[Gnso-epdp-legal] previous Bird & Bird guidance on 6(1)(f) balancing test

Caitlin Tubergen caitlin.tubergen at icann.org
Thu Sep 5 01:43:24 UTC 2019


Dear EPDP Phase 2 Legal Committee:

In response to the action item for EPDP Support Staff to circulate the portion of the Bird & Bird City Field memo that referenced the 6(1)(f) balancing test, please find the below excerpt, which starts on p. 4. For context, please find a link to the full memo here: City field.docx.

Balancing test. Satisfying the balancing test requires an assessment of the strength of the interest pursued balanced against the potential risks for data subjects. This element of the test usually requires detailed analysis of the facts and circumstances. Opinion 06/2014 provides helpful guidance on weighing each side of the balance:

a) Analysis of the strength of the interest:

"In general, the fact that a controller acts not only in its own legitimate (e.g. business) interest, but also in the interests of the wider community, can give more 'weight' to that interest. The more compelling the public interest or the interest of the wider community, and the more clearly acknowledged and expected it is in the community and by data subjects that the controller can take action and process data in pursuit of these interests, the more heavily this legitimate interest weighs in the balance.

"On the other hand, 'private enforcement' of the law should not be used to legitimise intrusive practices that would, were they carried out by a government organisation, be prohibited pursuant to the case law of the European Court of Human Rights on grounds that the activities of the public authority would interfere with the privacy of data subjects without meeting the stringent test under Article 8(2) of the ECHR".

b) The WP29 lists five factors to consider when assessing the impact on data subjects:

Assessment of impact. The controller must consider not only adverse outcomes on individuals, but also other broader consequences for data subjects: "Relevant 'impact' is a much broader concept than harm or damage to one or more specific data subjects. 'Impact' as used in this Opinion covers any possible (potential or actual) consequences of the data processing".

Nature of the data. This factor requires consideration of the level of sensitivity of the data as well as whether the data is already publicly available.

The way the data is processed. The manner in which the data will be processed affects the balance of interests. Of particular relevance, the WP29 states, "whether the data are publicly disclosed or otherwise made accessible to a large number of persons" is an important consideration if "[s]eemingly innocuous data, when processed on a large scale and combined with other data may lead to inferences about more sensitive data".

The reasonable expectations of the data subject. Whether an individual is likely to expect the processing activity will affect the balance of interests. This concept also appears in Recital 47 of the GDPR, which states, "the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place".

The status of the controller and data subject. Finally, the assessment must take into consideration the negotiating power and any imbalances in authority between the controller and the data subject. Thus, this analysis changes depending on both the status and authority of the controller and the relative power of the data subject.


Please let us know if we can be of further assistance.

Best regards,

Marika, Berry, and Caitlin

From: Caitlin Tubergen <caitlin.tubergen at icann.org>
Date: Tuesday, September 3, 2019 at 8:18 AM
To: "gnso-epdp-legal at icann.org" <gnso-epdp-legal at icann.org>
Subject: Notes and action items - EPDP Phase 2 Legal Committee Meeting #6 - 3 September 2019

Dear EPDP Phase 2 Legal Committee,

Please find the notes and action items from today’s Legal Committee Meeting below.

As a reminder, the next Legal Committee meeting will be on Tuesday, 3 September at 14:00 UTC.

Best regards,

Marika, Berry, and Caitlin

--

Action Items

Thomas, Volker, Brian and Margie to work together on refining Q11 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.
Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.
Brian and Georgios to review and refine Q6 and submit updated language to the Legal Committee in advance of the next call on Tuesday, 17 September.
EPDP Support Staff to review the Phase 1 Bird & Bird City Field memo and circulate the relevant text regarding carrying out the balancing test to the Legal Committee for further review to assess whether a further legal question needs to be asked.
EPDP Support Staff to circulate the agreed-upon clarifications to Bird & Bird following today’s meeting. León to note the clarifications to the plenary team on Thursday, 5 September during the Legal Committee update.

Proposed Annotated Agenda – EPDP Phase 2 Legal Committee Meeting
3 September 2019

Roll Call & SOI Updates
Discussion of Bird & Bird Clarification Questions to Batch 1 Questions

a) Is Q2 asking a different question to those in the first set of questions? Q1(1), in particular, asks us to consider "the risk of a third party abusing or circumventing the safeguards" – that seems similar to what Q2 is asking.

