[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #9 - 15 October 2019
Volker Greimann
vgreimann at key-systems.net
Tue Oct 15 08:06:42 UTC 2019
Hi Terri,
I see that you completely ignored/missed my edits which had been
agreed in general by Margie as well. I had sent that on Oct 1. Maybe you
missed my attachment?
In any case, the below is not the latest nor generally approved version.
Best Volker
On 14.10.2019 at 20:26, Terri Agnew wrote:
>
> *EPDP Phase 2 Legal Committee Meeting #9*
>
> *Tuesday, 15 October at 14:00 UTC*
>
> *Proposed Annotated Agenda*
>
> 1. *Roll Call & SOI Updates*
>
> 2. *Continued Substantive Review of Priority 1 (SSAD) Legal Questions
> Submitted to Date*
>
> a) Substantive review of SSAD questions (beginning where LC left off
> during last LC meeting)
>
> *_Updated Question 11_*
>
> /Status: Thomas, Volker, Brian and Margie to work together on refining
> this question in advance of the next LC call on Tuesday, 15 October./
>
> (Text proposed by Margie): Is it permissible under GDPR to provide
> fast, automated, and non-rate limited responses (as described in SSAC
> 101) to nonpublic WHOIS data for properly credentialed security
> practitioners^1 (as defined in SSAC 101) who are responsible for
> defense against e-crimes (including network operators, providers of
> online services, commercial security services, cyber-crime
> investigators) for use in investigations and mitigation activities to
> protect their network, information systems or services (as referenced
> in GDPR Recital 49) and have agreed on appropriate safeguards? Or
> would any automated disclosure carry a potential for liability of the
> disclosing party, or the controllers or processors of such data? Can
> counsel provide examples of safeguards (such as
> pseudonymization/anonymization) that should be considered?
>
> For purposes of this question, please assume the following safeguards
> are in place:
>
> o Disclosure is required under CP’s contract with ICANN
> (resulting from Phase 2 EPDP policy).
> o CP’s contract with ICANN requires CP to notify the data
> subject of the purposes for which, and types of entities by
> which, personal data may be processed. CP is required to
> notify data subject of this with the opportunity to opt out
> before the data subject enters into the registration agreement
> with the CP, and again annually via the ICANN-required
> registration data accuracy reminder. CP has done so.
> o ICANN or its designee has validated/verified the requestor’s
> identity, and required in each instance that the requestor:
>
> • represents that it has a lawful basis for requesting and processing
> the data,
>
> • provides its lawful basis,
>
> • represents that it is requesting only the data necessary for its
> purpose,
>
> • agrees to process the data in accordance with GDPR, and
>
> • agrees to EU standard contractual clauses for the data transfer.
>
> Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those
> who have a responsibility to perform specific types of functions (as
> specified in Section 3) related to the identification and mitigation
> of malicious activity, and the correction of problems that negatively
> affect services and users online.
>
> *_Updated Question 12 and 13_*
>
> /Status: Brian and Matthew to summarize the two positions re:
> questions 12 and 13 and propose whether Bird & Bird should opine on
> this. Legal Committee to discuss the positions during its next
> meeting./ (Previous text proposed by Margie)
>
> *Background:* The recent EC Letter [icann.org]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_en_system_files_correspondence_odonohue-2Dto-2Dmarby-2D03may19-2Den.pdf&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=QByFqrfGsimsUqARjmh9tGVvwXBjAR0IbkSD0eVdiYg&s=EdXqx7ByC1uX-5j8DO06GVnRLxI1FCbAryQMnKVef7Q&e=> provides
> clarification regarding the possible legal bases for disclosure of
> non-public registration data to in the section entitled “Legal Bases
> for Processing”, and noted:
>
> /“As explained in our comments, Art. 6(1)f GDPR (legitimate interest)
> is one of the six possible legal bases provided under Art. 6(1) GDPR.
> For instance, disclosure of nonpublic gTLD registration data could be
> necessary for compliance with a legal obligation to which the
> contracted parties are subject (see Art. 6(1)c GDPR)./”
>
> and
>
> /“With regard to the formulation of purpose two, the European
> Commission acknowledges ICANN’s central role and responsibility for
> ensuring the security, stability and resilience of the Internet Domain
> Name System and that in doing so it acts in the public interest.”/
>
> *Questions:*
>
> * In light of these statements from the EC, are there any updates to
> the prior memos submitted by B&B regarding the applicable bases
> for disclosure of non-public registration data to third parties
> for the purposes identified in EPDP Phase 1 Final Report Rec. 1
> (Final Report), such as the memo on 6(1)(b)?
> * To what extent can disclosures of non-public registration data to
> third parties for the purposes identified in the Final Report Rec.
> 1 be justified under GDPR’s Article 6(1)e (public interest), in
> light of the EC’s recognition that: /“With regard to the
> formulation of purpose two, the European Commission acknowledges
> ICANN’s central role and responsibility for ensuring the security,
> stability and resilience of the Internet Domain Name System and
> that in doing so it acts in the public interest.”/
>
> 3. *Questions previously put on hold pending further legal advice
> and/or EPDP Team discussion*
>
> a) *Additional topics noted in plenary sessions, where an EPDP Member
> requested the topic be considered by the Legal Committee*
>
> o *Domain names based on identical contact information*: If a
> requestor obtains contact information for a domain name
> engaged in bad activity, is accessing contact information from
> other domain names with identical contact information
> permissible? (topic introduced by Brian K. during 6 September
> plenary meeting)
>
> o *ccTLD operators offering reverse WHOIS look-up services*
> (topic introduced by Margie during F2F – requested legal advice)
>
> /Status: Thomas, Volker, Brian and Margie to consider these items in
> their review of Q11./
>
> * *BALANCING, AND RIGHT TO OBJECT*: The defense of networks, the
> prevention of fraud, resisting cybercrime, and indicating possible
> criminal acts or threats to public security to a competent
> authority are tasks performed by third parties who are not law
> enforcement or government agencies. Such parties have legitimate
> interests in making data requests under GDPR, notably under
> Article 6(1)f; see also Recitals 47, 49, and 50. We are
> considering balancing where the data subject may be infringing
> upon the rights of others, and the safety of third-party
> requestors who deal with cybercrime. The third-party purposes
> above also require timely responses to data requests.
