[Gnso-epdp-team] Section 4.4.8

Kavouss Arasteh kavouss.arasteh at gmail.com
Mon Sep 17 13:06:29 UTC 2018


I fully support the view points and arguments submitted by Mark and Hadia .
I think arguments launched by Ayden are a narrow thinking and soft reading
of the process.
Ar 29 SHALL NOT  prevail the basic requirements and mandatory provisions of
GPDR
Regards
Kavouss

On Mon, Sep 17, 2018 at 9:29 AM Hadia Abdelsalam Mokhtar EL miniawi <
Hadia at tra.gov.eg> wrote:

> Hi Ayden,
>
>
>
> You say in your email below " It is true that the opinions of A29 were
> also non-binding, but their guidance should carry weight and credibility
> with us, because EU Courts have typically taken their opinions into
> consideration, and now that A29 has morphed into the Data Protection Board,
> it has new legal powers and their previous opinions heavily shaped the
> construction of the GDPR"
>
>
>
> Just a quick clarification normally recitals are used by the court of
> justice to establish what any directive means.   However you should keep in
> mind that the recitals of the GDPR are not only going to be used by the
> courts of justice but also by the European Data Protection Board (EDPB)
> when carrying  its role in ensuring that the regulation is applied.
>
>
>
> Hadia
>
>
>
> *From:* Ayden Férdeline [mailto:icann at ferdeline.com]
> *Sent:* Monday, September 17, 2018 9:12 AM
> *To:* Mark Svancarek
> *Cc:* Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] Section 4.4.8
>
>
>
> Hi Mark,
>
>
>
> Thanks for your email and for giving me the opportunity to clarify my
> remarks.
>
>
>
> I don’t want to suggest that we should ignore the contents of the Recitals
> — but we should not treat Recitals the same as we treat the Articles of the
> GDPR, because the Recitals have no independent legal value and are
> subordinate to, and cannot contradict, the legislative provisions. I did
> not see that distinction being made in the message that I responded to.
>
>
>
> It is true that the opinions of A29 were also non-binding, but their
> guidance should carry weight and credibility with us, because EU Courts
> have typically taken their opinions into consideration, and now that A29
> has morphed into the Data Protection Board, it has new legal powers and
> their previous opinions heavily shaped the construction of the GDPR
>
>
>
> Best wishes,
>
>
>
> Ayden Férdeline
>
>
>
> P.S. Hopefully my response is received, as I will shortly be losing
> posting rights to this list, as I have appointed an alternate for this
> week’s calls.
>
>
>
>
>
> On 17 Sep 2018, at 01:47, Mark Svancarek (CELA) <marksv at microsoft.com>
> wrote:
>
>
>
> Ayden, I don’t understand your logic that a Recital from the current
> version of GDPR would be a less relevant source of insight than an Opinion
> of A29 from 2014 regarding a Directive which has itself been superseded by
> GDPR.
>
>
>
> From Recital 47:  “The interests and fundamental rights of the data
> subject could in particular override the interest of the data controller
> where personal data are processed in circumstances where data subjects do
> not reasonably expect further processing”
>
>
>
> In the pre-GDPR world, I think that the data subject **might** have had a
> reason to expect further processing based on preventing fraud in some
> undefined fashion (though **probably not**) and the data subject **would
> not** have had a reason to expect further processing for direct marketing
> purposes. (I use these examples simply because they are mentioned in the
> Recital.)
>
>
>
> In the new policy that we are creating, we should make it very clear to
> the data subject at the time of collection that the data may possibly be
> used for defined anti-fraud purposes.
>
>
>
> /marksv
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of *Ayden
> Férdeline
> *Sent:* Sunday, September 16, 2018 8:08 AM
> *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] Section 4.4.8
>
>
>
> Hi Hadia,
>
>
>
> If we consider Recital 47 in its entirety and thus in its context, I don’t
> think it necessarily means what you say it does. The same goes for Recital
> 49.
>
>
>
