[Gnso-epdp-team] Approved questions from Legal Committee - Batch 1
farzaneh badii
farzaneh.badii at gmail.com
Thu Aug 29 01:34:30 UTC 2019
Thank you Caitlin
I would like to one more time to mention that this group was not a
representative group of EPDP. NCSG was under-represented vis a vis CSG,
which is unfortunate.
My comments on some of the questions:
"
1. To what extent, if any, are contracted parties liable when a third
party that accesses non-public WHOIS data under an accreditation scheme
where by the accessor is accredited for the stated purpose, commits to
certain reasonable safeguards similar to a code of conduct regarding use of
the data, but misrepresents their intended purposes for processing such
data, and subsequently processes it in a manner inconsistent with the
stated purpose. Under such circumstances, if there is possibility of
liability to contracted parties, are there steps that can be taken to
mitigate or reduce the risk of liability to the contracted parties?"
Why was it decided to add this question? We are supposed to have an SSAD
that facilitates disclosure but also holds the abusers of WHOIS data
accountable. If the law has assigned liability to this case it is to
incentivize the parties to conduct the disclosure with due diligence and
care and have an interest in holding the abuser accountable. By asking this
question (and asking for mitigating liability in general) we are weakening
the data protection system in WHOIS. I don't think that is our aim. Our aim
is to facilitate disclosure and protecting domain name registrants data.
****
Q: 3. is it legally permissible under Article 6(1)(f) to:
> define specific categories of requests from accredited parties (e.g.
> rapid response to a malware attack or contacting a non-responsive IP
> infringer), for which there can be automated submissions for non-public
> WHOIS data, without having to manually verify the qualifications of the
> accredited parties for each individual disclosure request, and/or
Didn't we specifically say that having "user groups" should not result in
"automation of disclosure"? I understand that you are talking about
"categories of requests" here but also you are talking about automating the
"accredited parties" submission and disclosure without checking their
qualifications every time. I am concerned that this might actually lead to
creating user groups request/disclosure automation.
In addition, if it is not possible to automate any of these steps, please
> provide any guidance for how to perform the balancing test under Article
> 6(1)(f).
Can we please ask the question on how to perform a balancing test
regardless of being able to automate disclosure/submission steps? Unless
you want to ask how to carry out a balancing test while also automating the
steps. If that is the case I think it should be clearer and please refrain
from using the passive voice especially in Q 3. Also a general question
about how to carry out the balancing test might not be a bad idea since we
are in a deadlock about it.
Best
Farzaneh
Farzaneh
On Thu, Aug 29, 2019 at 1:43 AM Caitlin Tubergen <caitlin.tubergen at icann.org>
wrote:
> Dear EPDP Team,
>
>
>
> On behalf of the Phase 2 EPDP Legal Committee, please find the first set
> of legal questions the Legal Committee has agreed to send to outside
> counsel.
>
>
>
> As a reminder, the below text has been reviewed, edited, and agreed to by
> a representative group of EPDP Team Members, and, as such, EPDP Leadership
> would ask the EPDP Team to apply the “cannot live with” standard it its
> review of the below questions.
>
>
>
> Thank you.
>
>
>
> Best regards,
>
>
>
> Marika, Berry, and Caitlin
>
>
>
> *Questions to Outside Counsel: Batch 1 *
>
>
>
> 1. Consider a System for Standardized Access/Disclosure where:
>
>
> - contracted parties “CPs” are contractually required by ICANN to
> disclose registration data including personal data,
> - data must be disclosed over RDAP to requestors either directly or
> through an intermediary request accreditation/authorization body,
> - the accreditation is carried out by third party commissioned by
> ICANN without CP involvement,
> - disclosure takes place in an automated fashion without any manual
> intervention,
> - data subjects are being duly informed according to ICANN’s
> contractual requirements of the purposes for which, and types of entities
> by which, personal data may be processed. CP’s contract with ICANN also
> requires CP to notify data subject about this potential disclosure and
> third-party processing before the data subject enters into the registration
> agreement with the CP, and again annually via the ICANN-required
> registration data accuracy reminder. CP has done so.
>
> Further, assume the following safeguards are in place
>
> - ICANN or its designee has validated/verified the requestor’s
> identity, and required in each instance that the requestor:
>
> · represents that it has a lawful
> basis for requesting and processing the data,
>
> · provides its lawful basis,
>
> · represents that it is requesting
> only the data necessary for its purpose,
>
> · agrees to process the data in
> accordance with GDPR, and
>
> · agrees to EU standard
> contractual clauses for the data transfer.
>
>
>
> - ICANN or its designee logs requests for non-public registration
> data, regularly audits these logs, takes compliance action against
> suspected abuse, and makes these logs available upon request by the data
> subject.
>
> 1. What risk or liability, if any, would the CP face for the processing
> activity of disclosure in this context, including the risk of a third party
> abusing or circumventing the safeguards?
>
> 2. Would you deem the criteria and safeguards outlined
> above sufficient to make disclosure of registration data compliant? If any
> risk exists, what improved or additional safeguards would eliminate1 this
> risk?
>
> 3. In this scenario, would the CP be a controller or a processor2, and
> to what extent, if at all, is the CP’s liability impacted by this
> controller/processor distinction?
>
> 4. Only answer if a risk still exists for the CP: If a risk still exists
> for the CP, what additional safeguards might be required to eliminate CP
> liability depending on the nature of the disclosure request, i.e. depending
> on whether data is requested e.g. by private actors pursuing civil claims
> or law enforcement authorities depending on their jurisdiction or the
> nature of the crime (misdemeanor or felony) or the associated sanctions
> (fine, imprisonment or capital punishment)?
