi: embed;">Part of the rights that GDPR gives to
individual users are in relation to automated decision making. In the context
of gTLD registration data, automated decision making could be particularly
useful when evaluating requests for disclosure of non-public registration data. The decision making
would typically involve examining the request,
the supporting documents and the
lawful basis of the controller/processor for disclosure, in addition to performing
the balancing test in case article 6(1)f is being used as the lawful basis for disclosure.
The decision would typically be based on factual information/data as well as
maybe digitally created data. The automated decision would particularly lead to
quicker and consistent decisions especially where a large number of requests
are being analyzed. </p>

<p class="ydpa2a5a223MsoNormal" style="direction: ltr; unicode-bidi: embed;">The EPDP team would appreciate Bird & Bird answers to the following:</p>

<div style="direction: ltr; unicode-bidi: embed;"><ul><li>The potential risks to the controllers/processors
associated with automated decision making, especially given that a margin of error
could always exist</li><li>The conditions/precautions that should be applied if automated decision making is to be used.</li><li>Could a balancing test be used to weigh up the
risks of using the results and how could this be best done?</li></ul><div><br></div><div dir="ltr" data-setdir="false">Best </div><div dir="ltr" data-setdir="false">Hadia Elminiawi</div></div>

<div style="direction: ltr; unicode-bidi: embed;"> </div></div><br></div><div><br></div>
        
        </div><div id="ydpab07dcb0yahoo_quoted_7475710279" class="ydpab07dcb0yahoo_quoted">
            <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                
                <div>
                    On Tuesday, August 27, 2019, 10:32:33 PM GMT+2, Caitlin Tubergen &lt;caitlin.tubergen@icann.org&gt; wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div id="ydpab07dcb0yiv4799139900"><div><div class="ydpab07dcb0yiv4799139900WordSection1"><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">Dear Phase 2 Legal Committee,</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">Below, please find the notes and action items from today’s EPDP Phase 2 Legal Committee meeting.</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">As a reminder, the next EPDP Phase 2 Legal Committee Meeting will be <b>Tuesday, 3 September 2019 at 14:00 UTC</b>.</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">Thank you.</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;"><br>Best regards,</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">Marika, Berry, and Caitlin</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="font-size:10.5pt;color:black;">--</span></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="font-size:10.5pt;color:black;">  </span></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;"><b>EPDP Phase 2 Legal Committee Meeting #5</b></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;"><b>Tuesday, 27 August 14:00 UTC</b></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;"><b><u>Action Items</u></b></p><p 
class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="margin-bottom:12.0pt;"><span>1.<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">      </span></span>Support Staff to add the addition of Volker and Brian to the first question: what risk or liability, if any, would the CP face for the processing activity of disclosure in this context, including the risk of a third party abusing or circumventing the safeguards?</p><ol style="margin-top:0in;" start="2" type="1"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:0in;">Volker and Brian to edit the Question 4 to clarify use of pronouns and whose legal basis is being referred to. (For the question to be included in Batch 1, the updates will need to be circulated by 15:00 UTC on Wednesday, 28 August.)</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:0in;">Support Staff to reference safeguards within Question 11 (please see italicized text). </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:0in;">Thomas, Volker, Brian and Margie to work together on refining Question 11. Legal Committee to review updated text during the next call.</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-bottom:12.0pt;margin-left:0in;">Margie to review the 6(1)(b) memo and reword Question 12/13 to add more specificity (in response to feedback from the plenary team). </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:0in;">Support Staff to create a Google Doc for additional legal questions that come up in discussions. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="margin-left:0in;">Hadia and Tara to provide draft language for a question regarding automated decision making. 
