From vgreimann at key-systems.net Wed Apr 1 12:26:37 2020 From: vgreimann at key-systems.net (Volker Greimann) Date: Wed, 1 Apr 2020 14:26:37 +0200 Subject: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird In-Reply-To: References: Message-ID: I agree with Becky. Oral presentations may just lead to further differences of opinion. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. On Tue, Mar 31, 2020 at 4:18 PM Becky Burr wrote: > Dear Brian, > > Thanks for this suggestion. Perhaps it would be preferable if we had > Bird & Bird send any follow-up questions, comments, or requests for > clarification to the EPDP Legal Committee in writing? Given our process, > the questions should be able to stand on their own, and it may be easier to > formulate answers to any follow-up questions in writing rather than on the > fly. In addition, having dialogue in writing will promote transparency > since the communications between the Legal Committee and Bird & Bird can be > fully communicated to the rest of the team. > > B > > On Mon, Mar 30, 2020 at 11:23 AM King, Brian via Gnso-epdp-legal < > gnso-epdp-legal at icann.org> wrote: > >> Hi Team, >> >> >> >> I wanted to propose that we schedule a brief call with Bird & Bird to >> discuss the question on automation we just sent. >> >> >> >> While I was just an alternate in Phase 1 and was not able to attend, I >> understand from many EPDP colleagues across various groups that there was a >> lot of value from discussions with Ruth. >> >> >> >> Since the answers to these automation questions will likely be of great >> importance to a high-priority topic (automation), and because at least the >> proximate cause issue may be a novel area of law, I think a dialogue would >> be useful to confirming Bird & Bird?s understanding of our intent behind >> these questions. >> >> >> >> I look forward to your thoughts. >> >> >> >> Thanks. >> >> >> >> *Brian J. King * >> Director of Internet Policy and Industry Affairs >> >> >> >> T +1 443 761 3726 >> * markmonitor.com * >> >> >> >> >> *MarkMonitor *Protecting companies and consumers in a digital world >> >> >> _______________________________________________ >> Gnso-epdp-legal mailing list >> Gnso-epdp-legal at icann.org >> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal >> _______________________________________________ >> By submitting your personal data, you consent to the processing of your >> personal data for purposes of subscribing to this mailing list accordance >> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and >> the website Terms of Service (https://www.icann.org/privacy/tos). You >> can visit the Mailman link above to change your membership status or >> configuration, including unsubscribing, setting digest-style delivery or >> disabling delivery altogether (e.g., for a vacation), and so on. > > _______________________________________________ > Gnso-epdp-legal mailing list > Gnso-epdp-legal at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-legal > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and > the website Terms of Service (https://www.icann.org/privacy/tos). You can > visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Brian.King at markmonitor.com Wed Apr 1 15:13:34 2020 From: Brian.King at markmonitor.com (King, Brian) Date: Wed, 1 Apr 2020 15:13:34 +0000 Subject: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird In-Reply-To: References: Message-ID: Thank you Becky and Volker for those helpful perspectives. I appreciate the need for transparency, and that there are likely differences of opinion within the legal team. In ?the real world? practice of law, the concept of not speaking with outside counsel about a question asked of them would be quite a bizarre scenario. Simply informing them of why we are asking the question could be of great value to how they think about the problem we need help in solving. The first example that comes to mind is Section 1.12 of the memo on Automation, which appears to provide an elegantly simple way to ensure the processing is not automated and therefore not subject to Article 22. If Bird & Bird had a bit more information on what we were trying to accomplish, I can?t help but think they would have elaborated on this section and provided further guidance on how best to ensure the model we?re considering does not invoke Article 22 in the first place. We cannot assume Bird & Bird has been following our work very closely, if at all, especially since the legal committee decided not to send them any sections of the Initial Report for their thoughts. I?ll understand if the legal committee thinks we have the time and resources remaining to engage in further written back-and-forth, but I submit that a 30- or 60-minute phone call would be far more efficient. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Volker Greimann Sent: Wednesday, April 1, 2020 8:27 AM To: Becky Burr Cc: King, Brian ; gnso-epdp-legal at icann.org Subject: Re: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird I agree with Becky. Oral presentations may just lead to further differences of opinion. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. On Tue, Mar 31, 2020 at 4:18 PM Becky Burr > wrote: Dear Brian, Thanks for this suggestion. Perhaps it would be preferable if we had Bird & Bird send any follow-up questions, comments, or requests for clarification to the EPDP Legal Committee in writing? Given our process, the questions should be able to stand on their own, and it may be easier to formulate answers to any follow-up questions in writing rather than on the fly. In addition, having dialogue in writing will promote transparency since the communications between the Legal Committee and Bird & Bird can be fully communicated to the rest of the team. B On Mon, Mar 30, 2020 at 11:23 AM King, Brian via Gnso-epdp-legal > wrote: Hi Team, I wanted to propose that we schedule a brief call with Bird & Bird to discuss the question on automation we just sent. While I was just an alternate in Phase 1 and was not able to attend, I understand from many EPDP colleagues across various groups that there was a lot of value from discussions with Ruth. Since the answers to these automation questions will likely be of great importance to a high-priority topic (automation), and because at least the proximate cause issue may be a novel area of law, I think a dialogue would be useful to confirming Bird & Bird?s understanding of our intent behind these questions. I look forward to your thoughts. Thanks. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -------------- next part -------------- An HTML attachment was scrubbed... URL: From vgreimann at key-systems.net Wed Apr 1 15:50:37 2020 From: vgreimann at key-systems.net (Volker Greimann) Date: Wed, 1 Apr 2020 17:50:37 +0200 Subject: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird In-Reply-To: References: Message-ID: Hi Brian, I agree that this is a different situation than a "real world" legal advice a client would get from their lawyer since in this case the "client" is a bit on the schizophrenia side with so many interests and a multitude of views. Even the "why" of each question could probably be debated at length. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. On Wed, Apr 1, 2020 at 5:13 PM King, Brian wrote: > Thank you Becky and Volker for those helpful perspectives. I appreciate > the need for transparency, and that there are likely differences of opinion > within the legal team. > > > > In ?the real world? practice of law, the concept of not speaking with > outside counsel about a question asked of them would be quite a bizarre > scenario. Simply informing them of why we are asking the question could be > of great value to how they think about the problem we need help in solving. > > > > The first example that comes to mind is Section 1.12 of the memo on > Automation, which appears to provide an elegantly simple way to ensure the > processing is not automated and therefore not subject to Article 22. If > Bird & Bird had a bit more information on what we were trying to > accomplish, I can?t help but think they would have elaborated on this > section and provided further guidance on how best to ensure the model we?re > considering does not invoke Article 22 in the first place. > > > > We cannot assume Bird & Bird has been following our work very closely, if > at all, especially since the legal committee decided not to send them any > sections of the Initial Report for their thoughts. I?ll understand if the > legal committee thinks we have the time and resources remaining to engage > in further written back-and-forth, but I submit that a 30- or 60-minute > phone call would be far more efficient. > > > > *Brian J. King * > Director of Internet Policy and Industry Affairs > > > > T +1 443 761 3726 > * markmonitor.com * > > > > > *MarkMonitor *Protecting companies and consumers in a digital world > > > > *From:* Volker Greimann > *Sent:* Wednesday, April 1, 2020 8:27 AM > *To:* Becky Burr > *Cc:* King, Brian ; gnso-epdp-legal at icann.org > *Subject:* Re: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & > Bird > > > > I agree with Becky. Oral presentations may just lead to further > differences of opinion. > > -- > Volker A. Greimann > General Counsel and Policy Manager > *KEY-SYSTEMS GMBH* > > T: +49 6894 9396901 > M: +49 6894 9396851 > F: +49 6894 9396851 > W: www.key-systems.net > > > Key-Systems GmbH is a company registered at the local court of > Saarbruecken, Germany with the registration no. HR B 18835 > CEO: Alexander Siffrin > > Part of the CentralNic Group PLC (LON: CNIC) a company registered in > England and Wales with company number 8576358. > > > > > > On Tue, Mar 31, 2020 at 4:18 PM Becky Burr > wrote: > > Dear Brian, > > > > Thanks for this suggestion. Perhaps it would be preferable if we had > Bird & Bird send any follow-up questions, comments, or requests for > clarification to the EPDP Legal Committee in writing? Given our process, > the questions should be able to stand on their own, and it may be easier to > formulate answers to any follow-up questions in writing rather than on the > fly. In addition, having dialogue in writing will promote transparency > since the communications between the Legal Committee and Bird & Bird can be > fully communicated to the rest of the team. > > > > B > > > > On Mon, Mar 30, 2020 at 11:23 AM King, Brian via Gnso-epdp-legal < > gnso-epdp-legal at icann.org> wrote: > > Hi Team, > > > > I wanted to propose that we schedule a brief call with Bird & Bird to > discuss the question on automation we just sent. > > > > While I was just an alternate in Phase 1 and was not able to attend, I > understand from many EPDP colleagues across various groups that there was a > lot of value from discussions with Ruth. > > > > Since the answers to these automation questions will likely be of great > importance to a high-priority topic (automation), and because at least the > proximate cause issue may be a novel area of law, I think a dialogue would > be useful to confirming Bird & Bird?s understanding of our intent behind > these questions. > > > > I look forward to your thoughts. > > > > Thanks. > > > > *Brian J. King * > Director of Internet Policy and Industry Affairs > > > > T +1 443 761 3726 > * markmonitor.com * > > > > > *MarkMonitor *Protecting companies and consumers in a digital world > > > > _______________________________________________ > Gnso-epdp-legal mailing list > Gnso-epdp-legal at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-legal > > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy > ) > and the website Terms of Service (https://www.icann.org/privacy/tos > ). > You can visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. > > _______________________________________________ > Gnso-epdp-legal mailing list > Gnso-epdp-legal at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-legal > > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy > ) > and the website Terms of Service (https://www.icann.org/privacy/tos > ). > You can visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From alan at donuts.email Wed Apr 1 16:07:48 2020 From: alan at donuts.email (Alan Woods) Date: Wed, 1 Apr 2020 17:07:48 +0100 Subject: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird In-Reply-To: References: Message-ID: I am in complete agreement with Becky and Volker, and I must note that that the legal team went to great lengths to agree the questions as posed. The questions are agreed and I feel that additional 'clarification', however well meaning, are simply not appropriate at this juncture. Additionally, Bird & Bird were chosen for their expertise in this field. B&B has been our primary counsel for over a year and are clearly very familiar with a) our work, b) icann's work and mandate, and surely c) the practical implementation of gdpr across a multitude of business types and models. If there are doubts as to their inability to understand the underlying issues here, surely this should have been raised much earlier than this. Warm regards, Alan [image: Donuts Inc.] Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ Suite 1-31, Block D, Iveagh Court Harcourt Road Dublin 2, County Dublin Ireland Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Wed, Apr 1, 2020 at 4:13 PM King, Brian via Gnso-epdp-legal < gnso-epdp-legal at icann.org> wrote: > Thank you Becky and Volker for those helpful perspectives. I appreciate > the need for transparency, and that there are likely differences of opinion > within the legal team. > > > > In ?the real world? practice of law, the concept of not speaking with > outside counsel about a question asked of them would be quite a bizarre > scenario. Simply informing them of why we are asking the question could be > of great value to how they think about the problem we need help in solving. > > > > The first example that comes to mind is Section 1.12 of the memo on > Automation, which appears to provide an elegantly simple way to ensure the > processing is not automated and therefore not subject to Article 22. If > Bird & Bird had a bit more information on what we were trying to > accomplish, I can?t help but think they would have elaborated on this > section and provided further guidance on how best to ensure the model we?re > considering does not invoke Article 22 in the first place. > > > > We cannot assume Bird & Bird has been following our work very closely, if > at all, especially since the legal committee decided not to send them any > sections of the Initial Report for their thoughts. I?ll understand if the > legal committee thinks we have the time and resources remaining to engage > in further written back-and-forth, but I submit that a 30- or 60-minute > phone call would be far more efficient. > > > > *Brian J. King * > Director of Internet Policy and Industry Affairs > > > > T +1 443 761 3726 > * markmonitor.com * > > > > > *MarkMonitor *Protecting companies and consumers in a digital world > > > > *From:* Volker Greimann > *Sent:* Wednesday, April 1, 2020 8:27 AM > *To:* Becky Burr > *Cc:* King, Brian ; gnso-epdp-legal at icann.org > *Subject:* Re: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & > Bird > > > > I agree with Becky. Oral presentations may just lead to further > differences of opinion. > > -- > Volker A. Greimann > General Counsel and Policy Manager > *KEY-SYSTEMS GMBH* > > T: +49 6894 9396901 > M: +49 6894 9396851 > F: +49 6894 9396851 > W: www.key-systems.net > > > Key-Systems GmbH is a company registered at the local court of > Saarbruecken, Germany with the registration no. HR B 18835 > CEO: Alexander Siffrin > > Part of the CentralNic Group PLC (LON: CNIC) a company registered in > England and Wales with company number 8576358. > > > > > > On Tue, Mar 31, 2020 at 4:18 PM Becky Burr > wrote: > > Dear Brian, > > > > Thanks for this suggestion. Perhaps it would be preferable if we had > Bird & Bird send any follow-up questions, comments, or requests for > clarification to the EPDP Legal Committee in writing? Given our process, > the questions should be able to stand on their own, and it may be easier to > formulate answers to any follow-up questions in writing rather than on the > fly. In addition, having dialogue in writing will promote transparency > since the communications between the Legal Committee and Bird & Bird can be > fully communicated to the rest of the team. > > > > B > > > > On Mon, Mar 30, 2020 at 11:23 AM King, Brian via Gnso-epdp-legal < > gnso-epdp-legal at icann.org> wrote: > > Hi Team, > > > > I wanted to propose that we schedule a brief call with Bird & Bird to > discuss the question on automation we just sent. > > > > While I was just an alternate in Phase 1 and was not able to attend, I > understand from many EPDP colleagues across various groups that there was a > lot of value from discussions with Ruth. > > > > Since the answers to these automation questions will likely be of great > importance to a high-priority topic (automation), and because at least the > proximate cause issue may be a novel area of law, I think a dialogue would > be useful to confirming Bird & Bird?s understanding of our intent behind > these questions. > > > > I look forward to your thoughts. > > > > Thanks. > > > > *Brian J. King * > Director of Internet Policy and Industry Affairs > > > > T +1 443 761 3726 > * markmonitor.com * > > > > > *MarkMonitor *Protecting companies and consumers in a digital world > > > > _______________________________________________ > Gnso-epdp-legal mailing list > Gnso-epdp-legal at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-legal > > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy > ) > and the website Terms of Service (https://www.icann.org/privacy/tos > ). > You can visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. > > _______________________________________________ > Gnso-epdp-legal mailing list > Gnso-epdp-legal at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-legal > > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy > ) > and the website Terms of Service (https://www.icann.org/privacy/tos > ). > You can visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. > > _______________________________________________ > Gnso-epdp-legal mailing list > Gnso-epdp-legal at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-legal > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and > the website Terms of Service (https://www.icann.org/privacy/tos). You can > visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Brian.King at markmonitor.com Wed Apr 1 17:31:39 2020 From: Brian.King at markmonitor.com (King, Brian) Date: Wed, 1 Apr 2020 17:31:39 +0000 Subject: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird In-Reply-To: References: Message-ID: If the consensus here is that we don?t need to have the call, I?m ok to wait and read the responsive memo. Candidly, I didn?t expect any opposition to the suggestion as I thought it would be a non-controversial way to further guide Bird & Bird on how best to help us. I?m surprised to see that?s not the case, but I?m often surprised ? For the record, I have no doubts as to B&B?s competence or ability to understand our issues. I just note that the more background we can provide, the more precisely they might be able to help. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Alan Woods Sent: Wednesday, April 1, 2020 12:08 PM To: King, Brian Cc: Volker Greimann ; Becky Burr ; gnso-epdp-legal at icann.org Subject: Re: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird I am in complete agreement with Becky and Volker, and I must note that that the legal team went to great lengths to agree the questions as posed. The questions are agreed and I feel that additional 'clarification', however well meaning, are simply not appropriate at this juncture. Additionally, Bird & Bird were chosen for their expertise in this field. B&B has been our primary counsel for over a year and are clearly very familiar with a) our work, b) icann's work and mandate, and surely c) the practical implementation of gdpr across a multitude of business types and models. If there are doubts as to their inability to understand the underlying issues here, surely this should have been raised much earlier than this. Warm regards, Alan [Image removed by sender. Donuts Inc.] Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ________________________________ Suite 1-31, Block D, Iveagh Court Harcourt Road Dublin 2, County Dublin Ireland [Image removed by sender.] [Image removed by sender.] [Image removed by sender.] Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Wed, Apr 1, 2020 at 4:13 PM King, Brian via Gnso-epdp-legal > wrote: Thank you Becky and Volker for those helpful perspectives. I appreciate the need for transparency, and that there are likely differences of opinion within the legal team. In ?the real world? practice of law, the concept of not speaking with outside counsel about a question asked of them would be quite a bizarre scenario. Simply informing them of why we are asking the question could be of great value to how they think about the problem we need help in solving. The first example that comes to mind is Section 1.12 of the memo on Automation, which appears to provide an elegantly simple way to ensure the processing is not automated and therefore not subject to Article 22. If Bird & Bird had a bit more information on what we were trying to accomplish, I can?t help but think they would have elaborated on this section and provided further guidance on how best to ensure the model we?re considering does not invoke Article 22 in the first place. We cannot assume Bird & Bird has been following our work very closely, if at all, especially since the legal committee decided not to send them any sections of the Initial Report for their thoughts. I?ll understand if the legal committee thinks we have the time and resources remaining to engage in further written back-and-forth, but I submit that a 30- or 60-minute phone call would be far more efficient. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Volker Greimann > Sent: Wednesday, April 1, 2020 8:27 AM To: Becky Burr > Cc: King, Brian >; gnso-epdp-legal at icann.org Subject: Re: [Gnso-epdp-legal] Request for Brief Dialogue with Bird & Bird I agree with Becky. Oral presentations may just lead to further differences of opinion. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. On Tue, Mar 31, 2020 at 4:18 PM Becky Burr > wrote: Dear Brian, Thanks for this suggestion. Perhaps it would be preferable if we had Bird & Bird send any follow-up questions, comments, or requests for clarification to the EPDP Legal Committee in writing? Given our process, the questions should be able to stand on their own, and it may be easier to formulate answers to any follow-up questions in writing rather than on the fly. In addition, having dialogue in writing will promote transparency since the communications between the Legal Committee and Bird & Bird can be fully communicated to the rest of the team. B On Mon, Mar 30, 2020 at 11:23 AM King, Brian via Gnso-epdp-legal > wrote: Hi Team, I wanted to propose that we schedule a brief call with Bird & Bird to discuss the question on automation we just sent. While I was just an alternate in Phase 1 and was not able to attend, I understand from many EPDP colleagues across various groups that there was a lot of value from discussions with Ruth. Since the answers to these automation questions will likely be of great importance to a high-priority topic (automation), and because at least the proximate cause issue may be a novel area of law, I think a dialogue would be useful to confirming Bird & Bird?s understanding of our intent behind these questions. I look forward to your thoughts. Thanks. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ~WRD2404.jpg Type: image/jpeg Size: 823 bytes Desc: ~WRD2404.jpg URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 407 bytes Desc: image001.jpg URL: From Brian.King at markmonitor.com Mon Apr 6 21:39:45 2020 From: Brian.King at markmonitor.com (King, Brian) Date: Mon, 6 Apr 2020 21:39:45 +0000 Subject: [Gnso-epdp-legal] Status update Message-ID: Hi, When should we expect the response from Bird & Bird on our most recent question? Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world -------------- next part -------------- An HTML attachment was scrubbed... URL: From caitlin.tubergen at icann.org Tue Apr 7 21:54:19 2020 From: caitlin.tubergen at icann.org (Caitlin Tubergen) Date: Tue, 7 Apr 2020 21:54:19 +0000 Subject: [Gnso-epdp-legal] Status update Message-ID: <0713F175-BCCA-4C31-AE15-34766198A137@icann.org> Hi Brian, Thank you for checking in. Bird & Bird expects to provide its response to the automation use case questions by Friday, 17 April. Best regards, Caitlin From: Gnso-epdp-legal on behalf of "King, Brian via Gnso-epdp-legal" Reply-To: "King, Brian" Date: Monday, April 6, 2020 at 2:39 PM To: "gnso-epdp-legal at icann.org" Subject: [Gnso-epdp-legal] Status update Hi, When should we expect the response from Bird & Bird on our most recent question? Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com [markmonitor.com] MarkMonitor Protecting companies and consumers in a digital world -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4620 bytes Desc: not available URL: From Brian.King at markmonitor.com Wed Apr 8 01:53:10 2020 From: Brian.King at markmonitor.com (King, Brian) Date: Wed, 8 Apr 2020 01:53:10 +0000 Subject: [Gnso-epdp-legal] Status update In-Reply-To: <0713F175-BCCA-4C31-AE15-34766198A137@icann.org> References: <0713F175-BCCA-4C31-AE15-34766198A137@icann.org> Message-ID: <02A27D00-ACAF-42B6-82C8-AB10848BBA38@markmonitor.com> Thank you, Caitlin! Brian J. King Director of Internet Policy and Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king at markmonitor.com On Apr 7, 2020, at 5:54 PM, Caitlin Tubergen wrote: ? Hi Brian, Thank you for checking in. Bird & Bird expects to provide its response to the automation use case questions by Friday, 17 April. Best regards, Caitlin From: Gnso-epdp-legal on behalf of "King, Brian via Gnso-epdp-legal" Reply-To: "King, Brian" Date: Monday, April 6, 2020 at 2:39 PM To: "gnso-epdp-legal at icann.org" Subject: [Gnso-epdp-legal] Status update Hi, When should we expect the response from Bird & Bird on our most recent question? Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com [markmonitor.com] MarkMonitor Protecting companies and consumers in a digital world -------------- next part -------------- An HTML attachment was scrubbed... URL: From karklinsj at gmail.com Thu Apr 16 20:35:31 2020 From: karklinsj at gmail.com (Janis Karklins) Date: Thu, 16 Apr 2020 22:35:31 +0200 Subject: [Gnso-epdp-legal] Bird@Bird memo on data accuracy legal questions Message-ID: Dear Keith, In following up on the Council?s direction to submit the pending data accuracy legal questions to its outside counsel in order to help inform the work of any future scoping team, the EPDP Team?s Legal Committee submitted its agreed-upon questions to Bird & Bird. I am writing to inform you that Bird & Bird has provided the attached memo in response. As the accuracy topic is not on the EPDP Team?s critical path for delivery of its Final Report on the System for Standardized Access/Disclosure, the EPDP Team will not consider the legal guidance at this time. However, the Phase 2 Legal Committee will review the guidance in order to determine if any follow-up questions are warranted that may help inform a possible scoping team to further consider this topic. Please let me know if you have any further questions. Best regards, JK -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ICANN accuracy memo 9 April 2020.pdf Type: application/pdf Size: 628861 bytes Desc: not available URL: From vgreimann at key-systems.net Thu Apr 16 21:10:43 2020 From: vgreimann at key-systems.net (Volker Greimann) Date: Thu, 16 Apr 2020 23:10:43 +0200 Subject: [Gnso-epdp-legal] [Gnso-epdp-team] Bird@Bird memo on data accuracy legal questions In-Reply-To: References: Message-ID: Thank you Janis, it is good to see one's legal opinion reflected closely in this legal brief. I hope this will provide the necessary closure and will help to finally lay this issue to bed. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Oliver Fries and Robert Birkner Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. On Thu, Apr 16, 2020 at 10:36 PM Janis Karklins wrote: > Dear Keith, > > > > In following up on the Council?s direction to submit the pending data > accuracy legal questions to its outside counsel in order to help inform the > work of any future scoping team, the EPDP Team?s Legal Committee submitted > its agreed-upon questions to Bird & Bird. I am writing to inform you that > Bird & Bird has provided the attached memo in response. > > > > As the accuracy topic is not on the EPDP Team?s critical path for delivery > of its Final Report on the System for Standardized Access/Disclosure, the > EPDP Team will not consider the legal guidance at this time. However, the > Phase 2 Legal Committee will review the guidance in order to determine if > any follow-up questions are warranted that may help inform a possible > scoping team to further consider this topic. > > > > Please let me know if you have any further questions. > > > > Best regards, > > JK > > > _______________________________________________ > Gnso-epdp-team mailing list > Gnso-epdp-team at icann.org > https://mm.icann.org/mailman/listinfo/gnso-epdp-team > _______________________________________________ > By submitting your personal data, you consent to the processing of your > personal data for purposes of subscribing to this mailing list accordance > with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and > the website Terms of Service (https://www.icann.org/privacy/tos). You can > visit the Mailman link above to change your membership status or > configuration, including unsubscribing, setting digest-style delivery or > disabling delivery altogether (e.g., for a vacation), and so on. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Ruth.Boardman at twobirds.com Thu Apr 23 08:37:48 2020 From: Ruth.Boardman at twobirds.com (Ruth Boardman) Date: Thu, 23 Apr 2020 08:37:48 +0000 Subject: [Gnso-epdp-legal] Automation memo Message-ID: <195351e58ffa4b0b927671262416cc3f@BBLDNEXCH03.twobirds.com> Dear EPDP legal team, I'm attaching the memorandum of advice on this topic. With best regards, Ruth & Katerina BIRD & BIRD For information on the international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses (together "Bird & Bird"), our offices, our members and partners, regulatory information, complaints procedure and the use of e-mail see www.twobirds.com/LN Our privacy policy, which describes how we handle personal information and the use of cookies is available at www.twobirds.com/LNPrivacy. If you would like to opt-out of receiving marketing communications from Bird & Bird click here: https://sites-twobirds.vuture.net/5/52/landing-pages/unsubscribe-blank.asp Any e-mail sent from Bird & Bird may contain information which is confidential and/or privileged. Unless you are the intended recipient, you may not disclose, copy or use it; please notify the sender immediately and delete it and any copies from your system. You should protect your system from viruses etc.; we accept no responsibility for damage that may be caused by them. For the terms on which we receive from, hold for or make available to a client or third party client money see www.twobirds.com/CM Bird & Bird LLP, a limited liability partnership, registered in England and Wales with registered number OC340318, with its registered office and principal place of business at 12 New Fetter Lane, London EC4A 1JP, is authorised and regulated by the Solicitors Regulation Authority, whose professional rules and code may be found at www.sra.org.uk A list of members of Bird & Bird LLP and of any non-members who are designated as partners, being lawyers or other professionals with equivalent standing or qualifications, and of their respective professional qualifications, is open to inspection at its registered office. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ICANN_Automation memo 23 April 2020.PDF Type: application/pdf Size: 941428 bytes Desc: ICANN_Automation memo 23 April 2020.PDF URL: From terri.agnew at icann.org Tue Apr 28 15:27:03 2020 From: terri.agnew at icann.org (Terri Agnew) Date: Tue, 28 Apr 2020 15:27:03 +0000 Subject: [Gnso-epdp-legal] =?utf-8?q?Post_Call_=7C_GNSO_Temp_Spec_gTLD_RD_?= =?utf-8?q?EPDP_=E2=80=93_Phase_2_-_Legal_Subteam_=7C_Tuesday=2C_28_April_?= =?utf-8?q?2020_at_14=3A00_UTC?