<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Hadia and all,</p>
<p>it is interestion how one can read the same source (the ICO
guide) and come to opposite interpretations of the same provision.
<br>
</p>
<p>The key point is that nothing in the entire article
(<a class="moz-txt-link-freetext" href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/accuracy/?q=fine">https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/accuracy/?q=fine</a>)
refers to any third party rights for accuracy. Instead, the
accuracy principle is always linked either to the purposes or to
the right of the data subject to rectify.<br>
</p>
<p>The requirement of accuracy is directly proportional to the
purposes of the processing in the first place:</p>
<h3><i>Does personal data always have to be up to date?</i></h3>
<i>
</i>
<p><i>This depends on what you use the information for. If you use
the information for a purpose that relies on it remaining
current, you should keep it up to date. (...) In other cases, it
will be equally obvious that you do not need to update
information.</i></p>
<p>What is the actual obligation?</p>
<p><i>In practice, this means that you must:</i></p>
<i>
</i>
<ul>
<li><i>take reasonable steps to ensure the accuracy of any
personal data;</i></li>
<li><i>ensure that the source and status of personal data is
clear;<br>
</i></li>
<li><i>carefully consider any challenges to the accuracy of
information; and</i></li>
<li><i>consider whether it is necessary to periodically update the
information.</i></li>
</ul>
Nothing in the accuracy principle requires the controller or
processor to actively monitor accuracy or enforce it against the
data subject. It is reactive ("<i>Consider challenges</i>"), not
active:
<p><i>In some cases it is reasonable to rely on the individual to
tell you when their personal data has changed, such as when they
change address or other contact details. It may be sensible to
periodically ask individuals to update their own details, but
you do not need to take extreme measures to ensure your records
are up to date, unless there is a corresponding privacy risk
which justifies this.</i></p>
<p>At this time, the obligations of contracted parties with regard
to accuracy of data (verification, validation, accuracy reminders,
etc) already amply overcomply with this requirement. Updates occur
when the data subject updates their data.</p>
<p>Finally, the principle also allows for erasure and no longer
effective for its purpose of inaccurate data. I am not sure that
is the outcome you are looking for. <br>
</p>
<p>The accuracy principle therefore cannot be abused into creating
new obligations, at best it can justify the existing practices
with regard to accuracy arising from the RAA and certain policies.
But in the end, all of these will have to be reviewed with an eye
toward their reasonableness and necessity for the purpose.<br>
</p>
<p>Best,</p>
<p>Volker<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">Am 29.05.2019 um 18:15 schrieb Hadia
Abdelsalam Mokhtar EL miniawi:<br>
</div>
<blockquote type="cite" cite="mid:1559146678669.85920@tra.gov.eg">
<pre class="moz-quote-pre" wrap="">Hi Milton and All,
Milton, there are certainly other aspects to accuracy under GDPR than the one you mention.
As Greg mentions article 5 of the GDPR “ Principles relating to processing of personal data” says
Personal data shall be:
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
According to the Information Commissioner’s Office's (ICO) organizations' guide to data protection, the ICO recommends that organizations consider the following checklist:
o ensure the accuracy of any personal data they create.
o have appropriate processes in place to check the accuracy of the data they collect, and that they record the source of that data.
o have a process in place to identify when they need to keep the data updated to properly fulfill their purpose, and that they update it as necessary.
o If they need to keep a record of a mistake, they clearly identify it as a mistake.
o Their records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.
o Comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data.
o As a matter of good practice, they keep a note of any challenges to the accuracy of the personal data.
The ICO goes on to explain what is new under GDPR, with regard to the accuracy principle, stating that the accuracy principle under GDPR is very similar to the fourth principle of the 1998 Act with two differences
1.The GDPR principle includes a clearer proactive obligation to take reasonable steps to delete or correct inaccurate personal data.
2.The GDPR does not explicitly distinguish between personal data that they create and personal data that someone else provides.
However, the ICO says that the main difference in practice between the GDPR and the previous act is that individuals have a stronger right to have inaccurate personal data corrected under the right to rectification, which is the point you make.
As for when is personal data accurate or inaccurate, the ICO says, “you must be clear about what you intend the record of the personal data to show. What you use it for may affect whether it is accurate or not”
Given all the above, I certainly do not know why we do not have a common understanding of the matter. However, further legal clarification could help us.
Kind regards
Hadia
________________________________
From: Gnso-epdp-team <a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><gnso-epdp-team-bounces@icann.org></a> on behalf of Greg Aaron <a class="moz-txt-link-rfc2396E" href="mailto:greg@illumintel.com"><greg@illumintel.com></a>
Sent: 28 May 2019 18:06
To: 'Mueller, Milton L'; <a class="moz-txt-link-abbreviated" href="mailto:Georgios.TSELENTIS@ec.europa.eu">Georgios.TSELENTIS@ec.europa.eu</a>; <a class="moz-txt-link-abbreviated" href="mailto:caitlin.tubergen@icann.org">caitlin.tubergen@icann.org</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Milton, no, the word “accuracy” does not appear only in GDPR Article 18. It appears most prominently in Article 5, which says:
Art. 5 GDPR Principles relating to processing of personal data
"1. Personal data shall be: ... (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);…
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
There has been discussion in legal and GDPR compliance communities that the above means all of these:
a) Controllers have some responsibilities to take positive steps to ensure data collected from subjects is accurate.
b) Organizations must allow data subjects to rectify inaccuracies. (Your point.)
c) The data controller must carefully consider any challenges to the accuracy of information – no matter where that challenge comes from.
d) Organizations must identify essential steps to erase or rectify inaccurate data without delay. And,
e) Within some limits, the parties to a Date Sharing Agreement are free to agree on terms and conditions applicable to their sharing of data – for example specific obligations and warranties about the accuracy and completeness of data.
