<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Chris,</p>
<p>it really depends what one means by the term Unified Access
Model. <br>
</p>
<p>Currently under the temp spec, we have a system that introduces
many uncertainties as basically every contracted party is asked to
make up their own access model and define the terms of access. A
requester does not clearly know what is being required to be
granted disclosure and many contracted parties also have
difficulties defining hard and fast rules.<br>
</p>
<p>Clearly, this is unsustainable for the future, as the EC clearly
states as a requester will have to accommodate the requirements of
every single model and still will not have certainty of the
disclosure. However this does not mean that the basic principle is
flawed.</p>
<p>Ultimately, the existing models developed by the parties will
have to be condensed or refined into a unified model with clear
rules of what is being expected of them when they make a request
and that provides for a set of requirements that when met will
result in a certain outcome. This model can still take into
account the various legal requirements a contracted party may face
under its applicable jurisdiction, but it would reduce the variety
that a requester has to put in.</p>
<p>Let's take the following example:</p>
<p>Law enforcement agencies A and B are in different jurisdictions.
A is in the jurisdiction of the contracted party holding the data,
B is not. Under a unified model, both would now be able to
immediately find out the requirements for disclosure of the data
needed for their investigation. Ideally, the template to use for
them would be the same but the output they get may be different.
All EU Member States' authorities would under such a model obtain
the ability to obtain legitimate access to the data needed to
enforce laws in compliance with the requirements and restrictions
put in place by the applicable national laws. <br>
</p>
<p>I am sure no one here is advocating or proposing we allow anyone
to circumvent the restrictions put in place by the applicable
national laws.<br>
</p>
<p>Accreditation and certification also still have a place as they
reduce the time needed to provide evidence of identity of the
requester from having to do this every time to having to do this
only every couple of years. <br>
</p>
<p>I do not see a conflict with anything I have proposed with
anything in the response letter. Nothing in that letter requires
an all-access model. <br>
</p>
<p>Developing a unified access model that meets the needs of law
enforcement and public agencies within the framework of their
right to access such data provided for in their applicable
national laws is absolutely doable, centrally or distributedly
implementable and consistent with the advice we just received. <br>
</p>
<p>Best regards,</p>
<p>Volker<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 03.05.2019 at 15:41, Chris
Disspain wrote:<br>
</div>
<blockquote type="cite"
cite="mid:9E20E5D9-C562-4721-A161-99093067C3C8@disspain.uk">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div style="font-family: 'Verdana', 'Verdana'; font-size: 10pt;
color: rgba(102, 102, 102, 1.0);">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
line-break: after-white-space;" class="">Hi Volker,
<div class=""><br class="">
</div>
<div class="">Thanks for such a quick response commenting on
the letter. </div>
<div class=""><br class="">
</div>
<div class="">I do not agree that the selected quotes that you
have used lead to the conclusion that the EC ‘basically
support’ a view that you propound.</div>
<div class=""><br class="">
</div>
<div class="">In addition and speaking personally, I think:</div>
<div class=""><br class="">
</div>
<div class="">…."<font class="" size="3" face="Times New
Roman">we have constantly urged ICANN and the community to
develop a </font><b style="font-family: 'Times New Roman'; font-size: 12pt;" class="">unified
access model </b><font class="" size="3" face="Times New
Roman">that applies to all registries and registrars and
provides a stable, predictable,
and workable method for accessing non-public gTLD
registration data for users with a
legitimate interest or other legal basis as provided for
in the General Data Protection
Regulation (GDPR). The European Commission considers this
to be both </font><b style="font-family: 'Times New Roman'; font-size: 12pt;" class="">vital and
