<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Courier New \;color\:black";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
p.paragraph, li.paragraph, div.paragraph
{mso-style-name:paragraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle32
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">Thank you, Volker.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">I would not add the language you suggest about not conducting a balancing test. Rather, I think the balancing test would be made in an automated fashion in this case, or at least that’s what
we should ask. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">I would also not strike the bullet language about disclosure being required, as it sounds like indemnification will not be required with ICANN as the “sole decider.”
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">I don’t think I mind striking “legal authority” but it is important to be clear that this question is asking about entities with a legal obligation, and thus probably a 6.1.c. basis for their
own processing. I like the SSAC 101 and the UK ICO definitions and examples of such entities, and am happy to discuss. Perhaps the question boils down to whether the following math problem adds up:
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">Requestor has such a legal obligation (perhaps 6.1.c. basis for their own processing)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">+<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">Safeguards (accreditation, notice to data subject, data minimization, AUP for the requestor including representations around further use and retention)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">=<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">Automated decision in favor of disclosure<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext">This is my understanding of what we’re getting at. Let’s ask B&B if we have enough above the = or alternatively if we need more safeguards and controls to arrive at a correct equation.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:10.0pt">Brian J. King
</span></b><span lang="EN-GB" style="font-size:10.0pt"> <br>
Director of Internet Policy and Industry Affairs<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="font-size:10.0pt">T +1 443 761 3726</span><u><span style="font-size:10.0pt;color:#0563C1"><a href="http://www.markmonitor.com"><span lang="EN-GB"><br>
</span>markmonitor.com</a></span></u><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:windowtext"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span lang="EN-GB" style="font-size:10.0pt">MarkMonitor<br>
</span></b><span lang="EN-GB" style="font-size:10.0pt">Protecting companies and consumers in a digital world<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:windowtext">From:</span></b><span style="font-size:11.0pt;color:windowtext"> Gnso-epdp-legal <gnso-epdp-legal-bounces@icann.org>
<b>On Behalf Of </b>Volker Greimann<br>
<b>Sent:</b> Tuesday, October 15, 2019 9:22 AM<br>
<b>To:</b> gnso-epdp-legal@icann.org<br>
<b>Subject:</b> [Gnso-epdp-legal] Fwd: Re: Updated Question 11<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi all, <span style="font-size:11.0pt"><o:p></o:p></span></p>
<p>in response to Beckys request, I am resending my original message requesting changes.<o:p></o:p></p>
<p>Best,<o:p></o:p></p>
<p>Volker<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
-------- Weitergeleitete Nachricht -------- <o:p></o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>Betreff: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Re: [Gnso-epdp-legal] Updated Question 11<o:p></o:p></p>
</td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>Datum: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Tue, 1 Oct 2019 17:57:19 +0200<o:p></o:p></p>
</td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>Von: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Volker Greimann <a href="mailto:vgreimann@key-systems.net"><vgreimann@key-systems.net></a><o:p></o:p></p>
</td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal" align="right" style="text-align:right"><b>An: <o:p></o:p></b></p>
</td>
<td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="mailto:gnso-epdp-legal@icann.org">gnso-epdp-legal@icann.org</a><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<p>Dear team, <o:p></o:p></p>
<p>please find attached a first commentary on the proposed question 11 outlining some issues and proposing some edits.<o:p></o:p></p>
<p>Best,<o:p></o:p></p>
<p>volker<o:p></o:p></p>
<div>
<p class="MsoNormal">Am 01.10.2019 um 15:56 schrieb Margie Milam:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi-</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Here’s my proposal based on prior discussions with Brian, Thomas & Volker. Please note that this language is not reviewed yet by Thomas, Brian & Volker, but I am sharing for the purposes of discussion today.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">__________________________</span><o:p></o:p></p>
<p class="MsoNormal"><b><u>Updated Question 11</u></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:1.0in"> <o:p></o:p></p>
<p class="MsoNormal"><i>Status: Thomas, Volker, Brian and Margie to work together on refining this question in advance of the next LC call on Tuesday, 1 October.</i><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:1.0in"> <o:p></o:p></p>
<p class="MsoNormal">(Previous text proposed by Margie)<i>: </i>Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners<sup>1 </sup><span style="background:yellow;mso-highlight:yellow">(<s>as
defined in SSAC 101</s>)</span> who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect
their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such
data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?
