[Gnso-epdp-legal] Proposed Agenda - Legal Committee Meeting #13 - Tuesday, 7 Jan 2020 15:00 UTC

Volker Greimann vgreimann at key-systems.net
Tue Jan 7 10:18:28 UTC 2020


Hi all,

due to an urgent conflict, I cannot make today's call, but I will try to 
arrange a substitute from the RRSG, if possible.

Best,

Volker

On 06.01.2020 at 14:21, Caitlin Tubergen wrote:
>
> Dear Legal Committee,
>
> Happy New Year!
>
> Please find below the proposed agenda for tomorrow’s Legal Committee 
> call. As a reminder, the outstanding items from the last meeting, 
> which are due in advance of tomorrow’s meeting, include:
>
> *Action Items associated with additional priority 1 and priority 2 
> questions*
>
> 1. Margie to rephrase territorial scope question to address the 
> question of if the finalized guidelines have any effect on the 
> applicability of GDPR to registration data about registrants who are 
> not residents within the EEA? Previously-worded question: In light of 
> the finalized guidelines on the territorial scope of the GDPR and the 
> ECJ opinion regarding the right to be forgotten (Google case), are 
> there any modifications you would propose to your previous memo on the 
> territorial scope of the GDPR?
>
> 2. Tara to rephrase the SSAC Legal v. Natural question to rephrase the 
> issue regarding transferring consent. Tara to review the Technical 
> Contact memo from Phase 1 
> <https://community.icann.org/pages/viewpage.action?pageId=105386422>. 
> Additionally, Tara to refer to specific excerpts of guidance from the 
> cited sources.
>
> Previously-worded question:
>
> Registration data submitted by legal person registrants may contain 
> the data of natural persons.  A Phase 1 memo stated that registrars 
> can rely on a registrant's self-identification as legal or natural 
> person, especially if risk is mitigated by taking further steps to 
> ensure the accuracy of the registrant's designation.
>
> As a follow-up to that memo: what are the consent issues and 
> requirements related to such designations?  Can registrars state that 
> it is the responsibility of a legal person registrant to obtain 
> consent from any natural person whose data it submits?
>
> As part of the analysis, please examine the GDPR policies and 
> practices of the Internet protocol (IP address) registries RIPE NCC 
> (the registry in Europe, based in the Netherlands) and ARIN (the 
> registry in North America, which has customer contacts in Europe). 
> These registries publish the data of natural person contacts who are 
> subject to the GDPR, publicly via their WHOIS services, by placing the 
> choice and responsibility on their registrants, who are legal 
> persons.  These IP address registries state mission justifications and 
> collection purposes similar to those in ICANN's Temporary Specification.
>
> Please see:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal 
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database 
> [labs.ripe.net] 
>
> 2)  “How We're Implementing the GDPR: The RIPE Database”: 
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database 
> [labs.ripe.net] 
>
> 3) "Personal Data Privacy Considerations At ARIN": 
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ 
> [teamarin.net] 
>
> 4) ARIN "Data Accuracy": 
> https://www.arin.net/reference/materials/accuracy/ [arin.net] 
>
> 5) ARIN Registration Services Agreement, paragraph 3: 
> https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net] 
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/ [arin.net] 
>
> 3. Laureen to review the previously-submitted questions on WHOIS 
> accuracy and ARS and note if the questions are still relevant. If they 
> are, Laureen to provide a rationale as to how this question will assist 
> the EPDP Team in moving forward. The numbers below correspond to the 
> WHOIS Accuracy and ARS Priority 2 worksheet 
> <https://docs.google.com/document/d/1pS9Pibanj-Hp6LztZpeERtxdoLsnp4y_-do0vU5VJuw/edit>.
>
> 4. If current verification statistics provide that a number of data is 
> inaccurate, would that be considered a metric to deduce that the 
> accuracy principle is not served in a reasonable manner as demanded by 
> the GDPR? (GAC)
>
> 5. According to the GDPR all personal data are processed based on the 
> principle that they are necessary for the purpose for which they are 
> collected. If those data are necessary, how can the purpose be served 
> while the data are inaccurate? (GAC)
>
> 6. Can you provide an analysis on the third parties mentioned in para 
> 19 on which "ICANN and the relevant parties may rely on to confirm the 
> accuracy of personal data if it is reasonable to do so"? Do they 
> become in such a scenario data processors? (GAC)
>
> 7. How does the accuracy principle in connection to the parties' 
> liability have to be understood in light of the accountability 
> principle of the GDPR? What are the responsibilities of ICANN and the 
> contracted parties (who are subject to the GDPR) under Chapter IV of 
> the GDPR? If the contracted parties (as data controllers) engage third 
> entities as processors (e.g. to provide data back-up services), what 
> are the responsibilities of these entities? What does this mean in 
> terms of liabilities (in light of Art. 82 GDPR)? (GAC)
>
> 8. While it is up to the registrants to provide accurate details about 
> themselves and it is up to the registrants not to mistakenly identify 
> themselves as natural or legal persons, the Memo on "Natural vs Legal 
> persons" provides interesting ideas/suggestions for the contracted 
> parties to proactively ensure the reliability of information 
> provided, including through measures to independently verify the data. 
> Could similar mechanisms be identified also for ensuring the 
> reliability of the contact details of the registrant? Can best 
> practices be drawn from the ccTLDs? (GAC)
>
> Thank you.
>
> Best regards,
>
> Marika, Berry, and Caitlin
>
> --
>