= Message-ID: <7B34E6D5-AD57-4FDE-82BA-95885B6731FE@icann.org> Dear all, All recordings for the GNSO Temp Spec gTLD RD EPDP ? Phase 2 ? Legal Subteam held on Tuesday, 28 April 2020 at 14:00 UTC can be found on the agenda wiki page (attendance included) and the GNSO Master calendar . These include: * Attendance (please let me know if your name has been left off the attendance list) * Audio recording * Zoom chat archive * Zoom recording (including audio, visual, rough transcript) As a reminder only members and alternates can join the calls. For additional information, you may consult the mailing list archives and the main wiki page. Thank you. Kind regards, Terri -------------- next part -------------- An HTML attachment was scrubbed... URL: From hadiaminiawi at yahoo.com Tue Apr 28 22:19:15 2020 From: hadiaminiawi at yahoo.com (Hadia El Miniawi) Date: Tue, 28 Apr 2020 22:19:15 +0000 (UTC) Subject: [Gnso-epdp-legal] =?utf-8?q?Post_Call_=7C_GNSO_Temp_Spec_gTLD_RD_?= =?utf-8?q?EPDP_=E2=80=93_Phase_2_-_Legal_Subteam_=7C_Tuesday=2C_28_April_?= =?utf-8?q?2020_at_14=3A00_UTC?= In-Reply-To: <7B34E6D5-AD57-4FDE-82BA-95885B6731FE@icann.org> References: <7B34E6D5-AD57-4FDE-82BA-95885B6731FE@icann.org> Message-ID: <432479058.1902386.1588112355176@mail.yahoo.com> I appologies for not attending the call I was caught on another call, will listen to the recordings Hadia On Tuesday, April 28, 2020, 08:57:18 AM PDT, Terri Agnew wrote: Dear all, ? All recordings for the?GNSO Temp Spec gTLD RD EPDP ? Phase 2?? Legal?Subteam?held on?Tuesday, 28 April 2020?at?14:00 UTC??can be?found?on the?agenda wiki page??(attendance included)?and the?GNSO Master calendar?. ? These include: - Attendance?(please let me know if your name has been left off the attendance list) - Audio?recording - Zoom chat archive - Zoom recording (including audio, visual, rough transcript) ? As a reminder only members and alternates can join the calls. ?? For additional information, you may consult the?mailing list archives?and the?main wiki page. ? Thank you. ? Kind regards, ? Terri ? ? ? _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -------------- next part -------------- An HTML attachment was scrubbed... URL: From becky.burr at board.icann.org Wed Apr 29 20:34:56 2020 From: becky.burr at board.icann.org (Becky Burr) Date: Wed, 29 Apr 2020 16:34:56 -0400 Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo Message-ID: Colleagues, In preparation for our discussion tomorrow, I created my own summary of the Bird & Bird memo and our recommendations on next steps. I don't propose to use this instead of the Executive Summary provided by Bird & Bird but wanted to share in the event that (i) Janis can take away more then the fact that it is in [American][lawyer] English and/or (ii) any of you might disagree with the way I have characterized the memo and our recommendations to the plenary. B Summary of Bird & Bird Memo on Automation Use Cases The legal committee has reviewed Bird & Bird?s draft memorandum on proposed automation use cases based on a common set of assumptions provided by the EPDP. Two ?scenarios? were contemplated for each use case: ? In *Scenario 1* the SSAD/Central Gateway would make an automated ?recommendation? to the relevant CP, which could accept or reject the recommendation; ? In *Scenario 2*, the decision to disclose would be taken by the Central Gateway rather than the CP (either with or without accessing the actual registrant data before making the decision). *Summary of Bird & Bird Memo* Noting that the structure and content of Art. 22 GDPR remains unclear despite EDPB guidance, the Bird & Bird memo recalls that under GDPR ?solely automated? decisions can take place in the SSAD context only where: 1. The GDPR does not apply because the requested data is not personal data; 2. The decision does not have a legal or similarly significant effect; 3. A Member State derogation applies; or 4. An applicable Member State law authorizes the decision. Where none of those conditions apply, there must be meaningful human involvement in the decision making process. Bird & Bird concludes that: 1. A decision to disclose information by the SSAD/Central Gateway is likely to involve processing of personal information, even in the case where the Central Gateway does not have access to the underlying registrant data. (Disclosure of city data is a possible exception.) 2. Only Scenario 1.a. (automated recommendation to CP) does not rise to the level of ?solely automated processing.? 3. While there are potential Member State derogations/authorizations, they are not uniform and/or uniformly available in this context. 4. Accordingly, with respect to automated SSAD/Central Gateway use cases, the question is likely to turn on whether or not the processing involves a decision with ?legal or similarly significant effect.? Based on the information provided, Bird & Bird concluded that some of the scenarios clearly involve a decision with legal or similar significant effects; some of the scenarios clearly do not; and in the many cases where it is unclear, additional work is needed. a. In this regard, Bird & Bird was asked to provide guidance with respect to the meaning of ?legal or similarly significant effect.? The memo notes that the term is undefined but involves an ?elevated threshold.? Bird & Bird was also asked to opine on the role of the legal concept of proximate cause (roughly speaking, an action that produces foreseeable consequences without intervention from a third party) when considering whether a decision to release personal information about a registrant results in a legal or similarly significant effect on the data subject. In this regard, given sparse authority one way or the other, Bird & Bird recommended consultation with EDPB/DPAs as to whether or not automated Central Gateway actions might be permitted as actions taken only in preparation for a decision involving legal significance and therefore not, in themselves, subject to Article 22. b. Bird & Bird provided a useful summary table (attached) laying out: the four use cases where, in its view, disclosure would not have a legal/similarly significant effect; the four use cases where it clearly would have that effect; and the six use cases where this was unclear. 5. With respect to the unclear cases, Bird & Bird provided a list of safeguards including, among other things, consultation with DPAs and better scoping of each use case and its legal basis. 6. With respect to the relationship between a Contracted Party and SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in which it would be plausible to argue that CPs are mere processors. Further, Bird & Bird concluded: a. Under Scenario 1, where the ultimate decision to disclose personal information about a registrant lies with the CP, the CP and SSAD/Central Gateway would most likely be considered joint controllers. b. Under Scenario 2, where SSAD/Central Gateway (rather than the CP) makes the ultimate disclosure decision, Bird & Bird opined that it is possible that a CP would be found to be a controller for purposes of the disclosure of data to ICANN/Central Gateway but not for disclosure to the third party requesting the data. (That is not determinative as to whether the CP would have liability for transfer of data to SSAD/Central Gateway in the event of wrongful disclosure.) 7. With respect to CP liability, Bird & Bird stated: a. Where CPs are joint controllers with SSAD/Central Gateway it is important to clearly allocate tasks and responsibilities by way of an agreement. b. CPs can only avoid joint and several liability to individuals by demonstrating that they were not in any way involved in the event giving rise to the damage; the situation is less clear with respect to liability to DPAs. c. Scenario 2 (where SSAD/Central Gateway makes disclosure decision) presents ?lower risk? of liability to CPs, i.e., gives them a relatively better argument regarding no involvement/lower degree of responsibility for decision. *Recommendations on Next Steps* The Legal Committee has asked ICANN Org to develop proposals for ways in which the following use cases (identified by Bird & Bird as not rising to the level of having a legal or similarly significant effect on data subjects) might be automated: 1. Access to registrant data by a DPA for purposes of investigating a data protection infringement allegedly affecting the registrant; 2. Requests for city field only for the purposes of (i) evaluating whether to pursue a claim or (ii) statistics; 3. The registrant record contains no personal data. The Legal Committee commends the use cases identified by Bird & Bird as ?unclear? to the small group working on -------------- next part -------------- An HTML attachment was scrubbed... URL: From Brian.King at markmonitor.com Wed Apr 29 21:18:38 2020 From: Brian.King at markmonitor.com (King, Brian) Date: Wed, 29 Apr 2020 21:18:38 +0000 Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo In-Reply-To: References: Message-ID: Hi Becky, Thank you for doing this, and for giving consideration to the concerns I expressed on the legal team call. I think your email cut off before its intended conclusion. In your 7.c. at the risk of appearing to split hairs, I think there is value in presenting this as ?least risk? of liability to CPs as Bird & Bird states in the body of the memo (p. 25). This is the best option for CP liability, and it should be clearly presented as such. My only other suggestion is to note that the chart presented does not consider the impact of the proximate cause question, although Bird & Bird notes that the concern has merit and which is supported by the only existing literature on point, and is therefore the most conservative approach. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Gnso-epdp-legal On Behalf Of Becky Burr Sent: Wednesday, April 29, 2020 4:35 PM To: gnso-epdp-legal at icann.org Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo Colleagues, In preparation for our discussion tomorrow, I created my own summary of the Bird & Bird memo and our recommendations on next steps. I don't propose to use this instead of the Executive Summary provided by Bird & Bird but wanted to share in the event that (i) Janis can take away more then the fact that it is in [American][lawyer] English and/or (ii) any of you might disagree with the way I have characterized the memo and our recommendations to the plenary. B Summary of Bird & Bird Memo on Automation Use Cases The legal committee has reviewed Bird & Bird?s draft memorandum on proposed automation use cases based on a common set of assumptions provided by the EPDP. Two ?scenarios? were contemplated for each use case: ? In Scenario 1 the SSAD/Central Gateway would make an automated ?recommendation? to the relevant CP, which could accept or reject the recommendation; ? In Scenario 2, the decision to disclose would be taken by the Central Gateway rather than the CP (either with or without accessing the actual registrant data before making the decision). Summary of Bird & Bird Memo Noting that the structure and content of Art. 22 GDPR remains unclear despite EDPB guidance, the Bird & Bird memo recalls that under GDPR ?solely automated? decisions can take place in the SSAD context only where: 1. The GDPR does not apply because the requested data is not personal data; 2. The decision does not have a legal or similarly significant effect; 3. A Member State derogation applies; or 4. An applicable Member State law authorizes the decision. Where none of those conditions apply, there must be meaningful human involvement in the decision making process. Bird & Bird concludes that: 1. A decision to disclose information by the SSAD/Central Gateway is likely to involve processing of personal information, even in the case where the Central Gateway does not have access to the underlying registrant data. (Disclosure of city data is a possible exception.) 