[Gnso-epdp-legal] Proposed Agenda - Legal Committee Meeting #13 - Tuesday, 7 Jan 2020 15:00 UTC
Volker Greimann
vgreimann at key-systems.net
Tue Jan 7 10:18:28 UTC 2020
Hi all,
due to an urgent conflict, I cannot make todays call, but I will try to
arrange a substitute from the RRSG, if possible.
Best,
Volker
Am 06.01.2020 um 14:21 schrieb Caitlin Tubergen:
>
> Dear Legal Committee,
>
> Happy New Year!
>
> Please find below the proposed agenda for tomorrow’s Legal Committee
> call. As a reminder, the outstanding items from the last meeting,
> which are due in advance of tomorrow’s meeting, include:
>
> *Action Items associated with additional priority 1 and priority 2
> questions*
>
> 1. Margie to rephrase territorial scope question to address the
> question of if the finalized guidelines have any effect on the
> applicability of GDPR to registration data about registrants who are
> not residents within the EEA? Previously-worded question: In light of
> the finalized guidelines on the territorial scope of the GDPR and the
> ECJ opinion on regarding the right to be forgotten (Google case), are
> there any modifications you would propose to your previous memo on the
> territorial scope of the GDPR?
>
> 2. Tara to rephrase the SSAC Legal v. Natural question to rephrase the
> issue regarding transferring consent. Tara to review the Technical
> Contact memo from Phase 1
> <https://community.icann.org/pages/viewpage.action?pageId=105386422>.
> Additionally, Tara to refer to specific excerpts of guidance from the
> cited sources.
>
> Previously-worded question:
>
> Registration data submitted by legal person registrants may contain
> the data of natural persons. A Phase 1 memo stated that registrars
> can rely on a registrant's self-identification as legal or natural
> person, especially if risk is mitigated by taking further steps to
> ensure the accuracy of the registrant's designation.
>
> As a follow-up to that memo: what are the consent issues and
> requirements related to such designations? Can registrars state that
> it is the responsibility of a legal person registrant to obtain
> consent from any natural person whose data it submits?
>
> As part of the analysis, please examine the GDPR policies and
> practices of the Internet protocol (IP address) registries RIPE NCC
> (the registry in Europe, based in the Netherlands) and ARIN (the
> registry in North America, which has customer contacts in Europe).
> These registries publish the data of natural person contacts who are
> subject to the GDPR, publicly via their WHOIS services, by placing the
> choice and responsibility on their registrants, who are legal
> persons. These IP address registries state mission justifications and
> collection purposes similar to those in ICANN's Temporary Specification.
>
> Please see:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
> [labs.ripe.net]
> <https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database%20%5blabs.ripe.net%5d>
>
> 2) “How We're Implementing the GDPR: The RIPE Database”:
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
> [labs.ripe.net]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__labs.ripe.net_Members_Athina_how-2Dwe-2Dre-2Dimplementing-2Dthe-2Dgdpr-2Dthe-2Dripe-2Ddatabase&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=MHkNDZD5npTHhFCww7h37jH0dZVXjP3J6gC_3_MlKMA&e=>
>
> 3) "Personal Data Privacy Considerations At ARIN":
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
> [teamarin.net]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__teamarin.net_2018_03_20_personal-2Ddata-2Dprivacy-2Dconsiderations-2Dat-2Darin_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=pk0huv2aNSfvLj6S90UIZ4QJUIpAr9Ht-yJyf7pEC2g&e=>
>
> 4) ARIN "Data Accuracy":
> https://www.arin.net/reference/materials/accuracy/ [arin.net]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.arin.net_reference_materials_accuracy_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=ckReulFNZOhT8xWNRFYx6OBfLxsYr0RaqxOEgr_Em6c&e=>
>
> 5) ARIN Registration Services Agreement, paragraph 3:
> https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.arin.net_about_corporate_agreements_rsa.pdf&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=A__4cvbv8CN_aWnGqBhNkF9hSAUmtHzIDL2uiGtMtLI&e=>
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/ [arin.net]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.arin.net_about_privacy_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=9Y9HB3OlTZfz1no1-rFIekmLoJGp-tuExNdcqd9C86s&s=99xt1m5gH1mu0-Pt3ERCRTLchE2_nxsr0OLfK-0uyls&e=>
>
> 3. Laureen to review the previously-submitted questions on WHOIS
> accuracy and ARS and note if the questions are still relevant. If they
> are, Laureen to provide a rationale as how this question will assist
> the EPDP Team in moving forward. The numbers below correspond to the
> WHOIS Accuracy and ARS Priority 2 worksheet
> <https://docs.google.com/document/d/1pS9Pibanj-Hp6LztZpeERtxdoLsnp4y_-do0vU5VJuw/edit>.
