<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1258489804;
mso-list-type:hybrid;
mso-list-template-ids:1987901942 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Hi Team, <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I agree that understanding the legal implications and limits of "semi-automated" processing is important as we collaborate on how to automate the SSAD process to the greatest extent permitted. The good news from a resource and timing
perspective is that we already have a memo from Bird & Bird on automation (opinion
<a href="https://community.icann.org/download/attachments/117604842/ICANN-EPDP%20-%20Question%203%20-%2010th%20September%202019%5B1%5D.pdf?version=1&modificationDate=1568143539000&api=v2">
here</a>, summary of key points <a href="https://docs.google.com/document/d/1rV0Iwo6HCABfP8oaxPC_u_D-vvjud15b/edit">
here</a> on pg. 98) that provides both the legal framework for assessing these questions and directly addresses the question of potential categories of requests for automation.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText" style="margin-bottom:6.0pt">Although we can characterize the entire system as a "semi-automated" SSAD, the ultimate question we are asking is can we allow the SSAD to make a specific decision in a fully automated manner. Here is the
basic framework that Bird & Bird provided to answer that question:<o:p></o:p></p>
<p class="MsoPlainText" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>GDPR does not permit decisions based solely on automated processing which produce legal or similarly significant effects on the data subject.<o:p></o:p></p>
<p class="MsoPlainText" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>In most instances, a decision to release information via the SSAD will not in itself have a legal effect on the data subject. For our purposes, the question is whether the decision has a “similarly significant” effect on the data
subject.<o:p></o:p></p>
<p class="MsoPlainText" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>It may be possible to determine categories of requests where the decision to disclose data would not have a "similarly significant" effect. For example, the disclosure of administrative contact details for non-natural registrants
in response to malware attacks or IP infringement would not have a "similarly significant” effect.<o:p></o:p></p>
<p class="MsoPlainText" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>In other situations, disclosure of registrant data about a natural person may be much more likely to have a "similarly significant” effect. Considerable care would need to be taken over such analysis.<o:p></o:p></p>
<p class="MsoPlainText" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:6.0pt;margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>For decisions more likely to have a "similarly significant” effect, human review or oversight is necessary. Token human involvement does not suffice. For the human review element to count, the controller must ensure meaningful
oversight by someone who has the authority and competence to change the decision.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in;text-indent:-.25in;mso-list:l0 level1 lfo1">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Processes not involving a decision about the registrant can also be automated without producing “similarly significant” effects, for example authentication of an accredited requestor.<o:p></o:p></p>
<p class="MsoPlainText" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoPlainText">I think the takeaway (at least based on the state of the law today) is that most decisions short of the ultimate decision whether or not to disclose data can be fully automated, but that most decisions involving disclosing registrant
data of a natural person will require meaningful human review. To be clear, this shouldn’t foreclose the possibility of a model that evolves towards further automation of disclosure decisions, or individual controllers automating their own decision-making
processes based on their assessment of the risks. <o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hopefully this is helpful as we continue these discussions.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks,<o:p></o:p></p>
<p class="MsoPlainText">Matt<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<br>
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mark Svancarek (CELA) via Gnso-epdp-team<br>
Sent: Tuesday, January 21, 2020 11:16 AM<br>
To: Amr Elsadr <aelsadr@icannpolicy.ninja>; gnso-epdp-team@ICANN.org<br>
Subject: Re: [Gnso-epdp-team] [EXTERNAL] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird</p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hi, I also apologize for sending this in after the deadline. I didn't see any need to change any of the existing proposes questions.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">My concern is not about the questions already being readied for submission. Rather, I am concerned that we aren't asking about the implications and limits of semi-automated processing of disclosure requests.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">By "semi-automated processing", I mean processing which is mostly automated but which contains triggers which pass requests off to a human. Examples might be "your credentials are valid but I have never received a request from you",
"the nature or volume of requests has suddenly changed", the data subject is a child", or "your credentials indicate that you are LEA from a jurisdiction of concern".<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">All of the models we have discussed can support semi-automated request processing.
<o:p></o:p></p>
<p class="MsoPlainText">- In the centralized model, the automation could happen at the central authorizer.
<o:p></o:p></p>
<p class="MsoPlainText">- In the hybrid model, each CP could utilize automated processing within their own systems.
<o:p></o:p></p>
<p class="MsoPlainText">- And we've had further suggestions for additional hybridization in the recent calls, where CPs pool resources to share an authorizer, or where a central authorizer automates a portion of the requests and hands off some subset of them
back to the CP for processing.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">-----Original Message-----<o:p></o:p></p>
<p class="MsoPlainText">From: Gnso-epdp-team <<a href="mailto:gnso-epdp-team-bounces@icann.org"><span style="color:windowtext;text-decoration:none">gnso-epdp-team-bounces@icann.org</span></a>> On Behalf Of Amr Elsadr<o:p></o:p></p>
<p class="MsoPlainText">Sent: Monday, January 20, 2020 1:55 AM<o:p></o:p></p>
<p class="MsoPlainText">To: Mark Svancarek via Gnso-epdp-team <<a href="mailto:gnso-epdp-team@icann.org"><span style="color:windowtext;text-decoration:none">gnso-epdp-team@icann.org</span></a>><o:p></o:p></p>
<p class="MsoPlainText">Subject: [EXTERNAL] [Gnso-epdp-team] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hi,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Apologies for not sending these in before the deadline, but attached is the NCSG Team feedback on the Batch 2 legal questions proposed by the Legal Committee to be sent to Bird & Bird.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Thanks.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Amr<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">Gnso-epdp-team mailing list<o:p></o:p></p>
<p class="MsoPlainText"><a href="mailto:Gnso-epdp-team@icann.org"><span style="color:windowtext;text-decoration:none">Gnso-epdp-team@icann.org</span></a><o:p></o:p></p>
<p class="MsoPlainText"><a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team"><span style="color:windowtext;text-decoration:none">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</span></a><o:p></o:p></p>
<p class="MsoPlainText">_______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy"><span style="color:windowtext;text-decoration:none">https://www.icann.org/privacy/policy</span></a>)
and the website Terms of Service (<a href="https://www.icann.org/privacy/tos"><span style="color:windowtext;text-decoration:none">https://www.icann.org/privacy/tos</span></a>). You can visit the Mailman link above to change your membership status or configuration,
including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.<o:p></o:p></p>
</div>
</body>
</html>