> *EPDP Phase 2 Legal Committee Meeting #13*
>
> *7 January 2020*
>
>  1. *Roll Call & SOI Updates *
>
>  2. *Continued Substantive Review of Priority 1 (SSAD) Legal Questions
>     Submitted to Date*
>
> a) Substantive review of SSAD questions (awaiting updated territorial 
> scope question from Margie)
>
>   * *_Updated Territorial Scope Question_*
>
>   * Note: Margie to rephrase territorial scope question to address the 
> question of if the finalized guidelines have any effect on the 
> applicability of GDPR to registration data about registrants who are 
> not residents within the EEA?
>
> Previously-worded question: In light of the finalized guidelines on 
> the territorial scope of the GDPR and the ECJ opinion regarding the 
> right to be forgotten (Google case), are there any modifications you 
> would propose to your previous memo on the territorial scope of the GDPR?
>
> b) Agree on next steps
>
>  3. *Continue review of Priority 2 Legal Questions *
>
> a) Substantive review of Priority 2 Legal Questions:
>
> i. *Legal vs. Natural* (awaiting updated question from Tara):
>
> Previously-worded question: Registration data submitted by legal 
> person registrants may contain the data of natural persons.  A Phase 1 
> memo stated that registrars can rely on a registrant's 
> self-identification as legal or natural person, especially if risk is 
> mitigated by taking further steps to ensure the accuracy of the 
> registrant's designation.
>
> As a follow-up to that memo: what are the consent issues and 
> requirements related to such designations?  Can registrars state that 
> it is the responsibility of a legal person registrant to obtain 
> consent from any natural person whose data it submits?
>
> As part of the analysis, please examine the GDPR policies and 
> practices of the Internet protocol (IP address) registries RIPE NCC 
> (the registry in Europe, based in the Netherlands) and ARIN (the 
> registry in North America, which has customer contacts in Europe).  
> These registries publish the data of natural person contacts who are 
> subject to the GDPR, publicly via their WHOIS services, by placing the 
> choice and responsibility on their registrants, who are legal 
> persons.  These IP address registries state mission justifications and 
> collection purposes similar to those in ICANN's Temporary Specification.
>
> Please see:
>
> 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal 
> Data Processing and the RIPE Database”:
>
> https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database 
> [labs.ripe.net]
>
> 2) “How We're Implementing the GDPR: The RIPE Database”: 
> https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database 
> [labs.ripe.net]
>
> 3) "Personal Data Privacy Considerations At ARIN": 
> https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ 
> [teamarin.net]
>
> 4) ARIN "Data Accuracy": 
> https://www.arin.net/reference/materials/accuracy/ [arin.net]
>
> 5) ARIN Registration Services Agreement, paragraph 3: 
> https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]
>
> 6) ARIN Privacy Policy: https://www.arin.net/about/privacy/ [arin.net]
>
> ii. *WHOIS Accuracy and ARS* (Awaiting Laureen’s 
> confirmation/analysis that question is still needed, specifically in 
> light of already-approved questions related to accuracy):
>
> 4. If current verification statistics provide that a number of data is 
> inaccurate, would that be considered a metric to deduce that the 
> accuracy principle is not served in a reasonable manner as demanded by 
> the GDPR? (GAC)
>
> 5. According to the GDPR all personal data are processed based on the 
> principle that they are necessary for the purpose for which they are 
> collected. If those data are necessary, how can the purpose be served 
> while the data are inaccurate? (GAC)
>
> 6. Can you provide an analysis on the third parties mentioned in para 
> 19 on which "ICANN and the relevant parties may rely on to confirm the 
> accuracy of personal data if it is reasonable to do so"? Do they 
> become in such a scenario data processors? (GAC)
>
> 7. How does the accuracy principle in connection to the parties' 
> liability have to be understood in light of the accountability 
> principle of the GDPR? What are the responsibilities of ICANN and the 
> contracted parties (who are subject to the GDPR) under Chapter IV of 
> the GDPR? If the contracted parties (as data controllers) engage third 
> entities as processors (e.g. to provide data back-up services), what 
> are the responsibilities of these entities? What does this mean in 
> terms of liabilities (in light of Art. 82 GDPR)? (GAC)
>
> 8. While it is up to the registrants to provide accurate details about 
> themselves and it is up to the registrants not to mistakenly identify 
> themselves as natural or legal persons, the Memo on "Natural vs Legal 
> persons" provides interesting ideas/suggestions for the contracted 
> parties to proactively ensure the reliability of information 
> provided, including through measures to independently verify the data. 
> Could similar mechanisms be identified also for ensuring the 
> reliability of the contact details of the registrant? Can best 
> practices be drawn from the ccTLDs? (GAC)
>
> b) Agree on next steps
>
>  4. *Wrap and confirm next meeting to be scheduled *
>
> a) Confirm action items
>
> b) AOB
>
>   * Note: No objections received re: Bird and Bird’s updates to the
>     memo summaries by the pre-holiday deadline. The summaries are now
>     included in the Initial Report Google Doc.
>   * Note: No objections received regarding questions to submit for
>     plenary review by the pre-holiday deadline. Following this call,
>     EPDP Support Staff forward the questions to the plenary for its
>     review (with highlighting removed).
>
> c) The next Legal Committee meeting is scheduled for *Tuesday, 21 
> January at 15:00 UTC.*
>
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.