>
> 4. If current verification statistics provide that a number of data is
> inaccurate, would that be considered a metric to deduce that the
> accuracy principle is not served in a reasonable manner as demanded by
> the GDPR? (GAC)
>
> 5. According to the GDPR all personal data are processed based on the
> principle that they are necessary for the purpose for which they are
> collected. If those data are necessary, how can the purpose be served
> while the data are inaccurate? (GAC)
>
> 6. Can you provide an analysis on the third parties mentioned in para
> 19 on which "ICANN and the relevant parties may rely on to confirm the
> accuracy of personal data if it is reasonable to do so"? Do they
> become in such a scenario data processors? (GAC)
>
> 7. How is the accuracy principle in connection to the parties'
> liability has to be understood in light of the accountability
> principle of the GDPR? What are the responsibilities of ICANN and the
> contracted parties (who are subject to the GDPR) under Chapter IV of
> the GDPR? If the contracted parties (as data controllers) engage third
> entities as processors (e.g. to provide data back-up services), what
> are the responsibilities of these entities? What does this mean in
> terms of liabilities (in light of Art. 82 GDPR)? (GAC)
>
> 8. While it is up to the registrants to provide accurate details about
> themselves and it is up to the registrants not to mistakenly identify
> themselves as natural or legal persons, the Memo on "Natural vs Legal
> persons" provides interesting ideas/suggestions for the contracted
> parties to proactively ensuring the reliability of information
> provided, including through measures to independently verify the data.
> Could similar mechanisms be identified also for ensuring the
> reliability of the contact details of the registrant? Can best
> practices be drawn from the ccTLDs? (GAC)
>
> Thank you.
>
> Best regards,
>
> Marika, Berry, and Caitlin
>
> --
>
> *EPDP Phase 2 Legal Committee Meeting #13*
>
> *7 January 2020*
>
> 1. *Roll Call & SOI Updates *
>
> **
>
> 2. *Continued Substantive Review of Priority 1 (SSAD) Legal Questions
> Submitted to Date*
>
> a)Substantive review of SSAD questions (awaiting updated territorial
> scope question from Margie)
>
> ·*_Updated Territorial Scope Question_*
>
> ·Note: Margie to rephrase territorial scope question to address the
> question of if the finalized guidelines have any effect on the
> applicability of GDPR to registration data about registrants who are
> not residents within the EEA?
>
> Previously-worded question: In light of the finalized guidelines on
> the territorial scope of the GDPR and the ECJ opinion on regarding the
> right to be forgotten (Google case), are there any modifications you
> would propose to your previous memo on the territorial scope of the GDPR?
>
> b)Agree on next steps
>
> 3. *Continue review of Priority 2 Legal Questions *
>
> a)Substantive review of Priority 2 Legal Questions:
>
> i.*Legal vs. Natural* (awaiting updated question from Tara):
>
> Previously-worded question: Registration data submitted by legal
> person registrants may contain the data of natural persons. A Phase 1
> memo stated that registrars can rely on a registrant's
> self-identification as legal or natural person, especially if risk is
> mitigated by taking further steps to ensure the accuracy of the
> registrant's designation.
