[Gnso-epdp-team] Legal Basis Discussion

Alex Deacon alex at colevalleyconsulting.com
Wed Oct 10 00:32:45 UTC 2018


Thanks Kurt.  I agree with your analysis here.   Thanks for spending the
time thinking about it and laying it out.

The IPC would also like the relevant footnotes related to the addition of
6(1)(b) in the Lawful Basis for Processing Test document to be added to the
body of each table.   Please also add IPC support for the use of 6(1)(b) for
Purpose A, Purpose E and Purpose F.    As for Purpose B we look forward to
the continued discussions on this purpose this week.

Thanks.
Alex


On Tue, Oct 9, 2018 at 8:57 AM Margie Milam <margiemilam at fb.com> wrote:

> Hi-
>
> Following up on our discussion on today’s call, and consistent with Kurt’s
> approach below,  since we are not limiting our analysis to one legal
> basis,  the BC would like to propose that any footnotes that relate to
> alternative legal basis be moved up into the body of the discussion, with a
> clarification of the groups that support its application.
>
>
>
> Margie
>
>
>
> *From: *Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of
> Kurt Pritz <kurt at kjpritz.com>
> *Date: *Monday, October 8, 2018 at 3:46 PM
> *To: *GNSO EPDP <gnso-epdp-team at icann.org>
> *Subject: *[Gnso-epdp-team] Legal Basis Discussion
>
>
>
> Hi Everyone:
>
>
>
> Following on Caitlin’s earlier memo that described remaining issues having
> to do with the determination of Legal Basis, I wish to raise some points in
> regard to our last full-team meeting where we debated different legal bases
> for third-party escrow of personal data. Please excuse another longish
> email.
>
>
>
> To facilitate my own understanding and help steer future debate, please
> let me know where you agree and don’t by number (and if you don’t, why).
>
>
>
>
>
> *1*.  Whether 6(1)b or 6(1)f applies to Data Escrow is a legal question
> not a policy question. Once we realized there were differences in team
> members’ opinion as to whether 6(1)b attached, additional discussion was
> not fruitful because it was not a policy debate.
>
>
>
> No one could debate, “6(1)b should be the legal basis for third-party data
> escrow as a matter of policy.”
>
>
>
> For the case of Data Escrow, given the current set of facts and elements
> in GDPR, 6(1)b either is or is not a legal basis for processing to escrow
> personal data. That will be decided for a DPA. GDPR is a law that has
> elements and an impartial decider will determine if those elements are met
> by the data processing described in our policy.
>
>
>
>
>
> *2.*  It is reasonable for us to debate / discuss whether, under a
> specific set of circumstances, a legal basis exists for processing data.
>
>
>
> If we find that a legal basis exists (after determining processing is
> necessary and principles of minimization are applied), then we include that
> processing step under our list of purposes. In most (i.e., all or nearly
> all) cases, we will be correct because we will have done the appropriate
> analysis. However, it will be for a DPA to review the policy or its
> implementation before that fact is known for sure.
>
>
>
>
>
> *3*.  It is our process (and I think our policy) that, in linking a data
> processing step with a legal basis, we select the first one that clearly
> attaches, considering them in the following order:
>
> a. 6(1)a Consent
>
> b. 6(1)b Necessary for performance of contract
>
> c. 6(1)f Legitimate interest not overridden by the interests or
> fundamental rights and freedoms of the data subject
>
>
>
> If it is debatable whether, say, 6(1)b attaches, we should be able to go
> on to 6(1)f without having to make the 6(1)b call first. See number 5 below.
>
>
>
>
>
> *4*.  Regardless of the Legal Basis selected, the same data will be
> processed every time.
>
>
>
> Taking as an example Data Escrow with a third party provider, the data
> elements selected must be necessary for the purpose in accordance with the
> principles of minimization. Then, whether the legal basis is 6(1)b or
> 6(1)f, the same data will be transmitted to the escrow provider every time.
> The legal basis test is only performed once, when this new policy is
> enforced and becomes operational, i.e., where GDPR compliance is
> demonstrated.
>
>
>
> I think this is the same in every case.
>
>
>
> If that is correct, I don’t see why we would urge that one legal basis be
> selected over another for any reason other than it would be most likely to
> be accepted by the DPA.
>
>
>
>
>
> *5*.  At this stage of the game, I don’t understand why we have to pick
> one legal basis. I understand the practice of ultimately relying on one
> legal basis, however in the formation of new policy, cannot different
> scenarios be tested?
>
>
>
> If several team members *think* that 6(1)b attaches to data escrow, why
> must we be forced to either put all our eggs in that basket or ignore it
> completely? As stated above, this is not a policy decision, it is a legal
> determination. Why cannot we iterate these issues with DPAs, saying, “Look,
> this data escrow thing is clearly in the best interests of the data subject
> and we are only processing the data necessary to accomplish this purpose.
> We *think* Art.6(1)b applies here but are not sure. We are certain that
> 6(1)f applies but if 6(1)b applies that will make our analysis and yours
> easier.”
>
>
>
> I don’t think the intent of the new law is to force uninformed decisions.
> I don’t know of any other arena (except, ironically, maybe the existing
> Conflict of National Laws Policy) where these choices must be made blindly.
> Should we be reaching out to DPAs on this issue?
>
>
>
>
>
> I hope you find this a helpful guide to our thinking on this and would
> appreciate feedback on these thoughts.
>
>
>
> Best regards,
>
>
>
> Kurt
>
>
>
>
>
>



-- 
___________
*Alex Deacon*
Cole Valley Consulting
alex at colevalleyconsulting.com
+1.415.488.6009