[Gnso-epdp-legal] Proposed agenda - EPDP Phase 2 Legal Committee meeting #7

Caitlin Tubergen caitlin.tubergen at icann.org
Fri Sep 13 18:42:11 UTC 2019


Dear EPDP Phase 2 Legal Committee,

Please find the proposed annotated agenda for the upcoming meeting of the EPDP Phase 2 Legal Committee on Tuesday, 17 September at 14:00 UTC.

As a reminder, here are the outstanding items from the last call:

1. Thomas, Volker, Brian and Margie to work together on refining Q11 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.

2. Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.

Best regards,

Marika, Berry, and Caitlin

--

EPDP Phase 2 Legal Committee Meeting #7

Tuesday, 17 September 14:00 UTC

Proposed Annotated Agenda

Roll Call & SOI Updates

Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

a)      Substantive review of SSAD questions (beginning where LC left off during last LC meeting)

Updated Question 11

Status: Thomas, Volker, Brian and Margie to work together on refining this question in advance of the next LC call on Tuesday, 17 September. Legal Committee to review during the next call.

(Previous text proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate-limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners[1] (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?

For purposes of this question, please assume the following safeguards are in place:

1. Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).

2. CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify the data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.

3. ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor:

   • represents that it has a lawful basis for requesting and processing the data,
   • provides its lawful basis,
   • represents that it is requesting only the data necessary for its purpose,
   • agrees to process the data in accordance with GDPR, and
   • agrees to EU standard contractual clauses for the data transfer.

Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.

Updated Question 12 and 13:

Status: Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Team in advance of the next call on Tuesday, 17 September.

(Previous text proposed by Margie)

Background: The recent EC Letter provides clarification regarding the possible legal bases for disclosure of non-public registration data in the section entitled “Legal Bases for Processing”, and noted:

“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).”

and

“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

Questions:

1. In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?

2. To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR Article 6(1)(e) (public interest), in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

Question 6

Status: Legal Committee to review new text from Brian and Georgios.

(Updated proposal from Brian and Georgios): Q6) Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, may the disclosing party (which may not be the entity that houses the requested data) take full responsibility to assess the lawful basis of the third-party requestor (without the entity that houses the requested data being responsible for assessing the lawful basis of the requestor)?

*Note to legal subteam: do we want to expand this question to cover the other aspects of a disclosure request, beyond merely the lawful basis?

Previous legal advice received from Bird & Bird: “The safeguards require attestation by the Requestor that it has a legal basis for its collection of personal data via the SSAD. Our conclusion above is that CPs will most likely be viewed as controllers for this processing. Accordingly, the main concern for CPs will be that they (rather than a Requestor) have a legal basis for the processing. Where multiple different controllers are involved, the challenge is greater.”

Questions previously put on hold pending further legal advice and/or EPDP Team discussion

a)      How to conduct a balancing test under Article 6(1)(f) (suggestion by Farzaneh B.)

Status: Does the Legal Committee believe a further question on how to conduct a balancing test under 6(1)(f) is still warranted? (For reference, Bird & Bird has previously provided legal advice on how to carry out a balancing test in both the Phase 1 city field memo and the Phase 2 automation memo.)

b)      Automated decision-making:

Status: Legal Committee to determine if the below question, or a permutation thereof, is necessary in light of the advice received from Bird & Bird in its Phase 2 Automation memo.

Draft question from Hadia:

Some of the rights that GDPR gives to individual users are in relation to automated decision-making. In the context of gTLD registration data, automated decision-making could be particularly useful when evaluating requests for disclosure of non-public registration data. The decision-making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure, in addition to performing the balancing test in case Article 6(1)(f) is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions, especially where a large number of requests are being analyzed.

The EPDP team would appreciate Bird & Bird’s answers to the following:

1. The potential risks to the controllers/processors associated with automated decision-making, especially given that a margin of error could always exist.

2. The conditions/precautions that should be applied if automated decision-making is to be used.

3. Could a balancing test be used to weigh up the risks of using the results, and how could this be best done?

c)       Accreditation:

Status: The below question was proposed by ISPCP before the EPDP Team began discussing accreditation. Does this question need to be revisited now that discussions about accreditation have begun, or should it remain on hold pending further discussion?

3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (ISPCP)

d)      Additional topics noted in plenary sessions, where an EPDP Member requested the topic be considered by the Legal Committee

Status: Legal Committee to determine if the below topics should be considered further by the Legal Committee, and if so, volunteers are needed to provide draft text.

• Domain names based on identical contact information: If a requestor obtains contact information for a domain name engaged in bad activity, is accessing contact information from other domain names with identical contact information permissible? (topic introduced by Brian K. during 6 September plenary meeting)

• ccTLD operators offering reverse WHOIS look-up services (topic introduced by Margie during F2F – requested legal advice)

e)      Agree on next steps

Wrap and confirm next meeting to be scheduled

a)      Confirm action items

b)      The next LC Meeting will take place on Tuesday, 1 October at 14:00 UTC.