[Gnso-epdp-team] Section 4.4.8

Thu Sep 13 13:17:42 UTC 2018

Hi Alan,

I believe the best interpretation of “legal bases” would be to refer to GDPR Articles 5 (Principles relating to processing of personal data) and 6 (Lawfulness of processing).

I hope this helps.

Thanks.

Amr

> On Sep 13, 2018, at 3:01 PM, Alan Greenberg <alan.greenberg at mcgill.ca> wrote:
>
> Amr, my point was the uses the expression "legal bases" which can have multiple competing definitions and that is not a good basis (pun intended) for agreement.
>
> Alan
> --
> Sent from my mobile. Please excuse brevity and typos.
>
> On September 13, 2018 7:44:47 AM EDT, Amr Elsadr <aelsadr at icannpolicy.ninja> wrote:
>
>> Hi Alan,
>>
>> The intention here was to state a principle on which further work down the road may be developed when we eventually get to deliberation on an access model. The principle is meant to provide guidance on a set of specific circumstances, that if met, should allow specific portions of non-public gTLD Registration Data to be shared with specific third-parties, to address specific issues. The objective is to allow this while maintaining compliance with GDPR, or possibly other privacy laws/regulations.
>>
>> This is not to say that a third-party requires the kind of legal rights or mandate I believe you are describing, as in your comparison between LEAs and independent cybersecurity workers. So yes, ICANN’s Mission does come into play here. In fact, I believe it to be a key factor of consideration. At some point, we’re going to have to deliberate on how that Mission does or does not allow third-parties access non-public Registration Data.
>>
>> I hope this was helpful.
>>
>> Thanks.
>>
>> Amr
>>
>>> On Sep 13, 2018, at 4:55 AM, Alan Greenberg <alan.greenberg at mcgill.ca> wrote:
>>>
>>> I am generally in support of this, but I question the term "grounded in legal bases". It this the legal basis in reference to GDPR  (ie that there needs to be a legitimate demonstrable need to access otherwise private information). Or a legal basis as in reference to law enforcement having a right to demand certain information.
>>>
>>> I can accept the former (if it is made clear), but not the latter. ICANN's Mission-defined interest in ensuring that security and stability of the DNS (and by implication, the trusted nature of the DNS) may create a need for cybersecurity workers to have access to certain data, but there is no LAW that gives them that right.
>>>
>>> Alan
>>>
>>> At 11/09/2018 04:33 PM, Alex Deacon wrote:
>>>
>>>> Hi All,
>>>>
>>>> As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec.
>>>>
>>>> While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
>>>>
>>>> 4.4.8  Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues involving domain name registrations related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
>>>>
>>>> The non-bold text was suggested by Amr/NCSG and the added bold text was an updated suggested by me/IPC and supported by the BC.
>>>>
>>>> Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts.
>>>>
>>>> Alex
>>>>
>>>> --
>>>> ___________
>>>> Alex Deacon
>>>> Cole Valley Consulting
>>>> alex at colevalleyconsulting.com
>>>> +1.415.488.6009
>>>>
>>>> _______________________________________________
>>>> Gnso-epdp-team mailing list
>>>> Gnso-epdp-team at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180913/db1c1991/attachment.html>