[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #9- 15 October 2019

Becky Burr becky.burr at board.icann.org
Tue Oct 15 13:12:51 UTC 2019


Thomas, Brian, Margie -

Can you confirm Volker's concern that the text in the agenda is not your
current agreed-upon version and, if so, can you circulate your agreed-upon
text for our consideration this morning?  Thanks.

Becky

On Tue, Oct 15, 2019 at 1:07 AM Volker Greimann <vgreimann at key-systems.net>
wrote:

> Hi Terri,
>
>  I see that you completely ignored/missed my edits which had been agreed
> in general by Margie as well. I had sent that on Oct 1. Maybe you missed my
> attachment?
>
> In any case, the below is not the latest nor generally approved version.
>
> Best Volker
>
>
>
> On 14.10.2019 at 20:26, Terri Agnew wrote:
>
> *EPDP Phase 2 Legal Committee Meeting #9*
>
> *Tuesday, 15 October at 14:00 UTC*
>
> *Proposed Annotated Agenda*
>
> 1. *Roll Call & SOI Updates*
>
> 2. *Continued Substantive Review of Priority 1 (SSAD) Legal Questions
>    Submitted to Date*
>
>
>
> a) Substantive review of SSAD questions (beginning where the LC left
> off during the last LC meeting)
>
>
>
> *Updated Question 11*
>
>
>
> *Status: Thomas, Volker, Brian and Margie to work together on refining
> this question in advance of the next LC call on Tuesday, 15 October.*
>
>
>
> *(Text proposed by Margie):* Is it permissible under GDPR to provide
> fast, automated, and non-rate-limited responses (as described in SSAC 101)
> to nonpublic WHOIS data for properly credentialed security practitioners[1] (as
> defined in SSAC 101) who are responsible for defense against e-crimes
> (including network operators, providers of online services, commercial
> security services, cyber-crime investigators) for use in investigations and
> mitigation activities to protect their network, information systems or
> services (as referenced in GDPR Recital 49) and have agreed on appropriate
> safeguards? Or would any automated disclosure carry a potential for
> liability of the disclosing party, or the controllers or processors of such
> data? Can counsel provide examples of safeguards (such as
> pseudonymization/anonymization) that should be considered?
>
>
>
> For purposes of this question, please assume the following safeguards are
> in place:
>
>
>
>    - Disclosure is required under CP’s contract with ICANN (resulting
>      from Phase 2 EPDP policy).
>    - CP’s contract with ICANN requires CP to notify the data subject
>      of the purposes for which, and types of entities by which, personal data
>      may be processed. CP is required to notify the data subject of this with the
>      opportunity to opt out before the data subject enters into the registration
>      agreement with the CP, and again annually via the ICANN-required
>      registration data accuracy reminder. CP has done so.
>    - ICANN or its designee has validated/verified the requestor’s
>      identity, and required in each instance that the requestor:
>        - represents that it has a lawful basis for requesting and
>          processing the data,
>        - provides its lawful basis,
>        - represents that it is requesting only the data necessary for
>          its purpose,
>        - agrees to process the data in accordance with GDPR, and
>        - agrees to EU standard contractual clauses for the data transfer.
>
>
>
>
>
> Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who
> have a responsibility to perform specific types of functions (as specified
> in Section 3) related to the identification and mitigation of malicious
> activity, and the correction of problems that negatively affect services
> and users online.
>
>
>
> *Updated Questions 12 and 13*
>
> *Status: Brian and Matthew to summarize the two positions re: questions 12
> and 13 and propose whether Bird & Bird should opine on this. Legal
> Committee to discuss the positions during its next meeting.* (Previous
> text proposed by Margie)
>
>
>
> *Background:* The recent EC Letter
> <https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf>
> provides clarification regarding the possible legal bases for disclosure
> of non-public registration data in the section entitled “Legal Bases for
> Processing”, and noted:
>
>
>
> *“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is
> one of the six possible legal bases provided under Art. 6(1) GDPR. For
> instance, disclosure of nonpublic gTLD registration data could be necessary
> for compliance with a legal obligation to which the contracted parties are
> subject (see Art. 6(1)c GDPR).*”
>
>
>
> and
>
>
>
> *“With regard to the formulation of purpose two, the European Commission
> acknowledges ICANN’s central role and responsibility for ensuring the
> security, stability and resilience of the Internet Domain Name System and
> that in doing so it acts in the public interest.”*
>
>
>
> *Questions:*
>
>    - In light of these statements from the EC, are there any updates to
>    the prior memos submitted by B&B regarding the applicable bases for
>    disclosure of non-public registration data to third parties for the
>    purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report),
>    such as the memo on 6(1)(b)?
>    - To what extent can disclosures of non-public registration data to
>    third parties for the purposes identified in the Final Report Rec. 1 be
>    justified under GDPR Article 6(1)e (public interest), in light of the EC’s
>    recognition that: *“With regard to the formulation of purpose two, the
>    European Commission acknowledges ICANN’s central role and responsibility
>    for ensuring the security, stability and resilience of the Internet Domain
>    Name System and that in doing so it acts in the public interest.”*
>
>
> 3. *Questions previously put on hold pending further legal advice
>    and/or EPDP Team discussion*
>
>
>
> a) *Additional topics noted in plenary sessions, where an EPDP