Following receipt of the advice for the first batch of questions, the Legal Committee will assess whether this question is necessary. </li></ol><div style="border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in;"><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;border:none;padding:0in;">  </p></div><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;">  </p><ol style="margin-top:0in;" start="1" type="1"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-bottom:12.0pt;margin-left:0in;"><b>Roll Call & SOI Updates </b></li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;"><b>Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date</b></li></ol><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="margin-left:73.0pt;"><span style="color:black;"><span>a)<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">      </span></span></span><span style="color:black;">Substantive review of SSAD questions (beginning where LC left off last week)</span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="margin-left:73.0pt;"><span style="color:black;">  </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900paragraph" style="margin-top:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;vertical-align:baseline;"><b><i><span style="font-family:Calibri, sans-serif;color:black;">Updated Merged Questions 2 and 5</span></i></b><span style="font-family:Calibri, sans-serif;color:black;"> (proposed by Brian and Thomas)</span><span style="font-family:Calibri, sans-serif;">:</span></li></ul><p class="ydpab07dcb0yiv4799139900paragraph" 
style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">  </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:.25in;margin-bottom:.0001pt;text-indent:.5in;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">Consider a System for Standardized Access/Disclosure where:  <span style="color:black;"></span></span></p><ul style="margin-top:0in;" type="disc"><ul style="margin-top:0in;" type="circle"><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:windowtext;">contracted parties “CPs” are contractually required by ICANN to disclose registration data including personal data, </span><span style="font-family:Calibri, sans-serif;"></span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:windowtext;">data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body, </span><span style="font-family:Calibri, sans-serif;"></span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:windowtext;">the accreditation is carried out by third party commissioned by ICANN without CP involvement, </span><span style="font-family:Calibri, sans-serif;"></span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:windowtext;">disclosure takes place in an automated fashion without any manual intervention, </span><span style="font-family:Calibri, 
sans-serif;"></span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:windowtext;">data subjects are being duly informed according to ICANN’s contractual requirements of the purposes for which, and types of entities by which, personal data may be processed. CP’s contract with ICANN also requires CP to notify data subject about this potential disclosure and third-party processing before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. </span><span style="font-family:Calibri, sans-serif;"></span></li></ul></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:17.25pt;margin-bottom:.0001pt;text-indent:.5in;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;">Further, assume the following safeguards are in place <span style="color:black;"></span></span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-left:35.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:windowtext;">ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: </span><span style="font-family:Calibri, sans-serif;"></span></li></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span 
style="font-family:Calibri, sans-serif;">represents that it has a lawful basis for requesting and processing the data,  <span style="color:black;"></span></span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;">provides its lawful basis, <span style="color:black;"></span></span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;">represents that it is requesting only the data necessary for its purpose,  <span style="color:black;"></span></span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;">agrees to process the data in accordance with GDPR, and  <span style="color:black;"></span></span></p><p class="ydpab07dcb0yiv4799139900paragraph" 
style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;">agrees to EU standard contractual clauses for the data transfer.  <span style="color:black;"></span></span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;">  <span style="color:black;"></span></span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900paragraph" style="margin-bottom:0in;margin-left:35.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject. </span></li></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:black;">1. What risk, if any, would the CP face for the processing activity of disclosure in this context? </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">2.  Would you deem the criteria and safeguards outlined above sufficient to make disclosure of registration data compliant? 
If any risk exists, what improved or additional safeguards would eliminate<sup>1</sup> this risk?  </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">3.  In this scenario, would the CP be a controller or a processor<sup>2</sup>, and to what extent, if at all, is the CP’s liability impacted by this controller/processor distinction? </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">4. Only answer if a risk still exists for the CP: If a risk still exists for the CP, what additional safeguards might be required to eliminate CP liability depending on the nature of the disclosure request, i.e. depending on whether data is requested e.g. 
by private actors pursuing civil claims or law enforcement authorities depending on their jurisdiction or the nature of the crime (misdemeanor or felony) or the associated sanctions (fine, imprisonment or capital punishment)?</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:35.25pt;word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">Footnote 1:<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span>“</span><span style="color:#333333;background:#FCFCFC;">Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.” (</span><span style="color:black;"><a href="https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf" rel="nofollow" target="_blank"><span style="color:#0052CC;background:#FCFCFC;">https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf</span></a></span><span style="color:#333333;background:#FCFCFC;">)</span><span style="color:black;"></span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">Footnote 2:<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span><a 
href="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en" rel="nofollow" target="_blank"><span style="color:#954F72;">https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en</span></a></span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="color:black;">Notes from Meeting:</span></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="color:black;">  </span></b></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;">Consider adding a few words about the abuse of a system. This could be directly addressed in question 2 of this question. For example, do CPs face compliance risk with regard to data protection policy if the safeguards are circumvented by the requesting party and data is subsequently disclosed?<b></b></li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Perhaps a separate question should be included. 
