<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Georgia;
        panose-1:2 4 5 2 5 4 5 2 3 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:12.0pt;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Georgia",serif;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
        {mso-style-priority:34;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:12.0pt;
        margin-left:.5in;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Georgia",serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Georgia",serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Georgia",serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
        {mso-style-priority:34;
        mso-style-type:export-only;
        margin-top:0in;
        margin-right:0in;
        margin-bottom:12.0pt;
        margin-left:.5in;
        mso-add-space:auto;
        font-size:11.0pt;
        font-family:"Georgia",serif;}
p.msonormal0, li.msonormal0, div.msonormal0
        {mso-style-name:msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Georgia",serif;}
p.paragraph, li.paragraph, div.paragraph
        {mso-style-name:paragraph;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:11.0pt;
        font-family:"Times New Roman",serif;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
span.apple-converted-space
        {mso-style-name:apple-converted-space;}
span.EmailStyle22
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:windowtext;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
/* List Definitions */
@list l0
        {mso-list-id:198903579;
        mso-list-template-ids:1995762102;}
@list l1
        {mso-list-id:583146561;
        mso-list-template-ids:133467928;}
@list l1:level1
        {mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri",sans-serif;
        mso-ansi-font-weight:bold;
        mso-bidi-font-weight:bold;}
@list l1:level2
        {mso-level-number-format:alpha-lower;
        mso-level-text:"%2\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:73.0pt;
        text-indent:-19.0pt;}
@list l1:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level4
        {mso-level-text:"\(%4\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level5
        {mso-level-start-at:2;
        mso-level-number-format:bullet;
        mso-level-text:-;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Calibri",sans-serif;
        mso-fareast-font-family:"Times New Roman";}
@list l1:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l1:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l2
        {mso-list-id:777717004;
        mso-list-type:hybrid;
        mso-list-template-ids:-874847414 67698689 67698691 -1336368414 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2:level2
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.5in;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l2:level3
        {mso-level-start-at:0;
        mso-level-number-format:bullet;
        mso-level-text:•;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:163.0pt;
        text-indent:-37.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-font-family:"Times New Roman";}
@list l2:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.5in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2:level5
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.0in;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l2:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.5in;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l2:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:4.0in;
        text-indent:-.25in;
        font-family:Symbol;}
@list l2:level8
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:4.5in;
        text-indent:-.25in;
        font-family:"Courier New";}
@list l2:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:5.0in;
        text-indent:-.25in;
        font-family:Wingdings;}
@list l3
        {mso-list-id:904796538;
        mso-list-template-ids:725809524;}
@list l3:level1
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level2
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level3
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level4
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level5
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level6
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level7
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level8
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l3:level9
        {mso-level-number-format:bullet;
        mso-level-text:;
        mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-size:10.0pt;
        font-family:Symbol;}
@list l4
        {mso-list-id:958561261;
        mso-list-template-ids:534392366;}
@list l4:level1
        {mso-level-start-at:3;
        mso-level-text:%1;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.25in;
        text-indent:-.25in;
        mso-ansi-font-weight:bold;}
@list l4:level2
        {mso-level-start-at:9;
        mso-level-text:"%1\.%2";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.5in;
        text-indent:-.25in;
        mso-ansi-font-weight:bold;}
@list l4:level3
        {mso-level-text:"%1\.%2\.%3";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.0in;
        text-indent:-.5in;
        mso-ansi-font-weight:bold;}
@list l4:level4
        {mso-level-text:"%1\.%2\.%3\.%4";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.25in;
        text-indent:-.5in;
        mso-ansi-font-weight:bold;}
@list l4:level5
        {mso-level-text:"%1\.%2\.%3\.%4\.%5";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.75in;
        text-indent:-.75in;
        mso-ansi-font-weight:bold;}
@list l4:level6
