[Gnso-epdp-team] REVISED: Question for legal advisors

Greg Aaron greg at illumintel.com
Mon Jul 29 19:21:54 UTC 2019


Dear Alan, Mark, legal team:

 

Yes, this issue is a vital one to ask the legal advisers, and we must make
sure they understand the issue.  An additional way to explain it is below.
Feel free to adapt or include any of this suggested language below if you
like.

 

<snip>

 

6(f) says that processing is lawful if it "is necessary for the purposes of
the legitimate interests pursued by the controller or by a third party,
except where such interests are overridden by the interests or fundamental
rights and freedoms of the data subject."   

This language describes a general requirement that must be met.  It does not
describe any specific decision-making process or the threshold that must be
reached to satisfy the balancing test in any specific case.

 

Question: can a data controller rely on advice or assertions that come from
a qualified and trusted party in order to satisfy 6(f)'s balancing test?
If it is possible, then what are the considerations?  If not, why?  

 

Example: a third party is trying to mitigate a phishing attack.  This third
party is the victim of the attack, or is defending its customers.  GDPR
Recital 49 says that processing personal data for such a purpose
"constitutes a legitimate interest of the data controller concerned."  The
third party makes a data request to the controller.  The third party is in
some way accredited, its identity and subject matter expertise are known to
the data controller, and the third party makes representations about the
legitimacy and accuracy of its request.  Can the data processor rely on this
information and relationship?

 

</snip>

 

(And I also assume what you wrote --  accreditation could be withdrawn, the
requestor is following data minimization practices, etc. etc.)

 

BTW, am hoping to move away from "security researcher" as a blanket term to
include those involved in operational security, for some previously
explained reasons.

 

Thanks,

--Greg

 

 

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Alan
Greenberg
Sent: Wednesday, July 24, 2019 11:18 PM
To: EPDP <gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] REVISED: Question for legal advisors

 

At Mark's suggestion, I have reformatted/reworded this for additional
(hopefully) clarity.

==============

Background:

If information is to be requested released to third parties, the controller
or other party(ies) must decide whether the need for the data outweighs the
data subject's right to privacy.

If the decision is made by a human, the competing needs/rights can be
carefully weighed to decide whether the request should be honoured. If we
are to consider any form of automated decision process, it is unlikely that
we can build a sufficiently robust artificial intelligence engine to carry
out the balancing operation. That raises the question of to what extent,
based on appropriate accreditation processes, we can rely on the vetting
during accreditation and the commitments made by the requester in order to
be accredited.

Examples:

As a simple case, if a UDRP provider (who is authenticated as such) makes a
request claiming it is for an ongoing UDRP process, can it be presumed that
it is an authentic request and simply be granted?

For a more nuanced situation, if a cyber security researcher who has been
properly accredited (the Anti-Phishing WG as an example) makes a request for
specific data, can we assume that given the process under which they are
accredited, we can be assured that they need this data, have no practical
alternative way of addressing the issue, and will only use/store the data
appropriately?

Perhaps other specific cases should be cited in the question, but we do need
guidance in the general case. 

Summary:

Without being able to rely on the reputation and assurances of the
requester, I do not see how ANY automated process will be possible.

Question:

If a requester is properly vetted (accredited, authenticated) and has
provided assurances they understand they may only request data that meets
the balance test (i.e. their need is sufficiently great that it warrants
releasing to them otherwise redacted data), can an automated system presume
that the GDPR balancing test has been satisfied?

Of course, accreditation could be revoked if it comes to light that
inappropriate requests are being made.


At 24/07/2019 04:27 PM, Alan Greenberg wrote:



As requested during the last meeting, here is a question to go to the Legal
Committee looking for a clear legal opinion.

===============================

If information is to be requested released to third parties, the controller
or other party(ies) must decide whether the need for the data outweighs the
data subject's right to privacy.

If the decision is made by a human, the competing needs/rights can be
carefully weighed to decide whether the request should be honoured. If we
are to consider any form of automated decision process, it is unlikely that
we can build a sufficiently robust artificial intelligence engine to carry
out the balancing operation. That raises the question of to what extent,
based on appropriate accreditation processes, we can rely on the vetting
during accreditation and the commitments made by the requester in order to
be accredited.

Specifically, if a requester is properly vetted and provides assurances (and
proof?) they understand the balancing that must be done, can the automated
system presume that the balancing test has been satisfied?

Of course, accreditation could be revoked if it comes to light that
inappropriate requests are being made.

In one simple case, if a UDRP provider (who is authenticated as such) makes a
request claiming it is for an ongoing UDRP process, can it be presumed that
it is an authentic request and simply be granted?

A less clear case is that of a cyber security researcher who has been
properly accredited (the Anti-Phishing WG as an example).

Perhaps other specific cases should be cited in the question, but we do need
guidance in the general case. Without being able to rely on the reputation
and assurances of the requester, I do not see how ANY automated process will
be possible.

Alan
