<div dir="ltr">Colleagues,<div><br></div><div>In preparation for our discussion tomorrow, I created my own summary of the Bird & Bird memo and our recommendations on next steps.  I don't propose to use this instead of the Executive Summary provided by Bird & Bird but wanted to share in the event that (i) Janis can take away more than the fact that it is in [American][lawyer] English and/or (ii) any of you might disagree with the way I have characterized the memo and our recommendations to the plenary.  </div><div><br></div><div>B</div><div><br></div><div><p class="MsoNormal" align="center" style="text-align:center;margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">Summary of Bird &
Bird Memo on Automation Use Cases</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">The legal committee has reviewed Bird & Bird’s draft
memorandum on proposed automation use cases based on a common set of
assumptions provided by the EPDP.  Two
“scenarios” were contemplated for each use case: </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">     
</span></span>In <u>Scenario 1</u> the SSAD/Central Gateway
would make an automated “recommendation” to the relevant CP, which could accept
or reject the recommendation; </p>

<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif"><span style="font-family:Symbol">·<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">     
</span></span>In <u>Scenario 2</u>, the decision to disclose
would be taken by the Central Gateway rather than the CP (either with or
without accessing the actual registrant data before making the decision).  </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"><u>Summary of Bird & Bird Memo</u></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">Noting that the structure and content of Art. 22 GDPR remains
unclear despite EDPB guidance, the Bird & Bird memo recalls that under GDPR
“solely automated” decisions can take place in the SSAD context only where:</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 0.25in;font-size:12pt;font-family:Calibri,sans-serif">1.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>The GDPR does not apply because the requested
data is not personal data;</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.25in;font-size:12pt;font-family:Calibri,sans-serif">2.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>The decision does not have a legal or similarly
significant effect;</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.25in;font-size:12pt;font-family:Calibri,sans-serif">3.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>A Member State derogation applies; or</p>

<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 0.0001pt 0.25in;font-size:12pt;font-family:Calibri,sans-serif">4.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>An applicable Member State law authorizes the
decision.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">Where none of those conditions apply, there must be
meaningful human involvement in the decision making process.  </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">Bird & Bird concludes that:</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">1.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>A decision to disclose information by the SSAD/Central
Gateway is likely to involve processing of personal information, even in the
case where the Central Gateway does not have access to the underlying
registrant data.  (Disclosure of city
data is a possible exception.)</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">2.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Only Scenario 1.a. (automated recommendation to
CP) does not rise to the level of  “solely automated processing.” </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">3.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>While there are potential Member State
derogations/authorizations, they are not uniform and/or uniformly available in
this context.</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">4.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Accordingly, with respect to automated SSAD/Central
Gateway use cases, the question is likely to turn on whether or not the
processing involves a decision with “legal or similarly significant effect.”
Based on the information provided, Bird & Bird concluded that some of the
scenarios clearly involve a decision with legal or similarly significant effects;
some of the scenarios clearly do not; and in the many cases where it is unclear,
additional work is needed.</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">a.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>In this regard, Bird & Bird was asked to
provide guidance with respect to the meaning of “legal or similarly significant
effect.”  The memo notes that the term is
undefined but involves an “elevated threshold.” Bird & Bird was also asked
to opine on the role of the legal concept of proximate cause (roughly speaking,
an action that produces foreseeable consequences without intervention from a
third party) when considering whether a decision to release personal
information about a registrant results in a legal or similarly significant
effect on the data subject.  In this regard,
given sparse authority one way or the other, Bird & Bird recommended
consultation with EDPB/DPAs as to whether or not automated Central Gateway
actions might be permitted as actions taken only in preparation for a decision
involving legal significance and therefore not, in themselves, subject to
Article 22.  </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">b.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Bird & Bird provided a useful summary table (attached)
laying out: the four use cases where, in its view, disclosure would not have a
legal/similarly significant effect;  the
four use cases where it clearly would have that effect; and the six use cases
where this was unclear.  </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">5.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>With respect to the unclear cases, Bird &
Bird provided a list of safeguards including, among other things, consultation
with DPAs and better scoping of each use case and its legal basis.  </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">6.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>With respect to the relationship between a
Contracted Party and SSAD/Central Gateway, Bird & Bird concluded that there
is no scenario in which it would be plausible to argue that CPs are mere
processors.  Further, Bird & Bird
concluded:</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">a.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Under Scenario 1, where the ultimate decision to
disclose personal information about a registrant lies with the CP, the CP and
SSAD/Central Gateway would most likely be considered joint controllers.</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">b.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Under Scenario 2, where SSAD/Central Gateway
(rather than the CP) makes the ultimate disclosure decision, Bird & Bird
opined that it is possible that a CP would be found to be a controller for
purposes of the disclosure of data to ICANN/Central Gateway but not for
disclosure to the third party requesting the data.   (That is not determinative as to whether the
CP would have liability for transfer of data to SSAD/Central Gateway in the
event of wrongful disclosure.)</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif">7.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>With respect to CP liability, Bird & Bird
stated:</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 38.55pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">a.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Where CPs are joint controllers with
SSAD/Central Gateway it is important to clearly allocate tasks and
responsibilities by way of an agreement.</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">b.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>CPs can only avoid joint and several liability
to individuals by demonstrating that they were not in any way involved in the
event giving rise to the damage; the situation is less clear with respect to
liability to DPAs.</p>

<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 0.0001pt 74.55pt;font-size:12pt;font-family:Calibri,sans-serif">c.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Scenario 2 (where SSAD/Central Gateway makes
disclosure decision) presents “lower risk” of liability to CPs, i.e., gives
them a relatively better argument regarding no involvement/lower degree of
responsibility for decision. </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"><u>Recommendations on Next Steps</u></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"><u><span style="text-decoration-line:none"> </span></u></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif">The Legal Committee has asked ICANN Org to develop proposals
for ways in which the following use cases (identified by Bird & Bird as not
rising to the level of having a legal or similarly significant effect on data
subjects) might be automated:</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<p class="gmail-MsoListParagraphCxSpFirst" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif">1.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Access to registrant data by a DPA for purposes
of investigating a data protection infringement allegedly affecting the
registrant;</p>

<p class="gmail-MsoListParagraphCxSpMiddle" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif">2.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>Requests for city field only for the purposes of
(i) evaluating whether to pursue a claim or (ii) statistics;</p>

<p class="gmail-MsoListParagraphCxSpLast" style="margin:0in 0in 0.0001pt 0.5in;font-size:12pt;font-family:Calibri,sans-serif">3.<span style="font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:"Times New Roman"">    
</span>The registrant record contains no personal data.</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:12pt;font-family:Calibri,sans-serif"> </p>

<span style="font-size:12pt;font-family:Calibri,sans-serif">The Legal Committee commends the use cases
identified by Bird & Bird as “unclear” to the small group working on </span><br></div></div>