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.0in;
        text-indent:-.75in;
        mso-ansi-font-weight:bold;}
@list l4:level7
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.5in;
        text-indent:-1.0in;
        mso-ansi-font-weight:bold;}
@list l4:level8
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.75in;
        text-indent:-1.0in;
        mso-ansi-font-weight:bold;}
@list l4:level9
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.0in;
        text-indent:-1.0in;
        mso-ansi-font-weight:bold;}
@list l5
        {mso-list-id:1521427293;
        mso-list-template-ids:-1473742934;}
@list l6
        {mso-list-id:1630938590;
        mso-list-type:hybrid;
        mso-list-template-ids:872196010 -1812836130 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l6:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        mso-ansi-font-weight:normal;
        mso-bidi-font-weight:normal;}
@list l6:level2
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l6:level3
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l6:level4
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l6:level5
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l6:level6
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l6:level7
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l6:level8
        {mso-level-number-format:alpha-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l6:level9
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        text-indent:-9.0pt;}
@list l7
        {mso-list-id:1728720017;
        mso-list-template-ids:402220;}
@list l7:level1
        {mso-level-number-format:bullet;
        mso-level-text:o;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:"Courier New";
        mso-ansi-font-weight:bold;
        mso-bidi-font-weight:bold;}
@list l7:level2
        {mso-level-number-format:alpha-lower;
        mso-level-text:"%2\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:73.0pt;
        text-indent:-19.0pt;}
@list l7:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l7:level4
        {mso-level-text:"\(%4\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l7:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l7:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l7:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l7:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l7:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l8
        {mso-list-id:1734892567;
        mso-list-template-ids:-901890282;}
@list l8:level1
        {mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.25in;
        text-indent:-.25in;
        mso-ansi-font-weight:bold;}
@list l8:level2
        {mso-level-text:"%1\.%2\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.55in;
        text-indent:-.3in;
        mso-ansi-font-weight:normal;}
@list l8:level3
        {mso-level-number-format:alpha-lower;
        mso-level-text:"%3\)";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:.85in;
        text-indent:-.35in;}
@list l8:level4
        {mso-level-number-format:roman-lower;
        mso-level-tab-stop:none;
        mso-level-number-position:right;
        margin-left:1.0in;
        text-indent:-.25in;
        mso-bidi-font-family:"Times New Roman";}
@list l8:level5
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.55in;
        text-indent:-.55in;}
@list l8:level6
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:1.9in;
        text-indent:-.65in;}
@list l8:level7
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.25in;
        text-indent:-.75in;}
@list l8:level8
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:2.6in;
        text-indent:-.85in;}
@list l8:level9
        {mso-level-text:"%1\.%2\.%3\.%4\.%5\.%6\.%7\.%8\.%9\.";
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        margin-left:3.0in;
        text-indent:-1.0in;}
@list l9
        {mso-list-id:1832981544;
        mso-list-template-ids:-354494826;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span lang=EN-GB style='font-family:"Calibri",sans-serif'>Dear EPDP Phase 2 Legal Committee:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;text-indent:-.25in;mso-list:l9 level1 lfo10;background:white'><![if !supportLists]><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#172B4D'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif;color:black'>In response to the action item for EPDP Support Staff to circulate the portion of the Bird & Bird City Field memo that referenced the 6(1)(f) balancing test, please find the below excerpt, which starts on p. 4. For context, please find a link to the full memo here: </span><span lang=EN-GB style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#172B4D'><a href="https://community.icann.org/download/attachments/102138857/ICANN%20-%20Memo%20on%20publication%20of%20the%20City%20field%20%28130219%29.docx?version=1&modificationDate=1550152144000&api=v2"><span style='color:#0052CC;text-decoration:none'>City field.docx</span></a>.</span><span style='font-size:10.5pt;font-family:"Calibri",sans-serif;color:#172B4D'><o:p></o:p></span></p><ol style='margin-top:0in' start=3 type=1><ol style='margin-top:0in' start=9 type=1><li class=MsoListParagraphCxSpFirst style='margin-bottom:0in;margin-left:-.5in;margin-bottom:.0001pt;mso-add-space:auto;mso-list:l4 level2 lfo7;text-autospace:none'><b><span lang=EN-GB style='font-family:"Calibri",sans-serif'>Balancing test. </span></b><span lang=EN-GB style='font-family:"Calibri",sans-serif'>Satisfying the balancing test requires an assessment of the strength of the interest pursued balanced against the potential risks for data subjects. 