>
> Assume that registrars notify their registrants up-front of the
> purposes of data collection, under what circumstances the data may be
> released, the right to object, etc.
>
> 1. When a data controller receives a legitimate
> third-party data request, under what circumstances is
> the controller required under GDPR to explicitly
> notify the data subject that a request has occurred,
> and/or that it has provided data to a third party?
> 2. Under what circumstances do data subjects have the
> right to object under GDPR to the release of their
> data to third parties? Per Bird & Bird's Question 3
> memo, ICANN's use cases do not involve profiling or
> highly sensitive data categories (race, political
> affiliation, etc.), and "a decision to release
> information via the SSAD would not in itself have
> legal effect on the data subject."
> 3. Are data controllers ever required to notify the data
> subject of the /identity/ of a third-party requestor?
> 4. Please confirm: when a data subject objects to
> processing, the decision to release the data resides
> with the data controller?
> 5. If a registrant must be notified of a request and then
> be given the opportunity to object, please explain how
> this process can be reconciled with or integrated into
> a SSAD that is designed to provide timely data
> exchange when possible and does not involve "a
> decision based solely on automated processing". (See
> Bird & Bird's Question 3 memo, paragraph 1.12.)
>
> * *Google Right to be Forgotten:* (Proposed by Margie) In light of
> last week’s landmark Right to Be Forgotten Case regarding the
> reach of GDPR:
>
> https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-09/cp190112en.pdf,
> where the Court clarified the applicability of GDPR outside of the EU,
> and stated:
>
> /“However, it states that numerous third States do not recognise the
> right to dereferencing or have a different approach to that right. The
> Court adds that the right to the protection of personal data is not an
> absolute right, but must be considered in relation to its function in
> society and be balanced against other fundamental rights, in
> accordance with the principle of proportionality. In addition, the
> balance between the right to privacy and the protection of personal
> data, on the one hand, and the freedom of information of internet
> users, on the other, is likely to vary significantly around the world.”/
>
> Does this ruling affect:
>
> 1. The advice given in Phase 1 Regarding Territorial Scope
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fcommunity.icann.org-252Fdownload-252Fattachments-252F102138857-252FICANN-252520-2D-252520Memo-252520on-252520Territorial-252520Scope-252520.docx-253Fversion-253D1-2526modificationDate-253D1552176561000-2526api-253Dv2-26data-3D02-257C01-257CMarksv-2540microsoft.com-257C0fc10369b86b4fb54cdb08d745d81ad8-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C1-257C637054666773951714-26sdata-3D85hB3n-252BgHO5zltdzTm5Pmd-252FUeu0T7OL-252F4bywkCcb7dg-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DOGmtg_3SI10Cogwk-ShFiw%26r%3DqQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA%26m%3DqgqaikAoSyJzElcg7C-u09feQBWajzhT1JT2LBv05jg%26s%3D8TCbK69KiXCKrPpNO-KL9rKcsRkCISjzvCof8uKQBRs%26e%3D&data=02%7C01%7CMarksv%40microsoft.com%7C2925832daae546b63e0408d745f74dba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637054800792839937&sdata=exadgrNqqCKVQ%2FLTBKZXXJMnBkfDjA9SNSTaJuX%2FH4Q%3D&reserved=0>?
> 2. The advice given in Q1-2 with respect to liability (Section 4 of
> the memo)?
>
> In light of this ECJ decision, using the same assumptions identified
> for Q1 and Q2, would there be less risk under GDPR to contracted
> parties if:
>
> 1. the SSAD allowed automated disclosure responses to
> requests submitted by accredited entities for redacted
> data of registrants and/or controllers located outside of
> the EU, for legitimate purposes (such as cybersecurity
> investigations and mitigation) and/or other fundamental
> rights such as intellectual property infringement
> investigations (See Article 17, Section 2,
> https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Feur-2Dlex.europa.eu-252Flegal-2Dcontent-252FEN-252FTXT-252F-253Furi-253DCELEX-253A12012P-252FTXT-26data-3D02-257C01-257CMarksv-2540microsoft.com-257C2925832daae546b63e0408d745f74dba-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C1-257C637054800792819948-26sdata-3DRxgqL9eYdRavnaFqIDjzDOT4GPHJRSsmQ1-252Favz10vKw-253D-26reserved-3D0&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=VLG2NlF9SKlO5Br01dwddo_lA4oncgv7PkSSSsw8ZV4&s=fPD2dxvOeBSKNBXQT0rUNkNPmaova0kNQcFCii_4G6Y&e=>); and/or
>
> 2. ICANN served as the sole entity making disclosure
> decisions for the SSAD, and directly provided access to
> the redacted data from a processing center outside of the
> EU (such as from ICANN’s Los Angeles Headquarters)?
>
> b) *Agree on next steps*
>
> 4. *Presentation of high-level summaries of legal memos*
>
> 5. *Wrap and confirm next meeting to be scheduled*
>
> a) Confirm action items
--
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.