Proposed response: Thank you for clarifying. It is not a different question from Q1(1); rather, it is a specific concern we would like Bird and Bird to address in your response to Q1(1).

b) In the first set of questions, one assumption is that "data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body" – we assume that even for a "direct" disclosure, the request is still going to come in via the SSAD, and will still be evaluated as all other requests would be; the key difference is just in terms of the final step (data would be sent directly to the requestor by the CP, not via ICANN org / ICANN org's designee).

Yes, this is an assumption you can make.
The question the team is asking is about disclosure in an SSAD system. Yes, assume that even for a direct disclosure the request is still coming in through an SSAD.
Disclosure is envisaged to take place without any manual interaction with the contracted party. The contracted party would not intervene in this instance.
Proposed answer: Yes, your assumption is correct. We confirm data will be requested through an SSAD without any interaction from the contracted parties.
 
Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

a) Substantive review of SSAD questions (beginning where LC left off last week)

Updated Question 11 (proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners[1] (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?

For purposes of this question, please assume the following safeguards are in place:

Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor:
• represents that it has a lawful basis for requesting and processing the data,
• provides its lawful basis,
• represents that it is requesting only the data necessary for its purpose,
• agrees to process the data in accordance with GDPR, and
• agrees to EU standard contractual clauses for the data transfer.

Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.


Status: Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.

Action item: Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.

Updated Questions 12 and 13:

 

Background: The recent EC Letter [icann.org] provides clarification regarding the possible legal bases for disclosure of non-public registration data to in the section entitled “Legal Bases for Processing”, and noted:

 

“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).”

 

and

 

“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

 

Questions:
In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?
To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR’s Article 6(1)e (public interest), in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”
Still having trouble seeing how the EC statement would change the 6(1)(b) memo. 6(1)(e) requires some sort of underlying law in a member state to enable the entity to process data under that exception – that does not seem relevant for ICANN, particularly in light of Recital 45. 
The memo may not change, but it’s worthwhile to at least pose the question, especially since the memo came out before the EC letter.
Problem with this question – as long as the law does not change, unclear why the EC’s letter will change the previous advice here.
The question may need to be tweaked to be made clearer, the answer is not clear and should be asked. Another thing that makes this an important question to ask is that we still do not have an agreed-upon Purpose 2. Clarification on this question could assist in moving the team forward.
It may be worth getting clarity on this question. One alternative that could help the question be more productive – there has been guidance from the EDPB re: online data subjects in May 2019. This is binding guidance and may change the legal analysis. 
If the team wants B&B to consider other inputs, the question could be tweaked to include other inputs.
Action item: Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Team in advance of the next call on Tuesday, 17 September.

Question 6: Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)
Status: Awaiting updated text from Brian/Georgios
Additional questions/issues raised for discussion
a) Suggestion from Farzaneh: Add a general question about how to carry out the balancing test

Need a volunteer from the EPDP to draft this.
Alan Woods sent around an informal how-to; Alan pointed out there is already guidance from the City Field memo about what goes into the 6(1)(f) balancing test.
Action: EPDP Support Staff to review the City Field memo and include the relevant text regarding carrying out the balancing test for Legal Committee to review.
 

b) Draft question from Hadia:

Part of the rights that GDPR gives to individual users are in relation to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non-public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure, in addition to performing the balancing test in case article 6(1)f is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions especially where a large number of requests are being analyzed.

 

The EPDP team would appreciate Bird & Bird’s answers to the following:

The potential risks to the controllers/processors associated with automated decision making, especially since a margin of error could always exist.
The conditions/precautions that should be applied if automated decision making is to be used.
Could a balancing test be used to weigh up the risks of using the results, and how could this best be done?
 

Note: Legal Committee agreed to review legal advice received from first batch of questions and assess whether this question, or a permutation thereof, is needed.

 
This question seems similar to questions included in Batch 1. 
Proposal to review Hadia’s draft text once the advice from Batch 1 is returned. 
 

c) Agree on next steps

Wrap and confirm next meeting to be scheduled
a) Confirm action items

b) The next LC Meeting will take place on Tuesday, 17 September at 14:00 UTC.