This element of the test usually requires detailed analysis of the facts and circumstances. Opinion 06/2014 provides helpful guidance on weighing each side of the balance:<o:p></o:p></span></li></ol></ol><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.85in;margin-bottom:.0001pt;mso-add-space:auto;text-autospace:none'><span lang=EN-GB style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.85in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.35in;mso-list:l8 level3 lfo6;text-autospace:none'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'>            </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>Analysis of the strength of the interest:<o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.85in;margin-bottom:.0001pt;mso-add-space:auto;text-autospace:none'><span lang=EN-GB style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoListParagraphCxSpMiddle style='margin-left:.85in;mso-add-space:auto;text-autospace:none'><span style='font-family:"Calibri",sans-serif'>"<i>In general, the fact that a controller acts not only in its own legitimate (e.g. business) interest, but also in the interests of the wider community, can give more 'weight' to that interest. The more compelling the public interest or the interest of the wider community, and the more clearly acknowledged and expected it is in the community and by data subjects that the controller can take action and process data in pursuit of these interests, the more heavily this legitimate interest weighs in the balance. 
<o:p></o:p></i></span></p><p class=MsoListParagraphCxSpMiddle style='margin-left:.85in;mso-add-space:auto;text-autospace:none'><i><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></i></p><p class=MsoListParagraphCxSpMiddle style='margin-left:.85in;mso-add-space:auto;text-autospace:none'><span style='font-family:"Calibri",sans-serif'>"<i>On the other hand, 'private enforcement' of the law should not be used to legitimise intrusive practices that would, were they carried out by a government organisation, be prohibited pursuant to the case law of the European Court of Human Rights on grounds that the activities of the public authority would interfere with the privacy of data subjects without meeting the stringent test under Article 8(2) of the ECHR</i>"<i>.</i><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.85in;margin-bottom:.0001pt;mso-add-space:auto;text-autospace:none'><span lang=EN-GB style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.85in;margin-bottom:.0001pt;mso-add-space:auto;text-indent:-.35in;mso-list:l8 level3 lfo6;text-autospace:none'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'>           </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>The WP29 lists five factors to consider when assessing the impact on data subjects:<o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:.85in;margin-bottom:.0001pt;mso-add-space:auto;text-autospace:none'><span lang=EN-GB style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 
type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=1 type=i><li class=MsoListParagraphCxSpMiddle style='margin-bottom:0in;margin-left:-1.0in;margin-bottom:.0001pt;mso-add-space:auto;mso-list:l8 level4 lfo6;text-autospace:none'><i><span lang=EN-GB style='font-family:"Calibri",sans-serif'>Assessment of impact.</span></i><span lang=EN-GB style='font-family:"Calibri",sans-serif'> The controller must consider not only adverse outcomes on individuals, but also other broader consequences for data subjects: "</span><i><span style='font-family:"Calibri",sans-serif'>R</span></i><i><span style='font-family:"Calibri",sans-serif'>elevant 'impact' is a much broader concept than harm or damage to one or more specific data subjects. 'Impact' as used in this Opinion covers any possible (potential or actual) consequences of the data processing</span></i><span style='font-family:"Calibri",sans-serif'>".<o:p></o:p></span></li></ol></ol></ol></ol><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;mso-add-space:auto;text-autospace:none'><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=2 type=i><li class=MsoListParagraphCxSpLast style='margin-bottom:0in;margin-left:-1.0in;margin-bottom:.0001pt;mso-add-space:auto;mso-list:l8 level4 lfo6;text-autospace:none'><i><span lang=EN-GB style='font-family:"Calibri",sans-serif'>Nature of the data.</span></i><span lang=EN-GB style='font-family:"Calibri",sans-serif'> This factor requires consideration of the level of sensitivity of the data as well as whether the data is already publicly available.<o:p></o:p></span></li></ol></ol></ol></ol><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span lang=EN-GB 
