[Gnso-epdp-legal] Fwd: questions for Bird & Bird

Volker Greimann vgreimann at key-systems.net
Tue Oct 1 09:57:19 UTC 2019


Thank you Leon,

I do note that the legal vs. natural question has been discussed to 
death and I object to re-opening this issue as part of the legal 
questions. I do not believe that this question will provide any benefit 
to our deliberations regardless of the response and would only serve to 
further delay the ultimate result of our work due to the debates that 
will likely follow.

I also disagree with some of the statements made with regard to the 
first question. Whether such parties have a legitimate interest or not 
is not something that should be asserted but must first be questioned 
and then proven in every single case a request is being made.

As for sub-question c, the identity of a requestor is an important part 
of the information of the data subject as he would not be able to 
exercise his rights if he does not know where and by whom his data is 
processed.

For subquestion d, the decision of whether to release the data to a 
requestor lies with the data controller regardless of whether the data 
subject objects.

I do not understand what is meant by subquestion e.

Best regards,

Volker

On 27.09.2019 at 19:46, Leon Sanchez wrote:
> Dear colleagues,
>
> Below you will find a submission from SSAC for our consideration.
>
> Dear support staff,
>
> Could you please add these questions to the roster and include them in 
> future call agendas?
>
> Kind regards,
>
> León
>
>> Begin forwarded message:
>>
>> *From:* "Greg Aaron" <greg at illumintel.com>
>> *Subject:* *questions for Bird & Bird*
>> *Date:* 27 September 2019, 12:43:02 GMT-5
>> *To:* <gnso-epdp-team at icann.org>, <leon.sanchez at board.icann.org>
>>
>> Dear Leon et al:
>> Following up on the first round of answers from Bird & Bird and the 
>> F2F, SSAC would like the following to be reviewed by the legal 
>> sub-team and sent to Bird & Bird.  We’ve tried to make sure that 
>> these are new questions and are not duplicative of info we got from 
>> the first batch.  The SSAC team feels these are important questions 
>> to ask per the current work and the charter.
>> BALANCING, AND RIGHT TO OBJECT:
>> The defense of networks, the prevention of fraud, resisting 
>> cybercrime, and indicating possible criminal acts or threats to 
>> public security to a competent authority are tasks performed by third 
>> parties who are not law enforcement or government agencies. Such 
>> parties have legitimate interests in making data requests under GDPR, 
>> notably under Article 6(1)f; see also Recitals 47, 49, and 50. We are 
>> considering balancing where the data subject may be infringing upon 
>> the rights of others, and the safety of third-party requestors who 
>> deal with cybercrime.  The third-party purposes above also require 
>> timely responses to data requests.
>> Assume that registrars notify their registrants up-front of the 
>> purposes of data collection, under what circumstances the data may be 
>> released, the right to object, etc.
>> a. When a data controller receives a legitimate third-party data 
>> request, under what circumstances is the controller required under 
>> GDPR to explicitly notify the data subject that a request has 
>> occurred, and/or that it has provided data to a third party?
>> b. Under what circumstances do data subjects have the 
>> right to object under GDPR  to the release of their data to third 
>> parties?  Per Bird & Bird's Question 3 memo, ICANN's use cases do not 
>> involve profiling or highly sensitive data categories (race, 
>> political affiliation, etc.), and "a decision to release information 
>> via the SSAD is would not in itself have legal effect on the data 
>> subject."
>> c. Are data controllers ever required to notify the data 
>> subject of the identity of a third-party requestor?
>> d. Please confirm: when a data subject objects to 
>> processing, the decision to release the data resides with the data 
>> controller?
>> e. If a registrant must be notified of a request and then 
>> be given the opportunity to object, please explain how this process 
>> can be reconciled with or integrated into a SSAD that is designed to 
>> provide timely data exchange when possible and does not involve "a 
>> decision based solely on automated processing". (See Bird & Bird's 
>> Question 3 memo, paragraph 1.12.)
>> LEGAL VERSUS NATURAL PERSONS:
>> Registration data submitted by legal person registrants may contain 
>> the data of natural persons.  For example the contact data they 
>> provide may include a natural person's name and email address. Legal 
>> person registrants also have the ability to publish non-personally 
>> identifiable contact data ("admin at companyname.com") should they desire.
>> If registrants are required to self-identify as either a natural or 
>> legal person, then:
>> a. Can registrars rely on that self-identification?
>> b. Can registrars make the contact data submitted by legal person 
>> registrants publicly available in RDS (WHOIS), by stating that it is 
>> the responsibility of a legal person registrant to obtain consent 
>> from any natural person whose data it submits?
>> Please state any considerations, such as the ability of the 
>> registrant to correct its data.
>> As part of the analysis, please examine the policies of the Internet 
>> protocol (IP address) registries RIPE NCC (the registry in Europe, 
>> based in the Netherlands) and ARIN (the registry in North America, 
>> which has customer contacts in Europe).  These registries publish the 
>> data of natural persons who are subject to the GDPR, publicly via 
>> their WHOIS services, by placing the choice and responsibility on 
>> their registrants, who are legal persons.  IP addresses and domain 
>> names are two sides of the same coin, and these IP address registries 
>> state mission justifications and collection purposes similar to those 
>> in ICANN's Temporary Specification. See:
>> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful 
>> Personal Data Processing and the RIPE Database”: 
>> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
>> 2) “How We're Implementing the GDPR: The RIPE Database”: 
>> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
>> 3) "Personal Data Privacy Considerations At ARIN": 
>> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
>> 4) ARIN "Data Accuracy": 
>> https://www.arin.net/reference/materials/accuracy/
>> 5) ARIN Registration Services Agreement, paragraph 3: 
>> https://www.arin.net/about/corporate/agreements/rsa.pdf
>> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/
>
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.