[Gnso-epdp-team] European Commission comments on Phase 1 report
icann at ferdeline.com
Thu Apr 18 15:08:43 UTC 2019
Thank you for highlighting this important and useful contribution, Volker.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, April 18, 2019 4:37 PM, Volker Greimann <vgreimann at key-systems.net> wrote:
> Dear fellow members,
> the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2:
> "The European Commission recognises this (the recommendation of purposes and association with processing activities) as a long due and important step forward in the ongoing reform of the WHOIS system. Having a clear definition of the purposes for the processing of the data in the WHOIS system is an essential pre-requisite for ensuring a GDPR-compliant system."
> "the overall model would benefit from making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items."
> "Accordingly, the European Commission considers that the purposes for processing WHOIS personal data by ICANN and/or the contracted parties should not include enabling access by third parties. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must not be conflated with the interests of third parties in accessing registration data."
> "Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between ICANN’s own purposes (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties."
> "In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest needs to outweigh the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The balancing is thus a responsibility (not a prerogative) of the data controller."
> "Third parties seeking access also need a legal basis for processing the data. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained. This IPR rightholder might rely on Art. 6(1) (f)."
> "GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities".
> "With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an international data transfer under the GDPR should be considered. (...) it is also necessary to identify an appropriate legal ground for the international transfer"
> "the current situation is affecting EU Member State authorities’ ability to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime"
> All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations.
> Volker A. Greimann
> General Counsel and Policy Manager
> KEY-SYSTEMS GMBH
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net
> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Alexander Siffrin
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnso-epdp-team