style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=3 type=i><li class=MsoListParagraphCxSpFirst style='margin-bottom:0in;margin-left:-1.0in;margin-bottom:.0001pt;mso-add-space:auto;mso-list:l8 level4 lfo6;text-autospace:none'><i><span lang=EN-GB style='font-family:"Calibri",sans-serif'>The way the data is processed.</span></i><span lang=EN-GB style='font-family:"Calibri",sans-serif'> The manner in which the data will be processed affects the balance of interests. Of particular relevance, the WP29 states, "</span><i><span style='font-family:"Calibri",sans-serif'>whether the data are publicly disclosed or otherwise made accessible to a large number of persons</span></i><span style='font-family:"Calibri",sans-serif'>" is an important consideration if "<i>[s]eemingly innocuous data, when processed on a large scale and combined with other data may lead to inferences about more sensitive data</i>".<o:p></o:p></span></li></ol></ol></ol></ol><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:1.0in;margin-bottom:.0001pt;mso-add-space:auto;text-autospace:none'><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=4 type=i><li class=MsoListParagraphCxSpLast style='margin-bottom:0in;margin-left:-1.0in;margin-bottom:.0001pt;mso-add-space:auto;mso-list:l8 level4 lfo6;text-autospace:none'><i><span lang=EN-GB style='font-family:"Calibri",sans-serif'>The reasonable expectations of the data subject.</span></i><span lang=EN-GB style='font-family:"Calibri",sans-serif'> Whether an individual is likely to expect the processing activity will affect the balance of interests. 
This concept also appears in Recital 47 of the GDPR, which states, "</span><i><span style='font-family:"Calibri",sans-serif'>the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place</span></i><span style='font-family:"Calibri",sans-serif'>".<o:p></o:p></span></li></ol></ol></ol></ol><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=5 type=i><li class=MsoListParagraph style='margin-bottom:0in;margin-left:-1.0in;margin-bottom:.0001pt;mso-add-space:auto;mso-list:l8 level4 lfo6;text-autospace:none'><i><span style='font-family:"Calibri",sans-serif'>The status of the controller and data subject.</span></i><span style='font-family:"Calibri",sans-serif'> Finally, the assessment must take into consideration the negotiating power and any imbalances in authority between the controller and the data subject. Thus, this analysis changes depending on both the status and authority of the controller and the relative power of the data subject. 
<o:p></o:p></span></li></ol></ol></ol></ol><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'>Please let us know if we can be of further assistance.<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'>Best regards,<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:0in;margin-bottom:.0001pt;text-autospace:none'><span style='font-family:"Calibri",sans-serif'>Marika, Berry, and Caitlin<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-GB style='font-family:"Calibri",sans-serif;color:black'><o:p> </o:p></span></p></div><p class=MsoNormal><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-family:"Calibri",sans-serif'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-GB style='font-size:12.0pt;color:black'>From: </span></b><span lang=EN-GB style='font-size:12.0pt;color:black'>Caitlin Tubergen <caitlin.tubergen@icann.org><br><b>Date: </b>Tuesday, September 3, 2019 at 8:18 AM<br><b>To: </b>"gnso-epdp-legal@icann.org" <gnso-epdp-legal@icann.org><br><b>Subject: </b>Notes and action items - EPDP Phase 2 Legal Committee Meeting #6 - 3 September 2019<o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p></div><p class=MsoNormal><span 
lang=EN-GB>Dear EPDP Phase 2 Legal Committee, </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Please find the notes and action items from today’s Legal Committee Meeting below.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>As a reminder, the next Legal Committee meeting will be on Tuesday, 3 September at 14:00 UTC.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Best regards,</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Marika, Berry, and Caitlin</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>--</span><span lang=EN-GB><o:p></o:p></span></p><div style='border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in'><p class=MsoNormal><b><u><span lang=EN-GB>Action Items</span></u></b><span lang=EN-GB><o:p></o:p></span></p></div><div style='border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in'><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraphCxSpFirst style='margin-left:0in;mso-add-space:auto;mso-list:l6 level1 lfo1'><span lang=EN-GB>Thomas, Volker, Brian and Margie to work together on refining Q11 <span style='color:black'>and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.</span><o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l6 level1 lfo1'><span lang=EN-GB style='color:black'>Brian and Matt to review and refine 