<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="background:yellow;mso-highlight:yellow">In addition, does GDPR prohibit the SSAD to be designed to enable reverse lookups based on contact fields associated with domain names that have been identified as being used for DNS
abuse, such as phishing, malware and or similar type of attacks? What are the risks associated with reverse lookups, and if it is possible to conduct reverse lookups, are there steps that can be taken to mitigate any perceived risks?</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">For purposes of this question, please assume the following safeguards are in place: <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:71.25pt"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:1.5in;text-indent:-.25in">
<span style="font-size:10.0pt;font-family:"Courier New ;color:black",serif">o</span><span style="font-size:7.0pt"> </span>Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:1.5in;text-indent:-.25in">
<span style="font-size:10.0pt;font-family:"Courier New ;color:black",serif">o</span><span style="font-size:7.0pt"> </span>CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal
data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder.
CP has done so.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:1.5in;text-indent:-.25in">
<span style="font-size:10.0pt;font-family:"Courier New ;color:black",serif">o</span><span style="font-size:7.0pt"> </span>ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline">
• represents that it has a lawful basis for requesting and processing the data, <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline">
• provides its lawful basis, <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline">
• represents that it is requesting only the data necessary for its purpose, <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline">
• agrees to process the data in accordance with GDPR, and <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-left:163.0pt;text-indent:-37.0pt;vertical-align:baseline">
• agrees to EU standard contractual clauses for the data transfer. <o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
<p class="MsoNormal"><span style="background:yellow;mso-highlight:yellow">Footnote 1:
<s>SSAC defines</s> “security practitioners” <s>in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems
that negatively affect services and users online. </s></span><span style="font-size:11.0pt;background:yellow;mso-highlight:yellow"> are entities that have either legal authority and/or legal responsibility to protect their technology/network/infrastructure,
such as national CERTs, and also DSPs. (See the UK ICO (</span><span style="background:yellow;mso-highlight:yellow"><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ico.org.uk_for-2Dorganisations_the-2Dguide-2Dto-2Dnis_digital-2Dservice-2Dproviders_&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=xeXHSQy6Jg3NeENvgZ2sqoBiOr3J07ArOU4MUONzwU4&s=avDrp6cxNXTZKuZCGeGUDM-Cgi0HhyR9IzaQzQAiu3Y&e=">https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/</a>)
since these types of companies appear to have security obligations (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ico.org.uk_for-2Dorganisations_the-2Dguide-2Dto-2Dnis_security-2Drequirements_&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=xeXHSQy6Jg3NeENvgZ2sqoBiOr3J07ArOU4MUONzwU4&s=5R4dCyK71voQGm83RO7mPQTr5MU4wMXYqIbyvBJCJUE&e=">https://ico.org.uk/for-organisations/the-guide-to-nis/security-requirements/</a>).</span>
<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:1.0in"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Gnso-epdp-legal mailing list<o:p></o:p></pre>
<pre><a href="mailto:Gnso-epdp-legal@icann.org">Gnso-epdp-legal@icann.org</a><o:p></o:p></pre>
<pre><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dlegal&d=DwMDaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=KG5MFWU2-JvaxtUF0XnWQGtBmZC2TVHP0zw9h7qtbhY&s=0-w_IQmUX66vip81ZSLj5p-FIHYWVP3Nx-1aNjeTHek&e=">https://mm.icann.org/mailman/listinfo/gnso-epdp-legal</a><o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMDaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=KG5MFWU2-JvaxtUF0XnWQGtBmZC2TVHP0zw9h7qtbhY&s=sGcgXAj77oDTF6RRWe_qMeEMuKXxjPBsNl6a90eieiI&e=">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMDaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=KG5MFWU2-JvaxtUF0XnWQGtBmZC2TVHP0zw9h7qtbhY&s=8aJG1DoCfzv8oTPiE3KvWykw821oWvQ0azMx1mFCTks&e=">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<o:p></o:p></pre>
</blockquote>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong><span style="font-family:"Calibri",sans-serif">KEY-SYSTEMS GMBH</span></strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net&d=DwMDaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=KG5MFWU2-JvaxtUF0XnWQGtBmZC2TVHP0zw9h7qtbhY&s=BU6BKqsQqUkGy3YuVXsZ4iOkHD_yUtW7sTS8pvVeNf4&e=">
www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.<o:p></o:p></span></p>
</div>
</div>
</div>
</body>
</html>