[Gnso-epdp-legal] Notes and action items - EPDP Phase 2 Legal Committee Meeting #3

Caitlin Tubergen caitlin.tubergen at icann.org
Tue Aug 6 18:07:30 UTC 2019


EPDP Phase 2 Legal Committee Meeting #3

Action Items

1.      Updated Merged Questions 2 and 5: LC to continue reviewing the updated text and suggest changes (if any) in advance of the next LC meeting on Tuesday, 20 August 2019. LC to be prepared to discuss the text and proposed updates during next LC call.
2.      Updated Question 4: Brian and Volker to work together on redrafting question 4, specifically with respect to clarifying whose legal basis for processing the question refers to.
3.      Updated Question 7: As no objections were received, this question will be forwarded to the EPDP Team for sign-off and, pending no objection, forwarded to outside counsel for its review.
4.      Updated Question 9: Hadia and Margie to work together to redraft the question to clarify ambiguities. (Note: in redrafting Q9, Hadia and Margie may want to consider the text of updated Q2/5.)
5.      Updated Question 11: Question on hold for now. Margie to update the text of the question to include a specific use case.
6.      Updated Question 12: LC to review simplified question before sending to EPDP Team for sign-off: In light of the 3 May 2019 correspondence from the European Commission, are any updates on the previous memo on 6(1)(b) necessary?

Notes

Proposed Agenda

Tuesday, 6 August 14:00 UTC

1.      Roll Call & SOI Updates 

2.      Continued Substantive Review of Updated Priority 1 (SSAD) Legal Questions Submitted to Date

a)      Substantive review of updated SSAD questions 

 
Thank you to Brian and Margie for delivering their homework.
The first updated question is the merged questions 2 and 5:
 

Updated Merged Questions 2 and 5: Consider a System for Standardized Access/Disclosure where contracted parties (“CPs”) are required to disclose personal data over RDAP to requestors either directly or through an intermediary request accreditation/authorization body. Assuming the following safeguards are in place, what risk, if any, would the CP face for the processing activity of disclosure in this context? If any risk exists, what improved or additional safeguards would eliminate[1] this risk? In this scenario, would the CP be a controller or a processor[2], and to what extent, if at all, is the CP’s liability impacted by this controller/processor distinction?

 
Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
 
CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. 
 
ICANN or its designee has validated the requestor’s identity, and required that the requestor: 
represents that it has a lawful basis for requesting and processing the data, 
provides its lawful basis,
represents that it is requesting only the data necessary for its purpose, 
agrees to process the data in accordance with GDPR, and 
agrees to standard contractual clauses for the data transfer. 
 
ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject. 
 

LC Feedback:
Will the Team be making a decision on this legal question today? It is very long – would it be possible to have a few extra days to review the question?

Yes, the Team can have extra time to review the questions. For now, the Team can continue with the rest of the questions and allow everyone to respond in advance of the next LC call.
 

Updated Question 4: European LEAs need to have a legal basis for requesting disclosure. Based on that, they approach the contracted party, which can then disclose based on Art. 6 I c GDPR to fulfil a legal obligation.

 

Where no legal basis for requesting data exists, no disclosure can take place.

 

Art. 6 I c GDPR is limited to European laws. As a consequence, non-EU LEA cannot use a European legal basis for requesting data and the contracted party can therefore not disclose based on 6 I c GDPR.

 

That would leave us with disclosure based on 6 I f GDPR and to the potentially problematic situation in which a domestic European LEA must be able to base its request on a national law while non-EU LEA “only” needs to have a legitimate interest. Remember that even public authorities must not base their processing on 6 I f GDPR in performing their core activities. I trust there is common understanding that investigating crime is the core activity of LEAs and thus it might be a contradiction to have domestic European LEAs blocked from basing their requests on 6 I f GDPR, while non-EU LEA can use that para as a legal basis and also to have the contracted party disclose based on 6 I f GDPR, while in domestic EU cases, only 6 I c GDPR would be applicable.

 

Remember that disclosing data to LEA is much more impactful for the data subject than in civil cases and that therefore, the law makers have included the aforementioned safeguards into the GDPR, which we might be bypassing by using 6 I f GDPR.

 

I am not saying this cannot be made to work, but we should get confirmation that such disclosure is lawful.

 

LC Feedback: 
The Team should be really clear about whose legal basis for the processing activity applies. The second sentence in the fourth paragraph is unclear as to whether it refers to the LEA’s processing or to the process of disclosing to the LEA.

Action: Brian and Volker to work together on redrafting question 4, specifically with respect to clarifying whose legal basis for processing the question refers to.
 

