[Gnso-epdp-legal] Notes and action items from Phase 2 Legal Committee Meeting #1

[Caitlin Tubergen]

Dear EPDP Phase 2 Legal Committee,

 

Below, please find the notes and action items from today’s call.

 

As a reminder, the next Phase 2 Legal Committee call is scheduled for Tuesday, 23 July at 14:00 UTC.

 

Best regards,

 

Marika, Berry, and Caitlin

 

--

 

Question for ICANN org

 

1. How does the Phase 2 Legal Committee’s work relate to the Strawberry Team’s work?

 

Action Items/Conclusions

 

1. GNSO-Secs to send invite for Tuesday, 23 July at 14:00 UTC for 75 minutes, and reserve the same time/duration on a bi-weekly basis following the 23 July meeting.

 

2. With respect to question 1, the Phase 2 LC has noted this question as premature at this time and will mark the question as “on hold”. The question will be revisited once the EPDP Team has identified the purposes for disclosure. 

 

3. With respect to questions 2 and 5, Brian King to consolidate these questions into one question and, where possible, include more detail in the wording. Following receipt of Brian’s draft, evaluate the best time to pose this question to legal counsel. 

 

4. With respect to question 3, the LC notes this question will be put on hold and revisited once the EPDP Team further deliberates the meaning of accreditation.

 

5. With respect to question 4, the LC is requesting further clarity from the author (ISPCP) re: the meaning and goal of this question.

 

6. LC Members to continue discussing remaining questions on the list to see if/how questions can be consolidated and prioritized.

--

 

For reference, here is a list of the questions: 

 

1. There is a need to confirm that disclosure for legitimate purposes is not incompatible with the purposes for which such data has been collected.

 

2. Answer the controllership and legal basis question for a system for Standardized Access to Non-Public Registration Data, assuming a technical framework consistent with the TSG, and in a way that sufficiently addresses issues related to liability and risk mitigation with the goal of decreasing liability risks to Contracted Parties through the adoption of a system for Standardized Access (Suggested by IPC)

 

3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (Suggested by ISPCP)

 

4. The question of disclosure to non-EU law enforcement based on Art 6 I f GDPR should be presented to legal counsel. (Suggested by ISPCP)

 

5. Can a centralized access/disclosure model (one in which a single entity is responsible for receiving disclosure requests, conducting the balancing test, checking accreditation, responding to requests, etc.) be designed in such a way as to limit the liability for the contracted parties to the greatest extent possible?  IE - can it be opined that the centralized entity can be largely (if not entirely) responsible for the liability associated with disclosure (including the accreditation and authorization) and could the contracted parties’ liability be limited to activities strictly associated with other processing not related to disclosure, such as the collection and secure transfer of data?  If so, what needs to be considered/articulated in policy to accommodate this? (Suggested by GAC)

 

6. Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third party requestor? (Question from ICANN65 from GAC/IPC)

 

7. To what extent, if any, are contracted parties accountable when a third party misrepresents their intended processing, and how can this accountability be reduced? (BC)

 

8. BC Proposes that the EPDP split Purpose 2 into two separate purposes:
Enabling ICANN to maintain the security, stability, and resiliency of the Domain Name System in accordance with ICANN’s mission and Bylaws though the controlling and processing of gTLD registration data. 
Enabling third parties to address consumer protection, cybersecurity, intellectual property, cybercrime, and DNS abuse involving the use or registration of domain names. counsel be consulted to determine if the restated purpose 2 (as stated above) 
 

Can legal counsel be consulted to determine if the restated purpose 2 (as stated above) is possible under GDPR?   If the above language is not possible, are there suggestions that counsel can make to improve this language? (BC)

 

9. Can legal analysis be provided on how the balancing test under 6(1)(f) is to be conducted, and under which circumstances 6(1)(f) might require a manual review of a request? (BC)

 

10. If not all requests benefit from manual review, is there a legal methodology to define categories of requests (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer) which can be structured to reduce the need for manual review? (BC)

 

11. Can legal counsel be consulted to determine whether GDPR prevents higher volume access for properly credentialed cybersecurity professionals, who have agreed on appropriate safeguards?  If such access is not prohibited, can counsel provide examples of safeguards (such as pseudonymization) that should be considered? (BC)

 

12. To identify 6(1)(b) as purpose for processing registration data, we should follow up on the B & B advice that- “it will be necessary to require that the specific third party or at least the processing by the third party is, at least abstractly, already known to the data subject at the time the contract is concluded and that the controller, as the contractual partner, informs the data subject of this prior to the transfer to the third party”

 

B&B should clarify why it believes that the only basis for providing WHOIS is for the prevention of DNS abuse.  Its conclusion in Paragraph 10 does not consider the other purposes identified by the EPDP in Rec 1, and, in any event should consider the recent EC recognition that ICANN has a broad purpose to:

 

‘contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission’, which is at the core of the role of ICANN as the “guardian” of the Domain Name System.”

 

13.  B&B should advise on the extent to which GDPR’s public interest basis 6(1)e is applicable, in light of the EC’s recognition that:

“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

--

 

Notes and Action Items

 
Roll Call and SOI Updates
Review Legal Committee Process and Working Methods
 

Questions/Concerns from Legal Committee

 
Could these calls be recorded? 
Yes, all Legal Committee calls are recorded.
Suggestion to make the calls on an as-needed basis. Recommend reserving this time on a bi-weekly basis to meet, but will cancel meetings if not needed and will cancel the meeting if it is not needed.
Action item: Calls to be scheduled every other Tuesday for 75 minutes, but will end early if possible. GNSO-Secs to send out invites accordingly.
 

 
Substantive Review of Priority 1 Legal Questions Submitted to Date
 

1. There is a need to confirm that disclosure for legitimate purposes is not incompatible with the purposes for which such data has been collected.

 
Do not under this question b/c GDPR Art. 5(b) requires that the data cannot be processed in a manner that is incompatible for the purposes for which such data has been collected.
This question is too broad.
Not sure it is necessary to go back to the Team for further clarification. Instead, note that the LC has deemed this question to be too broad to move forward.
Before this question is forwarded to outside counsel, the EPDP Team needs to define the purposes for disclosure, and these purposes need to be matched to the purposes for collection, so it is too early to ask this question. 
Where possible, the LC may crystallize and frame questions as legal issues. This question seems premature at this point in the EPDP Team’s work, but could be visited toward the end of the Team’s work.
Action: LC notes it is too early to send this question to B&B as the purposes for disclosure have not yet been identified by the EPDP Team. This question will be marked as on hold and can be revisited when the Team is further along in its work.
 

2. Answer the controllership and legal basis question for a system for Standardized Access to Non-Public Registration Data, assuming a technical framework consistent with the TSG, and in a way that sufficiently addresses issues related to liability and risk mitigation with the goal of decreasing liability risks to Contracted Parties through the adoption of a system for Standardized Access (Suggested by IPC)

 
The EPDP Team needs to first define the system and agree to it before asking this question.
The LC could collect questions to review at the end and send to outside counsel.
Question 2 and Question 5 are the “million-dollar questions”. The Team could assume a set of facts and then ask legal questions based upon those facts. It may be helpful to assume facts in the LC that are sufficiently detailed to receive legal advice. 
The LC should think about what type of question it can pose that will identify the boundaries of what the EPDP Team needs to keep in mind. Are there specific policy recommendations that would result in risks that cannot be mitigated? There may be value in finding out what the parameters are so that the Team is knowingly making policy recommendations with the knowledge of what the legal risks are.
It may be helpful to redraft the question.
The Team should ultimately care about the EDPB’s question, rather than a question for one lawyer.
How does the LC’s work relate to the Strawberry Team’s work?
Action: ICANN org to come back in writing with the answer to relation of the EPDP Team’s work with the Strawberry Team’s work?
Action: Brian King to consolidate questions two and five into one question, with more detail in the wording. From there, evaluate the best time to pose this question to legal counsel.
 

3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (Suggested by ISPCP)

 
First, the Team should agree on what accreditation-based disclosure means.
The answer to this question appears to be no – not sure the LC has to go back to the plenary team. 
Perhaps this question could be included in questions 2 and 5. 
Action: this question could be put on hold until the Team further deliberates the accreditation question.
 

4. The question of disclosure to non-EU law enforcement based on Art 6 I f GDPR should be presented to legal counsel. (Suggested by ISPCP)

 
Action: this question needs additional detail.
Action: LC to review the remainder of the questions and see if any questions can be consolidated and how the questions can be prioritized.
Next call will be 23 July, with bi-weekly calls starting after that.
 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20190716/79cf799b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20190716/79cf799b/smime-0001.p7s>