[Gnso-epdp-team] European Commission comments on Phase 1 report

Volker Greimann vgreimann at key-systems.net
Wed Apr 24 08:14:52 UTC 2019

Hi Chris,

I am with Milton here as I felt that the statements in the letter were 
more than clear when it comes to disclosures to law enforcement and 
third parties.  The purposes of law enforcement and third parties are 
not purposes of ICANN and ICANN should stop trying to fit a square peg 
through the round hole of its own purposes.

Law enforcement has legal rights under which access to data processed 
for various other purposes may be requested, for example under Art. 6 I 
(c) GDPR. Similarly, third parties will need a legal basis for any and 
every access request and controllers must in their own responsibility 
carry out a balancing between the rights of the data subject affected in 
each case and the rights of the requester.

When they note under "Next Steps" that law enforcement needs a timely 
and workable solution going forward to ensure the ability of LEAs to 
access the data legitimately, that does not invalidate the basic legal 
assumptions they make before that. On the contrary, it supports their 
view that a disclosure model for LEAs that is compliant with the legal 
requirements as well as stable, transparent and predictable is necessary.

No one said this was going to be easy but there is no contradiction in 
the letter when it comes to its messages.

Best regards,

Volker Greimann

On 23.04.2019 at 20:04, Mueller, Milton L wrote:
> Chris
> There is no inconsistency between the two statements. I am struggling 
> to understand why key members of ICANN’s board do not understand this.
> Purposes determine what data is collected and how it can be used by 
> the controller. Disclosure to third parties with legitimate interests 
> is not a purpose ICANN has in collecting and using registrant data, 
> but disclosure is nevertheless something that can happen legally when 
> certain conditions are met. When a credit card company collects PII 
> about me, its purpose is to facilitate financial transactions, it is 
> not to provide my name and address to the police. But legally, the 
> police can request disclosure of that information from the credit card 
> company under certain conditions set by law. What is so difficult to 
> understand there?
> In the statements below, the EC merely insists, correctly, upon 
> distinguishing between ICANN’s purposes for collecting and using 
> registrant data, and its reasons for disclosing it to third parties. 
> This does not rule out all disclosure to third parties with legitimate 
> interests.
> During the EPDP deliberations, the same point was made repeatedly by 
> public comments, and a majority of the EPDP members.
> The law is clear. Some in this debate are trying to erect a false 
> dichotomy: either we have ICANN collecting and disclosing registrant 
> data indiscriminately, as it did during the old Whois, or there is no 
> disclosure to third parties at all. Do you really think this is the 
> choice we have?
> --MM
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of* Chris Disspain
> *Sent:* Tuesday, April 23, 2019 11:26 AM
> *To:* Volker Greimann <vgreimann at key-systems.net>
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] European Commission comments on Phase 
> 1 report
> Indeed, thanks Volker. It is both important and useful. It is also 
> confusing although that may only be to me. What is said below appears 
> to be directly at odds with things being said by the DPAs and EC 
> representatives.
> In its statement of 27 May 2018 
> (https://edpb.europa.eu/news/news/2018/european-data-protection-board-endorsed-statement-wp29-icannwhois_en) 
> the EDPB said:
> "As expressed also in earlier correspondence with ICANN (including 
> this letter <http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48839> of 
> December 2017 and this letter 
> <http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51021> of 
> April 2018), WP29 expects ICANN to develop and implement a WHOIS 
> model which will enable legitimate uses by relevant stakeholders, such 
> as law enforcement, of personal data concerning registrants in 
> compliance with the GDPR, without leading to an unlimited publication 
> of those data."
> And during a Board GAC call last week on the Kobe GAC Communique 
> (https://gac.icann.org/minutes/gac%20kobe%20communiqué%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf) in 
> a discussion about the need for an access model, the work carried out 
> by the Technical Study Group to design one and how ICANN can get legal 
> advice for the DPAs about the legality of that model, the Commission 
> said that although it was not in a position to speak for the EU member 
> of the GAC...:
> "European Commission reiterated its willingness to help facilitate 
> communications with DPAs, and in particular the Belgian DPAs who it 
> indicated has been chosen to be the lead DPA on this issue for the EU, 
> a European Commission further suggested a two-step process: first, 
> considering with legal advisors implementation options to achieve the 
> aims of the EPDP report; and second, start consulting with the lead 
> DPA to get their views before consulting the full EDPB once more, with 
> facilitation from the Commission as needed"
> I’m struggling to align the above with the input below.
