<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Actually, the purposes you list are too generic and do not allow
      the disclosing party to verify the complaint.</p>
    <p>Instead, a requester should give as much detail as possible to
      allow the disclosing party to make a balancing test in their
      favor. <br>
    </p>
    <p>So instead of "Trademark Infringement", the requester should
      detail specifically which trademark he believes to have been
      infringed and how the domain name registration is infringing on
      this trademark. This goes beyond stating that the two strings
      match.</p>
    <p>Instead of "in the commission of a crime" the crime at hand and
      how the domain name is used in it should be detailed. <br>
    </p>
    <p>Simply put, the requester should be held to provide the specific
      evidence he has that triggered the request in the first place. It
      should not require the discloser to try and figure this out
      themselves. The request should allow the discloser to check the
      evidence and conclude that "Yep, this requester has made a
      sufficient case that warrants disclosure".</p>
    <p>Volker<br>
    </p>
    <div class="moz-cite-prefix">On 09.10.2019 at 22:58, Mark
      Svancarek (CELA) via Gnso-epdp-team wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:MWHPR21MB051226429AC0C5031D406D57D1950@MWHPR21MB0512.namprd21.prod.outlook.com">
      <div class="WordSection1">
        <p class="MsoNormal">We’re just going to create omnibus-type
          purposes that we declare at the time of disclosure request.  I
          think I mentioned this 2 weeks ago.  I doubt it is lawfully
          required, but I will discuss with our data protection
          attorneys.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Margie said: “My purpose is Investigation
          of Trademark Infringement.  But sometimes such an
          investigation results in Investigation of Phishing.  Those are
          compatible, I don’t need to ask again.”<o:p></o:p></p>
        <p class="MsoNormal">Amr sez: “Nope, ya gotta ask again.”<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Instead, I propose: “My purpose is to
          investigate the use of a domain name in the commission of a
          crime.  The crimes I am investigating are trademark
          infringement, phishing and malware distribution.”<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Of course there will be objection to this,
          but I am fairly certain it’s lawful.<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b>From:</b> Gnso-epdp-team
              <a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org">&lt;gnso-epdp-team-bounces@icann.org&gt;</a>
              <b>On Behalf Of </b>Margie Milam<br>
              <b>Sent:</b> Wednesday, October 9, 2019 11:37 AM<br>
              <b>To:</b> Mark Svancarek (CELA) via Gnso-epdp-team
              <a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team@icann.org">&lt;gnso-epdp-team@icann.org&gt;</a>; King, Brian
              <a class="moz-txt-link-rfc2396E" href="mailto:Brian.King@markmonitor.com">&lt;Brian.King@markmonitor.com&gt;</a>;
              alexATcolevalleyconsulting.com
              <a class="moz-txt-link-rfc2396E" href="mailto:alex@colevalleyconsulting.com">&lt;alex@colevalleyconsulting.com&gt;</a>;
              sdelbiancoATnetchoice.org
              <a class="moz-txt-link-rfc2396E" href="mailto:sdelbianco@netchoice.org">&lt;sdelbianco@netchoice.org&gt;</a>; Jennifer Gore
              <a class="moz-txt-link-rfc2396E" href="mailto:Jennifer@winterfeldt.law">&lt;Jennifer@winterfeldt.law&gt;</a><br>
              <b>Subject:</b> [Gnso-epdp-team] FW: Updated Language
              Regarding Purposes<o:p></o:p></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal">Ugh—suggestions for dealing with this?<o:p></o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div style="border:none;border-top:solid #B5C4DF
          1.0pt;padding:3.0pt 0in 0in 0in">
          <p class="MsoNormal"><b><span
                style="font-size:12.0pt;color:black">From: </span></b><span
              style="font-size:12.0pt;color:black">Amr Elsadr &lt;<a
                href="mailto:aelsadr@icannpolicy.ninja"
                moz-do-not-send="true">aelsadr@icannpolicy.ninja</a>&gt;<br>
              <b>Reply-To: </b>Amr Elsadr &lt;<a
                href="mailto:aelsadr@icannpolicy.ninja"
                moz-do-not-send="true">aelsadr@icannpolicy.ninja</a>&gt;<br>
              <b>Date: </b>Wednesday, October 9, 2019 at 4:34 AM<br>
              <b>To: </b>Margie Milam &lt;<a
                href="mailto:margiemilam@fb.com" moz-do-not-send="true">margiemilam@fb.com</a>&gt;<br>
              <b>Subject: </b>Re: Updated Language Regarding Purposes<o:p></o:p></span></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <p class="MsoNormal">Hi Margie, <o:p></o:p></p>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">Thanks for this. I’m still having trouble
            with the reference to Article 5.1.b, and its applicability
            here. The ICO guidance on the purpose limitation principle
            has only reinforced this (<a
href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/"
              moz-do-not-send="true">https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/</a>).