2. Only Scenario 1.a. (automated recommendation to CP) does not rise to the level of ?solely automated processing.? 3. While there are potential Member State derogations/authorizations, they are not uniform and/or uniformly available in this context. 4. Accordingly, with respect to automated SSAD/Central Gateway use cases, the question is likely to turn on whether or not the processing involves a decision with ?legal or similarly significant effect.? Based on the information provided, Bird & Bird concluded that some of the scenarios clearly involve a decision with legal or similar significant effects; some of the scenarios clearly do not; and in the many cases where it is unclear, additional work is needed. a. In this regard, Bird & Bird was asked to provide guidance with respect to the meaning of ?legal or similarly significant effect.? The memo notes that the term is undefined but involves an ?elevated threshold.? Bird & Bird was also asked to opine on the role of the legal concept of proximate cause (roughly speaking, an action that produces foreseeable consequences without intervention from a third party) when considering whether a decision to release personal information about a registrant results in a legal or similarly significant effect on the data subject. In this regard, given sparse authority one way or the other, Bird & Bird recommended consultation with EDPB/DPAs as to whether or not automated Central Gateway actions might be permitted as actions taken only in preparation for a decision involving legal significance and therefore not, in themselves, subject to Article 22. b. Bird & Bird provided a useful summary table (attached) laying out: the four use cases where, in its view, disclosure would not have a legal/similarly significant effect; the four use cases where it clearly would have that effect; and the six use cases where this was unclear. 5. With respect to the unclear cases, Bird & Bird provided a list of safeguards including, among other things, consultation with DPAs and better scoping of each use case and its legal basis. 6. With respect to the relationship between a Contracted Party and SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in which it would be plausible to argue that CPs are mere processors. Further, Bird & Bird concluded: a. Under Scenario 1, where the ultimate decision to disclose personal information about a registrant lies with the CP, the CP and SSAD/Central Gateway would most likely be considered joint controllers. b. Under Scenario 2, where SSAD/Central Gateway (rather than the CP) makes the ultimate disclosure decision, Bird & Bird opined that it is possible that a CP would be found to be a controller for purposes of the disclosure of data to ICANN/Central Gateway but not for disclosure to the third party requesting the data. (That is not determinative as to whether the CP would have liability for transfer of data to SSAD/Central Gateway in the event of wrongful disclosure.) 7. With respect to CP liability, Bird & Bird stated: a. Where CPs are joint controllers with SSAD/Central Gateway it is important to clearly allocate tasks and responsibilities by way of an agreement. b. CPs can only avoid joint and several liability to individuals by demonstrating that they were not in any way involved in the event giving rise to the damage; the situation is less clear with respect to liability to DPAs. c. Scenario 2 (where SSAD/Central Gateway makes disclosure decision) presents ?lower risk? of liability to CPs, i.e., gives them a relatively better argument regarding no involvement/lower degree of responsibility for decision. Recommendations on Next Steps The Legal Committee has asked ICANN Org to develop proposals for ways in which the following use cases (identified by Bird & Bird as not rising to the level of having a legal or similarly significant effect on data subjects) might be automated: 1. Access to registrant data by a DPA for purposes of investigating a data protection infringement allegedly affecting the registrant; 2. Requests for city field only for the purposes of (i) evaluating whether to pursue a claim or (ii) statistics; 3. The registrant record contains no personal data. The Legal Committee commends the use cases identified by Bird & Bird as ?unclear? to the small group working on -------------- next part -------------- An HTML attachment was scrubbed... URL: From mmcross at amazon.com Wed Apr 29 22:35:11 2020 From: mmcross at amazon.com (Crossman, Matthew) Date: Wed, 29 Apr 2020 22:35:11 +0000 Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo Message-ID: Thank you for the summary Becky, I think this is helpful for the team. Regarding Brian?s suggestions, I am fine with saying ?least risk? of liability provided we say ?least risk of liability of the scenarios presented.? I think is accurate, and it?s important to tie it to the scope of the memo (i.e., the least risk of liability overall is actually no automation ? I?m not suggesting that, just trying to illustrate the importance of the scope of these conclusions). On proximate cause I worry that adding that caveat adds unnecessary ambiguity that makes it sound like this is an open issue. The chart illustrates what is permissible today and we should use it as a tool to move those conversations forward. I don?t disagree that it is an interesting question and certainly something we may need to consider in the SSAD evolution as guidance develops, but adding it as a condition on the chart?s conclusions seems like it will cause more confusion than clarity. Thanks, Matt From: Gnso-epdp-legal On Behalf Of King, Brian via Gnso-epdp-legal Sent: Wednesday, April 29, 2020 2:19 PM To: Becky Burr ; gnso-epdp-legal at icann.org Subject: RE: [Gnso-epdp-legal] My internal summary of the Automation Memo Hi Becky, Thank you for doing this, and for giving consideration to the concerns I expressed on the legal team call. I think your email cut off before its intended conclusion. In your 7.c. at the risk of appearing to split hairs, I think there is value in presenting this as ?least risk? of liability to CPs as Bird & Bird states in the body of the memo (p. 25). This is the best option for CP liability, and it should be clearly presented as such. My only other suggestion is to note that the chart presented does not consider the impact of the proximate cause question, although Bird & Bird notes that the concern has merit and which is supported by the only existing literature on point, and is therefore the most conservative approach. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Gnso-epdp-legal > On Behalf Of Becky Burr Sent: Wednesday, April 29, 2020 4:35 PM To: gnso-epdp-legal at icann.org Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo Colleagues, In preparation for our discussion tomorrow, I created my own summary of the Bird & Bird memo and our recommendations on next steps. I don't propose to use this instead of the Executive Summary provided by Bird & Bird but wanted to share in the event that (i) Janis can take away more then the fact that it is in [American][lawyer] English and/or (ii) any of you might disagree with the way I have characterized the memo and our recommendations to the plenary. B Summary of Bird & Bird Memo on Automation Use Cases The legal committee has reviewed Bird & Bird?s draft memorandum on proposed automation use cases based on a common set of assumptions provided by the EPDP. Two ?scenarios? were contemplated for each use case: ? In Scenario 1 the SSAD/Central Gateway would make an automated ?recommendation? to the relevant CP, which could accept or reject the recommendation; ? In Scenario 2, the decision to disclose would be taken by the Central Gateway rather than the CP (either with or without accessing the actual registrant data before making the decision). Summary of Bird & Bird Memo Noting that the structure and content of Art. 22 GDPR remains unclear despite EDPB guidance, the Bird & Bird memo recalls that under GDPR ?solely automated? decisions can take place in the SSAD context only where: 1. The GDPR does not apply because the requested data is not personal data; 2. The decision does not have a legal or similarly significant effect; 3. A Member State derogation applies; or 4. An applicable Member State law authorizes the decision. Where none of those conditions apply, there must be meaningful human involvement in the decision making process. Bird & Bird concludes that: 1. A decision to disclose information by the SSAD/Central Gateway is likely to involve processing of personal information, even in the case where the Central Gateway does not have access to the underlying registrant data. (Disclosure of city data is a possible exception.) 2. Only Scenario 1.a. (automated recommendation to CP) does not rise to the level of ?solely automated processing.? 3. While there are potential Member State derogations/authorizations, they are not uniform and/or uniformly available in this context. 4. Accordingly, with respect to automated SSAD/Central Gateway use cases, the question is likely to turn on whether or not the processing involves a decision with ?legal or similarly significant effect.? Based on the information provided, Bird & Bird concluded that some of the scenarios clearly involve a decision with legal or similar significant effects; some of the scenarios clearly do not; and in the many cases where it is unclear, additional work is needed. a. In this regard, Bird & Bird was asked to provide guidance with respect to the meaning of ?legal or similarly significant effect.? The memo notes that the term is undefined but involves an ?elevated threshold.? Bird & Bird was also asked to opine on the role of the legal concept of proximate cause (roughly speaking, an action that produces foreseeable consequences without intervention from a third party) when considering whether a decision to release personal information about a registrant results in a legal or similarly significant effect on the data subject. In this regard, given sparse authority one way or the other, Bird & Bird recommended consultation with EDPB/DPAs as to whether or not automated Central Gateway actions might be permitted as actions taken only in preparation for a decision involving legal significance and therefore not, in themselves, subject to Article 22. b. Bird & Bird provided a useful summary table (attached) laying out: the four use cases where, in its view, disclosure would not have a legal/similarly significant effect; the four use cases where it clearly would have that effect; and the six use cases where this was unclear. 