Frame this question more generally – to what extent in order to protect the CPs and ICANN from liability, the safeguards need to be audited and enforced? </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Any system, no matter how strict the safeguards are, there is a potential these can be circumvented or do not prevent all conceivable abuse. If disclosure happens that would be considered a violation, would the safeguards being in place prevent liability or risk to the CPs? Expand the language of number 2 by adding one sentence here. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Proposed addition: Would CPs be liable in case of abuse of this system by third parties? </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;">Can sufficient safeguards being in place shield CPs from risk in case of unlawful disclosures?</li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">General point: our goal shouldn’t be to eliminate any potential for abuse. Consider updating question 1 – what risk or liability, if any, would the CP face for the processing activity of disclosure in this context, including the risk of a third party abusing or circumventing the safeguards? </span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">Action: Add the addition of Volker, Brian to the first question: what risk or liability, if any, would the CP face for the processing activity of disclosure in this context, including the risk of a third party abusing or circumventing the safeguards? 
</span></li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraph" style="color:black;"><b><i>Updated Question 4 </i></b>(proposed by Brian and Volker, with addition from Thomas)<i>: </i>Under the GDPR, a data controller can disclose personal data to law enforcement of competent authority under Art 6 1 c GDPR provided the law enforcement authority has the legal authority to create a legal obligation under applicable law.</li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:91.0pt;"><span style="color:black;">  </span></p><ol style="margin-top:0in;" start="1" type="1"><ol style="margin-top:0in;" start="1" type="a"><ol style="margin-top:0in;" start="1" type="a"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;">Can law enforcement agencies of other jurisdictions than the data controller/processor therefore not rely on Art 6 1 c GDPR as a legal basis for the data controller to disclose protected data? Under what circumstances could Art 6 1 c GDPR apply to the disclosure of data in such a context?</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Do other legal bases for disclosure exist, besides Art 6I f), that the data controller/processor can rely on for such "foreign" LEAs that lack power to legally compel the data controller/processor?</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;">Given that European public authorities cannot use Art. 6 I f GDPR as a legal basis for processing carried out in the performance of their tasks, these need to use e.g. Art. 6 I c GDPR and need to have a European legal basis. 
In the light of this, is it possible for non-EU-based law enforcement authorities to use Art. 6 I f GDPR as a legal basis, since Art. 6 I c GDPR does not seem to be available for them?</li></ol></ol></ol><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="color:black;">Notes from Meeting</span></b><span style="color:black;">: </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;">There are some pronouns included, but it’s not clear whether the question is referring to the disclosing party or the law enforcement agency. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">The updated question is very difficult to understand.</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">It may help to clarify the pronouns.</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;">Action: Volker and Brian to edit the Question 4 to clarify use of pronouns and whose legal basis is being referred to. 
</li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraph" style="color:black;"><b><i>Updated Question 11</i></b> (proposed by Margie)<i>: </i>Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners<sup>1 </sup>(as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?</li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:71.25pt;"><i><span style="color:black;">For purposes of this question, please assume the following safeguards are in place: </span></i></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:71.25pt;"><i><span style="color:black;">  </span></i></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:71.25pt;"><i><span style="color:black;">•          Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).</span></i></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:71.25pt;"><i><span style="color:black;">•          CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be 
processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.</span></i></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-left:35.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><i><span style="font-family:Calibri, sans-serif;">ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: </span></i></li></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><i><span style="font-family:Calibri, sans-serif;color:black;">represents that it has a lawful basis for requesting and processing the data,  </span></i></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><i><span style="font-family:Calibri, sans-serif;color:black;">provides its lawful basis, </span></i></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span 
style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><i><span style="font-family:Calibri, sans-serif;color:black;">represents that it is requesting only the data necessary for its purpose,  </span></i></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><i><span style="font-family:Calibri, sans-serif;color:black;">agrees to process the data in accordance with GDPR, and  </span></i></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><i><span style="font-family:Calibri, sans-serif;color:black;">agrees to EU standard contractual clauses for the data transfer.  
</span></i></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:1.0in;word-spacing:0px;"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:1.0in;"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:1.0in;"><span style="color:black;">Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="color:black;">  </span></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="color:black;">Notes from Meeting</span></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><span style="color:black;">  </span></b></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;">It may be helpful to refer back to the previous question? Add further bullet points to Question 11. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">The wording of security practitioners is too broad. In order for the question to be helpful, we will need to figure out who is in the circle of practitioners. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Action: Support staff to reference safeguards within this question (please see italicized text). </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Security practitioners is too open – this definition needs to be tied down to make it an answerable question. 
The question should be more focused on the risk.</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">This question is meant to address the situation with properly-credentialed security practitioners – the way to reduce the scope is through the accreditation of the security practitioners. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">This question is not ready for submission to outside counsel.</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Action: Thomas, Volker, Brian and Margie to work together on refining this question.  Legal Committee to review in the next call.</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">This question has two aspects: ask if only we install certain safeguards whether unlimited access to the data can be granted to security researchers. That is a good question for us to ask. 
