[Gnso-epdp-legal] My internal summary of the Automation Memo

King, Brian Brian.King at markmonitor.com
Wed Apr 29 23:58:17 UTC 2020


Hey Matt and all,

Just a clarification that the Scenario 1 we presented indeed was not automated – the “recommendations” were automated, but decisions were made manually at the CP. Right? I’d consider this not automated, but I’m way in the weeds these days and could be missing quite a bit at common-sense level.

If the legal team thinks that the caveat I suggested about proximate cause related to the chart adds confusion, I am willing to accept if I am in the minority on this. My view, which is shared by a number of IPC colleagues, is that the type of harm contemplated by Article 22 simply is not possible in the SSAD scenario. ICANN sua sponte/by itself is simply not capable of inflicting the type of harm contemplated by Article 22 (denial of immigration/citizenship, voting rights, credit/loan eligibility), even “similarly significant” effects. All SSAD can do is release the data to a third party with its own independent free will, which disclosure standing alone is a benign event for Article 22 purposes. I also don’t find it at all likely that future use of the data by a requestor, based on its own control, would constitute ICANN’s or a CP’s violation of Article 22. I accept that we don’t have case law on this yet, and I acknowledge that reasonable minds could disagree, but I do not yet understand the alternative argument.

Even if the legal team would prefer not to burden the presentation of the chart with an asterisk or a footnote on this, I do find this to be ripe for inclusion in the Mechanism for Evolution of the SSAD. As I’m part of the small team working on that, I will flag this for inclusion in that work.

Thank you all for dealing with me 😊.

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Crossman, Matthew <mmcross at amazon.com>
Sent: Wednesday, April 29, 2020 6:35 PM
To: King, Brian <Brian.King at markmonitor.com>; Becky Burr <becky.burr at board.icann.org>; gnso-epdp-legal at icann.org
Subject: RE: [Gnso-epdp-legal] My internal summary of the Automation Memo

Thank you for the summary Becky, I think this is helpful for the team.

Regarding Brian’s suggestions, I am fine with saying “least risk” of liability provided we say “least risk of liability of the scenarios presented.” I think that is accurate, and it’s important to tie it to the scope of the memo (i.e., the least risk of liability overall is actually no automation – I’m not suggesting that, just trying to illustrate the importance of the scope of these conclusions).

On proximate cause I worry that adding that caveat adds unnecessary ambiguity that makes it sound like this is an open issue.  The chart illustrates what is permissible today and we should use it as a tool to move those conversations forward. I don’t disagree that it is an interesting question and certainly something we may need to consider in the SSAD evolution as guidance develops, but adding it as a condition on the chart’s conclusions seems like it will cause more confusion than clarity.

Thanks,
Matt

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> On Behalf Of King, Brian via Gnso-epdp-legal
Sent: Wednesday, April 29, 2020 2:19 PM
To: Becky Burr <becky.burr at board.icann.org>; gnso-epdp-legal at icann.org
Subject: RE: [Gnso-epdp-legal] My internal summary of the Automation Memo

Hi Becky,

Thank you for doing this, and for giving consideration to the concerns I expressed on the legal team call. I think your email cut off before its intended conclusion.

In your 7.c. at the risk of appearing to split hairs, I think there is value in presenting this as “least risk” of liability to CPs as Bird & Bird states in the body of the memo (p. 25). This is the best option for CP liability, and it should be clearly presented as such.

My only other suggestion is to note that the chart presented does not consider the impact of the proximate cause question, although Bird & Bird notes that the concern has merit and which is supported by the only existing literature on point, and is therefore the most conservative approach.

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> On Behalf Of Becky Burr
Sent: Wednesday, April 29, 2020 4:35 PM
To: gnso-epdp-legal at icann.org
Subject: [Gnso-epdp-legal] My internal summary of the Automation Memo

Colleagues,

In preparation for our discussion tomorrow, I created my own summary of the Bird & Bird memo and our recommendations on next steps. I don't propose to use this instead of the Executive Summary provided by Bird & Bird but wanted to share in the event that (i) Janis can take away more than the fact that it is in [American][lawyer] English and/or (ii) any of you might disagree with the way I have characterized the memo and our recommendations to the plenary.

B

Summary of Bird & Bird Memo on Automation Use Cases

The legal committee has reviewed Bird & Bird’s draft memorandum on proposed automation use cases based on a common set of assumptions provided by the EPDP.  Two “scenarios” were contemplated for each use case:


•      In Scenario 1 the SSAD/Central Gateway would make an automated “recommendation” to the relevant CP, which could accept or reject the recommendation;

•      In Scenario 2, the decision to disclose would be taken by the Central Gateway rather than the CP (either with or without accessing the actual registrant data before making the decision).