updated Q12/13 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.  </span><span lang=EN-GB><o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l6 level1 lfo1'><span lang=EN-GB style='color:black'>Brian and Georgios to review and refine Q6 and submit updated language to the Legal Committee in advance of the next call on Tuesday, 17 September.</span><span lang=EN-GB><o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='margin-left:0in;mso-add-space:auto;mso-list:l6 level1 lfo1'><span lang=EN-GB style='color:black'>EPDP Support Staff to review the Phase 1 Bird & Bird City Field memo and circulate the relevant text regarding carrying out the balancing test to the Legal Committee for further review to assess whether a further legal question needs to be asked. </span><span lang=EN-GB><o:p></o:p></span></li><li class=MsoListParagraphCxSpLast style='margin-left:0in;mso-add-space:auto;mso-list:l6 level1 lfo1'><span lang=EN-GB style='color:black'>EPDP Support Staff to circulate the agreed-upon clarifications to Bird & Bird following today’s meeting. 
León to note the clarifications to the plenary team on Thursday, 5 September during the Legal Committee update.</span><span lang=EN-GB><o:p></o:p></span></li></ol><p class=MsoNormal style='margin-left:.25in'><b><span lang=EN-GB>Proposed Annotated Agenda – EPDP Phase 2 Legal Committee Meeting</span></b><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.25in'><b><span lang=EN-GB>3 September 2019 </span></b><span lang=EN-GB><o:p></o:p></span></p></div><ol style='margin-top:0in' start=1 type=1><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'><b><span lang=EN-GB>Roll Call & SOI Updates </span></b><span lang=EN-GB><o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'><b><span lang=EN-GB>Discussion of Bird & Bird Clarification Questions to Batch 1 Questions</span></b><span lang=EN-GB><o:p></o:p></span></li></ol><p class=MsoListParagraphCxSpMiddle><b><span lang=EN-GB style='color:black'> </span></b><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpLast style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>Is Q2 asking a different question to those in the first set of questions?  
Q1(1), in particular, asks us to consider "the risk of a third party abusing or circumventing the safeguards" – that seems similar to what Q2 is asking.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ol style='margin-top:0in' start=2 type=1><ol style='margin-top:0in' start=1 type=a><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Proposed response: Thank you for clarifying. It is not a different question from Q1(1), rather it's a specific concern we would like Bird and Bird to address in your response to Q1(1).<o:p></o:p></span></li></ul></ol></ol></ol></ol><p class=MsoNormal style='margin-left:.5in'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpFirst style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>In the first set of questions, one assumption is that "data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body" – we assume that even for a "direct" disclosure, the request is still going to come in via the SSAD, and will still be evaluated as all other requests would be; the key difference is just in terms of the final step (data would be sent directly to the requestor by the CP, not via ICANN org / ICANN org's designee).</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ol style='margin-top:0in' 
start=2 type=1><ol style='margin-top:0in' start=2 type=a><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Yes, this is an assumption you can make. <o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>The question that the team is asking is about disclosure in an SSAD system. Yes, assume that even for a direct disclosure the request is still coming in through an SSAD.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Disclosure is envisaged to take place without any manual interaction with the contracted party. The contracted party would not intervene in this instance.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Proposed answer: Yes, your assumption is correct. We confirm data will be requested through an SSAD without any interaction from the contracted parties. 
