[Gnso-epdp-team] Section 4.4.8
Hadia Abdelsalam Mokhtar EL miniawi
Hadia at tra.gov.eg
Mon Sep 17 07:28:42 UTC 2018
You say in your email below: "It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR"
Just a quick clarification: normally recitals are used by the Court of Justice to establish what any directive means. However, you should keep in mind that the recitals of the GDPR are not only going to be used by the courts of justice but also by the European Data Protection Board (EDPB) when carrying out its role in ensuring that the regulation is applied.
From: Ayden Férdeline [mailto:icann at ferdeline.com]
Sent: Monday, September 17, 2018 9:12 AM
To: Mark Svancarek
Cc: Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Section 4.4.8
Thanks for your email and for giving me the opportunity to clarify my remarks.
I don’t want to suggest that we should ignore the contents of the Recitals — but we should not treat Recitals the same as we treat the Articles of the GDPR, because the Recitals have no independent legal value and are subordinate to, and cannot contradict, the legislative provisions. I did not see that distinction being made in the message that I responded to.
It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR.
P.S. Hopefully my response is received, as I will shortly be losing posting rights to this list, as I have appointed an alternate for this week’s calls.
On 17 Sep 2018, at 01:47, Mark Svancarek (CELA) <marksv at microsoft.com> wrote:
Ayden, I don’t understand your logic that a Recital from the current version of GDPR would be a less relevant source of insight than an Opinion of A29 from 2014 regarding a Directive which has itself been superseded by GDPR.
From Recital 47: “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing”
In the pre-GDPR world, I think that the data subject *might* have had a reason to expect further processing based on preventing fraud in some undefined fashion (though *probably not*) and the data subject *would not* have had a reason to expect further processing for direct marketing purposes. (I use these examples simply because they are mentioned in the Recital.)
In the new policy that we are creating, we should make it very clear to the data subject at the time of collection that the data may possibly be used for defined anti-fraud purposes.
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Ayden Férdeline
Sent: Sunday, September 16, 2018 8:08 AM
To: Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
Cc: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Section 4.4.8
If we consider Recital 47 in its entirety and thus in its context, I don’t think it necessarily means what you say it does. The same goes for Recital 49.
But let’s not get ahead of ourselves. We need to distinguish between a Recital of the GDPR and an Article of the GDPR, as they are not the same. While the recitals may inform the interpretation of the GDPR's articles, they are not legally binding. Only the GDPR's articles are binding instruments.
I would suggest that we should be considering published guidance from the Article 29 Working Party on what a legitimate interest is. In Opinion 06/2014<http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf> on the “Notion of Legitimate Interests”, they caution that legitimate interests “should thus not be considered as ‘the weakest link’ or an open door to legitimise all data processing activities which do not fall under any of the other legal grounds” for processing. Rather, it is intended to give “necessary flexibility for data controllers for situations where there is no undue impact on data subjects.”
That’s the important distinction here. Anyone who intends to use personal data must balance its own legitimate interest against the rights of the data subject, and also against the data subject’s interests, irrespective of whether those interests are legitimate or not. See Article 6(f) of the GDPR.
On 16 Sep 2018, at 16:43, Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg> wrote:
Hi Amr and All,
I don't think that a final agreement was actually reached on moving items 4.4.2, 4.4.8, 4.4.9 and 4.4.10 from under the header “Purposes for Processing gTLD Registration Data”.
The whole confusion, in my opinion, comes from two considerations: the first is our lack of understanding of the interests, which lets us sometimes put some interests that are typically ICANN purposes as third party purposes, and the second is that when we talk about data processing we mix collection with disclosure.
Recital 47 of the GDPR states that "The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned". Therefore fraud prevention constitutes a legitimate interest, and recital 49 of the GDPR states that the necessary and proportionate processing for network security also constitutes a legitimate interest. So when we speak about the original text of 4.4.8
"Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;" First, we should not deduce that the text speaks only about the access; in order to have a framework through which access can be provided you should also have the data itself (that is, the collection of the data). Second, I would argue that the collection of the data for the above purpose is not only a third party's purpose but it is also an ICANN purpose.
As for the difference between a framework and a model, a framework is a guide or some principles that make you implement the model, while the model is the tool itself. I would rather see the actual model than just the principles.
From: Amr Elsadr [mailto:aelsadr at protonmail.ch]
Sent: Thursday, September 13, 2018 2:03 PM
Cc: Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Section 4.4.8
Hi Hadia and Kavouss,
The volunteer team working on 4.4.8 did so with the understanding that sections 4.4.2, 4.4.8, 4.4.9 and 4.4.10 would be moved out from under the header “Purposes for Processing gTLD Registration Data”. This was following Kurt’s email to the EPDP list on 4 September, titled “Project Plan Adjustments and Policy Organization”.
We did consider an earlier suggestion by Mark: to split the processing purposes into two lists, one to achieve the purposes of controllers and one of third-parties. However, we did not pursue this too aggressively. Speaking for myself, I agree that 4.4.8 in both its original and proposed altered forms does not describe purposes for processing (for any party).
I am not sure why a “model” would be preferable to a “framework”, so if you could elaborate on why you believe it to be more specific, I would be grateful. Within NCSG, we have considered both these terms, as well as others such as “Methodology” and “Mechanism”. We haven’t settled on any one, just yet.
As Alex suggested in his original email, this is still a tentative proposal. We like it, or at least prefer it to other alternatives previously suggested, but we’re not exactly married to it just yet. :-)
On Sep 13, 2018, at 12:49 PM, Arasteh <kavouss.arasteh at gmail.com> wrote:
I agree almost with what Hadia said
Sent from my iPhone
On 13 Sep 2018, at 10:45, Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg> wrote:
Dear Alex and Amr,
First off, thank you for your effort and time on this proposal. But are you saying that among the purposes of the processing of the data is the "identification of third-parties with legitimate interests"? This is surely not one of the purposes for the processing of the data, therefore I suggest removing it.
So my suggestion would be:
4.4.8 Supporting a Model that provides access to parties with legitimate interests grounded in legal bases to Registration Data relevant to addressing specific issues involving domain name registrations; such as issues related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
I put model as I think it is more specific but I am fine with using the term framework if you see it more appropriate. I also suggest adding "such as issues related to" which would serve to provide examples of third parties with legitimate interest.
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Alex Deacon
Sent: Tuesday, September 11, 2018 10:34 PM
To: gnso-epdp-team at icann.org
Subject: [Gnso-epdp-team] Section 4.4.8
As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec.
While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
4.4.8 Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues involving domain name registrations related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
The non-bold text was suggested by Amr/NCSG and the added bold text was an update suggested by me/IPC and supported by the BC.
Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts.
Cole Valley Consulting
alex at colevalleyconsulting.com