[Gnso-epdp-legal] contractual necessity advice [B&B-M.FID11020712]

Fri Jan 25 19:55:32 UTC 2019

Hello Legal Team:

I just received these responses from Bird & Bird. I have not read or scanned them yet. 

Gabe Maldoff intended to accompany Ruth to Toronto but was unable to due to a conflict.  It was always intended that he be part of the team assisting us.

I intend to follow up later today with the additional questions we are forming as it is essential we get them out in some form. 

Now that we have responses to each of the three questions, let’s read together and think about next steps today: e.g., follow-up questions, a report for plenary. Email discussion is welcome. 

Best regards,

Kurt

> On Jan 25, 2019, at 11:45 AM, Gabe Maldoff <Gabe.Maldoff at twobirds.com> wrote:
> 
> Hi Kurt,
>  
> By way of introduction, I'm a privacy and data protection associate at Bird & Bird London and Ruth has asked me to assist with some of the questions that have come up.
>  
> The notes of advice on questions 1 and 2 are now attached.
>  
> As a short summary:
>  
> 1.    In answer to the first question, in cases where the RNH and the technical contact are not the same person, relying on the RNH to provide notice on the registrar's behalf will not meet GDPR's notice requirements if the RNH fails to provide the notice. While this may provide grounds for a contractual claim against the RNH, it is unlikely to provide a viable defence under the GDPR. Moreover, this arrangement will make it difficult for registrars to demonstrate that notice has been provided. If notice is not effectively provided, this could affect the legitimate interests analysis, since technical contacts may not "reasonably expect" the manner in which their data will be processed. If relying on consent, such an arrangement would make it difficult to document that consent has been provided.
>  
> 2.    On the second question, we conclude that the relevant parties could be subject to liability if a registrant wrongly self-identifies as a legal person (and not a natural person) and the registrant's data is disclosed in reliance on this self-identification. To reduce the risks, we propose several solutions, such as focus group testing of the registration process to minimise the risk of errors and technical tools (if feasible) to verify the information provided. We also recommend providing clear notice to data subjects of the consequences for them of the designation as either a legal or a natural person as well as a way for data subjects to easily correct a mistaken classification. One way to do this effectively would be to send a follow-up email after registration to the listed contacts – this could also help with the notice issue addressed in question 1.
>  
> If you have any questions, please let us know.
>  
> Best regards,
> Ruth & Gabe
>  
>  
> Gabe Maldoff
>  
> Associate
> Attorney (New York)
> Bird & Bird
> gabe.maldoff at twobirds.com <mailto:gabe.maldoff at twobirds.com>
>  
> Direct   +44 (0)20 7982 6442
> Tel       +44 (0)20 7415 6000
> Fax      +44 (0)20 7415 6111
>  
> Bird & Bird LLP
> 12 New Fetter Lane
> London EC4A 1JP
> United Kingdom
>  
> twobirds.com <http://www.twobirds.com/>
>  
> 
>  
>  
>  
> From: Ruth Boardman 
> Sent: 23 January 2019 09:39
> To: Kurt Pritz (kurt at kjpritz.com <mailto:kurt at kjpritz.com>)
> Cc: Daniel Halloran; Gabe Maldoff
> Subject: contractual necessity advice [B&B-M.FID11042763]
>  
> Hello Kurt,
>  
> The advice on this question is attached.
>  
> You may find a short summary helpful. This is:
>  
> a) it is not clear if the contractual necessity condition can only apply where there is a contract between data controller and data subject, or whether the contract could be between another person and the data subject. (For example, so that ICANN or a registry could argue that their processing is necessary for the contract between the registrar and the RNH/data subject).  In countries where we have checked, there are no cases on point. Some data protection authorities interpret the provision narrowly. However, there is also guidance arguing for a more liberal approach. We think a more liberal approach is correct – but this is untested.
>  
> b) What is 'necessary' is interpreted strictly. We do not think that the EPDP could successfully argue that preventing DNS abuses is'necessary' for the contract with the RNH. There is guidance from the Article 29 Working Party on this which has examples somewhat similar to ICANN's situation. 
>  
> If you have questions, do let me know.
>  
> Best regards,
>  
> Ruth
> 
> BIRD & BIRD 
> 
> 
> For information on the international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses (together "Bird & Bird"), our offices, our members and partners, regulatory information, complaints procedure and the use of e-mail see www.twobirds.com/LN <http://www.twobirds.com/LN> 
> 
> For our privacy policy, including the types of personal information we collect, how we collect and process that information, who we may share it with in relation to the services we provide and certain rights and options that you have in this respect, see www.twobirds.com/LNPrivacy <http://www.twobirds.com/LNPrivacy>. Click here <https://sites-twobirds.vuture.net/5/52/landing-pages/unsubscribe-blank.asp> if you would like to opt-out of receiving marketing communications from Bird & Bird. Opting out of receiving marketing communications will not affect our continuing communications with you for the provision of our legal services.
> 
> Any e-mail sent from Bird & Bird may contain information which is confidential and/or privileged. Unless you are the intended recipient, you may not disclose, copy or use it; please notify the sender immediately and delete it and any copies from your systems. You should protect your system from viruses etc.; we accept no responsibility for damage that may be caused by them. 
> 
> For the terms on which we receive from, hold for or make available to a client or third party client money see www.twobirds.com/CM <http://www.twobirds.com/CM> 
> 
> Bird & Bird LLP, a limited liability partnership, registered in England and Wales with registered number OC340318, with its registered office and principal place of business at 12 New Fetter Lane, London EC4A 1JP, is authorised and regulated by the Solicitors Regulation Authority, whose professional rules and code may be found at www.sra.org.uk/handbook/ <http://www.sra.org.uk/handbook/> 
> 
> A list of members of Bird & Bird LLP and of any non-members who are designated as partners, being lawyers or other professionals with equivalent standing or qualifications, and of their respective professional qualifications, is open to inspection at its registered office.
> 
> <ICANN - Memo on Question 2.DOCX><ICANN - Memo on Question 1.DOCX>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20190125/c769ada1/attachment-0001.html>