[Gnso-epdp-team] Section 4.4.8

Thu Sep 13 13:09:25 UTC 2018

Hi Alan,

I agree of course it is understood that by legal basis we mean the GDPR, however using a term as "lawful basis" instead would leave no room for confusion

Best
Hadia

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Alan Greenberg
Sent: Thursday, September 13, 2018 3:01 PM
To: Amr Elsadr
Cc: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Section 4.4.8

Amr, my point was the uses the expression "legal bases" which can have multiple competing definitions and that is not a good basis (pun intended) for agreement.

Alan
--
Sent from my mobile. Please excuse brevity and typos.
On September 13, 2018 7:44:47 AM EDT, Amr Elsadr <aelsadr at icannpolicy.ninja> wrote:
Hi Alan,

The intention here was to state a principle on which further work down the road may be developed when we eventually get to deliberation on an access model. The principle is meant to provide guidance on a set of specific circumstances, that if met, should allow specific portions of non-public gTLD Registration Data to be shared with specific third-parties, to address specific issues. The objective is to allow this while maintaining compliance with GDPR, or possibly other privacy laws/regulations.

This is not to say that a third-party requires the kind of legal rights or mandate I believe you are describing, as in your comparison between LEAs and independent cybersecurity workers. So yes, ICANN’s Mission does come into play here. In fact, I believe it to be a key factor of consideration. At some point, we’re going to have to deliberate on how that Mission does or does not allow third-parties access non-public Registration Data.

I hope this was helpful.

Thanks.

Amr

On Sep 13, 2018, at 4:55 AM, Alan Greenberg <alan.greenberg at mcgill.ca<mailto:alan.greenberg at mcgill.ca>> wrote:

I am generally in support of this, but I question the term "grounded in legal bases". It this the legal basis in reference to GDPR  (ie that there needs to be a legitimate demonstrable need to access otherwise private information). Or a legal basis as in reference to law enforcement having a right to demand certain information.

I can accept the former (if it is made clear), but not the latter. ICANN's Mission-defined interest in ensuring that security and stability of the DNS (and by implication, the trusted nature of the DNS) may create a need for cybersecurity workers to have access to certain data, but there is no LAW that gives them that right.

Alan

At 11/09/2018 04:33 PM, Alex Deacon wrote:

Hi All,

As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec.

While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
4.4.8  Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues involving domain name registrations related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.

The non-bold text was suggested by Amr/NCSG and the added bold text was an updated suggested by me/IPC and supported by the BC.

Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts.

Alex

--
___________
Alex Deacon
Cole Valley Consulting
alex at colevalleyconsulting.com<mailto:alex at colevalleyconsulting.com>
+1.415.488.6009

_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180913/93cb176d/attachment-0001.html>