5. With respect to the unclear cases, Bird & Bird provided a list of safeguards including, among other things, consultation with DPAs and better scoping of each use case and its legal basis. 6. With respect to the relationship between a Contracted Party and SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in which it would be plausible to argue that CPs are mere processors. Further, Bird & Bird concluded: a. Under Scenario 1, where the ultimate decision to disclose personal information about a registrant lies with the CP, the CP and SSAD/Central Gateway would most likely be considered joint controllers. b. Under Scenario 2, where SSAD/Central Gateway (rather than the CP) makes the ultimate disclosure decision, Bird & Bird opined that it is possible that a CP would be found to be a controller for purposes of the disclosure of data to ICANN/Central Gateway but not for disclosure to the third party requesting the data. (That is not determinative as to whether the CP would have liability for transfer of data to SSAD/Central Gateway in the event of wrongful disclosure.) 7. With respect to CP liability, Bird & Bird stated: a. Where CPs are joint controllers with SSAD/Central Gateway it is important to clearly allocate tasks and responsibilities by way of an agreement. b. CPs can only avoid joint and several liability to individuals by demonstrating that they were not in any way involved in the event giving rise to the damage; the situation is less clear with respect to liability to DPAs. c. Scenario 2 (where SSAD/Central Gateway makes disclosure decision) presents ?lower risk? of liability to CPs, i.e., gives them a relatively better argument regarding no involvement/lower degree of responsibility for decision. Recommendations on Next Steps The Legal Committee has asked ICANN Org to develop proposals for ways in which the following use cases (identified by Bird & Bird as not rising to the level of having a legal or similarly significant effect on data subjects) might be automated: 1. Access to registrant data by a DPA for purposes of investigating a data protection infringement allegedly affecting the registrant; 2. Requests for city field only for the purposes of (i) evaluating whether to pursue a claim or (ii) statistics; 3. The registrant record contains no personal data. The Legal Committee commends the use cases identified by Bird & Bird as ?unclear? to the small group working on -------------- next part -------------- An HTML attachment was scrubbed... URL: From Brian.King at markmonitor.com Wed Apr 29 23:58:17 2020 From: Brian.King at markmonitor.com (King, Brian) Date: Wed, 29 Apr 2020 23:58:17 +0000 Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo In-Reply-To: References: Message-ID: Hey Matt and all, Just a clarification that the Scenario 1 we presented indeed was not automated ? the ?recommendations? were automated, but decisions were made manually at the CP. Right? I?d consider this not automated, but I?m way in the weeds these days and could be missing quite a bit at common-sense level. If the legal team thinks that the caveat I suggested about proximate cause related to the chart adds confusion, I am willing to accept if I am in the minority on this. My view, which is shared by a number of IPC colleagues, is that the type of harm contemplated by Article 22 simply is not possible in the SSAD scenario. ICANN sua sponte/by itself is simply not capable of inflicting the type of harm contemplated by Article 22 (denial of immigration/citizenship, voting rights, credit/loan eligibility), even ?similarly significant? effects. All SSAD can do is release the data to a third party with its own independent free will, which disclosure standing alone is a benign event for Article 22 purposes. I also don?t find it at all likely that future use of the data by a requestor, based on its own control, would constitute ICANN?s or a CP?s violation of Article 22. I accept that we don?t have case law on this yet, and I acknowledge that reasonable minds could disagree, but I do not yet understand the alternative argument. Even if the legal team would prefer not to burden the presentation of the chart with an asterisk or a footnote on this, I do find this to be ripe for inclusion in the Mechanism for Evolution of the SSAD. As I?m part of the small team working on that, I will flag this for inclusion in that work. Thank you all for dealing with me ?. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Crossman, Matthew Sent: Wednesday, April 29, 2020 6:35 PM To: King, Brian ; Becky Burr ; gnso-epdp-legal at icann.org Subject: RE: [Gnso-epdp-legal] My internal summary of the Automation Memo Thank you for the summary Becky, I think this is helpful for the team. Regarding Brian?s suggestions, I am fine with saying ?least risk? of liability provided we say ?least risk of liability of the scenarios presented.? I think is accurate, and it?s important to tie it to the scope of the memo (i.e., the least risk of liability overall is actually no automation ? I?m not suggesting that, just trying to illustrate the importance of the scope of these conclusions). On proximate cause I worry that adding that caveat adds unnecessary ambiguity that makes it sound like this is an open issue. The chart illustrates what is permissible today and we should use it as a tool to move those conversations forward. I don?t disagree that it is an interesting question and certainly something we may need to consider in the SSAD evolution as guidance develops, but adding it as a condition on the chart?s conclusions seems like it will cause more confusion than clarity. Thanks, Matt From: Gnso-epdp-legal > On Behalf Of King, Brian via Gnso-epdp-legal Sent: Wednesday, April 29, 2020 2:19 PM To: Becky Burr >; gnso-epdp-legal at icann.org Subject: RE: [Gnso-epdp-legal] My internal summary of the Automation Memo Hi Becky, Thank you for doing this, and for giving consideration to the concerns I expressed on the legal team call. I think your email cut off before its intended conclusion. In your 7.c. at the risk of appearing to split hairs, I think there is value in presenting this as ?least risk? of liability to CPs as Bird & Bird states in the body of the memo (p. 25). This is the best option for CP liability, and it should be clearly presented as such. My only other suggestion is to note that the chart presented does not consider the impact of the proximate cause question, although Bird & Bird notes that the concern has merit and which is supported by the only existing literature on point, and is therefore the most conservative approach. Brian J. King Director of Internet Policy and Industry Affairs T +1 443 761 3726 markmonitor.com MarkMonitor Protecting companies and consumers in a digital world From: Gnso-epdp-legal > On Behalf Of Becky Burr Sent: Wednesday, April 29, 2020 4:35 PM To: gnso-epdp-legal at icann.org Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo Colleagues, In preparation for our discussion tomorrow, I created my own summary of the Bird & Bird memo and our recommendations on next steps. I don't propose to use this instead of the Executive Summary provided by Bird & Bird but wanted to share in the event that (i) Janis can take away more then the fact that it is in [American][lawyer] English and/or (ii) any of you might disagree with the way I have characterized the memo and our recommendations to the plenary. B Summary of Bird & Bird Memo on Automation Use Cases The legal committee has reviewed Bird & Bird?s draft memorandum on proposed automation use cases based on a common set of assumptions provided by the EPDP. Two ?scenarios? were contemplated for each use case: ? In Scenario 1 the SSAD/Central Gateway would make an automated ?recommendation? to the relevant CP, which could accept or reject the recommendation; ? In Scenario 2, the decision to disclose would be taken by the Central Gateway rather than the CP (either with or without accessing the actual registrant data before making the decision). Summary of Bird & Bird Memo Noting that the structure and content of Art. 22 GDPR remains unclear despite EDPB guidance, the Bird & Bird memo recalls that under GDPR ?solely automated? decisions can take place in the SSAD context only where: 1. The GDPR does not apply because the requested data is not personal data; 2. The decision does not have a legal or similarly significant effect; 3. A Member State derogation applies; or 4. An applicable Member State law authorizes the decision. Where none of those conditions apply, there must be meaningful human involvement in the decision making process. Bird & Bird concludes that: 1. A decision to disclose information by the SSAD/Central Gateway is likely to involve processing of personal information, even in the case where the Central Gateway does not have access to the underlying registrant data. (Disclosure of city data is a possible exception.) 2. Only Scenario 1.a. (automated recommendation to CP) does not rise to the level of ?solely automated processing.? 3. While there are potential Member State derogations/authorizations, they are not uniform and/or uniformly available in this context. 4. Accordingly, with respect to automated SSAD/Central Gateway use cases, the question is likely to turn on whether or not the processing involves a decision with ?legal or similarly significant effect.? Based on the information provided, Bird & Bird concluded that some of the scenarios clearly involve a decision with legal or similar significant effects; some of the scenarios clearly do not; and in the many cases where it is unclear, additional work is needed. a. In this regard, Bird & Bird was asked to provide guidance with respect to the meaning of ?legal or similarly significant effect.? The memo notes that the term is undefined but involves an ?elevated threshold.? Bird & Bird was also asked to opine on the role of the legal concept of proximate cause (roughly speaking, an action that produces foreseeable consequences without intervention from a third party) when considering whether a decision to release personal information about a registrant results in a legal or similarly significant effect on the data subject. In this regard, given sparse authority one way or the other, Bird & Bird recommended consultation with EDPB/DPAs as to whether or not automated Central Gateway actions might be permitted as actions taken only in preparation for a decision involving legal significance and therefore not, in themselves, subject to Article 22. b. Bird & Bird provided a useful summary table (attached) laying out: the four use cases where, in its view, disclosure would not have a legal/similarly significant effect; the four use cases where it clearly would have that effect; and the six use cases where this was unclear. 