[Gnso-epdp-legal] Legal Committee Approved and Outstanding questions

Tue Mar 16 02:17:40 UTC 2021

Dear Legal Committee,

As a reminder, we will discussing Melina’s questions during tomorrow’s meeting. The questions<https://docs.google.com/document/d/1CqczmN_ShkDFgx05q8AyUX5iDM2u5dul/edit> are pasted here for ease of reference (and highlighted in the Google doc in yellow):

Would you change or add anything else on your analysis under points 1, 2 and 3 if an additional step is introduced after distinguishing between natural and legal persons, as described in the 2-step approach below? In particular, could you please assess the level of risk (if any) of such approach:

a.           Distinguishing at first level between natural and legal persons. If natural, then publish no data, if legal go to step 2.
b.           Further distinguishing between data of legal persons which contain personal information and data which contain non-personal information. Publish only non-personal information.

Additionally – and this could be optional – give the possibility to legal persons to publish personal information if they wish so. This aims at protecting, for instance, a case where there is a one person company and their corporate address is the same as the home address. The registrant should have the option on whether they want their home address published.
Please advise on further steps to be taken on how to correctly implement such approach (if different than the steps described under points 2-3).
--
Additionally, as there were no objections to Becky’s updated Feasibility question<https://docs.google.com/document/d/1UCP86uPZJBA_oh_4lfa6GwisfqnXUgbi5kdq-VOQCS0/edit>, the below question will be sent to Bird & Bird and the EPDP Team (as an FYI).
Questions Regarding Feasibility of Unique Contacts
B&B’s Memo data 4 February 2020 regarding email contact information discussed two options: (a) a “pseudonymous email contact” where the same unique string is used for multiple registrations by the data subject; and (b) an “anonymous email contact” where a separate unique email string is used for each such registration.  B&B opined that publication of either (a) or (b) would be treated as publication of personal data on the web because the purpose of making this masked email address available is to allow 3rd parties to directly contact the data subject and because third parties with legitimate and proportionate interests would have access to the underlying data.
Upon review, the EPDP Legal Team has proposed to describe options (a) and (b) going forward as follows:

  *   The phrase "pseudonymous email contact” (option (a)) should be replaced with the phrase "Registrant-based email contact," defined as: “an email for all domains registered by a unique registrant, which is intended to be pseudonymous data when processed by third party users (i.e., non-contracted parties). (The question of whether the email should be common across ICANN-accredited Registrars requires a policy determination TBD.)
  *   The phrase "anonymous email contact" (option (b)) should be replaced with the phrase "Registration-based email contact," defined as “a separate single use email for each domain name registered by a unique registrant, which is intended to be virtually or “essentially” anonymous data when processed by third party users (i.e., non-contracted parties).”
In answering the questions below, please assume, for discussion purposes, that third-party users of Registration-based email contact information cannot identify the data subject without disproportionate effort so that the risk of identification appears in reality to be insignificant.

  1.  Based on your experience and applicable precedent, please compare the level of risk, likelihood of enforcement actions, fines, counseling, etc. associated with (a) publication on the web or (b) automated disclosure of (i) a Registrant-based email contact on the one hand and (ii) a Registration-based email contact on the other?  In responding to this question please consider:

     *   Whether the assumed fact that the risk of data subject identification by a third party (i.e., non-contracted party) through a Registration-based email contact appears to be insignificant would render such emails effectively “anonymous” with respect to such third parties under the Breyer standard?
     *   If not, how would the choice of email contact (Registrant-based or Registration-based) affect the outcome of the legitimate interests balancing test under Article 6(1)(f)? To what extent would the use of a Registration-based email contact reduce the impact of publication on the interests or fundamental rights and freedoms of the data subject?
Does the answer to these questions change if the primary purpose for publishing a masked email is to support statistical research and analytics, and not to communicate with the data subject?

Thank you.

Best regards,

Berry, Marika, and Caitlin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20210316/5d0c50b5/attachment.html>