[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #4

Tara Whalen tjwhalen at gmail.com
Tue Aug 20 15:36:03 UTC 2019


Thanks, Hadia.

From the SSAC side, we're trying to work out how to best ask questions
about automation as well; some of this seems to be in Q9 but also in Q11. I
know there is re-drafting underway so there may be some places where items
shift from one Q to the other.

Q11 -- in the agenda version -- includes the text "would any automated
disclosure carry a potential for liability of the disclosing party, or the
controllers or processors of such data?" As many folks mentioned today, we
can't really eliminate liability, but we may wish for automation not to
unduly *increase* it. Instead, the question should be about *how to
satisfy the GDPR’s balancing test* aka how to comply with the law, hence
getting legal advice from the experts. A compliant solution is key for
mitigating risk and everybody--including the contracted parties, of
course--has to operate within the legal requirements.

There are a few threads in Q11 that could be teased apart -- some might end
up in other questions, of course, and these don't have to appear as-is
below, or in their own separate sub-points. But there are some elements
worth making explicit.

Overall, it looks like this question is asking:

   - is any automated decision-making possible in this area?  If so, under
   what conditions and considerations?

Likely that is not concise enough for a B&B question but it seemed to me to
be what we're trying to get at, so might help as a basic guide to our final
draft.

As discussed today about the trusted third parties and their requests: what
if there are routine and definable situations -- could those be automated,
under limited circumstances?


   - Is it possible to define specific situations in which a legitimate
   third-party interest overrides the interests or fundamental rights and
   freedoms of a data subject? In such cases, the legitimate interest would be
   defined and stated, the requesting party and the data controller would have
   a common understanding of the necessity of the processing, and the
   receiving third party would be subject to safeguards.

This next item may be included in Q9? On the call, there was the
clarification about large numbers of requests (as key difference between Q9
and Q11), which might not yet be explicit in the text:

   - Can a data controller rely on advice or assertions that come from a
   qualified and trusted third party in order to help satisfy 6(f)’s balancing
   test?  If it is possible, then what are the considerations?  What if any
   legal agreements need to be in place? If this is not possible, why not?

Q9 is going to further address safeguards, I believe; I will review the
updated text.


Also, one much more specific element: about disclosure in situations
involving fraud + criminal activity cases, as described in the WG use cases
under review in the EPDP discussions:


   - Does GDPR prohibit third parties from reporting criminal activities
   discerned via their requests to law enforcement authorities?  Does GDPR
   provide for exemptions that prevent [suspected/accused] registrants from
   being informed of relevant data requests in criminal investigations?

---
That's a lot of text, I know, but I hope that's clearer than trying to hash
it out verbally on the phone call. Thanks for all your hard drafting work
so far; we're getting a lot closer to the goal! --TW


On Tue, Aug 20, 2019 at 11:12 AM Hadia El Miniawi via Gnso-epdp-legal <
gnso-epdp-legal at icann.org> wrote:

>
> Hi All,
>
> Following Today's discussion and as suggested during the call, I propose
> explicitly mentioning the automation of the balancing test in our question
>
> Updated Question 9: Assuming that there is a policy that allows accredited
> parties to access non-public WHOIS data through an SSAD (and requires the
> accredited party to commit to certain reasonable safeguards similar to a
> code of conduct), is it legally permissible under Article 6(1)(f) to:
>
> (1) define specific categories of requests from accredited parties (e.g.
> rapid response to a malware attack or contacting a non-responsive IP
> infringer), for which there can be automated submissions for non-public
> WHOIS data, without having to manually verify the qualifications of the
> accredited parties for each individual disclosure request
> (2) Automate the balancing test required under Article 6(1) f
> (3) Automate disclosures of such data, without requiring a manual review by
> the controller or processor of each individual disclosure request.
>
>
> In addition, if it is not possible to automate any of these steps, please
> provide guidance in relation to the preferable process
>
> On Monday, August 19, 2019, 9:59:36 PM EDT, Margie Milam <
> margiemilam at fb.com> wrote:
>
>
> Hi-
>
>
>
> I wasn’t able to sync with Hadia today, but here is my suggested revision
> to address her concerns:
>
>
>
> *Updated Question 9**: Assuming that there is a policy that allows
> accredited parties to access non-public WHOIS data through an SSAD (and
> requires the accredited party to commit to certain reasonable safeguards
> similar to a code of conduct), is it legally permissible under Article
> 6(1)(f) to:*
>
>
>
>    - *define specific categories of requests from accredited parties
>    (e.g. rapid response to a malware attack or contacting a non-responsive IP
>    infringer), for which there can be **automated submissions for
>    non-public WHOIS data, without having to manually verify the qualifications
>    of the accredited parties for each individual disclosure request, and/or*
>    - *enable automated disclosures of such data, without requiring a
>    manual review by the controller or processor of each individual disclosure
>    request.*
>
>
>
> *In addition, if it is not possible to automate any of these steps, please
> provide any guidance for how to perform the balancing test under Article
> 6(1)(f).*
>
>
>
> All the best,
>
>
>
> Margie
>
>
>
> *From: *Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> on behalf of
> Caitlin Tubergen <caitlin.tubergen at icann.org>
> *Date: *Friday, August 16, 2019 at 3:09 PM
> *To: *"gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
> *Subject: *[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal
> Committee Meeting #4
>
>
>
> *Updated Question 9**: Assuming that there is a policy that allows
> accredited parties to access non-public WHOIS data through an SSAD (and
> requires the accredited party to commit to certain reasonable safeguards
> similar to a code of conduct), is it legally possible to have automated
> disclosures to third parties that have requested access under 6(1)(f)? If
> it is possible, please provide any guidance for how this can be
> accomplished. For example, is it legally permissible to define specific
> categories of requests (e.g. rapid response to a malware attack or
> contacting a non-responsive IP infringer) to identify types of user groups
> or processing activities that reduce the need for manual review?  In
> addition, please describe the circumstances (if any) where a manual review
> is required under 6(1)(f), and any guidance for how to perform this
> balancing test.*
> _______________________________________________
> Gnso-epdp-legal mailing list
> Gnso-epdp-legal at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list in accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.