urgent,</b><font class="" size="3" face="Times New Roman">
and we urge ICANN and the community to develop and
implement a pragmatic
and workable access model in the shortest timeframe
possible, to which we will
contribute actively.”…..</font></div>
<div class=""><br class="">
</div>
<div class="">….clearly shows that the EC supports a UAM which
by definition means that the concept of a UAM is perfectly
acceptable under GDPR.</div>
<div class=""><br class="">
</div>
<div class="">I think:</div>
<div class=""><br class="">
</div>
<div class="">…."<span style="font-size: 12pt; font-family: 'Times New Roman';" class="">As the Commission
already noted, <b class="">the current situation</b>
where access to non-public
registration data for public policy objectives is left at
the discretion of registries and
registrars <b class="">affects the EU </b></span><span
style="font-size: 12pt; font-family: 'Times New Roman';" class=""><b class="">Member States
authorities’ ability to obtain legitimate access to
</b></span><span style="font-size: 12pt; font-family: 'Times New Roman';" class=""><b class="">non-public
registration data </b>necessary to enforce the law
online, including in relation to
the fight against cybercrime. </span><font class=""
size="3" face="Times New Roman">The need to ensure
effective and secure treatment of third
party access requests requires therefore ICANN and the
community developing a <b class="">unified</b>
method for accessing non-public gTLD registration
data.”…..</font></div>
<div class=""><br class="">
</div>
<div class="">….clearly demonstrates that the EC is unhappy
with the status quo and that in their view a UAM is
essential.</div>
<div class=""><br class="">
</div>
<div class="">and I think:</div>
<div class=""><br class="">
</div>
<div class="">…."<span style="font-family: 'Times New Roman'; font-size: 12pt;" class="">Accordingly, we
consider that a clear distinction needs to be made between
ICANN's
own purposes for processing personal data and the purposes
pursued by the third parties
in accessing the data. </span><span style="font-size: 12pt; font-family: 'Times New Roman';" class="">For
this reason, we would recommend revising the formulation
of
purpose two by excluding the second part of the purpose "</span><span
style="font-size: 12pt; font-family: 'Times New Roman,Italic';" class="">through enabling responses
to
lawful data disclosure requests" </span><span
style="font-size: 12pt; font-family: 'Times New Roman';" class="">and <b class="">maintaining a
broader purpose</b> to </span><span style="font-size: 12pt; font-family: 'Times New Roman,Italic';"
class="">"contribute to the
maintenance of the security, stability, and resiliency of
the Domain Name System in
accordance with ICANN's mission"</span><span
style="font-size: 12pt; font-family: 'Times New Roman';" class="">, which is at the core of the role
of ICANN as the
</span><span style="font-size: 12pt; font-family: 'Times New Roman';" class="">“guardian” of the D</span><span
style="font-size: 12pt; font-family: 'Times New Roman';" class="">omain Name System.</span></div>
<div class="page" title="Page 2">
<div class="layoutArea">
<div class="column">
<p class="">…..means that the EC’s view is that attempts
to narrow ICANN’s purpose are counter-productive and
the current wording needs to be revisited.</p>
</div>
</div>
</div>
<div class=""><br class="">
</div>
<div class=""><span style="color: rgb(148, 67, 251);" class=""><br
class="">
</span></div>
<div class=""><span style="color: rgb(148, 67, 251);" class="">Cheers,</span><br
class="">
<div class=""><span id="um_signature_marker_begin" class="">
<div style="font-family: 'Verdana', 'Verdana';
font-size: 10pt; color: rgba(102, 102, 102, 1.0);"
class="">
<div dir="auto" style="caret-color: rgb(0, 0, 0);
color: rgb(0, 0, 0); letter-spacing: normal;
orphans: auto; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal; widows:
auto; word-spacing: 0px; -webkit-text-size-adjust:
auto; -webkit-text-stroke-width: 0px;
text-decoration: none; word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;" class="">
<div style="font-family: Verdana, Verdana;
font-size: 10pt; color: rgb(102, 102, 102);"
class="">
<div style="color: rgb(0, 0, 0); letter-spacing:
normal; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width:
0px; word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing:
normal; text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
word-spacing: 0px; -webkit-text-stroke-width:
0px; word-wrap: break-word; -webkit-nbsp-mode:
space; line-break: after-white-space;"
class="">
<p class="p3" style="margin: 0px; font-style:
normal; font-variant-ligatures: normal;
font-variant-caps: normal;
font-variant-east-asian: normal;
font-variant-position: normal; font-weight:
normal; font-size: 13px; line-height:
normal; font-family: Verdana; color:
rgb(148, 67, 251); min-height: 16px;
letter-spacing: normal; text-align: start;
text-indent: 0px; text-transform: none;
white-space: normal; word-spacing: 0px;
-webkit-text-stroke-width: 0px;"><br
class="">
</p>
<p class="p2" style="margin: 0px; font-style:
normal; font-variant-ligatures: normal;
font-variant-caps: normal;
font-variant-east-asian: normal;
font-variant-position: normal; font-weight:
normal; font-size: 13px; line-height:
normal; font-family: Verdana; color:
rgb(148, 67, 251); letter-spacing: normal;
text-align: start; text-indent: 0px;
text-transform: none; white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;">CD</p>
</div>
</div>
</div>
</div>
</div>
<span id="um_signature_marker_end" class=""></span></span></div>
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 3 May 2019, at 15:29, Volker Greimann
&lt;<a href="mailto:vgreimann@key-Systems.net"
class="" moz-do-not-send="true">vgreimann@key-Systems.net</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<p class="">Thank you Chris for forwarding this. <br
class="">
</p>
<p class="">As expected, the response is very
helpful in providing further clarity in how future
disclosure models should work and it is also very
helpful that they provided a quick response just
in time to the start of our deliberations. <br
class="">
</p>
<p class="">By stating that access should be enabled
"<i class=""><u class="">upon request </u>(...) <u
class="">showing a legitimate interest</u>,
provided both the controller (...) and the third
party <u class="">have a legal basis </u>for
such processing (...)" </i>they basically
support a point many participants of Phase 1 have
been making all along in this debate:</p>
<p class=""><u class="">Disclosure can only work on
a per-request basis and each such request must
show both the legitimate interest for the
disclosure and the legal basis for the
processing activity requested for all parties
involved in the disclosure.</u></p>
<p class="">This explicitly excludes any concepts of
"all-access" models where a requester need only
acquire some form of certification or
accreditation prior to being restored to the
access to the whois of yore. I therefore propose
that we abandon these concepts at the start of our
deliberations to avoid wasting time on ultimately
futile debates. <br class="">
</p>
<p class="">Another shortcut we could use to save
time is to initially focus our discussions of the
UDM (Unified Disclosure Model) by looking
exclusively at those parties with the best legal
basis for disclosure: national law enforcement
agencies and other public authorities in the same
jurisdiction as the data controller. Once we have
a model for these parties, the rest can follow
from there. Obviously, the disclosure methods
these parties have legal rights to (that turn into
legal obligations for the data compliance) would
vary on the legal bases of their appropriate
jurisdictions and that is ultimately something
that we would need to ask the individual GAC
members to provide for example. <br class="">
</p>
<p class="">For example, we could start out by
asking GAC members to provide data on how
individual law enforcement bodies and public
authorities have to go about in their specific
jurisdiction with obtaining data from comparable
data controllers, like telephone companies,
internet access providers or hosting providers.
Are there special processes that entities would
need to follow? If so, could our model be based on
these processes for these jurisdictions? If, for
example, a local police has to obtain a court
warrant or subpoena to demand disclosure of personal
data held by a webhoster, is that not also
sufficiently equivalent to a demand towards a
contracted party? This does mean we would have to
vary our model by jurisdiction, but ultimately it
seems to be the most legally sound way to operate.
