[Gnso-epdp-legal] For your review by COB today: updated legal committee questions.

Caitlin Tubergen caitlin.tubergen at icann.org
Mon Jan 13 16:27:18 UTC 2020


Dear EPDP Legal Committee:

 

Please find below the homework from Margie/Brian and Laureen/Georgios. All: please review the below questions and provide any additional edits or concerns by close of business today, Monday, 13 January 2020. For ease of reference, we have also included the already-approved questions in an attachment to this message.

 
Brian and Margie’s proposed update on Territorial Scope, now including suggestions from Volker and Matt:
 

In light of the Right to Be Forgotten Case regarding the reach of GDPR, and the recent guidelines published by the EDPB on Geographic Scope,

Does this ruling and the Guidelines affect:

 

1.      The advice given in Phase 1 Regarding Territorial Scope, in Sections 6.2-6.9?

2.      The advice given in Q1-2 with respect to liability (Section 4 of the memo)?

3.      In light of this ECJ decision and the Geographic Scope Guidelines, using the same assumptions identified for Q1 and Q2, would there be less risk to EEA-based contracted parties if:

A.      an SSAD operated by ICANN (as opposed to the EEA-based contracted party) based in ICANN’s Los Angeles Headquarters allowed automated disclosure responses for redacted data of registrants located outside of the EU where such data may or may not be processed by processors or additional controllers inside the EU or otherwise subject to the GDPR, for legitimate purposes (such as cybersecurity investigations and mitigation) and/or other fundamental rights such as intellectual property infringement investigations (See EU Charter of Fundamental Rights Article 17, Section 2 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT)

Laureen and Georgios’ proposed updated WHOIS Accuracy questions:
 

Bird & Bird’s memo on the meaning of the GDPR’s Accuracy Principle concluded that this Principle “requires controllers to take ‘reasonable steps’ to ensure that personal data is accurate and up to date.” Memo at ¶15.

  

This memo also cited to the United Kingdom Information Commissioner Office’s guidance: 

 

The more important it is that the personal data is accurate, the greater the effort you should put into ensuring its accuracy.  So if you are using the data to make decisions that may significantly affect the individual concerned or others, you need to put more effort into ensuring accuracy. [emphasis added].  Memo at ¶7.

 

Finally, the memo observed that:

 

a.            controllers collect registration data in part to ensure the security, stability and resiliency of the Domain Name System in accordance with ICANN’s mission through the enabling of lawful access for legitimate third-party interests [ICANN Purpose, Final Report EPDP at p. 21] and 

 

b.            the current Registrar Accreditation Agreement (RAA) requires registrars to take certain steps to ensure the accuracy of data provided by registered domain name holders (registrants),

 

In light of these conclusions and observations, in addition to the requirements set forth in the current RAA, 

 

1)            What additional reasonable steps should data controllers take to ensure the accuracy of the data submitted with regard to the purposes for which they are processed? 

 

2)            What additional reasonable steps should data controllers take to ensure the overall appropriate levels of data accuracy?  In particular, would it be advisable for data controllers to implement the methods identified in Bird and Bird’s January 25, 2019 memo on liability related to a registrant's self-identification as a natural or non-natural person:

 

a.            Confirmation emails seeking certification of the accuracy of the data submitted

b.            Independent verification

c.             Communicating consequences of submitting inaccurate data (under RAA, can suspend or cancel registration under certain circumstances)

 

in order to ensure the overall appropriate levels of data accuracy? 

 

3)            If statistics indicate that overall levels of data accuracy fall below a reasonable threshold (to be determined), would that demonstrate that the data controller’s methods to ensure data accuracy are not reasonable?

 

4)            If the data controllers engage third parties to assist with processing personal data, how would that affect the risk of liability to the data controllers?

 

Best regards,

 

Marika, Berry, and Caitlin
