[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #4

[Margie Milam]

Hi-

I wasn’t able to sync with Hadia today, but here is my suggested revision to address her concerns:

Updated Question 9: Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally permissible under Article 6(1)(f) to:


  *   define specific categories of requests from accredited parties (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or
  *   enable automated disclosures of such data, without requiring a manual review by the controller or processor of each individual disclosure request.

In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).

All the best,

Margie

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen at icann.org>
Date: Friday, August 16, 2019 at 3:09 PM
To: "gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
Subject: [Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #4

Updated Question 9: Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally possible to have automated disclosures to third parties that have requested access under 6(1)(f)? If it is possible, please provide any guidance for how this can be accomplished. For example, is it legally permissible to define specific categories of requests (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer) to identify types of user groups or processing activities that reduce the need for manual review?  In addition, please describe the circumstances (if any) where a manual review is required under 6(1)(f), and any guidance for how to perform this balancing test.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20190820/17b19936/attachment-0001.html>