The other aspect of this – if the first question is answered negatively, if it is not possible to allow accreditation-based access to queries </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;">This is not intended to be a security researcher generally – for use in investigations and mitigation activities to protect their network, information systems or services</li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="margin-bottom:12.0pt;"><b><span style="color:black;">Updated Question 12 and 13</span></b><span style="color:black;">: LC to review simplified question before sending to EPDP Team for sign off: In light of the<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span><a href="https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf" title="https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf" rel="nofollow" target="_blank"><span style="color:#954F72;">3 May 2019 correspondence from the European Commission</span></a>, are any updates on the<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span><a href="https://community.icann.org/download/attachments/102138857/6%281%29%28b%29%20Memo.docx?version=1&modificationDate=1548874809000&api=v2" rel="nofollow" target="_blank"><span style="color:#954F72;">previous memo on 6(1)(b)</span></a><span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span>necessary?<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span><span class="ydpab07dcb0yiv4799139900apple-converted-space"></span></li><ul style="margin-top:0in;" type="circle"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="margin-bottom:12.0pt;"><span 
style="color:black;">Based on the feedback during the plenary call (question is too broad), would the LC like to propose updated wording to this question?</span></li></ul></ul><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;"><span class="ydpab07dcb0yiv4799139900apple-converted-space"><b><span style="color:black;">Notes from Meeting:</span></b></span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-bottom:12.0pt;margin-left:0in;"><span class="ydpab07dcb0yiv4799139900apple-converted-space">EPDP Plenary noted during last week’s call that this language is too broad.</span></li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-bottom:12.0pt;margin-left:0in;"><span class="ydpab07dcb0yiv4799139900apple-converted-space">Margie to take a fresh look at the memo and make the question more specific. </span></li></ul><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-bottom:12.0pt;"><b>  </b></p><ul type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;"><b><i>Question 6: </i></b><i>Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)<b></b></i></li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:1.5in;"><span style="color:black;">Note: awaiting updated text from Brian/Georgios</span></p><ul type="disc"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;">Brian and Georgios still trying to connect. Brian and Laureen will chat on the law enforcement question, so perhaps they can discuss this question for the next call. 
</li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Support Staff to create a Google Doc for additional legal questions that come up in discussions. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">Does the group support a standalone question in reference to automation? The group needs more clarity on automation. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">It is OK to think about automation, but it seems difficult to ask this question. The answer, though, will likely be “it depends”. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="color:black;margin-left:0in;">How is this question not already going to be answered by the response to merged question 2/5 and the response to 11. Perhaps add more into the questions about automation. </li><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;">Hadia and Tara to provide draft language for a question regarding automated decision making.  
Following receipt of the advice for the first batch of questions, the team will assess whether this question </li></ul><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-bottom:12.0pt;"><b><span style="color:black;">  </span></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoFootnoteText" style="margin-right:0in;margin-bottom:0in;margin-left:310.0pt;margin-bottom:.0001pt;"><a name="_ftn1"></a><a><span><span class="ydpab07dcb0yiv4799139900MsoFootnoteReference"><sup><span style="font-size:12.0pt;font-family:Calibri, sans-serif;color:#954F72;">[1]</span></sup></span></span><span></span></a><span></span><span class="ydpab07dcb0yiv4799139900apple-converted-space"><span style="font-size:12.0pt;color:black;"> </span></span><span style="font-size:12.0pt;color:black;">“Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.” (<a href="https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf" title="https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf" rel="nofollow" target="_blank"><span style="color:#954F72;">https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf</span></a>)</span></p><p class="ydpab07dcb0yiv4799139900MsoFootnoteText" style="margin-right:0in;margin-bottom:0in;margin-left:310.0pt;margin-bottom:.0001pt;"><a name="_ftn2"></a><a><span><span class="ydpab07dcb0yiv4799139900MsoFootnoteReference"><sup><span style="font-size:12.0pt;font-family:Calibri, sans-serif;color:#954F72;">[2]</span></sup></span></span><span></span></a><span></span><span class="ydpab07dcb0yiv4799139900apple-converted-space"><span style="font-size:12.0pt;color:black;"> </span></span><span
style="font-size:12.0pt;color:black;"><a href="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en" title="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en" rel="nofollow" target="_blank"><span style="color:#954F72;">https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en</span></a></span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:1.0in;"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraph" style="margin-left:73.0pt;"><span style="color:black;"><span>b)<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">      </span></span></span><span style="color:black;">Agree on next steps</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><ol style="margin-top:0in;" start="3" type="1"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;"><b>Wrap and confirm next meeting to be scheduled </b></li></ol><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:73.0pt;"><span style="color:black;"><span>a)<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">      </span></span></span><span style="color:black;">Confirm action items</span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" 
style="margin-left:73.0pt;"><span style="color:black;"><span>b)<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">      </span></span></span><span style="color:black;">The next LC Meeting will take place on Tuesday, 3 September at 14:00 UTC.</span></p><span style="font-size:12.0pt;font-family:Calibri, sans-serif;color:black;"><br clear="all"></span><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">__________________</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><u><span style="color:black;">Batch 1</span></u></b></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><b><u><span style="color:black;"><span style="text-decoration:none;"> </span></span></u></b></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:black;">1. 