> But let’s not get ahead of ourselves. We need to distinguish between a
> Recital of the GDPR and an Article of the GDPR, as they are not the same. *While
> the recitals may inform the interpretation of the GDPR's articles, they are
> not legally binding. Only the GDPR's articles are binding instruments.*
>
>
>
> I would suggest that we should be considering published guidance from the
> Article 29 Working Party on what a legitimate interest is. In Opinion
> 06/2014
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fec.europa.eu%2Fjustice%2Farticle-29%2Fdocumentation%2Fopinion-recommendation%2Ffiles%2F2014%2Fwp217_en.pdf&data=02%7C01%7Cmarksv%40microsoft.com%7C6adbb61be8a54c02826508d61be645d4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636727073200055158&sdata=LSQvf6gGN3Bcf%2Bq6gmcKA5Nadda26oXBLRzFfS9%2BdYk%3D&reserved=0> on
> the “Notion of Legitimate Interests”, they caution that legitimate
> interests "should thus not be considered as 'the weakest link' or an open
> door to legitimise all data processing activities which do not fall under
> any of the other legal grounds” for processing. Rather, it is intended to
> give "necessary flexibility for data controllers for situations where there
> is no undue impact on data subjects.”
>
>
>
> That’s the important distinction here. Anyone who intends to use personal
> data must balance its own legitimate interest against the rights of the
> data subject, *and also against the data subject’s interests*,
> irrespective of whether those interests are legitimate or not. See Article
> 6(f) of the GDPR.
>
>
>
> Best wishes,
>
>
>
> Ayden Férdeline
>
>
>
>
>
>
> On 16 Sep 2018, at 16:43, Hadia Abdelsalam Mokhtar EL miniawi <
> Hadia at tra.gov.eg> wrote:
>
>
>
> Hi Amr and All,
>
>
>
> I don't think that a final agreement was actually reached on moving items 4.4.2,
> 4.4.8, 4.4.9 and 4.4.10 from under the header “Purposes for Processing gTLD
> Registration Data”.
>
>
>
> The whole confusion in my opinion comes from two considerations the first
> is our lack of understanding of the interests which lets us sometimes put
> some interests that are typically ICANN purposes as third party purposes
> and the second is that when we talk about data processing we mix collection
> with disclosure.
>
>
>
> Recital 47 of the GDPR states that " The processing of personal data
> strictly necessary for the purposes of preventing fraud also constitutes a
> legitimate interest of the data controller concerned" Therefore fraud
> prevention constitutes a legitimate interest, and recital 49 of the GDPR
> states that the necessary and proportionate processing for network security
> also constitutes a legitimate interest. So when we speak about the original
> text of 4.4.8
>
> "Supporting a framework to address issues involving domain name
> registrations, including but not limited to: consumer protection,
> investigation of cybercrime, DNS abuse, and intellectual property
> protection;"  First we should not deduce that the text speaks only about
> the access, in order to have a framework through which access can be
> provided you should also have the data itself (that is the collection of
> the data). Second I would argue that the collection of the data for the
> above purpose is not only a third party's purpose but it is also an ICANN
> purpose
>
>
>
> As for  the difference between a framework and a model, a framework is a
> guide or some principles that make you implement the model, while the model
> is the tool itself. I would rather see the actual model than just the
> principles.
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* Amr Elsadr [mailto:aelsadr at protonmail.ch <aelsadr at protonmail.ch>]
> *Sent:* Thursday, September 13, 2018 2:03 PM
> *To:* Arasteh
> *Cc:* Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] Section 4.4.8
>
>
>
> Hi Hadia and Kavouss,
>
>
>
> The volunteer team working on 4.4.8 did so with the understanding that
> sections 4.4.2, 4.4.8, 4.4.9 and 4.4.10 would be moved out from under the
> header “Purposes for Processing gTLD Registration Data”. This was following