<o:p></o:p></span></li></ul></ol></ol></ol></ol><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto'><b><span lang=EN-GB style='color:black'> </span></b><span lang=EN-GB><o:p></o:p></span></p><ol style='margin-top:0in' start=3 type=1><li class=MsoListParagraphCxSpLast style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'><b><span lang=EN-GB>Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date</span></b><span lang=EN-GB><o:p></o:p></span></li></ol><p class=MsoNormal><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraph style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>Substantive review of SSAD questions (beginning where LC left off last week)</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><li class=MsoListParagraph style='mso-list:l2 level1 lfo3'><b><span lang=EN-GB style='color:black;border:solid windowtext 1.0pt;padding:0in'>Updated Question 11 </span></b><span lang=EN-GB style='color:black;border:solid windowtext 1.0pt;padding:0in'> </span><span lang=EN-GB style='color:black'>(proposed by Margie)<i>: </i>Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners<sup>1 </sup>(as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, 
information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?</span><span lang=EN-GB><o:p></o:p></span></li></ul><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:71.25pt'><span lang=EN-GB style='color:black'>For purposes of this question, please assume the following safeguards are in place: </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:71.25pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ul style='margin-top:0in' type=disc><ul style='margin-top:0in' type=circle><li class=MsoListParagraphCxSpFirst style='color:black;mso-list:l2 level2 lfo3'><span lang=EN-GB>Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-list:l2 level2 lfo3'><span lang=EN-GB>CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. 
CP has done so.<o:p></o:p></span></li><li class=MsoListParagraphCxSpLast style='color:black;mso-list:l2 level2 lfo3'><span lang=EN-GB style='color:windowtext'>ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: </span><span lang=EN-GB><o:p></o:p></span></li></ul></ul><p class=paragraph style='mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:163.0pt;margin-bottom:.0001pt;text-indent:-37.0pt;mso-list:l2 level3 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>•<span style='font:7.0pt "Times New Roman"'>                     </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>represents that it has a lawful basis for requesting and processing the data,  </span><span lang=EN-GB><o:p></o:p></span></p><p class=paragraph style='mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:163.0pt;margin-bottom:.0001pt;text-indent:-37.0pt;mso-list:l2 level3 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>•<span style='font:7.0pt "Times New Roman"'>                     </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>provides its lawful basis, </span><span lang=EN-GB><o:p></o:p></span></p><p class=paragraph style='mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:163.0pt;margin-bottom:.0001pt;text-indent:-37.0pt;mso-list:l2 level3 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>•<span style='font:7.0pt "Times New Roman"'>                     </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>represents that it is requesting only the data necessary for its purpose,  
</span><span lang=EN-GB><o:p></o:p></span></p><p class=paragraph style='mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:163.0pt;margin-bottom:.0001pt;text-indent:-37.0pt;mso-list:l2 level3 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>•<span style='font:7.0pt "Times New Roman"'>                     </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>agrees to process the data in accordance with GDPR, and  </span><span lang=EN-GB><o:p></o:p></span></p><p class=paragraph style='mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:0in;margin-left:163.0pt;margin-bottom:.0001pt;text-indent:-37.0pt;mso-list:l2 level3 lfo3;vertical-align:baseline'><![if !supportLists]><span lang=EN-GB style='font-family:"Calibri",sans-serif'><span style='mso-list:Ignore'>•<span style='font:7.0pt "Times New Roman"'>                     </span></span></span><![endif]><span lang=EN-GB style='font-family:"Calibri",sans-serif'>agrees to EU standard contractual clauses for the data transfer.  
</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:1.0in'><span lang=EN-GB style='color:black'>Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-GB> </span></b><span lang=EN-GB><o:p></o:p></span></p><div style='border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in'><p class=MsoNormal><b><span lang=EN-GB>Status: </span></b><span lang=EN-GB>Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB>Action item: Thomas, Volker, Brian and Margie to work together on refining this question. 
