[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #6

Margie Milam margiemilam at fb.com
Mon Sep 2 17:14:39 UTC 2019


Hi –
Here is an updated question 12/13 for your consideration:
Background: The recent EC Letter<https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf> provides clarification regarding the possible legal bases for disclosure of non-public registration data to in the section entitled “Legal Bases for Processing”, and noted:

“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).”

and

“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

Questions:

  *   In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?
  *   To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR’s Article 6(1)e (public interest), in light of the EC’s recognition that:
“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

All the best,

Margie

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen at icann.org>
Date: Monday, September 2, 2019 at 7:25 AM
To: "gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
Subject: [Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee Meeting #6

Dear EPDP Phase 2 Legal Committee,

Please find the agenda for the next Legal Committee call on 3 September at 14:00 UTC below.

As a reminder,

  *   Thomas, Volker, Brian and Margie to work together on refining Question 11. Legal Committee to review updated text during the next call.
  *   Margie to review the 6(1)(b) memo and reword Question 12/13 to add more specificity (in response to feedback from the plenary team).
Thank you.

Best regards,

Marika, Berry, and Caitlin
--

EPDP Phase 2 Legal Committee Meeting #6
Tuesday, 3 September 14:00 UTC
Proposed Annotated Agenda

  1.  Roll Call & SOI Updates
  2.  Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

a)  Substantive review of SSAD questions (beginning where LC left off last week)

  *   Updated Question 11 (proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners[1] (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?

For purposes of this question, please assume the following safeguards are in place:

     *   Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
     *   CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
     *   ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor:
          *   represents that it has a lawful basis for requesting and processing the data,
          *   provides its lawful basis,
          *   represents that it is requesting only the data necessary for its purpose,
          *   agrees to process the data in accordance with GDPR, and
          *   agrees to EU standard contractual clauses for the data transfer.


[1] SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.

Status: Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.

  *   Updated Question 12 and 13: LC to review simplified question before sending to EPDP Team for sign off: In light of the 3 May 2019 correspondence from the European Commission<https://www.icann.org/en/system/files/correspondence/odonohue-to-marby-03may19-en.pdf>, are any updates on the previous memo on 6(1)(b)<https://community.icann.org/download/attachments/102138857/6%281%29%28b%29%20Memo.docx?version=1&modificationDate=1548874809000&api=v2> necessary?
Status: Further to the feedback from the plenary team, Margie to review the previous memo on 6(1)(b)<https://community.icann.org/download/attachments/102138857/6%281%29%28b%29%20Memo.docx?version=1&modificationDate=1548874809000&api=v2> and propose updated and specific language for review by the Legal Committee.

  *   Question 6: Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)
Status: awaiting updated text from Brian/Georgios

  3.  Additional questions/issues raised for discussion

a)  Suggestion from Farzaneh: Add a general question about how to carry out the balancing test

b)  Draft question from Hadia:

Part of the rights that GDPR gives to individual users are in relation to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non-public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure, in addition to performing the balancing test in case article 6(1)f is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions, especially where a large number of requests are being analyzed.

The EPDP team would appreciate Bird & Bird answers to the following:

     *   The potential risks to the controllers/processors associated with automated decision making, especially that a margin of error could always exist.
     *   The conditions/precautions that should be applied if automated decision making is to be used.
     *   Could a balancing test be used to weigh up the risks of using the results, and how could this be best done?

Note: Legal Committee agreed to review legal advice received from first batch of questions and assess whether this question, or a permutation thereof, is needed.

c)  Agree on next steps

  4.  Wrap and confirm next meeting to be scheduled

a)  Confirm action items

b)  The next LC Meeting will take place on Tuesday, 17 September at 14:00 UTC.
