[Gnso-epdp-legal] Outstanding action items reminder

King, Brian Brian.King at markmonitor.com
Mon Oct 14 20:14:22 UTC 2019 

Hi Matthew,

Thank you for sending this well-reasoned and persuasive outline. I agree that we should not ask Bird & Bird for legal advice on this, at least without first considering further input to allow us to raise a better/different question. It seems clear to me that B&B’s advice will track your outline very closely, and will likely arrive at the same conclusion.

I do admit I have trouble abandoning the concept of public interest for a couple reasons below:


  1.  Common sense: ICANN acts in the public interest (in the plain meaning of the term) in coordinating the DNS.
     *   ICANN is a nonprofit public benefit corporation.
     *   There are no clear pecuniary or other benefits to ICANN itself to coordinating the global DNS, including operating an SSAD.
     *   This could be the definition intended by the EC in its letter to ICANN, but I’m not sure.



  1.  GDPR assumes that WHOIS-type registers will be covered by law.
     *   Recital 73 is on point, referring to “the keeping of public registers kept for reasons of general public interest” (e.g. land or TM ownership registers, I assume)
     *   Recital 111 is on point, stating that “provisions should be made” for the transfer of data “necessary in relation to a contract or a legal claim” or “from a register established by law and intended for consultation by the public or persons having a legitimate interest.”
     *   Providing WHOIS for .eu domain names is established under EU law (https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1571074502391&uri=CELEX:32019R0517 Article 12), and under national law of many member states for their own ccTLDs (e.g. https://www.dk-hostmaster.dk/en/danish-act-internet-domains).
     *   Piecing these breadcrumbs together, it appears that GDPR assumes that these registers operate in the public interest, and that they will be established under EU or member state law. The problem with this assumption is that it’s inapplicable to the DNS. ICANN does not coordinate the DNS because it’s been established to do so under EU law, and ICANN does not require legislative endorsement by the EU in order to operate an SSAD.

The outstanding question about this “public interest” concept, in my mind at least, is perhaps more for the DPAs than for Bird & Bird: are we to understand that although ICANN acts in the public interest, as noted by the European Commission<https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/20190417/6f0a65b2/CommentsontheTemporarySpecificationforgTLDRegistrationDataPolicyRecommendations-0001.pdf>, ICANN couldn’t rely on 6.1.e grounds to ensure the security, stability and resilience of the DNS (as European ccTLDs do<https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1571074502391&uri=CELEX:32019R0517>) merely because ICANN’s coordination of gTLDs is not established under EU law? Alternatively, is the concept of WHOIS, which is established in EU and member state law, naturally extended to ICANN’s coordination of gTLDs, perhaps due to their global nature? If so, what further “provisions should be made” beyond the EC’s aforementioned letter, to establish this?

Perhaps the Strawberry Team or someone else could put this concept to the DPAs with a request for insight. What does the legal team think?

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> On Behalf Of Crossman, Matthew via Gnso-epdp-legal
Sent: Monday, October 14, 2019 11:16 AM
To: Caitlin Tubergen <caitlin.tubergen at icann.org>; gnso-epdp-legal at icann.org
Subject: Re: [Gnso-epdp-legal] Outstanding action items reminder

Hi everyone,

Here is a brief summary of my thoughts on why we don’t need to ask the proposed question on 6.1(e) and can rely on Bird & Bird’s existing advice.

Proposed Question: To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR’ Article 6(1)e (public interest), in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

Position: We should not ask Bird & Bird whether disclosure of non-public registration data is justified under 6.1(e) because, per Bird & Bird’s existing advice, a necessary condition for the use of 6.1(e) is an existing basis in EU or Member State law.

  *   Processing of personal data is permissible under 6.1(e)<https://urldefense.proofpoint.com/v2/url?u=https-3A__gdpr-2Dinfo.eu_art-2D6-2Dgdpr_&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=2vtm2kNVRAVKJnky_VSJmHVKjbbX3Xv8wHStjgPJ1F4&s=hgD8qC9TedTkHu_JLhp-Ykn5Rt0Drj2ha8O4fYlVqaQ&e=> if the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” However, “[t]he basis for the processing referred to in [6.1(e)] shall be laid down by: Union law; or Member State law to which the controller is subject.” (See 6.3<https://urldefense.proofpoint.com/v2/url?u=https-3A__gdpr-2Dinfo.eu_art-2D6-2Dgdpr_&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=2vtm2kNVRAVKJnky_VSJmHVKjbbX3Xv8wHStjgPJ1F4&s=hgD8qC9TedTkHu_JLhp-Ykn5Rt0Drj2ha8O4fYlVqaQ&e=>).  Recital 45<https://urldefense.proofpoint.com/v2/url?u=https-3A__gdpr-2Dinfo.eu_recitals_no-2D45_&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=2vtm2kNVRAVKJnky_VSJmHVKjbbX3Xv8wHStjgPJ1F4&s=JF8rvDr_vzcqjtpzuFBsAuiDCsrv5UyhVLpJOtAHDgg&e=> also confirms that “[w]here processing . . . is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law.” (emphasis mine).
  *   In other words, processing under 6.1(e) has two required conditions: it must be (i) necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; AND (ii) the processing should have a basis in Union or Member State law. (emphasis mine)
  *   The existing memo from Bird & Bird on Question 4 confirms that a basis in Union or Member State law is required. “Art 6(3)<https://urldefense.proofpoint.com/v2/url?u=https-3A__gdpr-2Dinfo.eu_art-2D6-2Dgdpr_&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=2vtm2kNVRAVKJnky_VSJmHVKjbbX3Xv8wHStjgPJ1F4&s=hgD8qC9TedTkHu_JLhp-Ykn5Rt0Drj2ha8O4fYlVqaQ&e=> makes clear that the task or authority in question must be laid down by EU or Member State law and that the processing must meet an objective of public interest and be proportionate to the legitimate aim pursued.” (emphasis mine)
  *   Even assuming for the purpose of argument that the EC letter is authoritative in determining whether ICANN has an “objective of public interest”, it is apparent that ICANN currently has no authority to perform that task based on EU or Member State law.
  *   In light of the guidance from the ICANN Board to our committee to “avoid[] duplication and look[] to past and current efforts, where available, as there may be existing legal advice the EPDP Team could utilize,” I suggest we strike this question since Bird & Bird’s existing advice confirms that 6.1(e) is not applicable in this context.

Thanks,
Matt


From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org<mailto:gnso-epdp-legal-bounces at icann.org>> On Behalf Of Caitlin Tubergen
Sent: Friday, October 11, 2019 12:55 PM
To: gnso-epdp-legal at icann.org<mailto:gnso-epdp-legal at icann.org>
Subject: [Gnso-epdp-legal] Outstanding action items reminder

Dear Phase 2 Legal Committee:

Gentle reminder of the following outstanding action items from our last meeting:

1. Matthew, Brian, Margie, Stephanie and Hadia to provide high-level summaries of legal memos for the plenary to review by Monday, 14 October.
2. LC to review Margie’s proposed updated text to Question 11 (re: security practitioners) – question to be discussed during the next call on Tuesday, 15 October.
3. Brian and Matthew to summarize the two positions re: questions 12 and 13 and propose whether Bird & Bird should opine on this. Legal Committee to discuss the positions during its next meeting.

Thank you.

Best regards,

Marika, Berry, and Caitlin


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20191014/5791f0f1/attachment-0001.html>

More information about the Gnso-epdp-legal mailing list