Legal Committee to review during the next call.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p></div><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-GB style='color:black;border:solid windowtext 1.0pt;padding:0in'>Updated Question 12 and 13 </span></b><span lang=EN-GB style='color:black'>: </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><b><span lang=EN-GB style='color:black'>Background:<span class=apple-converted-space> </span></span></b><span lang=EN-GB style='color:black'>The<span class=apple-converted-space> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_en_system_files_correspondence_odonohue-2Dto-2Dmarby-2D03may19-2Den.pdf&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=QByFqrfGsimsUqARjmh9tGVvwXBjAR0IbkSD0eVdiYg&s=EdXqx7ByC1uX-5j8DO06GVnRLxI1FCbAryQMnKVef7Q&e="><span style='color:#954F72'>recent EC Letter [icann.org]</span></a><span class=apple-converted-space> </span>provides clarification regarding the possible legal bases for disclosure of non-public registration data in the section entitled “Legal Bases for Processing”, and noted:</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><i><span lang=EN-GB style='color:black'>“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. 
For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).</span></i><span lang=EN-GB style='color:black'>”</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-GB style='color:black'>and</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><i><span lang=EN-GB style='color:black'>“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”</span></i><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in;caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><span 
lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal style='caret-color: rgb(0, 0, 0);font-variant-caps: normal;orphans: auto;text-align:start;widows: auto;-webkit-text-size-adjust: auto;-webkit-text-stroke-width: 0px;word-spacing:0px'><b><span lang=EN-GB style='color:black'>Questions:</span></b><span lang=EN-GB><o:p></o:p></span></p><ul type=disc><li class=MsoListParagraphCxSpFirst style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l3 level1 lfo4'><span lang=EN-GB>In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?   <o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l3 level1 lfo4'><span lang=EN-GB>To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR Article 6(1)(e) (public interest), in light of the EC’s recognition that: <i>“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”</i>?<o:p></o:p></span></li></ul><ol start=3 type=1><ol start=1 type=a><ol start=1 type=1><ol start=1 type=1><ul type=disc><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Still having trouble seeing how the EC statement would change the 6(1)(b) memo. 
6(1)(e) requires some sort of underlying law in a member state to enable the entity to process data under that exception – that does not seem relevant for ICANN, particularly in light of Recital 45. <o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>The memo may not change, but it’s worthwhile to at least pose the question, especially since the memo came out before the EC letter.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Problem with this question – as long as the law does not change, unclear why the EC’s letter will change the previous advice here.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>The question may need to be tweaked to be made clearer, the answer is not clear and should be asked. Another thing that makes this an important question to ask is that we still do not have an agreed-upon Purpose 2. Clarification on this question could assist in moving the team forward.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>It may be worth getting clarity on this question. One alternative that could help the question be more productive – there has been guidance from the EDPB re: online data subjects in May 2019. This is binding guidance and may change the legal analysis. 
<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>If the team wants B&B to consider other inputs, the question could be tweaked to include other inputs.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Action item: Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Team in advance of the next call on Tuesday, 17 September.  <o:p></o:p></span></li></ul></ol></ol></ol></ol><div style='border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in'><p class=MsoListParagraphCxSpMiddle style='margin-left:1.0in;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p></div><ul type=disc><li class=MsoListParagraphCxSpLast style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-add-space:auto;mso-list:l2 level1 lfo3'><b><span lang=EN-GB style='border:solid windowtext 1.0pt;padding:0in'>Question 6 </span></b><b><i><span lang=EN-GB>: </span></i></b><span lang=EN-GB>Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? 
