[Gnso-epdp-legal] Updated Q 2/5

King, Brian Brian.King at markmonitor.com
Wed Aug 21 19:46:19 UTC 2019


Hello legal eagles,

Here is a slight revision to the Q 2/5 incorporating points from Dan and Thomas, as agreed by Brian and Thomas:


Q 2/5  Consider a System for Standardized Access/Disclosure where:



· contracted parties “CPs” are contractually required by ICANN to disclose registration data including personal data,

· data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body,

· the accreditation is carried out by a third party commissioned by ICANN without CP involvement,

· disclosure takes place in an automated fashion without any manual intervention,

· data subjects are being duly informed according to ICANN’s contractual requirements of the purposes for which, and types of entities by which, personal data may be processed. CP’s contract with ICANN also requires CP to notify data subject about this potential disclosure and third-party processing before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.



Further, assume the following safeguards are in place:

· ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor:

    · represents that it has a lawful basis for requesting and processing the data,

    · provides its lawful basis,

    · represents that it is requesting only the data necessary for its purpose,

    · agrees to process the data in accordance with GDPR, and

    · agrees to EU standard contractual clauses for the data transfer.

· ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject.



1. What risk, if any, would the CP face for the processing activity of disclosure in this context?

2. Would you deem the criteria and safeguards outlined above sufficient to make disclosure of registration data compliant? If any risk exists, what improved or additional safeguards would eliminate[1] this risk?

3. In this scenario, would the CP be a controller or a processor[2], and to what extent, if at all, is the CP’s liability impacted by this controller/processor distinction?[2]

4. Only answer if a risk still exists for the CP: If a risk still exists for the CP, what additional safeguards might be required to eliminate CP liability depending on the nature of the disclosure request, i.e. depending on whether data is requested e.g. by private actors pursuing civil claims or law enforcement authorities depending on their jurisdiction or the nature of the crime (misdemeanor or felony) or the associated sanctions (fine, imprisonment or capital punishment)?

Footnote 1: “Here it is important to highlight the special role that safeguards may play in reducing the undue impact on the data subjects, and thereby changing the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden.” (https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf)

Footnote 2: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world