Summary of Bird & Bird Memo

Noting that the structure and content of Art. 22 GDPR remains unclear despite EDPB guidance, the Bird & Bird memo recalls that under GDPR “solely automated” decisions can take place in the SSAD context only where:


1.     The GDPR does not apply because the requested data is not personal data;

2.     The decision does not have a legal or similarly significant effect;

3.     A Member State derogation applies; or

4.     An applicable Member State law authorizes the decision.

Where none of those conditions apply, there must be meaningful human involvement in the decision making process.

Bird & Bird concludes that:


1.     A decision to disclose information by the SSAD/Central Gateway is likely to involve processing of personal information, even in the case where the Central Gateway does not have access to the underlying registrant data.  (Disclosure of city data is a possible exception.)



2.     Only Scenario 1.a. (automated recommendation to CP) does not rise to the level of  “solely automated processing.”



3.     While there are potential Member State derogations/authorizations, they are not uniform and/or uniformly available in this context.



4.     Accordingly, with respect to automated SSAD/Central Gateway use cases, the question is likely to turn on whether or not the processing involves a decision with “legal or similarly significant effect.” Based on the information provided, Bird & Bird concluded that some of the scenarios clearly involve a decision with legal or similar significant effects; some of the scenarios clearly do not; and in the many cases where it is unclear, additional work is needed.



a.     In this regard, Bird & Bird was asked to provide guidance with respect to the meaning of “legal or similarly significant effect.”  The memo notes that the term is undefined but involves an “elevated threshold.” Bird & Bird was also asked to opine on the role of the legal concept of proximate cause (roughly speaking, an action that produces foreseeable consequences without intervention from a third party) when considering whether a decision to release personal information about a registrant results in a legal or similarly significant effect on the data subject.  In this regard, given sparse authority one way or the other, Bird & Bird recommended consultation with EDPB/DPAs as to whether or not automated Central Gateway actions might be permitted as actions taken only in preparation for a decision involving legal significance and therefore not, in themselves, subject to Article 22.



b.     Bird & Bird provided a useful summary table (attached) laying out: the four use cases where, in its view, disclosure would not have a legal/similarly significant effect;  the four use cases where it clearly would have that effect; and the six use cases where this was unclear.



5.     With respect to the unclear cases, Bird & Bird provided a list of safeguards including, among other things, consultation with DPAs and better scoping of each use case and its legal basis.



6.     With respect to the relationship between a Contracted Party and SSAD/Central Gateway, Bird & Bird concluded that there is no scenario in which it would be plausible to argue that CPs are mere processors.  Further, Bird & Bird concluded:



a.     Under Scenario 1, where the ultimate decision to disclose personal information about a registrant lies with the CP, the CP and SSAD/Central Gateway would most likely be considered joint controllers.



b.     Under Scenario 2, where SSAD/Central Gateway (rather than the CP) makes the ultimate disclosure decision, Bird & Bird opined that it is possible that a CP would be found to be a controller for purposes of the disclosure of data to ICANN/Central Gateway but not for disclosure to the third party requesting the data.   (That is not determinative as to whether the CP would have liability for transfer of data to SSAD/Central Gateway in the event of wrongful disclosure.)



7.     With respect to CP liability, Bird & Bird stated:



a.     Where CPs are joint controllers with SSAD/Central Gateway it is important to clearly allocate tasks and responsibilities by way of an agreement.

b.     CPs can only avoid joint and several liability to individuals by demonstrating that they were not in any way involved in the event giving rise to the damage; the situation is less clear with respect to liability to DPAs.

c.     Scenario 2 (where SSAD/Central Gateway makes disclosure decision) presents “lower risk” of liability to CPs, i.e., gives them a relatively better argument regarding no involvement/lower degree of responsibility for decision.

Recommendations on Next Steps

The Legal Committee has asked ICANN Org to develop proposals for ways in which the following use cases (identified by Bird & Bird as not rising to the level of having a legal or similarly significant effect on data subjects) might be automated:


1.     Access to registrant data by a DPA for purposes of investigating a data protection infringement allegedly affecting the registrant;

2.     Requests for city field only for the purposes of (i) evaluating whether to pursue a claim or (ii) statistics;

3.     The registrant record contains no personal data.

The Legal Committee commends the use cases identified by Bird & Bird as “unclear” to the small group working on