[Gnso-epdp-legal] [Ext] Re: Proposed agenda for Phase 2 Legal Committee Meeting #1

Caitlin Tubergen caitlin.tubergen at icann.org
Mon Jul 15 22:48:03 UTC 2019


Hi Margie,

 

Thank you for noting the additional questions.

 

The attached annotated agenda now includes the referenced questions.

 

Please let me know if I can be of further assistance.


Best regards,


Caitlin

 

 

 

 

From: Margie Milam <margiemilam at fb.com>
Date: Monday, July 15, 2019 at 12:57 PM
To: Caitlin Tubergen <caitlin.tubergen at icann.org>, "gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
Subject: [Ext] Re: [Gnso-epdp-legal] Proposed agenda for Phase 2 Legal Committee Meeting #1

 

Hi Caitlin-

 

In prepping for tomorrow’s call, I note that the questions do not include the BC’s submitted questions. Specifically, please see:
the BC input submitted on 24 June 19 in the following sections: A6, A8/9, A12/13, C8;
My email from May 15, 2019 listing additional questions on the B & B Memo. Of these, our questions related to the Possible Legal Bases are relevant to the SSAD template, and should be included in the discussion below.
 

All the best,

 

Margie Milam,

On behalf of the BC

 

_______________________________________________________________________________________________

 

From my May 15th email:

 

Hi –

In advance of tomorrow’s call, here are comments and questions submitted on behalf of the BC:

 

Possible Legal Bases for Processing. Our comments on the legal bases topic have been influenced by both the 6(1)(f) memo and the recent EC communication, so we’ve broken our clarifying questions into 2 groupings, one for 6(1)(b) and one for 6(1)(e).
Performance of Contract – B&B should revisit its analysis in light of the recent EC Letter where it notes:
“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).”

This is consistent with the B&B memo that recognizes that a direct contract with the data subject is not necessary.
To identify 6(1)(b) as purpose for processing registration data, we should follow up on the B & B advice that-
“it will be necessary to require that the specific third party or at least the processing by the third party is, at least abstractly, already known to the data subject at the time the contract is concluded and that the controller, as the contractual partner, informs the data subject of this prior to the transfer to the third party”
B&B should clarify why it believes that the only basis for providing WHOIS is for the prevention of DNS abuse.  Its conclusion in Paragraph 10 does not consider the other purposes identified by the EPDP in Rec 1, and, in any event should consider the recent EC recognition that ICANN has a broad purpose to:
 

‘contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission’, which is at the core of the role of ICANN as the “guardian” of the Domain Name System.”
WHOIS in the Public Interest - Similarly, B&B should advise on the extent to which GDPR’s public interest basis 6(1)e is applicable, in light of the EC’s recognition that:
“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

 

Natural-Legal:
The EPDP should explore with B&B the possible ways of protecting against an erroneous identification as a legal person. The policy recommendations could point to different practices that exist today (relying on the ccTLD research referenced in the EPDP Phase 1 report) that could enable the natural/legal person distinction to be made. For example, the EPDP could propose a verification component, based on a number of indicators that can determine whether the registrant is a legal entity.
Has B&B considered how the natural/legal person distinction is handled by ccTLDs?
With regard to concerns about emails possibly containing personal info – has B & B considered whether the risk could be mitigated if the registrant is asked if the email is “role based” or identifies an actual individual?
Accuracy:  Has B&B reviewed the statistics from the WHOIS ARS on accuracy levels or the findings of the 1st and 2nd WHOIS RT with regard to accuracy?  This should factor into the summary conclusions in Paragraph 21.

Thick WHOIS:  Did B&B review the GNSO’s Final Report and analysis in support of the Thick WHOIS policy recommendations?  Specifically, the consensus policy was based on recognized benefits to the Internet Ecosystem of having Thick WHOIS.  For example, under the Thick WHOIS policy, the registry is the authoritative place for domain name registration records.  

      

Mark and I look forward to discussing these issues in more detail tomorrow.

 

All the best,

Margie and Mark

 

 

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen at icann.org>
Date: Thursday, July 11, 2019 at 3:44 PM
To: "gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
Subject: [Gnso-epdp-legal] Proposed agenda for Phase 2 Legal Committee Meeting #1

 

Dear Phase 2 Legal Committee,

 

Please find below the proposed agenda for the first meeting of the Phase 2 Legal Committee, which will take place on Tuesday, 16 July at 14:00 UTC.

 

Best regards,

 

Marika, Berry, and Caitlin

 

 

 

EPDP Phase 2 Legal Committee Meeting #1

Proposed Annotated Agenda

Tuesday, 16 July 14:00 UTC
Roll Call & SOI Updates 
Confirmed EPDP-Legal Team members 
Board – Leon Sanchez*
ALAC – Hadia Elminiawi
BC – Margie Milam
GAC – Laureen Kapin
IPC – Brian King
ISPCP – Thomas Rickert
NCSG – Tatiana Tropina
RrSG – Volker Greimann
RySG – Kristina Rosette 
SSAC – Tara Whalen
Staff – Dan Halloran, Caitlin Tubergen
EPDP Leadership – Janis Karklins, Rafik Dammak (ex officio participants with permission to intervene if appropriate and mostly on procedural issues)
 

*During ICANN65, Janis proposed Leon to chair the Phase 2 Legal Committee calls. Leon agreed to serve as the chair, and no EPDP Team Members registered their objection.
Review Legal Committee Process and Working Methods 
 

a)      Similar to the Phase 1 Legal Committee, if the EPDP Team identifies questions it believes are legal in nature, the Phase 2 Legal Committee will vet the questions to determine:
the questions are truly legal in nature, as opposed to a policy or policy implementation question; 
the questions are phrased in a neutral manner, avoiding both presumed outcomes as well as constituency positioning; 
the questions are both apposite and timely to the EPDP Team’s work; and
the limited budget for external legal counsel is being used responsibly. 
 

b)      Meetings of the Phase 2 Legal Committee will be open to all EPDP Team members, but only appointed members will be invited to speak. Appointed members unable to attend meetings may appoint an alternate to speak during the meeting.

 

c)       Ultimate determinations of the Phase 2 Legal Committee will be shared and signed off with the EPDP Team before questions are sent to Bird & Bird. 

 

d)      Questions/Concerns?

 
Substantive Review of Priority 1 Legal Questions Submitted to Date
 

a)      The Phase 2 Legal Committee will begin its review of questions submitted for Priority 1 items, i.e., questions submitted for SSAD. 
All draft questions previously submitted re: SSAD can be found on p. 10-11 of the SSAD worksheet [docs.google.com].
All Legal Committee members are asked to review this list of questions in advance of the meeting to determine if the questions meet the vetting requirements.
The Chair will outline the questions received to quickly triage if members believe the question is legal in nature and relevant to the Team’s work/would move the Team forward. If no members believe the question meets these criteria, the question will not be discussed further. 
When reviewing the questions, the Legal Committee should also consider potential interlinkage with the Strawberry Group questions to avoid any kind of overlap and/or determine which questions are better shared with DPAs instead of outside counsel.
 

b)      Substantive review of SSAD questions

 
Wrap and confirm next meeting to be scheduled 
a)      Confirm action items


 

For ease of reference, please find the SSAD questions submitted to date below:

 

1. There is a need to confirm that disclosure for legitimate purposes is not incompatible with the purposes for which such data has been collected.

 

2. Answer the controllership and legal basis question for a system for Standardized Access to Non-Public Registration Data, assuming a technical framework consistent with the TSG, and in a way that sufficiently addresses issues related to liability and risk mitigation with the goal of decreasing liability risks to Contracted Parties through the adoption of a system for Standardized Access (Suggested by IPC)

 

3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (Suggested by ISPCP)

 

4. The question of disclosure to non-EU law enforcement based on Art 6 I f GDPR should be presented to legal counsel. (Suggested by ISPCP)

 

5. Can a centralized access/disclosure model (one in which a single entity is responsible for receiving disclosure requests, conducting the balancing test, checking accreditation, responding to requests, etc.) be designed in such a way as to limit the liability for the contracted parties to the greatest extent possible?  IE - can it be opined that the centralized entity can be largely (if not entirely) responsible for the liability associated with disclosure (including the accreditation and authorization) and could the contracted parties’ liability be limited to activities strictly associated with other processing not related to disclosure, such as the collection and secure transfer of data?  If so, what needs to be considered/articulated in policy to accommodate this? (Suggested by GAC)

 

6. Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third party requestor? (Question from ICANN65 from GAC/IPC)

 

A non-text attachment was scrubbed...
Name: EPDP Phase 2 Legal Committee Meeting 1 Annotated Agenda.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 21268 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20190715/3e0959fc/EPDPPhase2LegalCommitteeMeeting1AnnotatedAgenda-0001.docx>