> Kurt’s email to the EPDP list on 4 September, titled “Project Plan
> Adjustments and Policy Organization”.
>
>
>
> We did consider an earlier suggestion by Mark; to split the processing
> purposes to two lists, one to achieve the purposes of controllers and one
> of third-parties. However, we did not pursue this too aggressively.
> Speaking for myself, I agree that 4.4.8 in both its original and proposed
> altered forms do not describe purposes for processing (for any party).
>
>
>
> I am not sure why a “model” would be preferable to a “framework”, so if
> you could elaborate on why you believe it to be more specific, I would be
> grateful. Within NCSG, we have considered both these terms, as well as
> others such as “Methodology” and “Mechanism”. We haven’t settled on any
> one, just yet.
>
>
>
> As Alex suggested in his original email, this is still a tentative
> proposal. We like it, or at least prefer it to other alternatives
> previously suggested, but we’re not exactly married to it just yet. :-)
>
>
>
> Thanks.
>
>
>
> Amr
>
>
>
>
>
> On Sep 13, 2018, at 12:49 PM, Arasteh <kavouss.arasteh at gmail.com> wrote:
>
>
>
> Dear All
>
> I agree almost with what Hadia said
>
> Kavouss
>
> Sent from my iPhone
>
>
> On 13 Sep 2018, at 10:45, Hadia Abdelsalam Mokhtar EL miniawi <
> Hadia at tra.gov.eg> wrote:
>
> Hi All,
>
>
>
> Dear Alex and Amr,
>
>
>
> First off thank you  for your effort and time on this proposal. But are
> you saying that among the purposes of the processing of the data is the "
>  identification of third-parties with legitimate interests". This is surely
> not one of the purposes for the processing of the data therefore a suggest
> removing it.
>
>
>
> So my suggestion would be.
>
>
>
> 4.4.8  Supporting a Model that provides access to parties with legitimate
> interests grounded in legal bases to Registration Data relevant to
> addressing specific issues involving domain name registrations; such as
> issues related to consumer protection, investigation of cybercrime, DNS
> abuse and intellectual property protection.
>
>
>
> I put model as I think it is more specific but I am fine with using the
> term framework if you see it more appropriate. I also suggest adding  "such
> as issues related to"  which would serve to provide examples of third
> parties with legitimate interest.
>
>
>
> Kind Regards
>
> Hadia
>
>
>
>
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org
> <gnso-epdp-team-bounces at icann.org>] *On Behalf Of *Alex Deacon
> *Sent:* Tuesday, September 11, 2018 10:34 PM
> *To:* gnso-epdp-team at icann.org
> *Subject:* [Gnso-epdp-team] Section 4.4.8
>
>
>
> Hi All,
>
>
>
> As you know a group of us has been working to recommend an update to
> Section 4.4.8 of the temp spec.
>
>
>
> While we haven't come to full agreement on the update, we are pretty close
> and wanted to share the current/tentative output of the volunteer team with
> the broader team.
>
>
>
> 4.4.8  Supporting a framework that enables identification of third-parties
> with legitimate interests grounded in legal bases, and providing these
> third-parties with access to Registration Data relevant to addressing
> specific issues involving domain name registrations *related to consumer
> protection, investigation of cybercrime, DNS abuse and intellectual
> property protection. *
>
>
>
> The non-bold text was suggested by Amr/NCSG and the added bold text was an
> updated suggested by me/IPC and supported by the BC.
>
>
>
> Giving it a re-read again today I think additional word-smithing could be
> warranted, but for now I will resist and step away and let others share
> their thoughts.
>
>
>
> Alex
>
>
>
>
>
>
> --
>
> ___________
>
> *Alex Deacon*
>
> Cole Valley Consulting
>
> alex at colevalleyconsulting.com
>
> +1.415.488.6009
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C6adbb61be8a54c02826508d61be645d4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636727073200055158&sdata=R7K%2BLf9Bk4Xv8hE%2BXpVhGJKLZULunT5jAg61l7lWwY0%3D&reserved=0>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180917/9a3e5be5/attachment-0001.html>


More information about the Gnso-epdp-team mailing list