5. With respect to the unclear cases, Bird & Bird provided a list of safeguards including, among other things, consultation with DPAs and better scoping of each use case and its legal basis. 6. With respect to the relationship between a Contracted Party and SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in which it would be plausible to argue that CPs are mere processors. Further, Bird & Bird concluded: a. Under Scenario 1, where the ultimate decision to disclose personal information about a registrant lies with the CP, the CP and SSAD/Central Gateway would most likely be considered joint controllers. b. Under Scenario 2, where SSAD/Central Gateway (rather than the CP) makes the ultimate disclosure decision, Bird & Bird opined that it is possible that a CP would be found to be a controller for purposes of the disclosure of data to ICANN/Central Gateway but not for disclosure to the third party requesting the data. (That is not determinative as to whether the CP would have liability for transfer of data to SSAD/Central Gateway in the event of wrongful disclosure.) 7. With respect to CP liability, Bird & Bird stated: a. Where CPs are joint controllers with SSAD/Central Gateway it is important to clearly allocate tasks and responsibilities by way of an agreement. b. CPs can only avoid joint and several liability to individuals by demonstrating that they were not in any way involved in the event giving rise to the damage; the situation is less clear with respect to liability to DPAs. c. Scenario 2 (where SSAD/Central Gateway makes disclosure decision) presents ?lower risk? of liability to CPs, i.e., gives them a relatively better argument regarding no involvement/lower degree of responsibility for decision. Recommendations on Next Steps The Legal Committee has asked ICANN Org to develop proposals for ways in which the following use cases (identified by Bird & Bird as not rising to the level of having a legal or similarly significant effect on data subjects) might be automated: 1. Access to registrant data by a DPA for purposes of investigating a data protection infringement allegedly affecting the registrant; 2. Requests for city field only for the purposes of (i) evaluating whether to pursue a claim or (ii) statistics; 3. The registrant record contains no personal data. The Legal Committee commends the use cases identified by Bird & Bird as ?unclear? to the small group working on -------------- next part -------------- An HTML attachment was scrubbed... URL: From becky.burr at board.icann.org Thu Apr 30 03:00:10 2020 From: becky.burr at board.icann.org (Becky Burr) Date: Wed, 29 Apr 2020 23:00:10 -0400 Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo In-Reply-To: References: Message-ID: Thanks Brian, apologies for the cut off, the final sentence should have said "The Legal Committee commends the use cases identified by Bird & Bird as ?unclear? to the small group working on automation issues, along with Bird & Bird?s suggested safeguards that could be considered to reduce uncertainty." As indicated, this summary was designed for my use as talking points and I value input from members of the legal committee. Will leave it to members of the committee to make the "least risk argument" during the call tomorrow. My personal read is that Bird & Bird said "argument A is better than argument B," which is not the same as saying that argument A is a good one. That is not intended to reflect my view on where this should come out, just a characterization of what I think our legal experts have concluded. And, of course, since no one actually knows what is required, ultimately they could be proven wrong. On Wed, Apr 29, 2020 at 5:18 PM King, Brian wrote: > Hi Becky, > > > > Thank you for doing this, and for giving consideration to the concerns I > expressed on the legal team call. I think your email cut off before its > intended conclusion. > > > > In your 7.c. at the risk of appearing to split hairs, I think there is > value in presenting this as ?least risk? of liability to CPs as Bird & Bird > states in the body of the memo (p. 25). This is the best option for CP > liability, and it should be clearly presented as such. > > > > My only other suggestion is to note that the chart presented does not > consider the impact of the proximate cause question, although Bird & Bird > notes that the concern has merit and which is supported by the only > existing literature on point, and is therefore the most conservative > approach. > > > > *Brian J. King * > Director of Internet Policy and Industry Affairs > > > > T +1 443 761 3726 > * markmonitor.com * > > > > > *MarkMonitor *Protecting companies and consumers in a digital world > > > > *From:* Gnso-epdp-legal *On Behalf Of > *Becky Burr > *Sent:* Wednesday, April 29, 2020 4:35 PM > *To:* gnso-epdp-legal at icann.org > *Subject:* [Gnso-epdp-legal] My internal summary of the Automation Memo > > > > Colleagues, > > > > In preparation for our discussion tomorrow, I created my own summary of > the Bird & Bird memo and our recommendations on next steps. I don't > propose to use this instead of the Executive Summary provided by Bird & > Bird but wanted to share in the event that (i) Janis can take away more > then the fact that it is in [American][lawyer] English and/or (ii) any of > you might disagree with the way I have characterized the memo and our > recommendations to the plenary. > > > > B > > > > Summary of Bird & Bird Memo on Automation Use Cases > > > > The legal committee has reviewed Bird & Bird?s draft memorandum on > proposed automation use cases based on a common set of assumptions provided > by the EPDP. Two ?scenarios? were contemplated for each use case: > > > > ? In *Scenario 1* the SSAD/Central Gateway would make an automated > ?recommendation? to the relevant CP, which could accept or reject the > recommendation; > > ? In *Scenario 2*, the decision to disclose would be taken by the > Central Gateway rather than the CP (either with or without accessing the > actual registrant data before making the decision). > > > > *Summary of Bird & Bird Memo* > > > > Noting that the structure and content of Art. 22 GDPR remains unclear > despite EDPB guidance, the Bird & Bird memo recalls that under GDPR ?solely > automated? decisions can take place in the SSAD context only where: > > > > 1. The GDPR does not apply because the requested data is not personal > data; > > 2. The decision does not have a legal or similarly significant effect; > > 3. A Member State derogation applies; or > > 4. An applicable Member State law authorizes the decision. > > > > Where none of those conditions apply, there must be meaningful human > involvement in the decision making process. > > > > Bird & Bird concludes that: > > > > 1. A decision to disclose information by the SSAD/Central Gateway is > likely to involve processing of personal information, even in the case > where the Central Gateway does not have access to the underlying registrant > data. (Disclosure of city data is a possible exception.) > > > > 2. Only Scenario 1.a. (automated recommendation to CP) does not rise > to the level of ?solely automated processing.? > > > > 3. While there are potential Member State derogations/authorizations, > they are not uniform and/or uniformly available in this context. > > > > 4. Accordingly, with respect to automated SSAD/Central Gateway use > cases, the question is likely to turn on whether or not the processing > involves a decision with ?legal or similarly significant effect.? Based on > the information provided, Bird & Bird concluded that some of the scenarios > clearly involve a decision with legal or similar significant effects; some > of the scenarios clearly do not; and in the many cases where it is unclear, > additional work is needed. > > > > a. In this regard, Bird & Bird was asked to provide guidance with > respect to the meaning of ?legal or similarly significant effect.? The > memo notes that the term is undefined but involves an ?elevated threshold.? > Bird & Bird was also asked to opine on the role of the legal concept of > proximate cause (roughly speaking, an action that produces foreseeable > consequences without intervention from a third party) when considering > whether a decision to release personal information about a registrant > results in a legal or similarly significant effect on the data subject. In > this regard, given sparse authority one way or the other, Bird & Bird > recommended consultation with EDPB/DPAs as to whether or not automated > Central Gateway actions might be permitted as actions taken only in > preparation for a decision involving legal significance and therefore not, > in themselves, subject to Article 22. > > > > b. Bird & Bird provided a useful summary table (attached) laying out: > the four use cases where, in its view, disclosure would not have a > legal/similarly significant effect; the four use cases where it clearly > would have that effect; and the six use cases where this was unclear. > > > > 5. With respect to the unclear cases, Bird & Bird provided a list of > safeguards including, among other things, consultation with DPAs and better > scoping of each use case and its legal basis. > > > > 6. With respect to the relationship between a Contracted Party and > SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in > which it would be plausible to argue that CPs are mere processors. > Further, Bird & Bird concluded: > > > > a. Under Scenario 1, where the ultimate decision to disclose personal > information about a registrant lies with the CP, the CP and SSAD/Central > Gateway would most likely be considered joint controllers. > > > > b. Under Scenario 2, where SSAD/Central Gateway (rather than the CP) > makes the ultimate disclosure decision, Bird & Bird opined that it is > possible that a CP would be found to be a controller for purposes of the > disclosure of data to ICANN/Central Gateway but not for disclosure to the > third party requesting the data. (That is not determinative as to whether > the CP would have liability for transfer of data to SSAD/Central Gateway in > the event of wrongful disclosure.) > > > > 7. With respect to CP liability, Bird & Bird stated: > > > > a. Where CPs are joint controllers with SSAD/Central Gateway it is > important to clearly allocate tasks and responsibilities by way of an > agreement. > > b. CPs can only avoid joint and several liability to individuals by > demonstrating