[Gnso-epdp-legal] Proposed Agenda - Legal Committee Meeting #13 - Tuesday, 7 Jan 2020 15:00 UTC

Caitlin Tubergen caitlin.tubergen at icann.org
Mon Jan 6 13:21:42 UTC 2020


Dear Legal Committee,

 

Happy New Year!

 

Please find below the proposed agenda for tomorrow’s Legal Committee call. As a reminder, the outstanding items from the last meeting, which are due in advance of tomorrow’s meeting, include:

Action Items associated with additional priority 1 and priority 2 questions

1. Margie to rephrase territorial scope question to address the question of if the finalized guidelines have any effect on the applicability of GDPR to registration data about registrants who are not residents within the EEA? Previously-worded question: In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR?

 

2. Tara to rephrase the SSAC Legal v. Natural question to rephrase the issue regarding transferring consent. Tara to review the Technical Contact memo from Phase 1. Additionally, Tara to refer to specific excerpts of guidance from the cited sources. 

 

Previously-worded question: 

 

Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person, especially if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. 

 

As a follow-up to that memo: what are the consent issues and requirements related to such designations?  Can registrars state that it is the responsibility of a legal person registrant to obtain consent from any natural person whose data it submits? 

 

As part of the analysis, please examine the GDPR policies and practices of the Internet protocol (IP address) registries RIPE NCC (the registry in Europe, based in the Netherlands) and ARIN (the registry in North America, which has customer contacts in Europe).  These registries publish the data of natural person contacts who are subject to the GDPR, publicly via their WHOIS services, by placing the choice and responsibility on their registrants, who are legal persons.  These IP address registries state mission justifications and collection purposes similar to those in ICANN's Temporary Specification.

 

Please see:

1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:

https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database

2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database

3) "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/

4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/

5) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf

6) ARIN Privacy Policy: https://www.arin.net/about/privacy/

 

3. Laureen to review the previously-submitted questions on WHOIS accuracy and ARS and note if the questions are still relevant. If they are, Laureen to provide a rationale as to how this question will assist the EPDP Team in moving forward. The numbers below correspond to the WHOIS Accuracy and ARS Priority 2 worksheet.

4. If current verification statistics provide that a number of data is inaccurate, would that be considered a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR? (GAC)
5. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? (GAC)
6. Can you provide an analysis on the third parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? (GAC)
7. How is the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)? (GAC)
8. While it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLDs? (GAC)

Thank you.

Best regards, 

Marika, Berry, and Caitlin

--

EPDP Phase 2 Legal Committee Meeting #13

7 January 2020

 
Roll Call & SOI Updates 
 
Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date
 

a)      Substantive review of SSAD questions (awaiting updated territorial scope question from Margie)

  

·         Updated Territorial Scope Question

·         Note: Margie to rephrase territorial scope question to address the question of if the finalized guidelines have any effect on the applicability of GDPR to registration data about registrants who are not residents within the EEA? 

 

Previously-worded question: In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR?

 

b)      Agree on next steps

 
Continue review of Priority 2 Legal Questions 
a)       Substantive review of Priority 2 Legal Questions:

i. Legal vs. Natural (awaiting updated question from Tara):

Previously-worded question: Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person, especially if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. 

As a follow-up to that memo: what are the consent issues and requirements related to such designations?  Can registrars state that it is the responsibility of a legal person registrant to obtain consent from any natural person whose data it submits? 

 

As part of the analysis, please examine the GDPR policies and practices of the Internet protocol (IP address) registries RIPE NCC (the registry in Europe, based in the Netherlands) and ARIN (the registry in North America, which has customer contacts in Europe).  These registries publish the data of natural person contacts who are subject to the GDPR, publicly via their WHOIS services, by placing the choice and responsibility on their registrants, who are legal persons.  These IP address registries state mission justifications and collection purposes similar to those in ICANN's Temporary Specification.

Please see:

1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:

https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database

2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database

3) "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/

4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/

5) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf

6) ARIN Privacy Policy: https://www.arin.net/about/privacy/

ii. WHOIS Accuracy and ARS (Awaiting Laureen’s confirmation/analysis that question is still needed, specifically in light of already-approved questions related to accuracy):

4. If current verification statistics provide that a number of data is inaccurate, would that be considered a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR? (GAC)

5. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? (GAC)

6. Can you provide an analysis on the third parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? (GAC)

7. How is the accuracy principle in connection to the parties' liability has to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)? (GAC)

8. While it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensuring the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLDs? (GAC)

b)      Agree on next steps

 
Wrap and confirm next meeting to be scheduled 
a)       Confirm action items

b)       AOB
Note: No objections received re: Bird and Bird’s updates to the memo summaries by the pre-holiday deadline. The summaries are now included in the Initial Report Google Doc.
Note: No objections received regarding questions to submit for plenary review by the pre-holiday deadline. Following this call, EPDP Support Staff will forward the questions to the plenary for its review (with highlighting removed).
c)        The next Legal Committee meeting is scheduled for Tuesday, 21 January at 15:00 UTC.

 

 

 

 