>
> As a follow-up to that memo: what are the consent issues and
> requirements related to such designations? Can registrars state that
> it is the responsibility of a legal person registrant to obtain
> consent from any natural person whose data it submits?
>
> As part of the analysis, please examine the GDPR policies and
> practices of the Internet protocol (IP address) registries RIPE NCC
> (the registry in Europe, based in the Netherlands) and ARIN (the
> registry in North America, which has customer contacts in Europe).
> These registries publish the data of natural person contacts who are
> subject to the GDPR, publicly via their WHOIS services, by placing the
> choice and responsibility on their registrants, who are legal
> persons. These IP address registries state mission justifications and
> collection purposes similar to those in ICANN's Temporary Specification.
>
> Please see:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database
> [labs.ripe.net]
>
> 2) “How We're Implementing the GDPR: The RIPE Database”:
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
> [labs.ripe.net]
>
> 3) "Personal Data Privacy Considerations At ARIN":
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/
> [teamarin.net]
>
> 4) ARIN "Data Accuracy":
> https://www.arin.net/reference/materials/accuracy/ [arin.net]
>
> 5) ARIN Registration Services Agreement, paragraph 3:
> https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/ [arin.net]
>
> ii. *WHOIS Accuracy and ARS* (Awaiting for Laureen’s
> confirmation/analysis that question is still needed, specifically in
> light of already-approved questions related to accuracy):
>
> 4. If current verification statistics provide that a number of data is
> inaccurate, would that be considered a metric to deduce that the
> accuracy principle is not served in a reasonable manner as demanded by
> the GDPR? (GAC)
>
> 5. According to the GDPR all personal data are processed based on the
> principle that they are necessary for the purpose for which they are
> collected. If those data are necessary, how can the purpose be served
> while the data are inaccurate? (GAC)
>
> 6. Can you provide an analysis on the third parties mentioned in para
> 19 on which "ICANN and the relevant parties may rely on to confirm the
> accuracy of personal data if it is reasonable to do so"? Do they
> become in such a scenario data processors? (GAC)
>
> 7. How is the accuracy principle in connection to the parties'
> liability has to be understood in light of the accountability
> principle of the GDPR? What are the responsibilities of ICANN and the
> contracted parties (who are subject to the GDPR) under Chapter IV of
> the GDPR? If the contracted parties (as data controllers) engage third
> entities as processors (e.g. to provide data back-up services), what
> are the responsibilities of these entities? What does this mean in
> terms of liabilities (in light of Art. 82 GDPR)? (GAC)
>
> 8. While it is up to the registrants to provide accurate details about
> themselves and it is up to the registrants not to mistakenly identify
> themselves as natural or legal persons, the Memo on "Natural vs Legal
> persons" provides interesting ideas/suggestions for the contracted
> parties to proactively ensuring the reliability of information
> provided, including through measures to independently verify the data.
> Could similar mechanisms be identified also for ensuring the
> reliability of the contact details of the registrant? Can best
> practices be drawn from the ccTLDs? (GAC)
>
> b)Agree on next steps
>
> **
>
> 4. *Wrap and confirm next meeting to be scheduled *
>
> a)Confirm action items
>
> b)AOB
>
> * Note: No objections received re: Bird and Bird’s updates to the
> memo summaries by the pre-holiday deadline. The summaries are now
> included in the Initial Report Google Doc.
> * Note: No objections received regarding questions to submit for
> plenary review by the pre-holiday deadline. Following this call,
> EPDP Support Staff forward the questions to the plenary for its
> review (with highlighting removed).
>
> *c)*The next Legal Committee meeting is scheduled for *Tuesday, 21
> January at 15:00 UTC.*
>
>
> _______________________________________________
> Gnso-epdp-legal mailing list
> Gnso-epdp-legal at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
> _______________________________________________
> By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
--
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20200107/b499bf32/attachment-0001.html>
More information about the Gnso-epdp-legal
mailing list