[Gnso-epdp-legal] q11 updated language

epdp at gdpr.ninja epdp at gdpr.ninja
Tue Nov 19 10:22:33 UTC 2019


All,

our small drafting team consisting of Margie, Brian, Volker and myself met
briefly in Montreal and we now suggest the following language for q11. A few
points need discussion by our group, but we will leave that to our call.

 

Best,

Thomas

 

In order to inform our group's discussion on whether reverse lookups by any
accredited party be allowed and be part of our policy recommendations, we
would like to understand better whether reverse lookups can be compliant
with GDPR in the following scenarios.

In our current deliberations it was agreed that disclosure requests relate
to non-public registration data for a given domain name: a query is made for
one domain name and - if disclosure is permissible - non-public registration
data is returned for this very domain name.

Reverse lookups are different in that a query is made for any data element
that is not publicly available in the registration data, but may be present
as part of the non-public registration data. This may include e-mail
addresses, a registered name holder name or a phone number. If reverse
lookups were allowed, the SSAD could then potentially return numerous domain
names associated with the given data element and resulting in the disclosure
of non-public registration data for multiple domain names as well as other
personal information contained in the domain names themselves or the use
thereof. For example, a reverse query for a domain name holder may not only
return his business domain names but also those used for private purposes.
Further, a query for a more generic string such as "John Smith" as registered
name holder name may return results for multiple registered name holders.

Reverse lookups can be helpful to investigate patterns of abusive or
criminal behavior. 

Our group recognizes that reverse lookups can be more impactful for data
subjects. Hence, we are seeking your advice on a staggered approach to limit
disclosure to what is necessary for the requestor to conduct their work
while limiting the impact on the data subjects involved.

Scenario 1:

1. The accredited requestor must:

a. provide evidence that multiple (alternative suggestion: at least
one) domain name(s) are involved in illegal / abusive conduct
b. identify at least one domain name which it believes is involved
in the illegal / abusive conduct and
c. cite an appropriate legal basis under GDPR to support its request,
as well as all other information required for submitting "ordinary requests"
to the SSAD.

For example, victims of online fraud often share their experiences in online
fora. Credible information published by multiple users in a trusted forum
suggesting that a data element is linked to multiple domain names could
suffice as a basis for triggering a reverse lookup. These requirements (a-c)
are intended to prevent the reverse lookups from being misused as mere
"fishing expeditions" or based on guesses. The SSAD will initially only
produce the number of domain names associated with the given data elements
by TLD and by registrar. No further information will be returned. This shall
help the requestor to determine whether there is smoke or there is fire. 

2. If the requestor wishes to proceed, a manual review / balancing of
rights is required to determine whether investigating the alleged abusive
behavior or criminal activity allows the disclosure of information on
multiple domain names and whether proceeding to the next steps already
unjustifiably impacts the rights of the data subjects involved. This may be
the case where multiple domain names are used (for example) to publicize
political speech and where the requestor might try to suppress such free
speech or help convict those exercising free speech, or in other cases where
the impact on the data subject outbalances the legitimate interests of the
requestor.
3. If the manual review and balancing test is affirmative, only a list
of domain names is returned, not the non-public registration data for all
listed domain names.
4. The requestor may then proceed to file disclosure requests for
individual domain names and these will be dealt with according to "ordinary"
disclosure requests for individual domain names.

Scenario 2:

Dispute Resolution Providers appointed by ICANN, e.g. for UDRP cases, should
be able to request disclosure of domain names registered by a given
registered domain holder including non-public registration data for multiple
domain names where the dispute resolution policy allows for multiple domain
names to be included in one complaint, and where the multiple infringing
domain names are to be submitted as evidence by the complainant to support a
finding by the panelist of bad faith by the registrant.

Alternate proposal: Allow for DRPs to make requests to check whether the
data of any given domain name matches an already obtained data set. No data
would be disclosed, only the fact whether the data set matches that used in
the query.
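The staged flow in Scenario 1 (counts only, then a manual balancing review, then a bare domain list, then per-domain "ordinary" requests) and the match-only check in the Scenario 2 alternate proposal are, from a privacy-engineering point of view, a data-minimisation design: each stage releases strictly less than the next. The following Python model is an added illustration written for this page; it is not code from the drafting team, ICANN or any SSAD implementation. All registration records, domain names, registrar names and the `ReverseRequest` fields are constructed, and the check that a seed domain actually carries the queried data element is an assumption about how requirement 1b might be enforced, not something the draft text states.

```python
"""Staged reverse-lookup model for an SSAD (hypothetical illustration)."""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# Constructed sample of non-public registration data. Names, domains and
# registrars are invented for this example and do not refer to real registrants.
REGISTRATIONS = [
    {"domain": "example-shop.com",  "tld": "com", "registrar": "Registrar A",
     "holder": "John Smith", "email": "js@example.net", "phone": "+1-555-0100"},
    {"domain": "example-blog.net",  "tld": "net", "registrar": "Registrar B",
     "holder": "John Smith", "email": "js@example.net", "phone": "+1-555-0100"},
    {"domain": "example-deals.com", "tld": "com", "registrar": "Registrar A",
     "holder": "John Smith", "email": "js@example.net", "phone": "+1-555-0100"},
    {"domain": "other-site.org",    "tld": "org", "registrar": "Registrar B",
     "holder": "Jane Doe",   "email": "jd@example.org", "phone": "+1-555-0199"},
    # A different registrant who happens to share a generic holder name.
    {"domain": "another-smith.com", "tld": "com", "registrar": "Registrar A",
     "holder": "John Smith", "email": "smith2@example.com", "phone": "+1-555-0155"},
]

REVERSIBLE_ELEMENTS = {"holder", "email", "phone"}


@dataclass
class ReverseRequest:
    requestor: str
    element: str          # which non-public data element is being queried
    value: str            # the value to look up
    seed_domains: tuple   # step 1b: domain(s) believed involved in the conduct
    evidence: str         # step 1a: evidence of illegal / abusive conduct
    legal_basis: str      # step 1c: GDPR legal basis cited by the requestor


def _matching_records(element, value):
    return [r for r in REGISTRATIONS if r.get(element) == value]


def validate_request(req):
    """Return a list of problems; an empty list means requirements a-c are met."""
    problems = []
    if req.element not in REVERSIBLE_ELEMENTS:
        problems.append("element is not a reverse-lookup data element")
    if not req.evidence.strip():
        problems.append("missing evidence of illegal / abusive conduct (1a)")
    if not req.seed_domains:
        problems.append("no seed domain identified (1b)")
    if not req.legal_basis.strip():
        problems.append("no GDPR legal basis cited (1c)")
    # Assumed check, not stated in the draft: the seed domain must actually carry
    # the queried value, otherwise the request is a guess rather than an evidenced lead.
    seeds = {r["domain"] for r in _matching_records(req.element, req.value)}
    if req.seed_domains and not seeds.intersection(req.seed_domains):
        problems.append("seed domain(s) do not carry the queried data element")
    return problems


def stage1_counts(req):
    """Step 1 output: only counts by TLD and by registrar, nothing else."""
    problems = validate_request(req)
    if problems:
        raise ValueError("; ".join(problems))
    hits = _matching_records(req.element, req.value)
    return {"total": len(hits),
            "by_tld": dict(Counter(r["tld"] for r in hits)),
            "by_registrar": dict(Counter(r["registrar"] for r in hits))}


def stage3_domain_list(req, review_approved):
    """Step 3 output: a bare list of domain names, released only after the
    manual review / balancing test (step 2) has been recorded as affirmative."""
    if validate_request(req):
        raise ValueError("request does not meet requirements a-c")
    if not review_approved:
        raise PermissionError("manual review / balancing test not affirmative")
    return sorted(r["domain"] for r in _matching_records(req.element, req.value))


def ordinary_request(domain, disclosure_permitted):
    """Step 4: a per-domain 'ordinary' disclosure request, decided on its own."""
    if not disclosure_permitted:
        raise PermissionError("disclosure not permissible for " + domain)
    for r in REGISTRATIONS:
        if r["domain"] == domain:
            return dict(r)
    return None


def fingerprint(record):
    """Canonical digest of the identifying data in a record (assumed encoding)."""
    canon = "|".join(record[k].strip().lower() for k in ("holder", "email", "phone"))
    return hashlib.sha256(canon.encode()).hexdigest()


def matches_known_data(domain, known_fingerprint):
    """Scenario 2 alternate proposal: answer only whether the domain's data matches
    a data set the requestor already holds. No registration data leaves the SSAD."""
    for r in REGISTRATIONS:
        if r["domain"] == domain:
            return hmac.compare_digest(fingerprint(r), known_fingerprint)
    return False
```

Querying the constructed data for the e-mail `js@example.net` returns three domains across two TLDs and two registrars at stage 1, while a query for the generic holder name "John Smith" also sweeps in `another-smith.com`, which belongs to a different registrant; that is the ambiguity the draft warns about, and it is visible in the counts before any domain name or registration data is released. The match-only function returns a single boolean, so a dispute resolution provider learns whether a domain's data matches what it already holds and nothing more.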