> Cheers,
> Chris
>     On 18 Apr 2019, at 16:08, Ayden Férdeline <icann at ferdeline.com> wrote:
>     Thank you for highlighting this important and useful contribution,
>     Volker.
>     -- Ayden
>     ‐‐‐‐‐‐‐Original Message ‐‐‐‐‐‐‐
>     On Thursday, April 18, 2019 4:37 PM, Volker Greimann
>     <vgreimann at key-systems.net> wrote:
>         Dear fellow members,
>         the European Commission just provided very valuable and
>         constructive insights into our reports that we would be
>         well-advised to take into account in Phase 2:
>         https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/20190417/6f0a65b2/CommentsontheTemporarySpecificationforgTLDRegistrationDataPolicyRecommendations-0001.pdf
>         "/The European Commission recognises this (the recommendation
>         of purposes and association with processing activities) as a
>         *long due and important step forward* in the ongoing reform of
>         the WHOIS system. Having a clear definition of the purposes
>         for the processing of the data in the WHOIS system is an
>         *essential pre-requisite* for ensuring a GDPR-compliant system./"
>         "/the overall model would benefit from *making even more
>         explicit the links between the purposes for processing
>         personal data and the specific processing activity(ies) as
>         well as the specific personal data items.*/"
>         "/Accordingly, the European Commission considers that *the
>         purposes* for processing WHOIS personal data by ICANN and/or
>         the contracted parties *should not include enabling access by
>         third parties*. This is also at the core of the concerns
>         expressed for some time by the DPAs and the European Data
>         Protection Board (EDPB), which have clarified that the
>         purposes of ICANN and contracted parties must *not be
>         conflated with the interests of third parties* in accessing
>         registration data./"
>         "/Notwithstanding the above, the European Commission would
>         like to acknowledge that maintaining such a distinction does
>         not per se limit WHOIS data access by/disclosure to third
>         parties, but merely differentiates between *ICANN’s own
>         purposes* (e.g. maintaining the security, stability and
>         resilience of the Domain Name System) which are capable of
>         justifying collection of the data in the first place, and
>         subsequent processing (enabling access to and disclosing WHOIS
>         data) for legitimate purposes pursued by third parties./"
>         "/In the Report, Article 6(1) (f) of the GDPR is often
>         invoked. The European Commission would like to recall that
>         legitimate interest is one of the six possible legal bases
>         provided under the GDPR. (...) Specifically, the legitimate
>         interest *needs to outweigh* the interest of the individual
>         concerned. Given that there is an interference with the
>         fundamental right to data protection of an individual, a
>         balancing of interests is necessary to properly justify the
>         reasons for such an interference. (...) The *balancing is*
>         thus *a responsibility* (*not a prerogative*) of the data
>         controller./"
>         "*/Third parties seeking access also need a legal basis for
>         processing the data/*/. For instance, an IPR rightholder might
>         have a legitimate interest to gain access to WHOIS personal
>         data in order to ensure his/her IP right is protected and not
>         abused. The existence of *such a right needs to be
>         substantiated and the necessity/proportionality of accessing
>         that data ascertained*. This IPR rightholder might rely on
>         Art. 6(1) (f)./"
>         "*/GDPR legitimate interest cannot be used as a legal basis
>         for data processing by public authorities/*".
>         "/With regard to the various processing activities involved in
>         the WHOIS system, the issue of whether they involve an
>         *international data transfer* under the GDPR should be
>         considered./ (...) it is also necessary to identify *an
>         appropriate legal ground* for the international transfer"
>         "/the current situation is affecting EU Member State
>         *authorities’ ability* to obtain legitimate access to this
>         data, necessary to enforce the law online, including in
>         relation to the fight against cybercrime/"
>         All this seems to point in a very clear direction for our path
>         ahead with regard to the disclosure model we will be working
>         on. More on that when we get to this part of our deliberations.
>         -- 
>         Volker A. Greimann
>         General Counsel and Policy Manager
>         *KEY-SYSTEMS GMBH*
>         T: +49 6894 9396901
>         M: +49 6894 9396851
>         F: +49 6894 9396851
>         W: www.key-systems.net <http://www.key-systems.net/>
>         Key-Systems GmbH is a company registered at the local court of
>         Saarbruecken, Germany with the registration no. HR B 18835
>         CEO: Alexander Siffrin
>         Part of the CentralNic Group PLC (LON: CNIC) a company
>         registered in England and Wales with company number 8576358.