[Gnso-epdp-team] Legal Basis Discussion
margiemilam at fb.com
Tue Oct 9 15:56:05 UTC 2018
Following up on our discussion on today’s call, and consistent with Kurt’s approach below, since we are not limiting our analysis to one legal basis, the BC would like to propose that any footnotes that relate to alternative legal bases be moved up into the body of the discussion, with a clarification of the groups that support their application.
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Kurt Pritz <kurt at kjpritz.com>
Date: Monday, October 8, 2018 at 3:46 PM
To: GNSO EPDP <gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] Legal Basis Discussion
Following on Caitlin’s earlier memo that described remaining issues having to do with the determination of Legal Basis, I wish to raise some points in regard to our last full-team meeting where we debated different legal bases for third-party escrow of personal data. Please excuse another longish email.
To facilitate my own understanding and help steer future debate, please let me know where you agree and don’t by number (and if you don’t, why).
1. Whether 6(1)b or 6(1)f applies to Data Escrow is a legal question not a policy question. Once we realized there were differences in team members’ opinion as to whether 6(1)b attached, additional discussion was not fruitful because it was not a policy debate.
No one could debate, “6(1)b should be the legal basis for third-party data escrow as a matter of policy.”
For the case of Data Escrow, given the current set of facts and elements in GDPR, 6(1)b either is or is not a legal basis for processing to escrow personal data. That will be decided by a DPA. GDPR is a law that has elements, and an impartial decider will determine whether those elements are met by the data processing described in our policy.
2. It is reasonable for us to debate / discuss whether, under a specific set of circumstances, a legal basis exists for processing data.
If we find that a legal basis exists (after determining processing is necessary and principles of minimization are applied), then we include that processing step under our list of purposes. In most (i.e., all or nearly all) cases, we will be correct because we will have done the appropriate analysis. However, it will be for a DPA to review the policy or its implementation before that fact is known for sure.
3. It is our process (and I think our policy) that, in linking a data processing step with a legal basis, we select the first one that clearly attaches, considering them in the following order:
a. 6(1)a Consent
b. 6(1)b Necessary for performance of contract
c. 6(1)f Legitimate interest not overridden by the interests or fundamental rights and freedoms of the data subject
If it is debatable whether, say, 6(1)b attaches, we should be able to go on to 6(1)f without having to make the 6(1)b call first. See number 5 below.
4. Regardless of the Legal Basis selected, the same data will be processed every time.
Taking as an example Data Escrow with a third-party provider, the data elements selected must be necessary for the purpose in accordance with the principles of minimization. Then, whether the legal basis is 6(1)b or 6(1)f, the same data will be transmitted to the escrow provider every time. The legal basis test is only performed once, when this new policy is enforced and becomes operational, i.e., where GDPR compliance is demonstrated.
I think this is the same in every case.
If that is correct, I don’t see why we would urge that one legal basis be selected over another for any reason other than it would be most likely to be accepted by the DPA.
5. At this stage of the game, I don’t understand why we have to pick one legal basis. I understand the practice of ultimately relying on one legal basis; however, in the formation of new policy, cannot different scenarios be tested?
If several team members think that 6(1)b attaches to data escrow, why must we be forced to either put all our eggs in that basket or ignore it completely? As stated above, this is not a policy decision, it is a legal determination. Why cannot we iterate these issues with DPAs, saying, “Look, this data escrow thing is clearly in the best interests of the data subject and we are only processing the data necessary to accomplish this purpose. We think Art.6(1)b applies here but are not sure. We are certain that 6(1)f applies but if 6(1)b applies that will make our analysis and yours easier.”
I don’t think the intent of the new law is to force uninformed decisions. I don’t know of any other arena (except, ironically, maybe the existing Conflict of National Laws Policy) where these choices must be made blindly. Should we be reaching out to DPAs on this issue?
I hope you find this a helpful guide to our thinking on this and would appreciate feedback on these thoughts.