[Gnso-epdp-team] Further Input on Purpose E from IPC

[Plaut, Diane]

Dear Kurt, Marika and EPDP Team-

Further to yesterday’s call, I wanted to add IPC input and legal opinion in relation to Purpose E. We all very much appreciate the incredible job that Marc A. did and his output is spot on.  The language used, clarity of intent and structure of the Purpose is sound. The IPC herein supports the present draft but further wishes to clarify and confirm its Triage support for the BC in addition of 6(1)(b) as a legal basis for Purpose E, particularly in light of Marc and Berry Cobb’s work. Here is the basis for our position:

First, in stating the legal analysis it is understood that:

In order to rely on Art. 6(1)(b) GDPR (contractual necessity), the processing must be necessary for the performance of A CONTRACT (or to take steps at the request of the data subject before entering into a contract) TO WHICH THE DATA SUBJECT IS PARTY. The GDPR does not therefore specify that the controller must be a party to the contract with the data subject, only that the data subject must be party to a contract which necessitates the processing in question by the controller. As result, there is an argument that ICANN's processing of registrants' personal data is necessary for the performance of the contract between registrants and registrars/registries, notwithstanding that ICANN is not a party to that contract in this context.

We believe that there is a basis to show privity of contract here because there are the following contractual obligations flowing from the registrant through the registrars/registries and ICANN in order to provide escrow as per the RAA:

3.6 Data Escrow. During the Term of this Agreement, on a schedule, under the terms, and in the format specified by ICANN, Registrar shall submit an electronic copy of the data described in Subsections 3.4.1.2<http://3.4.1.2> through 3.4.1.5<http://3.4.1.5> to ICANN or, at Registrar's election and at its expense, to a reputable escrow agent mutually approved by Registrar and ICANN, such approval also not to be unreasonably withheld by either party. The data shall be held under an agreement among Registrar, ICANN, and the escrow agent (if any) providing that (1) the data shall be received and held in escrow, with no use other than verification that the deposited data is complete, consistent, and in proper format, until released to ICANN; (2) the data shall be released from escrow upon expiration without renewal or termination of this Agreement; and (3) ICANN's rights under the escrow agreement shall be assigned with any assignment of this Agreement. The escrow shall provide that in the event the escrow is released under this Subsection, ICANN (or its assignee) shall have a non-exclusive, irrevocable, royalty-free license to exercise (only for transitional purposes) or have exercised all rights necessary to provide Registrar Services.

Based on the above, together with the recommendations that are proposed in Purpose E to update the escrow agreements to provide for the “appropriate contractual provisions” to make clear the contractual obligations and relationships of the parties and bring the agreements into line with current data protection laws, as well as the need for Data Processing Agreements (which require that each party’s data processing activities and responsibilities are set forth), the contractual nexus between ICANN and the data subject will be made clearer and the support for the [additional] legal basis of 6(1)(b) clarified.

As a result, BC/IPC ask that the Initial Report include 6(1)(b) as a basis, simply to provide for the clear obligation of the escrow data to be provided without concern of inconsistent application under 6(1)(f) by individual registrars and registries. It is clear from the great work of Marc and Berry that this is a clear goal of Purpose E, to provide clarity and uniform practice around the obligations in relation to escrow.

Diane


Diane Plaut
General Counsel and Privacy Officer
[cid:image001.png at 01D3CA70.18FC1D40]
Direct +1 646-899-2806 
diane.plaut at corsearch.com<mailto:diane.plaut at corsearch.com>

220 West 42nd Street, 11th Floor, New York, NY 10036, United States
www.corsearch.com<http://www.corsearch.com/>
Join Corsearch on   Twitter<https://twitter.com/corsearch>  Linkedin<https://www.linkedin.com/company/2593860/>  Trademarks + Brands<http://trademarksandbrands.corsearch.com/>
Customer Service/Platform Support: 1 800 SEARCH1™ (1 800 732 7241)
Corsearch.USCustomerService at corsearch.com<mailto:Corsearch.USCustomerService at corsearch.com>

Confidentiality Notice: This email and its attachments (if any) contain confidential information of the sender. The information is intended only for the use by the direct addressees of the original sender of this email. If you are not an intended recipient of the original sender (or responsible for delivering the message to such person), you are hereby notified that any review, disclosure, copying, distribution or the taking of any action in reliance of the contents of and attachments to this email is strictly prohibited. If you have received this email in error, please immediately notify the sender at the address shown herein and permanently delete any copies of this email (digital or paper) in your possession.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181102/dc5e2bc4/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 5570 bytes
Desc: image001.png
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181102/dc5e2bc4/image001-0001.png>