[Gnso-epdp-legal] Updated Question 11

Volker Greimann vgreimann at key-systems.net
Tue Oct 1 15:57:19 UTC 2019


Dear team,

please find attached a first commentary on the proposed question 11 
outlining some issues and proposing some edits.

Best,

volker

On 01.10.2019 at 15:56, Margie Milam wrote:
>
> Hi-
>
> Here’s my proposal based on prior discussions with Brian, Thomas & 
> Volker. Please note that this language is not reviewed yet by Thomas, 
> Brian & Volker, but I am sharing for the purposes of discussion today.
>
> __________________________
>
> Updated Question 11
>
> Status: Thomas, Volker, Brian and Margie to work together on refining 
> this question in advance of the next LC call on Tuesday, 1 October.
>
> (Previous text proposed by Margie): Is it permissible under GDPR to 
> provide fast, automated, and non-rate limited responses (as described 
> in SSAC 101) to nonpublic WHOIS data for properly credentialed 
> security practitioners^1 (as defined in SSAC 101) who are responsible 
> for defense against e-crimes (including network operators, providers 
> of online services, commercial security services, cyber-crime 
> investigators) for use in investigations and mitigation activities to 
> protect their network, information systems or services (as referenced 
> in GDPR Recital 49) and have agreed on appropriate safeguards? Or 
> would any automated disclosure carry a potential for liability of the 
> disclosing party, or the controllers or processors of such data? Can 
> counsel provide examples of safeguards (such as 
> pseudonymization/anonymization) that should be considered?
>
> In addition, does GDPR prohibit the SSAD to be designed to enable 
> reverse lookups based on contact fields associated with domain names 
> that have been identified as being used for DNS abuse, such as 
> phishing, malware and or similar type of attacks? What are the risks 
> associated with reverse lookups, and if it is possible to conduct 
> reverse lookups, are there steps that can be taken to mitigate any 
> perceived risks?
>
> For purposes of this question, please assume the following safeguards 
> are in place:
>
> o Disclosure is required under CP’s contract with ICANN (resulting from 
> Phase 2 EPDP policy).
>
> o CP’s contract with ICANN requires CP to notify the data subject of 
> the purposes for which, and types of entities by which, personal data 
> may be processed. CP is required to notify data subject of this with 
> the opportunity to opt out before the data subject enters into the 
> registration agreement with the CP, and again annually via the 
> ICANN-required registration data accuracy reminder. CP has done so.
>
> o ICANN or its designee has validated/verified the requestor’s 
> identity, and required in each instance that the requestor:
>
> • represents that it has a lawful basis for requesting and processing 
> the data,
>
> • provides its lawful basis,
>
> • represents that it is requesting only the data necessary for its 
> purpose,
>
> • agrees to process the data in accordance with GDPR, and
>
> • agrees to EU standard contractual clauses for the data transfer.
>
> Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those 
> who have a responsibility to perform specific types of functions (as 
> specified in Section 3) related to the identification and mitigation 
> of malicious activity, and the correction of problems that negatively 
> affect services and users online. are entities that have either 
> legal authority and/or legal responsibility to protect their 
> technology/network/infrastructure, such as national CERTs, and also 
> DSPs. (See the UK ICO 
> (https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/) 
> since these types of companies appear to have security obligations 
> (https://ico.org.uk/for-organisations/the-guide-to-nis/security-requirements/). 
>
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Updated Question 11.docx
Type: application/octet-stream
Size: 10603 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20191001/a8741d3a/UpdatedQuestion11-0001.docx>