[Gnso-epdp-legal] For your review: First batch of questions to be sent to EPDP Team for final sign-off

[King, Brian]

Hi Team,

I suggest that the first batch of questions we submit to the team must include Q 2/5 as an “anchor question” since it really solicits the million-dollar answer we need: is such a thing possible without CP liability?

With that answer, it makes sense to build on the concept by asking Q 7 (what if there’s fraud in such a system?) and Q 9 (can such a system be automated?), but these questions don’t stand alone well without the anchor question.

So, I’d like to finish the requested tweaks to Q 2/5 by COB tomorrow and get this group’s buy-in quickly so we can get a complete Batch 1 including Q 2/5 to the plenary ASAP. Ok?

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> On Behalf Of Caitlin Tubergen
Sent: Tuesday, August 20, 2019 2:38 PM
To: gnso-epdp-legal at icann.org
Subject: [Gnso-epdp-legal] For your review: First batch of questions to be sent to EPDP Team for final sign-off

Apologies for the additional email, but please indicate by Wednesday, 21 August at 16:00 UTC if you disagree with the inclusion of Q9 in the first batch.

EPDP Leadership would like to send the first batch of questions to the EPDP Team for its review in advance of Thursday’s meeting.

Thank you.

Best regards,

Marika, Berry, and Caitlin




From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org<mailto:gnso-epdp-legal-bounces at icann.org>> on behalf of Caitlin Tubergen <caitlin.tubergen at icann.org<mailto:caitlin.tubergen at icann.org>>
Date: Tuesday, August 20, 2019 at 9:52 AM
To: "gnso-epdp-legal at icann.org<mailto:gnso-epdp-legal at icann.org>" <gnso-epdp-legal at icann.org<mailto:gnso-epdp-legal at icann.org>>
Subject: [Gnso-epdp-legal] First batch of questions to be sent to EPDP Team for final sign-off

Dear EPDP Phase 2 Legal Committee,

Below, please find the first batch of questions to be sent to the EPDP Team for its final sign-off. Please note, as per the action item from today’s meeting, the requested bullet points from Q2/5 were added to Q9. As there was no objection on the call, we have included the question below, but please do let us know if you would prefer to continue discussing Q9 on this list before presenting to the plenary team on Thursday.

There is time reserved in Thursday’s plenary agenda, during which León has kindly offered to present the below questions to the plenary team.

Batch 1


  1.  (Formerly Q7) To what extent, if any, are contracted parties liable when a third party that accesses non-public WHOIS data under an accreditation scheme where by the accessor is accredited for the stated purpose, commits to certain reasonable safeguards similar to a code of conduct regarding use of the data, but misrepresents their intended purposes for processing such data, and subsequently processes it in a manner inconsistent with the stated purpose.  Under such circumstances, if there is possibility of liability to contracted parties, are there steps that can be taken to mitigate or reduce the risk of liability to the contracted parties?



  1.  (Formerly Q9) Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally permissible under Article 6(1)(f) to:


  *   define specific categories of requests from accredited parties (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or
  *   enable automated disclosures of such data, without requiring a manual review by the controller or processor of each individual disclosure request.
In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).

For reference, please refer to the following potential safeguards:


  *   Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
  *   CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
  *   ICANN or its designee has validated the requestor’s identity, and required that the requestor:

o   represents that it has a lawful basis for requesting and processing the data,

o   provides its lawful basis,

o   represents that it is requesting only the data necessary for its purpose,

o   agrees to process the data in accordance with GDPR, and

o   agrees to standard contractual clauses for the data transfer.

  *   ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject.


3. (Formerly Q12/13) In light of the 3 May 2019 correspondence from the European Commission<https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf>, are any updates on the previous memo on 6(1)(b)<https://community.icann.org/download/attachments/102138857/6%281%29%28b%29%20Memo.docx?version=1&modificationDate=1548874809000&api=v2> necessary?

Thank you.

Best regards,

Marika, Berry, and Caitlin



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20190820/d8d45e54/attachment-0001.html>