Updated Question 7: To what extent, if any, are contracted parties liable when a third party that accesses non-public WHOIS data under an accreditation scheme, whereby the accessor is accredited for the stated purpose, commits to certain reasonable safeguards similar to a code of conduct regarding use of the data, but misrepresents their intended purposes for processing such data, and subsequently processes it in a manner inconsistent with the stated purpose? Under such circumstances, if there is possibility of liability to contracted parties, are there steps that can be taken to mitigate or reduce the risk of liability to the contracted parties? (BC)

 

LC Feedback:
No objection to the proposed wording.

Close this question so that it can be forwarded to Legal Counsel. 
 

Updated Question 9: Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally possible to have automated disclosures to third parties that have requested access under 6(1)(f)? If it is possible, please provide any guidance for how this can be accomplished. For example, is it legally permissible to define specific categories of requests (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer) to identify types of user groups or processing activities that reduce the need for manual review?  In addition, please describe the circumstances (if any) where a manual review is required under 6(1)(f), and any guidance for how to perform this balancing test.

 

LC Feedback:
In the last sentence can text about a manual review for disclosure be added to this question? 
Question is confusing as written. What do we mean by automated disclosure?
We are asking legal counsel whether we can build a mechanism that would provide the requestors with information without the need to go through a balancing test with each and every request a “legitimate requestor” makes. Can this process be automated, or does it need to be manual?
Action item: Hadia and Margie to work together to redraft the question to clarify any ambiguities.

There may be commonalities with the updated, merged Questions 2 and 5.
 

Updated Question 11: Can legal counsel be consulted to determine whether GDPR prevents fast, automated, and non-rate-limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners (as defined in SSAC 101), who have agreed on appropriate safeguards? If such access is not prohibited, can counsel provide examples of safeguards (such as pseudonymization) that should be considered? (BC)

 

LC Feedback:
The question is much clearer than it was before, but the answer to the first clause is yes, legal counsel can be consulted.
Perhaps change “can legal counsel…” to “does GDPR prevent fast …”
This question seems like a fishing expedition. Does GDPR prevent it – probably not, but how would that work in practice? It may not be the best use of the limited outside counsel budget.
This question is very relevant to the use cases the Team is currently working on.
Once questions have been signed off by the Legal Committee, the questions will be sent to the EPDP Team for its review.
Perhaps the question could be reworded to clothe it in a strong use case.
This is an important question, but it would be helpful to use an example rather than asking such a general question – perhaps local law enforcement in its own jurisdiction could be a good example, rather than asking for general legal advice. 
Action: Margie to update question to include a specific use case.

Question on hold for now.
 

Updated Question 12: Under B&B’s memo regarding the applicability of 6(1)(b) as purpose for processing registration data, B&B cites German commentators who state that it is possible to rely on a contract with the data subject even if the controller is not a party to the contract. In that situation, the memo notes that “it will be necessary to require that the specific third party or at least the processing by the third party is, at least abstractly, already known to the data subject at the time the contract is concluded and that the controller, as the contractual partner, informs the data subject of this prior to the transfer to the third party.” Could legal advice be sought on whether an appropriate notice could be drafted to notify the registrant that its non-public WHOIS data will be disclosed to third parties for the purposes identified in ICANN’s policy?

 

Under the same memo, B&B’s analysis in Section b focuses on only 1 purpose for processing data (DNS abuse), instead of examining all of the purposes identified in the Phase 1 Final Report.   In light of the recent EC letters and input to ICANN that clarified how GDPR could be applied to the new WHOIS policy, B&B’s prior legal advice should be reexamined and updated.  For example, in light of the EC’s recognition that ICANN has a broad purpose to:

 

“‘contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission’, which is at the core of the role of ICANN as the “guardian” of the Domain Name System.”

 

and that:

 

“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

 

legal advice should be obtained on the applicability of each of the possible legal bases under 6(1)(a-f) to support the disclosure to third parties under an SSAD of nonpublic WHOIS data.

LC Feedback:
Would asking for this update be useful for the Team’s work in Phase 2?
The wording of the question may be leading. 
The wording of the question could be simplified – maybe ask B&B to update the previous advice in light of the new letters from the European Commission.
Action item: simplify the language of the question – and include analysis on legal basis from 6(1)(a) to 6(1)(f).

b)      Agree on next steps

 

3.      Wrap and confirm next meeting to be scheduled 

 

a)      Confirm action items

b)      The next LC Meeting will take place on Tuesday, 20 August at 14:00 UTC.


[1] “Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.” (https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf)

[2] https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en 
