[Gnso-epdp-legal] Notes and action items - EPDP Phase 2 Legal Sub-team Meeting #7 - 17 September 2019

Hadia El Miniawi hadiaminiawi at yahoo.com
Tue Sep 17 17:54:27 UTC 2019


Apologies for missing today's meeting. I shall be reading the notes and transcript.
Best
Hadia

On Tuesday, September 17, 2019, 09:17:28 AM PDT, Caitlin Tubergen <caitlin.tubergen at icann.org> wrote:

Dear EPDP Phase 2 Legal Sub-team,

Please find notes and action items from today’s meeting below.

As a reminder, the next EPDP Phase 2 Legal Sub-team meeting will be Tuesday, 1 October at 14:00 UTC.

Best regards,

Marika, Berry, and Caitlin

--

Action Items

- Thomas, Volker, Brian and Margie to work together on refining this question (Q11), including considering the addition of a question on reverse look-ups, in advance of the next LC call on Tuesday, 1 October. Legal Committee to review during the next call.
- Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Team in advance of the next call on Tuesday, 1 October.
- Brian to reach out to Georgios to note the Legal Sub-team is proposing to remove this question (Q6) due to legal advice received during the F2F meeting, but noting Georgios may clarify the text if he believes a question is still necessary.

  

  

EPDP Phase 2 Legal Committee Meeting #7

Tuesday, 17 September 14:00 UTC

- Roll Call & SOI Updates

- Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

a) Substantive review of SSAD questions (beginning where LC left off during last LC meeting)

  

Updated Question 11

(Previous text proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners [1] (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?

For purposes of this question, please assume the following safeguards are in place:

- Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
- CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
- ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor:
  - represents that it has a lawful basis for requesting and processing the data,
  - provides its lawful basis,
  - represents that it is requesting only the data necessary for its purpose,
  - agrees to process the data in accordance with GDPR, and
  - agrees to EU standard contractual clauses for the data transfer.

Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.

  

Notes from Call:

- Does the previous memo from Bird & Bird provide enough guidance on automation that this question does not need to be posed?
- Think the Bird & Bird answer on automation missed the mark. The B&B memo seemed to assume that the decision-making was done by an entity that was a controller of the data.
- It should not make a difference which entity is ultimately disclosing the data to the third party, as the entity holding the data will still need to disclose the data.
- This is a different question than the one already posed to Bird & Bird – this question asks about volume, and it still needs to be answered. Consider adding the element of reverse look-ups to this question.

Action item: Thomas, Volker, Brian and Margie to work together on refining this question in advance of the next LC call on Tuesday, 1 October. Legal Committee to review during the next call.

  

Updated Questions 12 and 13:

(Previous text proposed by Margie)

  

Background: The recent EC Letter [icann.org] provides clarification regarding the possible legal bases for disclosure of non-public registration data to in the section entitled “Legal Bases for Processing”, and noted:

 

“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).”

 

and

 

“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

 

Questions:

- In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?
- To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR Article 6(1)(e) (public interest), in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”

Notes from Call:

- Team agreed to allow Matt and Brian additional time to reformulate this question.
- Is there value in asking the questions in the first place if the responses are not accepted at face value?
- The Team should carefully consider the rewritten question and see if the Legal Committee sees value in ultimately posing the question to outside counsel.
- Once the Team sees the redrafted question, the Legal Committee should take another look at the memo, because the answer will not be different.

Action item: Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Team in advance of the next call on Tuesday, 1 October.

Question 6 

Status: Legal Committee to review new text from Brian and Georgios. 

(Updated proposal from Brian and Georgios): Q6) Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, may the disclosing party (which may not be the entity that houses the requested data) take full responsibility to assess the lawful basis of the third-party requestor (without the entity that houses the requested data being responsible for assessing the lawful basis of the requestor)?

*Note to legal subteam: do we want to expand this question to cover the other aspects of a disclosure request, beyond merely the lawful basis?

Previous legal advice rec’d from Bird & Bird: “The safeguards require attestation by the Requestor that it has a legal basis for its collection of personal data via the SSAD. Our conclusion above is that CPs will most likely be viewed as controllers for this processing. Accordingly, the main concern for CPs will be that they (rather than a Requestor) have a legal basis for the processing. Where multiple different controllers are involved, the challenge is greater.”

