[Gnso-epdp-team] European Commission comments on Phase 1 report

Volker Greimann vgreimann at key-systems.net
Thu Apr 18 14:37:27 UTC 2019

Dear fellow members,

the European Commission just provided very valuable and constructive 
insights into our reports that we would be well-advised to take into 
account in Phase 2:


"/The European Commission recognises this (the recommendation of 
purposes and association with processing activities) as a *long due and 
important step forward* in the ongoing reform of the WHOIS system. 
Having a clear definition of the purposes for the processing of the 
data in the WHOIS system is an *essential pre-requisite* for ensuring a 
GDPR-compliant system./"

"/the overall model would benefit from *making even more explicit the 
links between the purposes for processing personal data and the specific 
processing activity(ies) as well as the specific personal data items.*/"

"/Accordingly, the European Commission considers that *the purposes* for 
processing WHOIS personal data by ICANN and/or the contracted parties 
*should not include enabling access by third parties*. This is also at 
the core of the concerns expressed for some time by the DPAs and the 
European Data Protection Board (EDPB), which have clarified that the 
purposes of ICANN and contracted parties must *not be conflated with the 
interests of third parties* in accessing registration data./"

"/Notwithstanding the above, the European Commission would like to 
acknowledge that maintaining such a distinction does not per se limit 
WHOIS data access by/disclosure to third parties, but merely 
differentiates between *ICANN’s own purposes* (e.g. maintaining the 
security, stability and resilience of the Domain Name System) which are 
capable of justifying collection of the data in the first place, and 
subsequent processing (enabling access to and disclosing WHOIS data) for 
legitimate purposes pursued by third parties./"

"/In the Report, Article 6(1) (f) of the GDPR is often invoked. The 
European Commission would like to recall that legitimate interest is one 
of the six possible legal bases provided under the GDPR. (...) 
Specifically, the legitimate interest *needs to outweigh* the interest of 
the individual concerned. Given that there is an interference with the 
fundamental right to data protection of an individual, a balancing of 
interests is necessary to properly justify the reasons for such an 
interference. (...) The *balancing is* thus *a responsibility* (*not a 
prerogative*) of the data controller./"

"/*Third parties seeking access also need a legal basis for processing 
the data*. For instance, an IPR rightholder might have a legitimate 
interest to gain access to WHOIS personal data in order to ensure 
his/her IP right is protected and not abused. The existence of *such a 
right needs to be substantiated and the necessity/proportionality of 
accessing that data ascertained*. This IPR rightholder might rely on 
Art. 6(1) (f)./"

"/*GDPR legitimate interest cannot be used as a legal basis for data 
processing by public authorities*/".

"/With regard to the various processing activities involved in the WHOIS 
system, the issue of whether they involve an *international data 
transfer* under the GDPR should be considered./ (...) it is also 
necessary to identify *an appropriate legal ground* for the 
international transfer"

"/the current situation is affecting EU Member State *authorities’ 
ability* to obtain legitimate access to this data, necessary to enforce 
the law online, including in relation to the fight against cybercrime/"

All this seems to point in a very clear direction for our path ahead 
with regard to the disclosure model we will be working on. More on that 
when we get to this part of our deliberations.

Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.