[Gnso-epdp-legal] Notes and action items - EPDP Phase 2 Legal Committee Meeting #9 - 15 Oct 2019

Caitlin Tubergen caitlin.tubergen at icann.org
Wed Oct 16 22:11:32 UTC 2019


Dear EPDP Phase 2 Legal Committee:

 

Please find below the notes and action items from yesterday’s Legal Committee meeting.

 

As a reminder, the next Legal Committee meeting is scheduled for Tuesday, 19 November at 1400 UTC.

 

Thank you.


Best regards,

 

Marika, Berry, and Caitlin

--

 

EPDP Phase 2 Legal Committee Meeting #9

Tuesday, 15 October at 14:00 UTC

Action Items

1. Brian, Margie, Thomas, and Volker to work together on reformulating Q11 based on today’s discussion. In redrafting the question, small group to consider the previous Bird & Bird advice re: safeguards.

2. EPDP Legal Committee to notify the Strawberry Team of the 6(1)(e) example.

3. Margie to draft new question based on reverse WHOIS look-up services.

4. Margie to update the question on the right to be forgotten with specific text that may conflict with the previous territorial scope memo.

5. ICANN org staff to assist with formatting the legal memo summaries.

Notes

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. 

 
Roll Call & SOI Updates 
 
Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date
 

a)      Substantive review of SSAD questions (beginning where LC left off during last LC meeting)

 

Updated Question 11    
Margie is generally OK with Volker’s approach, but the assumptions should match the assumptions in other questions
By listing the safeguards, the balancing test became baked into the facts. This is predetermining the outcome of a balancing test based on the safeguards put in place.
This use case is unique, and the text should emphasize this is not about IP rights or wanting to see who is behind a domain name – this class of requestor has a legal obligation under law (like a 6(1)(c) basis) – could this predetermine the outcome of the 6(1)(f) test?
The balancing test cannot be preempted by preloading the requestor’s side with interests
Would the team like to take another shot at resolving the issues, or is the small group deadlocked? 
Can the team ask for the information needed without categorizing the balancing test as being abandoned? For example – the interests of the registrant are considered in a general way as are the interests of the party seeking access to the data.
Should the question be iterative? Since we have advice on additional safeguards, it may be worth working that into the question.
Action item: Brian, Margie, Thomas, and Volker to work together on reformulating the question based on today’s discussion. In redrafting the question, small group to consider the previous Bird & Bird advice re: safeguards.

Updated Question 12 and 13

 

Notes:
There are two conditions required to use 6(1)(e) – the processing has to be necessary to carry out a public interest AND has to have a basis in Union law.
GDPR assumes that these types of registers will be provided for under national law. It seems to be established that domain name registers would be provided for in national law. It may be helpful to reach out to DPAs in this regard.
Does not make sense to ask this question – however, it may be worth asking the Strawberry Team to explore this concept.
Just b/c there is a regulation for one specific case does not mean it can be applied to all similar cases
ccTLDs have a different relationship to gTLDs – this case cannot be relied on as an analogy – do not understand how the Strawberry Team can deal with this concept
There may not be a public interest concept to rely on in this particular case
Conclusion – this question will not be forwarded to Bird & Bird. However, this can be pointed out to the Strawberry Team.
 
Questions previously put on hold pending further legal advice and/or EPDP Team discussion
 

a)      Additional topics noted in plenary sessions, where an EPDP Member requested the topic be considered by the Legal Committee

 
Domain names based on identical contact information: If a requestor obtains contact information for a domain name engaged in bad activity, is accessing contact information from other domain names with identical contact information permissible? (topic introduced by Brian K. during 6 September plenary meeting)
 
ccTLD operators offering reverse WHOIS look-up services (topic introduced by Margie during F2F – requested legal advice) 
 

Status: Thomas, Volker, Brian and Margie to consider these items in their review of Q11. 

 

Notes: 
Small team has not thoroughly considered the above points.
Does it make sense to take reverse look-ups into a separate question? 
Yes – Margie to reformulate reverse WHOIS look-up services into a separate question.
 
BALANCING, AND RIGHT TO OBJECT: The defense of networks, the prevention of fraud, resisting cybercrime, and indicating possible criminal acts or threats to public security to a competent authority are tasks performed by third parties who are not law enforcement or government agencies. Such parties have legitimate interests in making data requests under GDPR, notably under Article 6(1)(f); see also Recitals 47, 49, and 50. We are considering balancing where the data subject may be infringing upon the rights of others, and the safety of third-party requestors who deal with cybercrime. The third-party purposes above also require timely responses to data requests.
Assume that registrars notify their registrants up-front of the purposes of data collection, under what circumstances the data may be released, the right to object, etc. 
When a data controller receives a legitimate third-party data request, under what circumstances is the controller required under GDPR to explicitly notify the data subject that a request has occurred, and/or that it has provided data to a third party? 
Under what circumstances do data subjects have the right to object under GDPR to the release of their data to third parties?  Per Bird & Bird's Question 3 memo, ICANN's use cases do not involve profiling or highly sensitive data categories (race, political affiliation, etc.), and "a decision to release information via the SSAD is would not in itself have legal effect on the data subject."
Are data controllers ever required to notify the data subject of the identity of a third-party requestor?
Please confirm: when a data subject objects to processing, the decision to release the data resides with the data controller?
If a registrant must be notified of a request and then be given the opportunity to object, please explain how this process can be reconciled with or integrated into a SSAD that is designed to provide timely data exchange when possible and does not involve "a decision based solely on automated processing". (See Bird & Bird's Question 3 memo, paragraph 1.12.) 
 

Notes:

 
Does the Team want to ask this question, and if so, should the text be revised? 
Should not take on more than the law requires. Data subject is required to be informed at the time the data is collected. The rest of this question appears to go above and beyond what is required.
This appears to be interpreting the GDPR too broadly. Registrars likely do not notify data subjects after each disclosure. 
Conclusion: this question will be removed from further consideration by the legal committee.
 
Google Right to be Forgotten: 
 

Notes:
There was another right to be forgotten case that seems to have taken a different path – perhaps both cases should be included
This question could be answered without asking the legal consultants. Reading the GDPR helps in this context – it defines the scope of the right to be forgotten
The cited case applies to GDPR, and it would be useful to hear from B&B on this.
It may be helpful to pull out items in the case that may conflict with the territorial scope memo
 

b)      Agree on next steps

 
Presentation of high-level summaries of legal memos 
 
Questions 1/2: https://docs.google.com/document/d/1wqEn6-PvvIOjcK5BxrVFi2HND4na2H-vE4jbKt00oCk/edit
Question 3: https://docs.google.com/document/d/1SJu0Znem6fOybAKb19nB6cSSgaO6ZRfM3BpViX-wZA4/edit
Question 4: https://docs.google.com/document/d/1blfcicgJu_NBV9L3dtF9aRU28W5hjaXdVzCeVNwcoXA/edit
 

Notes:
Formatting should be uniform.
It would be helpful to cite back to the text of the memos in the summaries
Include an executive summary on the top of the memo – these are likely to be the pieces that are most helpful and informative to the EPDP Team
Helpful to have until the end of the week to finalize the action items.
 

 
Wrap and confirm next meeting to be scheduled 
a)      Confirm action items

b)      The next Legal Committee meeting is scheduled for Tuesday, 19 November at 14:00 UTC.

 

 

 

 

 