How far the above extend, and how they apply to RDS data, is a Phase 2 subject for exploration.
GDPR certainly discourages the submission or maintenance of data that is incorrect or misleading. And Article 5 seems to mean more than “trust implicitly whatever the data subject says, and correct the data only if the data subject itself requests.” The GDPR may contain some balancing mechanisms here, and proportionality is a general principle of EU law.
So, given all that, and because there’s not a common understanding within our group, these issues are definitely good ones to ask Bird & Bird about.
All best,
--Greg
From: Gnso-epdp-team <a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><gnso-epdp-team-bounces@icann.org></a> On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 9:18 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:Georgios.TSELENTIS@ec.europa.eu">Georgios.TSELENTIS@ec.europa.eu</a>; <a class="moz-txt-link-abbreviated" href="mailto:caitlin.tubergen@icann.org">caitlin.tubergen@icann.org</a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Georgios and colleagues:
I think the questions related to accuracy below are not worth sending to the lawyers.
They are based on a fundamental misconception, one which we have identified many times. Accuracy in GDPR and other data protection law is a right _of the data subject_, not a right of third parties to accurate data about the data subject.
To prove this, beyond a shadow of the doubt, let me note that the word “accuracy” appears in GDPR in only two places, in Art 18.
Article 18, Right to restriction of processing:
-----------------------------------------------------------
“The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies: the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;”
So data subjects can contest the accuracy of data about them, or require controllers to verify its accuracy. There is NO OTHER reference to accuracy in the entire GDPR.
Georgios’s questions are based on the assumption that third parties have a right to accurate contact data about the data subject. That assumption was embedded in the old Whois and pre-GDPR Whois accuracy policies, all of which were predicated on indiscriminate publication of the contact data to any and all third parties. That regime is gone. And it’s recognized even by the most militant pro-surveillance interests that such indiscriminate disclosure is illegal.
Likewise, Georgios asks about liability under Article 82 of GDPR. Again all we need to do is actually read Art 82 to find the answer:
Article 82 says “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” So this is a right of PERSONS (data subjects) to compensation based on illegal acts of controllers and processors of THEIR data. It is not a right of third parties to accurate information about the data subject, and it certainly creates no liability for controllers or processors for the inaccuracy of the registrants’ data.
Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
From: Gnso-epdp-team <<a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team-bounces@icann.org">gnso-epdp-team-bounces@icann.org</a><a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><mailto:gnso-epdp-team-bounces@icann.org></a>> On Behalf Of <a class="moz-txt-link-abbreviated" href="mailto:Georgios.TSELENTIS@ec.europa.eu">Georgios.TSELENTIS@ec.europa.eu</a><a class="moz-txt-link-rfc2396E" href="mailto:Georgios.TSELENTIS@ec.europa.eu"><mailto:Georgios.TSELENTIS@ec.europa.eu></a>
Sent: Friday, May 24, 2019 7:02 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:caitlin.tubergen@icann.org">caitlin.tubergen@icann.org</a><a class="moz-txt-link-rfc2396E" href="mailto:caitlin.tubergen@icann.org"><mailto:caitlin.tubergen@icann.org></a>
Cc: <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team@icann.org"><mailto:gnso-epdp-team@icann.org></a>
Subject: Re: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear Caitlin, colleagues,
Please find below questions on the topics of the legal memos from the GAC:
Accuracy
. If current verification statistics provide that a large number of data is inaccurate isn't that a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?
. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?
. Can you provide an analysis on the third-parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors?
. How does the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV pf the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?
. While in the first place it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLD?
Natural or non-natural persons
. How is the (inaccurate or accurate) designation by the registrant about her status as non-natural person considered personal data information? If it's not is the analysis about whether the accuracy principle applies relevant?
. How would the analysis provided take into account the possibility for registrants who are natural persons to "opt-in" for a full publication of their personal data? Indeed it might be the case that some of these registrants might wish to ensure their details are available on WHOIS.
Technical contact
Most of the issue for not allowing this seems to be around the inability to verify if the RNH has obtained consent from the technical contact. When the CP's verify the email address could consent also be confirmed for the term of the registration?
General question:
. How could anonymisatio/pseudonymisation techniques be of help in complying with the GDPR while also allowing for additional disclosure of certain data elements? E.g. use of anonymised/pseudonymised emails and names, in particular in the context of registrations by legal persons.
Apologies again for the delay of our submission.
Georgios Tselentis (GAC-EPDP)
From: Gnso-epdp-team <<a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team-bounces@icann.org">gnso-epdp-team-bounces@icann.org</a><a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><mailto:gnso-epdp-team-bounces@icann.org></a>> On Behalf Of Caitlin Tubergen
Sent: Wednesday, May 22, 2019 5:22 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team@icann.org"><mailto:gnso-epdp-team@icann.org></a>
Subject: [Gnso-epdp-team] For your review - Clarifying Legal Questions Table
Dear EPDP Team,
Following up on an action item from our last meeting, please find attached a table which organizes the clarifying legal questions received to date. We will discuss the table during our next meeting.
Please note that the deadline for submitting additional clarifying questions is before 14:00 UTC on Thursday, 23 May. If additional questions come in before the deadline, we will update the table accordingly.
Thank you.
Best regards,
Marika, Berry, and Caitlin
_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
</pre>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>