that they were not in any way involved in the event giving > rise to the damage; the situation is less clear with respect to liability > to DPAs. > > c. Scenario 2 (where SSAD/Central Gateway makes disclosure decision) > presents ?lower risk? of liability to CPs, i.e., gives them a relatively > better argument regarding no involvement/lower degree of responsibility for > decision. > > > > *Recommendations on Next Steps* > > > > The Legal Committee has asked ICANN Org to develop proposals for ways in > which the following use cases (identified by Bird & Bird as not rising to > the level of having a legal or similarly significant effect on data > subjects) might be automated: > > > > 1. Access to registrant data by a DPA for purposes of investigating a > data protection infringement allegedly affecting the registrant; > > 2. Requests for city field only for the purposes of (i) evaluating > whether to pursue a claim or (ii) statistics; > > 3. The registrant record contains no personal data. > > > > The Legal Committee commends the use cases identified by Bird & Bird as > ?unclear? to the small group working on > -------------- next part -------------- An HTML attachment was scrubbed... URL: From becky.burr at board.icann.org Thu Apr 30 03:03:27 2020 From: becky.burr at board.icann.org (Becky Burr) Date: Wed, 29 Apr 2020 23:03:27 -0400 Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo In-Reply-To: References: Message-ID: my take-away on proximate cause is that Bird & Bird finds merit in but no precedent for the argument that the disclosure issue in unclear cases could be qualified as preparatory rather than decisional. On Wed, Apr 29, 2020 at 6:35 PM Crossman, Matthew wrote: > Thank you for the summary Becky, I think this is helpful for the team. > > > > Regarding Brian?s suggestions, I am fine with saying ?least risk? of > liability provided we say ?least risk of liability of the scenarios > presented.? I think is accurate, and it?s important to tie it to the scope > of the memo (i.e., the least risk of liability overall is actually no > automation ? I?m not suggesting that, just trying to illustrate the > importance of the scope of these conclusions). > > > > On proximate cause I worry that adding that caveat adds unnecessary > ambiguity that makes it sound like this is an open issue. The chart > illustrates what is permissible today and we should use it as a tool to > move those conversations forward. I don?t disagree that it is an > interesting question and certainly something we may need to consider in the > SSAD evolution as guidance develops, but adding it as a condition on the > chart?s conclusions seems like it will cause more confusion than clarity. > > > > Thanks, > Matt > > > > *From:* Gnso-epdp-legal *On Behalf Of > *King, Brian via Gnso-epdp-legal > *Sent:* Wednesday, April 29, 2020 2:19 PM > *To:* Becky Burr ; gnso-epdp-legal at icann.org > *Subject:* RE: [Gnso-epdp-legal] My internal summary of the Automation > Memo > > > > Hi Becky, > > > > Thank you for doing this, and for giving consideration to the concerns I > expressed on the legal team call. I think your email cut off before its > intended conclusion. > > > > In your 7.c. at the risk of appearing to split hairs, I think there is > value in presenting this as ?least risk? of liability to CPs as Bird & Bird > states in the body of the memo (p. 25). This is the best option for CP > liability, and it should be clearly presented as such. > > > > My only other suggestion is to note that the chart presented does not > consider the impact of the proximate cause question, although Bird & Bird > notes that the concern has merit and which is supported by the only > existing literature on point, and is therefore the most conservative > approach. > > > > *Brian J. King * > Director of Internet Policy and Industry Affairs > > > > T +1 443 761 3726 > * markmonitor.com * > > > > > *MarkMonitor *Protecting companies and consumers in a digital world > > > > *From:* Gnso-epdp-legal *On Behalf Of > *Becky Burr > *Sent:* Wednesday, April 29, 2020 4:35 PM > *To:* gnso-epdp-legal at icann.org > *Subject:* [Gnso-epdp-legal] My internal summary of the Automation Memo > > > > Colleagues, > > > > In preparation for our discussion tomorrow, I created my own summary of > the Bird & Bird memo and our recommendations on next steps. I don't > propose to use this instead of the Executive Summary provided by Bird & > Bird but wanted to share in the event that (i) Janis can take away more > then the fact that it is in [American][lawyer] English and/or (ii) any of > you might disagree with the way I have characterized the memo and our > recommendations to the plenary. > > > > B > > > > Summary of Bird & Bird Memo on Automation Use Cases > > > > The legal committee has reviewed Bird & Bird?s draft memorandum on > proposed automation use cases based on a common set of assumptions provided > by the EPDP. Two ?scenarios? were contemplated for each use case: > > > > ? In *Scenario 1* the SSAD/Central Gateway would make an automated > ?recommendation? to the relevant CP, which could accept or reject the > recommendation; > > ? In *Scenario 2*, the decision to disclose would be taken by the > Central Gateway rather than the CP (either with or without accessing the > actual registrant data before making the decision). > > > > *Summary of Bird & Bird Memo* > > > > Noting that the structure and content of Art. 22 GDPR remains unclear > despite EDPB guidance, the Bird & Bird memo recalls that under GDPR ?solely > automated? decisions can take place in the SSAD context only where: > > > > 1. The GDPR does not apply because the requested data is not personal > data; > > 2. The decision does not have a legal or similarly significant effect; > > 3. A Member State derogation applies; or > > 4. An applicable Member State law authorizes the decision. > > > > Where none of those conditions apply, there must be meaningful human > involvement in the decision making process. > > > > Bird & Bird concludes that: > > > > 1. A decision to disclose information by the SSAD/Central Gateway is > likely to involve processing of personal information, even in the case > where the Central Gateway does not have access to the underlying registrant > data. (Disclosure of city data is a possible exception.) > > > > 2. Only Scenario 1.a. (automated recommendation to CP) does not rise > to the level of ?solely automated processing.? > > > > 3. While there are potential Member State derogations/authorizations, > they are not uniform and/or uniformly available in this context. > > > > 4. Accordingly, with respect to automated SSAD/Central Gateway use > cases, the question is likely to turn on whether or not the processing > involves a decision with ?legal or similarly significant effect.? Based on > the information provided, Bird & Bird concluded that some of the scenarios > clearly involve a decision with legal or similar significant effects; some > of the scenarios clearly do not; and in the many cases where it is unclear, > additional work is needed. > > > > a. In this regard, Bird & Bird was asked to provide guidance with > respect to the meaning of ?legal or similarly significant effect.? The > memo notes that the term is undefined but involves an ?elevated threshold.? > Bird & Bird was also asked to opine on the role of the legal concept of > proximate cause (roughly speaking, an action that produces foreseeable > consequences without intervention from a third party) when considering > whether a decision to release personal information about a registrant > results in a legal or similarly significant effect on the data subject. In > this regard, given sparse authority one way or the other, Bird & Bird > recommended consultation with EDPB/DPAs as to whether or not automated > Central Gateway actions might be permitted as actions taken only in > preparation for a decision involving legal significance and therefore not, > in themselves, subject to Article 22. > > > > b. Bird & Bird provided a useful summary table (attached) laying out: > the four use cases where, in its view, disclosure would not have a > legal/similarly significant effect; the four use cases where it clearly > would have that effect; and the six use cases where this was unclear. > > > > 5. With respect to the unclear cases, Bird & Bird provided a list of > safeguards including, among other things, consultation with DPAs and better > scoping of each use case and its legal basis. > > > > 6. With respect to the relationship between a Contracted Party and > SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in > which it would be plausible to argue that CPs are mere processors. > Further, Bird & Bird concluded: > > > > a. Under Scenario 1, where the ultimate decision to disclose personal > information about a registrant lies with the CP, the CP and SSAD/Central > Gateway would most likely be considered joint controllers. > > > > b. Under Scenario 2, where SSAD/Central Gateway (rather than the CP) > makes the ultimate disclosure decision, Bird & Bird opined that it is > possible that a CP would be found to be a controller for purposes of the > disclosure of data to ICANN/Central Gateway but not for disclosure to the > third party requesting the data. (That is not determinative as to whether > the CP would have liability for transfer of data to SSAD/Central Gateway in > the event of wrongful disclosure.) > > > > 7. With respect to CP liability, Bird & Bird stated: > > > > a. Where CPs are joint controllers with SSAD/Central Gateway it is > important to clearly allocate tasks and responsibilities by way of an > agreement. > > b. CPs can only avoid joint and several liability to individuals by > demonstrating that they were not in any way involved in the event giving > rise to the damage; the situation is less clear with respect to liability > to DPAs. > > c. Scenario 2 (where SSAD/Central Gateway makes disclosure decision) > presents ?lower risk? of liability to CPs, i.e., gives them a relatively > better argument regarding no involvement/lower degree of responsibility for > decision. > > > > *Recommendations on Next Steps* > > > > The Legal Committee has asked ICANN Org to develop proposals for ways in > which the following use cases (identified by Bird & Bird as not rising to > the level of having a legal or similarly significant effect on data > subjects) might be automated: > > > > 1. Access to registrant data by a DPA for purposes of investigating a > data protection infringement allegedly affecting the registrant; > > 2. Requests for city field only for the purposes of (i) evaluating > whether to pursue a claim or (ii) statistics; > > 3. The registrant record contains no personal data. > > > > The Legal Committee commends the use cases identified by Bird & Bird as > ?unclear? to the small group working on > -------------- next part -------------- An HTML attachment was scrubbed... URL: