[GNSO-Accuracy-ST] Potential Additional Questions to ICANN Org

Becky Burr becky.burr at board.icann.org
Tue Mar 1 15:26:42 UTC 2022

Michael -

Respectfully, and without taking a position on whether these questions are
relevant or timely, I think the questions need to be more nuanced to
produce useful answers.

   - Does ICANN have a legitimate *and proportionate* interest in accessing
   *individual registration records in response to credible complaints* that
   the data is inaccurate? If so, is a DPA required to access data in such
   situations? What happens if the registrar receiving the access request
   disagrees with ICANN's application of the balancing test, i.e., does ICANN
   have the contractual authority to enforce its access request?
   - Does ICANN have a legitimate *and proportionate* interest in
   *proactively* acquiring *bulk access* to registrant data to undertake an
   accuracy audit, even with respect to data for which it has no basis to
   question its accuracy?  If so, is a DPA necessary to do so?  What happens
   if the registrar receiving the access request disagrees with ICANN's
   application of the balancing test, i.e., does ICANN have the contractual
   authority to enforce its access request?

It is important to keep in mind that a legitimate interest is necessary *but
not sufficient* under GDPR.  The processing necessary to satisfy a
legitimate interest must be proportionate, i.e., not outweighed by the
privacy rights of the individual data subject(s).  As a result, the two
situations (access to a single record based on reasonable grounds to
believe the data is inaccurate v. proactive access without individualized
suspicion) are quite different from a data protection perspective, with the
first being far less complicated to defend.  In addition, a CP's
contractual obligations, e.g., under the RAA, may be different in those

FWIW, I think the DPA issue is a bit of a red herring here.   Presumably,
ICANN's requests for one-off data can be handled in the same way that
anyone else's access request is handled, e.g., if the data is to be
transferred outside of the EU by imposing controller to controller Standard
Contractual Clauses as the terms and conditions of such access on a
case-by-case basis.  If the EDPB were to confirm that ICANN's *bulk access*
to data for proactive checking was legitimate and proportionate, it's clear
to me that a narrowly focused DPA between ICANN and CPs applicable to data
access for the specific purpose of checking accuracy (e.g., prohibiting
onward transfer, etc.) could be crafted.  The real question is whether (i)
the temp spec /epdp phase 1 policy obligating CPs to provide reasonable
access for legitimate and proportionate purposes encompasses bulk access or
(ii) some other provision of the agreements produces an obligation to
provide bulk access.

Apologies for being pedantic here.  None of us can say with any certainty
what GDPR does or does not permit as that determination is ultimately made
by individual data protection authorities and/or the EDPB.  We are asking
ICANN for its views on what GDPR would permit in specific circumstances, so
the relevant circumstances should be articulated precisely to produce
useful answers.


On Thu, Feb 24, 2022 at 5:12 PM Michael Palage <michael at palage.com> wrote:

> Hello Everyone,
> Over the past couple of weeks there has been a recurring theme in our
> calls and in some of the side discussions that I have had with some members
> regarding how the potential lack of a Data Processing Agreement
> between ICANN Org and the Contracting Parties might negatively impact our
> future work and/or recommendations.
> Therefore I would like to propose to the group for their consideration the
> following additional questions that we may want to propose to ICANN Org as
> we continue our work:
> • "Is ICANN able to access registration data under the GDPR on
> the basis that it has a legitimate interest in checking the accuracy of the
> data?  Has ICANN ever received or plans to receive legal advice on this
> particular topic?
> • Does ICANN believe that the Data Protection Agreement between
> itself and the Contracted Parties is a necessary legal requirement for
> requesting and receiving this data, and if so for what legal reason?"
> As always I welcome any thoughts and/or considerations.
> Best regards,
> Michael