<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Dear team, <br>
    </p>
    <p>please find attached a first commentary on the proposed question
      11 outlining some issues and proposing some edits.</p>
    <p>Best,</p>
    <p>volker<br>
    </p>
    <div class="moz-cite-prefix">On 01.10.2019 at 15:56, Margie Milam
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:D1C5ED34-8B96-42A4-BD8F-F3C682C5B0FD@fb.com">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt">Hi-<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">Here’s my
            proposal based on prior discussions with Brian, Thomas &
            Volker.  Please note that this language is not reviewed yet
            by Thomas, Brian &  Volker,  but I am sharing for the
            purposes of discussion today.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt">__________________________<o:p></o:p></span></p>
        <p class="MsoNormal"><b><u><span style="color:black">Updated
                Question 11</span></u></b><span style="color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;margin-left:1.0in"><span
            style="color:black"> </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"><i><span style="color:black">Status:
              Thomas, Volker, Brian and Margie to work together on
              refining this question in advance of the next LC call on
              Tuesday, 1 October.</span></i><span style="color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;margin-left:1.0in"><span
            style="color:black"> </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:black">(Previous text
            proposed by Margie)<i>: </i>Is it permissible under GDPR to
            provide fast, automated, and non-rate limited responses (as
            described in SSAC 101) to nonpublic WHOIS data for properly
            credentialed security practitioners<sup>1 </sup><span
              style="background:yellow;mso-highlight:yellow">(<s>as
                defined in SSAC 101</s>)</span> who are responsible for
            defense against e-crimes (including network operators,
            providers of online services, commercial security services,
            cyber-crime investigators) for use in investigations and
            mitigation activities to protect their network, information
            systems or services (as referenced in GDPR Recital 49) and
            have agreed on appropriate safeguards? Or would any
            automated disclosure carry a potential for liability of the
            disclosing party, or the controllers or processors of such
            data? Can counsel provide examples of safeguards (such as
            pseudonymization/anonymization) that should be considered? 
            <o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
            style="color:black;background:yellow;mso-highlight:yellow">In
            addition, does GDPR prohibit  the SSAD to be designed to
            enable reverse lookups based on contact fields associated
            with domain names that have been identified as being used
            for DNS abuse, such as phishing, malware and/or similar type
            of attacks?  What are the risks associated with reverse
            lookups, and if it is possible to conduct reverse lookups,
            are there steps that can be taken to mitigate any perceived
            risks?</span><span style="color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
        <p class="MsoNormal"><span style="color:black">For purposes of
            this question, please assume the following safeguards are in
            place: <o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:71.25pt"><span
            style="color:black"> <o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;margin-left:1.5in;text-indent:-.25in">
          <span style="font-size:10.0pt;font-family:"Courier
            New";color:black">o</span><span
            style="font-size:7.0pt;font-family:"Times New
            Roman",serif;color:black">    </span><span
            style="color:black">Disclosure is required under CP’s
            contract with ICANN (resulting from Phase 2 EPDP policy).</span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;margin-left:1.5in;text-indent:-.25in">
          <span style="font-size:10.0pt;font-family:"Courier
            New";color:black">o</span><span
            style="font-size:7.0pt;font-family:"Times New
            Roman",serif;color:black">    </span><span
            style="color:black">CP’s contract with ICANN requires CP to
            notify the data subject of the purposes for which, and types
            of entities by which, personal data may be processed. CP is
            required to notify data subject of this with the opportunity
            to opt out before the data subject enters into the
            registration agreement with the CP, and again annually via
            the ICANN-required registration data accuracy reminder. CP
            has done so.</span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
          style="mso-margin-top-alt:auto;margin-left:1.5in;text-indent:-.25in">
          <span style="font-size:10.0pt;font-family:"Courier
            New";color:black">o</span><span
            style="font-size:7.0pt;font-family:"Times New
            Roman",serif;color:black">    </span><span
            style="color:black">ICANN or its designee has
            validated/verified the requestor’s identity, and required in
            each instance that the requestor: </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline"><span
            style="color:black">•                     represents that it
            has a lawful basis for requesting and processing the data,  </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline"><span
            style="color:black">•                     provides its
            lawful basis, </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline"><span
            style="color:black">•                     represents that it
            is requesting only the data necessary for its purpose,  </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline"><span
            style="color:black">•                     agrees to process
            the data in accordance with GDPR, and  </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline"><span
            style="color:black">•                     agrees
            to EU standard contractual clauses for the data transfer.  </span><span
            style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
        <p class="MsoNormal" style="margin-left:1.0in"><span
            style="color:black"> <o:p></o:p></span></p>
        <p class="MsoNormal"><span
            style="color:black;background:yellow;mso-highlight:yellow">Footnote
            1:
            <s>SSAC defines</s> “security practitioners” <s>in SSAC 101
              as those who have a responsibility to perform specific
              types of functions (as specified in Section 3) related to
              the identification and mitigation of malicious activity,
              and the correction of problems that negatively affect
              services and users online.   </s></span><span
            style="font-size:11.0pt;background:yellow;mso-highlight:yellow">  are
            entities that have either legal authority and/or legal
            responsibility to protect their
             technology/network/infrastructure, such as national CERTs,
            and also DSPs.  (See the UK ICO (</span><span
            style="background:yellow;mso-highlight:yellow"><a
href="https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/"
              moz-do-not-send="true">https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/</a>)
            since these types of companies appear to have security
            obligations (<a
href="https://ico.org.uk/for-organisations/the-guide-to-nis/security-requirements/"
              moz-do-not-send="true">https://ico.org.uk/for-organisations/the-guide-to-nis/security-requirements/</a>).</span>
          <o:p></o:p></p>
        <p class="MsoNormal" style="margin-left:1.0in"><span
            style="color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="color:black"> <o:p></o:p></span></p>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
    </blockquote>
    <div class="moz-signature">-- <br>
      Volker A. Greimann<br>
      General Counsel and Policy Manager<br>
      <strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
      <br>
      T: +49 6894 9396901<br>
      M: +49 6894 9396851<br>
      F: +49 6894 9396851<br>
      W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
      <br>
      Key-Systems GmbH is a company registered at the local court of
      Saarbruecken, Germany with the registration no. HR B 18835<br>
      CEO: Alexander Siffrin<br>
      <br>
      Part of the CentralNic Group PLC (LON: CNIC) a company registered
      in England and Wales with company number 8576358.</div>
  </body>
</html>