(Question from ICANN65 from GAC/IPC)<o:p></o:p></span></li></ul><div style='border:none;border-bottom:solid windowtext 1.5pt;padding:0in 0in 1.0pt 0in'><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b><span lang=EN-GB style='color:black'>Status</span></b><span lang=EN-GB style='color:black'>: Awaiting updated text from Brian/Georgios</span><span lang=EN-GB><o:p></o:p></span></p></div><ol start=4 type=1><li class=MsoListParagraphCxSpFirst style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'><span lang=EN-GB>Additional questions/issues raised for discussion<o:p></o:p></span></li></ol><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>Suggestion from Farzaneh: Add a general question about how to carry out the balancing test </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ol style='margin-top:0in' start=4 type=1><ol style='margin-top:0in' start=1 type=a><ol style='margin-top:0in' start=1 type=1><ol style='margin-top:0in' start=1 type=1><ul style='margin-top:0in' type=disc><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Need a volunteer from the EPDP to draft this.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Alan Woods sent around an informal how-to, Alan pointed out there is already guidance from the City Field memo about what goes into the 6(1)(f) 
balancing test. <o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level5 lfo2'><span lang=EN-GB>Action: EPDP Support Staff to review the City Field memo and include the relevant text regarding carrying out the balancing test for Legal Committee to review.<o:p></o:p></span></li></ul></ol></ol></ol></ol><p class=MsoListParagraphCxSpMiddle style='margin-left:2.5in;mso-add-space:auto'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;line-height:11.65pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>Draft question from Hadia: </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:73.0pt;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:73.0pt;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'>Some of the rights that GDPR gives to individual users relate to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non-public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure, in addition to performing the balancing test in case Article 6(1)f is being used as the lawful basis for disclosure. 
The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions especially where a large number of requests are being analyzed.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:73.0pt;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:73.0pt;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'>The EPDP team would appreciate Bird & Bird answers to the following:</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:73.0pt;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ul type=circle><ol start=1 type=a><ol start=1 type=1><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;line-height:11.65pt;mso-list:l7 level3 lfo5'><span lang=EN-GB>The potential risks to the controllers/processors associated with automated decision making especially that a margin of error could always exist<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;line-height:11.65pt;mso-list:l7 level3 lfo5'><span lang=EN-GB>The conditions/precautions that should be applied if automated decision making is to be used.<o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;line-height:11.65pt;mso-list:l7 
level3 lfo5'><span lang=EN-GB>Could a balancing test be used to weigh up the risks of using the results and how could this be best done.<o:p></o:p></span></li></ol></ol></ul><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'>Note: Legal Committee agreed to review legal advice received from first batch of questions and assess whether this question, or a permutation thereof, is needed.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.0in;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ol start=4 type=1><ol start=2 type=a><ol start=1 type=1><ol start=1 type=1><ul type=disc><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;line-height:11.65pt;mso-list:l1 level5 lfo2'><span lang=EN-GB>This question seems similar to questions included in Batch 1. <o:p></o:p></span></li><li class=MsoListParagraphCxSpMiddle style='color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:0in;mso-add-space:auto;line-height:11.65pt;mso-list:l1 level5 lfo2'><span lang=EN-GB>Proposal to review Hadia’s draft text once the advice from Batch 1 is returned. 
<o:p></o:p></span></li></ul></ol></ol></ol></ol><p class=MsoListParagraphCxSpMiddle style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:1.5in;mso-add-space:auto;line-height:11.65pt'><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpLast style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>c)<span style='font:7.0pt "Times New Roman"'>       </span></span></span><![endif]><span lang=EN-GB style='color:black'>Agree on next steps</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><ol style='margin-top:0in' start=5 type=1><li class=MsoListParagraphCxSpFirst style='color:black;margin-left:0in;mso-add-space:auto;mso-list:l1 level1 lfo2'><b><span lang=EN-GB>Wrap and confirm next meeting to be scheduled </span></b><span lang=EN-GB><o:p></o:p></span></li></ol><p class=MsoListParagraphCxSpMiddle style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>a)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>Confirm action items</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoListParagraphCxSpLast style='margin-left:73.0pt;mso-add-space:auto;text-indent:-19.0pt;mso-list:l1 level2 lfo2'><![if !supportLists]><span lang=EN-GB><span style='mso-list:Ignore'>b)<span style='font:7.0pt "Times New Roman"'>      </span></span></span><![endif]><span lang=EN-GB style='color:black'>The next LC Meeting will take place on Tuesday, 17 September at 14:00 UTC.</span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-family:"Times New 
Roman",serif;color:black'> </span><span lang=EN-GB><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB> <o:p></o:p></span></p></div></body></html>