> Member requested the topic be considered by the Legal Committee*
>
>
>
>    - *Domain names based on identical contact information*: If a
>       requestor obtains contact information for a domain name engaged in bad
>       activity, is accessing contact information from other domain names with
>       identical contact information permissible? (topic introduced by Brian K.
>       during 6 September plenary meeting)
>
>
>
>    - *ccTLD operators offering reverse WHOIS look-up services *(topic
>       introduced by Margie during F2F – requested legal advice)
>
>
>
> *Status: Thomas, Volker, Brian and Margie to consider these items in their
> review of Q11. *
>
>
>
>    - *BALANCING, AND RIGHT TO OBJECT*: The defense of networks, the
>    prevention of fraud, resisting cybercrime, and indicating possible criminal
>    acts or threats to public security to a competent authority are tasks
>    performed by third parties who are not law enforcement or government
>    agencies. Such parties have legitimate interests in making data requests
>    under GDPR, notably under Article 6(1)f; see also Recitals 47, 49, and 50.
>    We are considering balancing where the data subject may be infringing upon
>    the rights of others, and the safety of third-party requestors who deal
>    with cybercrime.  The third-party purposes above also require timely
>    responses to data requests.
>
> Assume that registrars notify their registrants up-front of the purposes
> of data collection, under what circumstances the data may be released, the
> right to object, etc.
>
>    1. When a data controller receives a legitimate third-party data
>       request, under what circumstances is the controller required under GDPR to
>       explicitly notify the data subject that a request has occurred, and/or that
>       it has provided data to a third party?
>    2. Under what circumstances do data subjects have the right
>       to object under GDPR to the release of their data to third parties? Per
>       Bird & Bird's Question 3 memo, ICANN's use cases do not involve profiling
>       or highly sensitive data categories (race, political affiliation, etc.),
>       and "a decision to release information via the SSAD would not in itself
>       have legal effect on the data subject."
>    3. Are data controllers ever required to notify the data
>       subject of the *identity* of a third-party requestor?
>    4. Please confirm: when a data subject objects to processing,
>       the decision to release the data resides with the data controller?
>    5. If a registrant must be notified of a request and then be
>       given the opportunity to object, please explain how this process can be
>       reconciled with or integrated into a SSAD that is designed to provide
>       timely data exchange when possible and does not involve "a decision based
>       solely on automated processing". (See Bird & Bird's Question 3 memo,
>       paragraph 1.12.)
>
>
>
>    - *Google Right to be Forgotten:* (Proposed by Margie) In light of
>      last week’s landmark Right to Be Forgotten case regarding the reach of GDPR
>      (https://curia.europa.eu/jcms/upload/docs/application/pdf/2019-09/cp190112en.pdf),
>      where the Court clarified the applicability of GDPR outside of the EU,
>      and stated:
>
> *“However, it states that numerous third States do not recognise the right
> to dereferencing or have a different approach to that right. The Court adds
> that the right to the protection of personal data is not an absolute right,
> but must be considered in relation to its function in society and be
> balanced against other fundamental rights, in accordance with the principle
> of proportionality. In addition, the balance between the right to privacy
> and the protection of personal data, on the one hand, and the freedom of
> information of internet users, on the other, is likely to vary
> significantly around the world.”*
>
>
>
> Does this ruling affect:
>
>    1. The advice given in Phase 1 regarding Territorial Scope
>       <https://community.icann.org/download/attachments/102138857/ICANN%20-%20Memo%20on%20Territorial%20Scope%20.docx?version=1&modificationDate=1552176561000&api=v2>?
>    2. The advice given in Q1-2 with respect to liability (Section 4 of
>    the memo)?
>
> In light of this ECJ decision, using the same assumptions identified for
> Q1 and Q2, would there be less risk under GDPR to contracted parties if:
>
>    1. the SSAD allowed automated disclosure responses to requests
>       submitted by accredited entities for redacted data of registrants and/or
>       controllers located outside of the EU, for legitimate purposes (such as
>       cybersecurity investigations and mitigation) and/or other
>       fundamental rights such as intellectual property infringement
>       investigations (see Article 17, Section 2,
>       https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT); and/or
>    2. ICANN served as the sole entity making disclosure decisions for the
>       SSAD, and directly provided access to the redacted data from a processing
>       center outside of the EU (such as from ICANN’s Los Angeles Headquarters)?
>
>
>
> *b) Agree on next steps*
>
>
>
> 4. *Presentation of high-level summaries of legal memos*
>
>
>
> 5. *Wrap and confirm next meeting to be scheduled*
>
> a) Confirm action items
>
>
> _______________________________________________
> Gnso-epdp-legal mailing list
> Gnso-epdp-legal at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list in accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
>
> --
> Volker A. Greimann
> General Counsel and Policy Manager
> *KEY-SYSTEMS GMBH*
>
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
>
> Key-Systems GmbH is a company registered at the local court of
> Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Alexander Siffrin
>
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in
> England and Wales with company number 8576358.