This is also supported by the letter, which
states: "<i class="">Instead, they need to rely on
another legal basis, which is normally provided
for in national law.</i>" It is the job of the
GAC to tell us what this legal basis is in each
instance and it is our job to reflect this basis
in our model for access of the entities so
entitled.<br class="">
</p>
<p class="">Best regards,</p>
<p class="">Volker Greimann<br class="">
</p>
<p class=""><br class="">
</p>
<div class="moz-cite-prefix">On 03.05.2019 at 13:10,
Chris Disspain wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:73F2C0D3-F5EC-42D2-BA2D-4897F8FE6BCB@disspain.uk"
class="">
<meta http-equiv="content-type"
content="text/html; charset=UTF-8" class="">
<div style="font-family: 'Verdana', 'Verdana';
font-size: 10pt; color: rgba(102, 102, 102,
1.0);" class="">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; line-break:
after-white-space;" class="">Hello All,
<div class=""><br class="">
</div>
<div class="">As you will know, on 26 April
Göran Marby wrote to the European Commission
seeking additional information regarding
their comments of 17 April. That letter is
attached for ease of reference. </div>
<div class=""><br class="">
</div>
<div class="">A response has now been received
from the Commission and I attach that for
your information. <br class="">
<div class=""><span
id="um_signature_marker_begin" class="">
<div style="font-family: 'Verdana',
'Verdana'; font-size: 10pt; color:
rgba(102, 102, 102, 1.0);" class="">
<div dir="auto" style="caret-color:
rgb(0, 0, 0); letter-spacing:
normal; text-align: start;
text-indent: 0px; text-transform:
none; white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width: 0px;
text-decoration: none; word-wrap:
break-word; -webkit-nbsp-mode:
space; line-break:
after-white-space;" class="">
<div class="">
<div style="font-family: Verdana,
Verdana; font-size: 10pt; color:
rgb(102, 102, 102);" class="">
<div style="letter-spacing:
normal; text-align: start;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width:
0px; word-wrap: break-word;
-webkit-nbsp-mode: space;
line-break:
after-white-space;" class="">
<div style="letter-spacing:
normal; text-align: start;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width:
0px; word-wrap: break-word;
-webkit-nbsp-mode: space;
line-break:
after-white-space;" class="">
<div style="margin: 0px;
font-style: normal;
font-variant-ligatures:
normal; font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal; font-weight:
normal; font-size: 12px;
line-height: normal;
font-family: Helvetica;
min-height: 14px;
letter-spacing: normal;
text-align: start;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width:
0px;" class=""><br
class="Apple-interchange-newline">
<br class="">
</div>
<div style="margin: 0px;
font-style: normal;
font-variant-ligatures:
normal; font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal; font-weight:
normal; font-size: 13px;
line-height: normal;
font-family: Verdana;
color: rgb(148, 67, 251);
letter-spacing: normal;
text-align: start;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width:
0px;" class="">Cheers,</div>
<div style="margin: 0px;
font-style: normal;
font-variant-ligatures:
normal; font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal; font-weight:
normal; font-size: 13px;
line-height: normal;
font-family: Verdana;
color: rgb(148, 67, 251);
min-height: 16px;
letter-spacing: normal;
text-align: start;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width:
0px;" class=""><br
class="">
</div>
<div style="margin: 0px;
font-style: normal;
font-variant-ligatures:
normal; font-variant-caps:
normal;
font-variant-east-asian:
normal;
font-variant-position:
normal; font-weight:
normal; font-size: 13px;
line-height: normal;
font-family: Verdana;
color: rgb(148, 67, 251);
letter-spacing: normal;
text-align: start;
text-indent: 0px;
text-transform: none;
white-space: normal;
word-spacing: 0px;
-webkit-text-stroke-width:
0px;" class="">CD</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
</div>
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org" moz-do-not-send="true">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" moz-do-not-send="true">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a></pre>
</blockquote>
<div class="moz-signature">-- <br class="">
Volker A. Greimann<br class="">
General Counsel and Policy Manager<br class="">
<strong style="border-bottom: 3px solid #5C46B5"
class="">KEY-SYSTEMS GMBH</strong><br class="">
<br class="">
T: +49 6894 9396901<br class="">
M: +49 6894 9396851<br class="">
F: +49 6894 9396851<br class="">
W: <a class="moz-txt-link-abbreviated"
href="http://www.key-systems.net/"
moz-do-not-send="true">www.key-systems.net</a><br
class="">
<br class="">
Key-Systems GmbH is a company registered at the
local court of Saarbruecken, Germany with the
registration no. HR B 18835<br class="">
CEO: Alexander Siffrin<br class="">
<br class="">
Part of the CentralNic Group PLC (LON: CNIC) a
company registered in England and Wales with
company number 8576358.</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>