<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Thank you Caitlin<br clear="all"></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">I would like to one more time to mention that this group was not a representative group of EPDP. NCSG was under-represented vis a vis CSG, which is unfortunate. </div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">My comments on some of the questions: </div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">"</div><ol start="2" type="1" style="margin-top:0in"><li class="gmail-m_8830451728902529051MsoListParagraph" style="margin-left:15px;color:black;margin-top:0in;margin-bottom:0.0001pt">To what extent, if any, are contracted parties liable when a third party that accesses non-public WHOIS data under an accreditation scheme where by the accessor is accredited for the stated purpose, commits to certain reasonable safeguards similar to a code of conduct regarding use of the data, but misrepresents their intended purposes for processing such data, and subsequently processes it in a manner inconsistent with the stated purpose. Under such circumstances, if there is possibility of liability to contracted parties, are there steps that can be taken to mitigate or reduce the risk of liability to the contracted parties?<span class="gmail_default" style="font-family:verdana,sans-serif">"</span></li></ol><span style="color:black"><span class="gmail_default" style="font-family:verdana,sans-serif"></span></span><div><span style="color:black"><span class="gmail_default" style="font-family:verdana,sans-serif">Why was it decided to add this question? We are supposed to have an SSAD that facilitates disclosure but also holds the abusers of WHOIS data accountable. </span><span class="gmail_default" style="font-family:verdana,sans-serif">If the law has assigned liability to this case it is to incentivize the parties to conduct the disclosure with due diligence and care and have an interest in holding the abuser accountable. By asking this question (and asking for mitigating liability in general) we are weakening the data protection system in WHOIS. I don't think that is our aim. Our aim is to facilitate disclosure and protecting domain name registrants data.</span></span></div><div><span style="color:black"><span class="gmail_default" style="font-family:verdana,sans-serif"><br></span></span></div><div><div class="gmail_default" style="font-family:verdana,sans-serif">****</div><br></div><div><span style="color:black"><span class="gmail_default" style="font-family:verdana,sans-serif"><br></span></span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail_default" style="font-family:verdana,sans-serif">Q: 3. </span>is it legally permissible under Article 6(1)(f) to:<br> define specific categories of requests from accredited parties (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or</blockquote><div><br></div><div> </div><div><div class="gmail_default" style="font-family:verdana,sans-serif">Didn't we specifically say that having "user groups" should not result in "automation of disclosure"? I understand that you are talking about "categories of requests" here but also you are talking about automating the "accredited parties" submission and disclosure without checking their qualifications every time. I am concerned that this might actually lead to creating user groups request/disclosure automation. </div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><span style="color:rgb(0,0,0);font-family:Arial,Helvetica,sans-serif;font-size:14.6667px">In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).</span></blockquote><div><br></div><div><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Can we please ask the question on how to perform a balancing test regardless of being able to automate disclosure/submission steps? Unless you want to ask how to carry out a balancing test while also automating the steps. If that is the case I think it should be clearer and please refrain from using the passive voice especially in Q 3. Also a general question about how to carry out the balancing test might not be a bad idea since we are in a deadlock about it. </div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Best</div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">Farzaneh </div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><br></div><div><font color="#000000" face="verdana, sans-serif"><br></font></div><div><font color="#000000" face="verdana, sans-serif"><br></font><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><font face="verdana, sans-serif">Farzaneh </font></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Aug 29, 2019 at 1:43 AM Caitlin Tubergen <<a href="mailto:caitlin.tubergen@icann.org">caitlin.tubergen@icann.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US"><div class="gmail-m_8830451728902529051WordSection1"><p class="MsoNormal"><span style="font-size:11pt;color:black">Dear EPDP Team,<u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black">On behalf of the Phase 2 EPDP Legal Committee, please find the first set of legal questions the Legal Committee has agreed to send to outside counsel.<span class="gmail-m_8830451728902529051apple-converted-space"> </span><u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black">As a reminder, the below text has been reviewed, edited, and agreed to by a representative group of EPDP Team Members, and, as such, EPDP Leadership would ask the EPDP Team to apply the “cannot live with” standard it its review of the below questions.<u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black">Thank you.<u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black">Best regards,<u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><div style="border-top:none;border-right:none;border-left:none;border-bottom:1.5pt solid windowtext;padding:0in 0in 1pt"><p class="MsoNormal" style="border:none;padding:0in;font-variant-caps:normal;text-align:start;word-spacing:0px"><span style="font-size:11pt;color:black">Marika, Berry, and Caitlin<u></u><u></u></span></p></div><p class="MsoNormal"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px"><u><span style="font-size:11pt;color:black">Questions to Outside Counsel: Batch 1 <u></u><u></u></span></u></p><p class="MsoNormal"><u><span style="font-size:11pt;color:black"><u></u><span style="text-decoration:none"> </span><u></u></span></u></p><ol style="margin-top:0in" start="1" type="1"><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-top:0in;margin-bottom:0.0001pt;vertical-align:baseline">Consider a System for Standardized Access/Disclosure where: <u></u><u></u></li></ol><ul style="margin-top:0in" type="disc"><ul style="margin-top:0in" type="circle"><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-bottom:0.0001pt;vertical-align:baseline">contracted parties “CPs” are contractually required by ICANN to disclose registration data including personal data, <u></u><u></u></li><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-bottom:0.0001pt;vertical-align:baseline">data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body, <u></u><u></u></li><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-bottom:0.0001pt;vertical-align:baseline">the accreditation is carried out by third party commissioned by ICANN without CP involvement, <u></u><u></u></li><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-bottom:0.0001pt;vertical-align:baseline">disclosure takes place in an automated fashion without any manual intervention, <u></u><u></u></li><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-bottom:0.0001pt;vertical-align:baseline">data subjects are being duly informed according to ICANN’s contractual requirements of the purposes for which, and types of entities by which, personal data may be processed. CP’s contract with ICANN also requires CP to notify data subject about this potential disclosure and third-party processing before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. <u></u><u></u></li></ul></ul><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:17.25pt;margin-bottom:0.0001pt;text-indent:0.5in;vertical-align:baseline"><span style="color:black">Further, assume the following safeguards are in place <u></u><u></u></span></p><ul style="margin-top:0in" type="disc"><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-left:35.25pt;margin-bottom:0.0001pt;vertical-align:baseline">ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: <u></u><u></u></li></ul><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:152.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><u></u><span style="color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">represents that it has a lawful basis for requesting and processing the data, <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:152.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><u></u><span style="color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">provides its lawful basis, <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:152.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><u></u><span style="color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">represents that it is requesting only the data necessary for its purpose, <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:152.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><u></u><span style="color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">agrees to process the data in accordance with GDPR, and <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:152.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><u></u><span style="color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">agrees to EU standard contractual clauses for the data transfer. <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin:0in 0in 0.0001pt;vertical-align:baseline"><span style="color:black"> <u></u><u></u></span></p><ul style="margin-top:0in" type="disc"><li class="gmail-m_8830451728902529051paragraph" style="color:black;margin-left:35.25pt;margin-bottom:0.0001pt;vertical-align:baseline">ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject. <u></u><u></u></li></ul><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:53.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><span style="color:black">1. What risk or liability, if any, would the CP face for the processing activity of disclosure in this context, including the risk of a third party abusing or circumventing the safeguards?<u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:53.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><span style="color:black">2. Would you deem the criteria and safeguards outlined above sufficient to make disclosure of registration data compliant? If any risk exists, what improved or additional safeguards would eliminate<sup>1</sup> this risk? <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:53.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><span style="color:black">3. In this scenario, would the CP be a controller or a processor<sup>2</sup>, and to what extent, if at all, is the CP’s liability impacted by this controller/processor distinction? <u></u><u></u></span></p><p class="gmail-m_8830451728902529051paragraph" style="margin-right:0in;margin-left:53.25pt;margin-bottom:0.0001pt;vertical-align:baseline"><span style="color:black">4. Only answer if a risk still exists for the CP: If a risk still exists for the CP, what additional safeguards might be required to eliminate CP liability depending on the nature of the disclosure request, i.e. depending on whether data is requested e.g. by private actors pursuing civil claims or law enforcement authorities depending on their jurisdiction or the nature of the crime (misdemeanor or felony) or the associated sanctions (fine, imprisonment or capital punishment)?<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:35.25pt"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black">Footnote 1:<span class="gmail-m_8830451728902529051apple-converted-space"> </span>“<span style="background:rgb(252,252,252)">Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.“ (</span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__iapp.org_media_pdf_resource-5Fcenter_wp217-5Flegitimate-2Dinterests-5F04-2D2014.pdf&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=WmQKTNAW4Y5U-c0lyA5XiCXNYR3bBOIeUD3JHAistCY&s=sWyYss17bzERUGYmyRgrLIYOWeEFfEm8TK82oD0K4Yg&e=" target="_blank"><span style="color:black;background:rgb(252,252,252)">https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf</span><span class="gmail-m_8830451728902529051apple-converted-space"><span style="color:black"> </span></span><span style="color:black">[iapp.org]</span></a><span style="background:rgb(252,252,252)">)</span><u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black">Footnote 2:<span class="gmail-m_8830451728902529051apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ec.europa.eu_info_law_law-2Dtopic_data-2Dprotection_reform_rules-2Dbusiness-2Dand-2Dorganisations_obligations_controller-2Dprocessor_what-2Ddata-2Dcontroller-2Dor-2Ddata-2Dprocessor-5Fen&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=WmQKTNAW4Y5U-c0lyA5XiCXNYR3bBOIeUD3JHAistCY&s=VLfFI2qvdMLP-znynFRMTpavBVBxa6oxjPohOdyWao0&e=" title="https://urldefense.proofpoint.com/v2/url?u=https-3A__ec.europa.eu_info_law_law-2Dtopic_data-2Dprotection_reform_rules-2Dbusiness-2Dand-2Dorganisations_obligations_controller-2Dprocessor_what-2Ddata-2Dcontroller-2Dor-2Ddata-2Dprocessor-5Fen&d=DwMGaQ&c=FmY1" target="_blank"><span style="color:black">https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en [ec.europa.eu]</span></a><u></u><u></u></span></p><div style="border-top:none;border-right:none;border-left:none;border-bottom:1.5pt solid windowtext;padding:0in 0in 1pt"><p class="MsoNormal" style="border:none;padding:0in"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p></div><p class="MsoNormal"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><ol style="margin-top:0in" start="2" type="1"><li class="gmail-m_8830451728902529051MsoListParagraph" style="color:black;margin-top:0in;margin-bottom:0.0001pt">To what extent, if any, are contracted parties liable when a third party that accesses non-public WHOIS data under an accreditation scheme where by the accessor is accredited for the stated purpose, commits to certain reasonable safeguards similar to a code of conduct regarding use of the data, but misrepresents their intended purposes for processing such data, and subsequently processes it in a manner inconsistent with the stated purpose. Under such circumstances, if there is possibility of liability to contracted parties, are there steps that can be taken to mitigate or reduce the risk of liability to the contracted parties?<u></u><u></u></li></ol><div style="border-top:none;border-right:none;border-left:none;border-bottom:1.5pt solid windowtext;padding:0in 0in 1pt"><p class="MsoNormal" style="border:none;padding:0in"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p></div><p class="gmail-m_8830451728902529051MsoListParagraph"><span style="color:black"><u></u> <u></u></span></p><ol style="margin-top:0in" start="3" type="1"><li class="gmail-m_8830451728902529051MsoListParagraphCxSpLast" style="color:black;margin-top:0in;margin-bottom:0.0001pt">(Formerly Q9) Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally permissible under Article 6(1)(f) to:<u></u><u></u></li></ol><p class="MsoNormal"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpFirst" style="margin-right:0in;margin-left:0.75in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:Symbol;color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">define specific categories of requests from accredited parties (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or<u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpLast" style="margin-right:0in;margin-left:0.75in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:Symbol;color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">enable automated disclosures of such data, without requiring a manual review by the controller or processor of each individual disclosure request.<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.5in"><span style="font-size:11pt;color:black">In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">For reference, please refer to the following potential safeguards: <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black"> <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpFirst" style="margin-right:0in;margin-left:0.75in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:Symbol;color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).<u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:0.75in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:Symbol;color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:0.75in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:Symbol;color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">ICANN or its designee has validated the requestor’s identity, and required that the requestor: <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:1.25in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:"Courier New";color:black"><span>o<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">represents that it has a lawful basis for requesting and processing the data, <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:1.25in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:"Courier New";color:black"><span>o<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">provides its lawful basis,<u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:1.25in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:"Courier New";color:black"><span>o<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">represents that it is requesting only the data necessary for its purpose, <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:1.25in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:"Courier New";color:black"><span>o<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">agrees to process the data in accordance with GDPR, and <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpMiddle" style="margin-right:0in;margin-left:1.25in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:"Courier New";color:black"><span>o<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">agrees to standard contractual clauses for the data transfer. <u></u><u></u></span></p><p class="gmail-m_8830451728902529051MsoListParagraphCxSpLast" style="margin-right:0in;margin-left:0.75in;margin-bottom:0.0001pt"><u></u><span style="font-size:10pt;font-family:Symbol;color:black"><span>·<span style="font:7pt "Times New Roman""> </span></span></span><u></u><span style="color:black">ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject.<u></u><u></u></span></p><div style="border-top:none;border-right:none;border-left:none;border-bottom:1.5pt solid windowtext;padding:0in 0in 1pt"><p class="MsoNormal" style="border:none;padding:0in"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p></div><p class="MsoNormal"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><ol style="margin-top:0in" start="4" type="1"><li class="gmail-m_8830451728902529051MsoListParagraphCxSpFirst" style="color:black;margin-top:0in;margin-bottom:0.0001pt">Under the GDPR, a data controller can disclose personal data to law enforcement of competent authority under Art. 6 1 c GDPR provided the law enforcement authority has the legal authority to create a legal obligation under applicable law. Certain commentators have interpreted “legal obligation” to apply only to legal obligations grounded in EU or Member State law.<u></u><u></u></li></ol><p class="gmail-m_8830451728902529051MsoListParagraphCxSpLast" style="margin-right:0in;margin-left:0.5in;margin-bottom:0.0001pt"><span style="color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">As to the data controller:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">a. Consequently, does it follow that the data controller may not rely on Art. 6 1 c GDPR to disclose personal data to law enforcement authorities outside the data controller’s jurisdiction? Alternatively, are there any circumstances in which data controllers could rely on Art. 6 1 c GDPR to disclose personal data to law enforcement authorities outside the data controller’s jurisdiction?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">b. May the data controller rely on any other legal bases, besides Art. 6 I f GDPR, to disclose personal data to law enforcement authorities outside the data controller’s jurisdiction?<u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">As to the law enforcement authority: <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">Given that Art. 6 1 GDPR states that European public authorities cannot use Art. 6 I f GDPR as a legal basis for processing carried out in the performance of their tasks, these public authorities need to have a legal basis so that disclosure can take place based on another legal basis (e.g. Art. 6 I c GDPR). <u></u><u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><p class="MsoNormal" style="margin-left:0.25in"><span style="font-size:11pt;color:black">c. In the light of this, is it possible for non-EU-based law enforcement authorities to rely on Art. 6 I f GDPR as a legal basis for their processing? In this context, can the data controller rely on Art. 6 1 f GDPR to disclose the personal data? If non-EU-based law enforcement authorities cannot rely on Art. 6 1 f GDPR as a legal basis for their processing, on what lawful basis can non-EU-based law enforcement rely?<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt;color:black"><u></u> <u></u></span></p></div></div>
_______________________________________________<br>
Gnso-epdp-team mailing list<br>
<a href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><br>
_______________________________________________<br>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</blockquote></div>