            The explanation of what the principle is, as well as the
            checklist associated with it all indicate to me that it is
            applicable to the Data Controller, not a 3rd party/Requestor
            for disclosure/access.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">My thinking is that if we are to proceed
            as you have suggested in your email below, the process needs
            to loop in the Data Controller, somehow. Some reasons why
            this might be necessary:<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">1. It shouldn’t be up to the 3rd party to
            determine what additional purposes are or are not
            compatible. Ultimately, the Data Controller and Processor
            will be held accountable by the data subject, and possibly
            liable by a DPA for errors in judgment on this, so should be
            looped in.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal">2. If the Controller is not (at a
            minimum) informed of additional purposes for which the
            personal data will be processed, I’m not sure how the
            Controller will track and keep records of how the data that
            was disclosed will be or was processed.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal">3. If the Data Subject requests access to
            a report on how its personal data has been processed, it
            would need to make this request to the Controller with which
            it is familiar (likely the registrar). If the Controller is
            not involved in the decision to process the personal data
            for additional compatible purposes, it will not be in a
            position to provide the Data Subject with a complete report
            on how the data was, or is being, processed, at least not
            until (or if) an audit is conducted.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">So let’s say there is a scenario where a
            Requestor has been granted disclosure/access to the personal
            data for a specific purpose, then discovers that there
            is(are) additional purpose(s) for which the personal data
            needs to be processed further. This could be for compatible
            purposes, or other unrelated ones (but still fulfilling the
            requirements of a legitimate interest of the Requestor and
            supported by a legal basis).<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">It’d make sense to me, that in this kind
            of scenario, some follow-up to the original request for
            disclosure be available where the Requestor communicates the
            need for further processing in the SSAD, and that there is
            some need for the Controller to make a decision on whether to
            grant permission for this additional processing.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">Also, since this would be a follow-up to
            a previously approved disclosure request, it might make
            sense that the follow-up is flagged for a quicker response
            time of the request for additional processing of the
            personal data for additional purposes (compatible or
            unrelated). This could possibly be reflected in Building
            Blocks G and K?<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">I know this adds an administrative layer,
            and slightly slows things down, but it provides more
            certainty in the process as a whole, doesn’t it? I believe
            it would be necessary in order to protect the rights of all
            parties involved, as well as provide the transparency in
            processing that you referred to in your proposed amendment
            to subsection C of Building Block D.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">If you agree with any of this, in
            principle, we can try some wordsmithing of the proposed
            amendment. If you have concerns, let’s try to address them
            first.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">Thanks again, Margie.<o:p></o:p></p>
        </div>
        <div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
        <div>
          <p class="MsoNormal">Amr<o:p></o:p></p>
          <div>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <div>
                <p class="MsoNormal">On Oct 8, 2019, at 6:53 PM, Margie
                  Milam &lt;<a href="mailto:margiemilam@fb.com"
                    moz-do-not-send="true">margiemilam@fb.com</a>&gt;
                  wrote:<o:p></o:p></p>
              </div>
              <p class="MsoNormal"><o:p> </o:p></p>
              <div>
                <div>
                  <p class="MsoNormal">Hi Amr –<span
                      style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal">Following up on today’s homework
                    – here’s a link to information from the UK
                    Information Office that can help guide the drafting
                    of this section:<span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"><span style="font-size:12.0pt"><a
href="https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/"
                        moz-do-not-send="true"><span
                          style="color:#954F72">https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/</span></a><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal">Here’s what I suggest:<span
                      style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal">The building block should use
                    this language:<span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal">“not incompatible with the
                    original purpose, provided the new purpose is fair,
                    lawful and transparent.”<span
                      style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal">The policy recommendation would
                    also need to include specific disclosures to the
                    registrant, describing the common purposes for 3<sup>rd</sup><span
                      class="apple-converted-space"> </span>party
                    access, so that the transparency requirement is met.<span
                      style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal">Margie<span
                      style="font-size:12.0pt"><o:p></o:p></span></p>
                </div>
              </div>
            </blockquote>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
</pre>
    </blockquote>
    <div class="moz-signature">-- <br>
      Volker A. Greimann<br>
      General Counsel and Policy Manager<br>
      <strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
      <br>
      T: +49 6894 9396901<br>
      M: +49 6894 9396851<br>
      F: +49 6894 9396851<br>
      W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
      <br>
      Key-Systems GmbH is a company registered at the local court of
      Saarbruecken, Germany with the registration no. HR B 18835<br>
      CEO: Alexander Siffrin<br>
      <br>
      Part of the CentralNic Group PLC (LON: CNIC) a company registered
      in England and Wales with company number 8576358.</div>
  </body>
</html>