(Formerly Q2/5) Consider a System for Standardized Access/Disclosure where:  </span></p><ul style="margin-top:0in;" type="disc"><ul style="margin-top:0in;" type="circle"><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">contracted parties “CPs” are contractually required by ICANN to disclose registration data including personal data, </span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body, </span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">the accreditation is carried out by third party commissioned by ICANN without CP involvement, </span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">disclosure takes place in an automated fashion without any manual intervention, </span></li><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">data subjects are being duly informed according to ICANN’s contractual requirements of the purposes for which, and types of entities by which, personal data may be processed. CP’s contract with ICANN also requires CP to notify data subject about this potential disclosure and third-party processing before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. 
</span></li></ul></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:17.25pt;margin-bottom:.0001pt;text-indent:.5in;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">Further, assume the following safeguards are in place </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-left:35.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: </span></li></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;color:black;">represents that it has a lawful basis for requesting and processing the data,  </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;color:black;">provides its lawful basis, </span></p><p class="ydpab07dcb0yiv4799139900paragraph" 
style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;color:black;">represents that it is requesting only the data necessary for its purpose,  </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;color:black;">agrees to process the data in accordance with GDPR, and  </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:152.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">                                        </span></span></span><span style="font-family:Calibri, sans-serif;color:black;">agrees to EU standard contractual clauses for the data transfer.  
</span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">  </span></p><ul style="margin-top:0in;" type="disc"><li class="ydpab07dcb0yiv4799139900paragraph" style="color:black;margin-bottom:0in;margin-left:35.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;">ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject. </span></li></ul><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:black;">1. What risk or liability, if any, would the CP face for the processing activity of disclosure in this context, including the risk of a third party abusing or circumventing the safeguards? </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;"><span style="font-family:Calibri, sans-serif;color:black;">2.  Would you deem the criteria and safeguards outlined above sufficient to make disclosure of registration data compliant? If any risk exists, what improved or additional safeguards would eliminate<sup>1</sup> this risk?  </span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">3.  In this scenario, would the CP be a controller or a processor<sup>2</sup>, and to what extent, if at all, is the CP’s liability impacted by this controller/processor distinction? 
</span></p><p class="ydpab07dcb0yiv4799139900paragraph" style="margin-right:0in;margin-bottom:0in;margin-left:53.25pt;margin-bottom:.0001pt;vertical-align:baseline;word-spacing:0px;"><span style="font-family:Calibri, sans-serif;color:black;">4. Only answer if a risk still exists for the CP: If a risk still exists for the CP, what additional safeguards might be required to eliminate CP liability depending on the nature of the disclosure request, i.e. depending on whether data is requested e.g. by private actors pursuing civil claims or law enforcement authorities depending on their jurisdiction or the nature of the crime (misdemeanor or felony) or the associated sanctions (fine, imprisonment or capital punishment)?</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:35.25pt;word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">Footnote 1:<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span>“</span><span style="color:#333333;background:#FCFCFC;">Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.” (</span><span style="color:black;"><a href="https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf" rel="nofollow" target="_blank"><span style="color:#0052CC;background:#FCFCFC;">https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf</span></a></span><span style="color:#333333;background:#FCFCFC;">)</span><span style="color:black;"></span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">Footnote 2:<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span><a href="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en" title="https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en" rel="nofollow" target="_blank"><span style="color:#954F72;">https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en</span></a></span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraph" style="margin-left:1.5in;"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="word-spacing:0px;"><span style="color:black;"> </span></p><ol style="margin-top:0in;" start="2" type="1"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="color:black;margin-left:0in;">(Formerly Q7)<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span>To what extent, if any, are contracted parties liable when a third party that accesses non-public WHOIS data under an
accreditation scheme whereby the accessor is accredited for the stated purpose, commits to certain reasonable safeguards similar to a code of conduct regarding use of the data, but misrepresents their intended purposes for processing such data, and subsequently processes it in a manner inconsistent with the stated purpose.  Under such circumstances, if there is a possibility of liability to contracted parties, are there steps that can be taken to mitigate or reduce the risk of liability to the contracted parties?</li></ol><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="word-spacing:0px;"><span style="color:black;"> </span></p><ol style="margin-top:0in;" start="3" type="1"><li class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="color:black;margin-left:0in;">(Formerly Q9) Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally permissible under Article 6(1)(f) to:</li></ol><p class="ydpab07dcb0yiv4799139900MsoNormal" style="word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="margin-left:.75in;"><span style="font-size:10.0pt;font-family:Symbol;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">         </span></span></span><span style="color:black;">define specific categories of requests from accredited parties (e.g.
rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or</span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="margin-left:.75in;"><span style="font-size:10.0pt;font-family:Symbol;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">         </span></span></span><span style="color:black;">enable automated disclosures of such data, without requiring a manual review by the controller or processor of each individual disclosure request.</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:.5in;word-spacing:0px;"><span style="color:black;">In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).</span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:.25in;word-spacing:0px;"><span style="color:black;">For reference, please refer to the following potential safeguards:<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p class="ydpab07dcb0yiv4799139900MsoNormal" style="margin-left:.25in;word-spacing:0px;"><span style="color:black;"> </span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpFirst" style="margin-left:.75in;"><span style="font-size:10.0pt;font-family:Symbol;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">         </span></span></span><span style="color:black;">Disclosure is required under CP’s contract with ICANN 
(resulting from Phase 2 EPDP policy).</span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:.75in;"><span style="font-size:10.0pt;font-family:Symbol;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">         </span></span></span><span style="color:black;">CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:.75in;"><span style="font-size:10.0pt;font-family:Symbol;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">         </span></span></span><span style="color:black;">ICANN or its designee has validated the requestor’s identity, and required that the requestor:<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:1.25in;"><span style="font-size:10.0pt;font-family:Courier New;color:black;"><span>o<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">    </span></span></span><span style="color:black;">represents that it has a lawful basis for requesting and processing the data,<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p 
class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:1.25in;"><span style="font-size:10.0pt;font-family:Courier New;color:black;"><span>o<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">    </span></span></span><span style="color:black;">provides its lawful basis,</span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:1.25in;"><span style="font-size:10.0pt;font-family:Courier New;color:black;"><span>o<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">    </span></span></span><span style="color:black;">represents that it is requesting only the data necessary for its purpose,<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:1.25in;"><span style="font-size:10.0pt;font-family:Courier New;color:black;"><span>o<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">    </span></span></span><span style="color:black;">agrees to process the data in accordance with GDPR, and<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:1.25in;"><span style="font-size:10.0pt;font-family:Courier New;color:black;"><span>o<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">    </span></span></span><span style="color:black;">agrees to standard contractual clauses for the data transfer.<span class="ydpab07dcb0yiv4799139900apple-converted-space"> </span></span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpMiddle" style="margin-left:.75in;"><span 
style="font-size:10.0pt;font-family:Symbol;color:black;"><span>·<span style="font-style: normal; font-weight: normal; font-stretch: normal; font-size: 7pt; line-height: normal; font-family: Times New Roman;">         </span></span></span><span style="color:black;">ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject.</span></p><p class="ydpab07dcb0yiv4799139900MsoListParagraphCxSpLast" style="margin-left:.75in;word-spacing:0px;"><span style="color:black;"> </span></p><span style="font-size:12.0pt;font-family:Calibri, sans-serif;color:black;"><br clear="all"></span><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal"><span style="font-size:11.0pt;font-family:Times New Roman, serif;color:black;">  </span></p><p class="ydpab07dcb0yiv4799139900MsoNormal">  </p></div></div></div>_______________________________________________<br>Gnso-epdp-legal mailing list<br><a href="mailto:Gnso-epdp-legal@icann.org" rel="nofollow" target="_blank">Gnso-epdp-legal@icann.org</a><br><a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-legal" rel="nofollow" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-legal</a><br></div>
            </div>
        </div></body></html>