[Gnso-epdp-legal] My internal summary of the Automation Memo

Becky Burr becky.burr at board.icann.org
Wed Apr 29 20:34:56 UTC 2020


Colleagues,

In preparation for our discussion tomorrow, I created my own summary of the
Bird & Bird memo and our recommendations on next steps.  I don't propose to
use this instead of the Executive Summary provided by Bird & Bird but
wanted to share in the event that (i) Janis can take away more than the
fact that it is in [American][lawyer] English and/or (ii) any of you might
disagree with the way I have characterized the memo and our recommendations
to the plenary.

B

Summary of Bird & Bird Memo on Automation Use Cases



The legal committee has reviewed Bird & Bird’s draft memorandum on proposed
automation use cases based on a common set of assumptions provided by the
EPDP.  Two “scenarios” were contemplated for each use case:



·      In *Scenario 1* the SSAD/Central Gateway would make an automated
“recommendation” to the relevant CP, which could accept or reject the
recommendation;

·      In *Scenario 2*, the decision to disclose would be taken by the
Central Gateway rather than the CP (either with or without accessing the
actual registrant data before making the decision).



*Summary of Bird & Bird Memo*



Noting that the structure and content of Art. 22 GDPR remains unclear
despite EDPB guidance, the Bird & Bird memo recalls that under GDPR “solely
automated” decisions can take place in the SSAD context only where:



1.     The GDPR does not apply because the requested data is not personal
data;

2.     The decision does not have a legal or similarly significant effect;

3.     A Member State derogation applies; or

4.     An applicable Member State law authorizes the decision.



Where none of those conditions apply, there must be meaningful human
involvement in the decision making process.



Bird & Bird concludes that:



1.     A decision to disclose information by the SSAD/Central Gateway is
likely to involve processing of personal information, even in the case
where the Central Gateway does not have access to the underlying registrant
data.  (Disclosure of city data is a possible exception.)



2.     Only Scenario 1.a. (automated recommendation to CP) does not rise to
the level of “solely automated processing.”



3.     While there are potential Member State derogations/authorizations,
they are not uniform and/or uniformly available in this context.



4.     Accordingly, with respect to automated SSAD/Central Gateway use
cases, the question is likely to turn on whether or not the processing
involves a decision with “legal or similarly significant effect.” Based on
the information provided, Bird & Bird concluded that some of the scenarios
clearly involve a decision with legal or similar significant effects; some
of the scenarios clearly do not; and in the many cases where it is unclear,
additional work is needed.



a.     In this regard, Bird & Bird was asked to provide guidance with
respect to the meaning of “legal or similarly significant effect.”  The
memo notes that the term is undefined but involves an “elevated threshold.”
Bird & Bird was also asked to opine on the role of the legal concept of
proximate cause (roughly speaking, an action that produces foreseeable
consequences without intervention from a third party) when considering
whether a decision to release personal information about a registrant
results in a legal or similarly significant effect on the data subject.  In
this regard, given sparse authority one way or the other, Bird & Bird
recommended consultation with EDPB/DPAs as to whether or not automated
Central Gateway actions might be permitted as actions taken only in
preparation for a decision involving legal significance and therefore not,
in themselves, subject to Article 22.



b.     Bird & Bird provided a useful summary table (attached) laying out:
the four use cases where, in its view, disclosure would not have a
legal/similarly significant effect;  the four use cases where it clearly
would have that effect; and the six use cases where this was unclear.



5.     With respect to the unclear cases, Bird & Bird provided a list of
safeguards including, among other things, consultation with DPAs and better
scoping of each use case and its legal basis.



6.     With respect to the relationship between a Contracted Party and
SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in
which it would be plausible to argue that CPs are mere processors.
Further, Bird & Bird concluded:



a.     Under Scenario 1, where the ultimate decision to disclose personal
information about a registrant lies with the CP, the CP and SSAD/Central
Gateway would most likely be considered joint controllers.



b.     Under Scenario 2, where SSAD/Central Gateway (rather than the CP)
makes the ultimate disclosure decision, Bird & Bird opined that it is
possible that a CP would be found to be a controller for purposes of the
disclosure of data to ICANN/Central Gateway but not for disclosure to the
third party requesting the data.   (That is not determinative as to whether
the CP would have liability for transfer of data to SSAD/Central Gateway in
the event of wrongful disclosure.)



7.     With respect to CP liability, Bird & Bird stated:



a.     Where CPs are joint controllers with SSAD/Central Gateway it is
important to clearly allocate tasks and responsibilities by way of an
agreement.

b.     CPs can only avoid joint and several liability to individuals by
demonstrating that they were not in any way involved in the event giving
rise to the damage; the situation is less clear with respect to liability
to DPAs.

c.     Scenario 2 (where SSAD/Central Gateway makes disclosure decision)
presents “lower risk” of liability to CPs, i.e., gives them a relatively
better argument regarding no involvement/lower degree of responsibility for
decision.



*Recommendations on Next Steps*



The Legal Committee has asked ICANN Org to develop proposals for ways in
which the following use cases (identified by Bird & Bird as not rising to
the level of having a legal or similarly significant effect on data
subjects) might be automated:



1.     Access to registrant data by a DPA for purposes of investigating a
data protection infringement allegedly affecting the registrant;

2.     Requests for city field only for the purposes of (i) evaluating
whether to pursue a claim or (ii) statistics;

3.     The registrant record contains no personal data.


The Legal Committee commends the use cases identified by Bird & Bird as
“unclear” to the small group working on