[Gnso-epdp-legal] Fwd: Updated Question 11

Volker Greimann vgreimann at key-systems.net
Wed Oct 2 14:53:38 UTC 2019


She sent that 4 minutes before the meeting, obviously without the input 
of Thomas and me...



-------- Forwarded Message --------
Subject: 	[Gnso-epdp-legal] Updated Question 11
Date: 	Tue, 1 Oct 2019 13:56:24 +0000
From: 	Margie Milam <margiemilam at fb.com>
To: 	gnso-epdp-legal at icann.org <gnso-epdp-legal at icann.org>



Hi-

Here's my proposal based on prior discussions with Brian, Thomas & 
Volker. Please note that this language is not reviewed yet by Thomas, 
Brian & Volker, but I am sharing for the purposes of discussion today.

__________________________

Updated Question 11

Status: Thomas, Volker, Brian and Margie to work together on refining 
this question in advance of the next LC call on Tuesday, 1 October.

(Previous text proposed by Margie): Is it permissible under GDPR to 
provide fast, automated, and non-rate limited responses (as described in 
SSAC 101) to nonpublic WHOIS data for properly credentialed security 
practitioners [1] (as defined in SSAC 101) who are responsible for defense 
against e-crimes (including network operators, providers of online 
services, commercial security services, cyber-crime investigators) for 
use in investigations and mitigation activities to protect their 
network, information systems or services (as referenced in GDPR Recital 
49) and have agreed on appropriate safeguards? Or would any automated 
disclosure carry a potential for liability of the disclosing party, or 
the controllers or processors of such data? Can counsel provide examples 
of safeguards (such as pseudonymization/anonymization) that should be 
considered?

In addition, does GDPR prohibit the SSAD from being designed to enable 
reverse lookups based on contact fields associated with domain names 
that have been identified as being used for DNS abuse, such as phishing, 
malware and/or similar types of attacks? What are the risks associated 
with reverse lookups, and if it is possible to conduct reverse lookups, 
are there steps that can be taken to mitigate any perceived risks?

For purposes of this question, please assume the following safeguards 
are in place:

o Disclosure is required under CP's contract with ICANN (resulting from 
Phase 2 EPDP policy).

o CP's contract with ICANN requires CP to notify the data subject of the 
purposes for which, and types of entities by which, personal data may be 
processed. CP is required to notify the data subject of this with the 
opportunity to opt out before the data subject enters into the 
registration agreement with the CP, and again annually via the 
ICANN-required registration data accuracy reminder. CP has done so.

o ICANN or its designee has validated/verified the requestor's identity, 
and required in each instance that the requestor:

  • represents that it has a lawful basis for requesting and processing 
    the data,

  • provides its lawful basis,

  • represents that it is requesting only the data necessary for its 
    purpose,

  • agrees to process the data in accordance with GDPR, and

  • agrees to EU standard contractual clauses for the data transfer.

Footnote 1: SSAC defines "security practitioners" in SSAC 101 as those 
who have a responsibility to perform specific types of functions (as 
specified in Section 3) related to the identification and mitigation of 
malicious activity, and the correction of problems that negatively 
affect services and users online.   are entities that have either legal 
authority and/or legal responsibility to protect their 
technology/network/infrastructure, such as national CERTs, and also 
DSPs. (See the UK ICO 
(https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-providers/) 
since these types of companies appear to have security obligations 
(https://ico.org.uk/for-organisations/the-guide-to-nis/security-requirements/).