Notes from call:

- The EC and GAC are interested in whether there is a difference between the disclosing entity (SSAD) and the entity that houses the data.
- Going back to the memos previously received, there is a chart that shows the difference between controllers and processors. Does this provide guidance to this question?
- This question is a duplicate of a previous question. Liability cannot be shifted by contract.
- For the future, if there is any doubt about duplication of questions, the individuals proposing the question should explain how the question differs and why it is necessary to ask the question.
- At this juncture, before spending money on legal questions, the Team needs to voice concerns with existing answers. The LC seems to be reframing questions to get a different answer that may suit particular parties. Rather than wordsmithing the questions, could the Team consider issues in the current memos and see if further guidance is needed, or, instead, if the open issues are policy questions?
- Support the idea of stating what the problem is, and then determining what the legal or policy issue is. That said, the policy discussion should occur in plenary meetings, not in legal committee calls.
- Any objection to noting that Q6 has already been answered, and accordingly removing it from the roster of questions?

Action: Brian to reach out to Georgios to note the EPDP Team received advice on the lawful basis of the requesting entity and give him the opportunity to clarify updated Q6.
   
- Questions previously put on hold pending further legal advice and/or EPDP Team discussion

a) How to conduct a balancing test under Article 6(1)(f) (suggestion by Farzaneh B.)

  

Status: Does the Legal Committee believe a further question on how to conduct a balancing test under 6(1)(f) is still warranted? (For reference, Bird & Bird has previously provided legal advice on how to carry out a balancing in both the Phase 1 city field memo and the Phase 2 automation memo.)

  

Notes from LC call:

- Legal Committee agrees it has already received previous advice on this question, and it can be removed from the list of outstanding questions.

  

b) Automated decision-making:

  

Status: Legal Committee to determine if the below question, or a permutation thereof, is necessary in light of the advice received from Bird & Bird in its Phase 2 Automation memo.

  

Draft question from Hadia: 

  

Part of the rights that GDPR gives to individual users are in relation to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non-public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure, in addition to performing the balancing test in case Article 6(1)f is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions, especially where a large number of requests are being analyzed.

The EPDP team would appreciate Bird & Bird's answers to the following:

- The potential risks to the controllers/processors associated with automated decision making, especially since a margin of error could always exist.
- The conditions/precautions that should be applied if automated decision making is to be used.
- Could a balancing test be used to weigh up the risks of using the results, and how could this be best done?

Notes from call:

- Legal Committee agrees it has already received previous advice on this question, and the questions can be removed from the list of outstanding questions.

  

c) Accreditation:

  

Status: The below question was proposed by ISPCP before the EPDP Team began discussing accreditation. Does this question need to be revisited now that discussions about accreditation have begun, or should it remain on hold pending further discussion?

  

3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (ISPCP)

  

Notes from call:

- The F2F meeting in Los Angeles made very clear that the Team does not have a common definition of what accreditation means. Until the Team agrees on a common definition, this question should be placed ON HOLD.

  

d) Additional topics noted in plenary sessions, where an EPDP Member requested the topic be considered by the Legal Committee

  

Status: Legal Committee to determine if the below topics should be considered further by the Legal Committee, and if so, volunteers are needed to provide draft text.

- Domain names based on identical contact information: If a requestor obtains contact information for a domain name engaged in bad activity, is accessing contact information from other domain names with identical contact information permissible? (topic introduced by Brian K. during 6 September plenary meeting)
- ccTLD operators offering reverse WHOIS look-up services (topic introduced by Margie during F2F – requested legal advice)

Notes from call:

- Thomas, Volker, Brian and Margie to consider these items in their review of Q11.

e) Agree on next steps

- Wrap and confirm next meeting to be scheduled

a) Confirm action items

b) The next LC Meeting will take place on Tuesday, 1 October at 14:00 UTC.

_______________________________________________
Gnso-epdp-legal mailing list
Gnso-epdp-legal at icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
_______________________________________________