>
>
>
> Footnote 1: “Here it is important to highlight the special role that
> safeguards may play in reducing the undue impact on the data subjects, and
> thereby changing the balance of rights and interests to the extent that the
> data controller’s legitimate interests will not be overridden.“ (
> https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf
> [iapp.org]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__iapp.org_media_pdf_resource-5Fcenter_wp217-5Flegitimate-2Dinterests-5F04-2D2014.pdf&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=WmQKTNAW4Y5U-c0lyA5XiCXNYR3bBOIeUD3JHAistCY&s=sWyYss17bzERUGYmyRgrLIYOWeEFfEm8TK82oD0K4Yg&e=>
> )
>
>
>
> Footnote 2: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en
> [ec.europa.eu]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__ec.europa.eu_info_law_law-2Dtopic_data-2Dprotection_reform_rules-2Dbusiness-2Dand-2Dorganisations_obligations_controller-2Dprocessor_what-2Ddata-2Dcontroller-2Dor-2Ddata-2Dprocessor-5Fen&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=8K75qGdDlOta4kh6k2F0jrT195M3tF3J_Fxcz6EvuG2kYKDeA67ZTEnthHXAPVXH&m=WmQKTNAW4Y5U-c0lyA5XiCXNYR3bBOIeUD3JHAistCY&s=VLfFI2qvdMLP-znynFRMTpavBVBxa6oxjPohOdyWao0&e=>
>
>
>
>
>
> 1. To what extent, if any, are contracted parties liable when a third
> party that accesses non-public WHOIS data under an accreditation scheme
> where by the accessor is accredited for the stated purpose, commits to
> certain reasonable safeguards similar to a code of conduct regarding use of
> the data, but misrepresents their intended purposes for processing such
> data, and subsequently processes it in a manner inconsistent with the
> stated purpose. Under such circumstances, if there is possibility of
> liability to contracted parties, are there steps that can be taken to
> mitigate or reduce the risk of liability to the contracted parties?
>
>
>
>
>
> 1. (Formerly Q9) Assuming that there is a policy that allows
> accredited parties to access non-public WHOIS data through an SSAD (and
> requires the accredited party to commit to certain reasonable safeguards
> similar to a code of conduct), is it legally permissible under Article
> 6(1)(f) to:
>
>
>
> · define specific categories of requests from accredited parties
> (e.g. rapid response to a malware attack or contacting a non-responsive IP
> infringer), for which there can be automated submissions for non-public
> WHOIS data, without having to manually verify the qualifications of the
> accredited parties for each individual disclosure request, and/or
>
> · enable automated disclosures of such data, without requiring a
> manual review by the controller or processor of each individual disclosure
> request.
>
> In addition, if it is not possible to automate any of these steps, please
> provide any guidance for how to perform the balancing test under Article
> 6(1)(f).
>
>
>
> For reference, please refer to the following potential safeguards:
>
>
>
> · Disclosure is required under CP’s contract with ICANN
> (resulting from Phase 2 EPDP policy).
>
> · CP’s contract with ICANN requires CP to notify the data subject
> of the purposes for which, and types of entities by which, personal data
> may be processed. CP is required to notify data subject of this with the
> opportunity to opt out before the data subject enters into the registration
> agreement with the CP, and again annually via the ICANN-required
> registration data accuracy reminder. CP has done so.
>
> · ICANN or its designee has validated the requestor’s identity,
> and required that the requestor:
>
> o represents that it has a lawful basis for requesting and processing
> the data,
>
> o provides its lawful basis,
>
> o represents that it is requesting only the data necessary for its
> purpose,
>
> o agrees to process the data in accordance with GDPR, and
>
> o agrees to standard contractual clauses for the data transfer.
>
> · ICANN or its designee logs requests for non-public registration
> data, regularly audits these logs, takes compliance action against
> suspected abuse, and makes these logs available upon request by the data
> subject.
>
>
>
>
>
> 1. Under the GDPR, a data controller can disclose personal data to law
> enforcement of competent authority under Art. 6 1 c GDPR provided the law
> enforcement authority has the legal authority to create a legal obligation
> under applicable law. Certain commentators have interpreted “legal
> obligation” to apply only to legal obligations grounded in EU or Member
> State law.
>
>
>
> As to the data controller:
>
>
>
> a. Consequently, does it follow that the data controller may not rely on
> Art. 6 1 c GDPR to disclose personal data to law enforcement authorities
> outside the data controller’s jurisdiction? Alternatively, are there any
> circumstances in which data controllers could rely on Art. 6 1 c GDPR to
> disclose personal data to law enforcement authorities outside the data
> controller’s jurisdiction?
>
>
>
> b. May the data controller rely on any other legal bases, besides Art. 6 I
> f GDPR, to disclose personal data to law enforcement authorities outside
> the data controller’s jurisdiction?
>
>
>
> As to the law enforcement authority:
>
>
>
> Given that Art. 6 1 GDPR states that European public authorities cannot
> use Art. 6 I f GDPR as a legal basis for processing carried out in the
> performance of their tasks, these public authorities need to have a legal
> basis so that disclosure can take place based on another legal basis (e.g.
> Art. 6 I c GDPR).
>
>
>
> c. In the light of this, is it possible for non-EU-based law enforcement
> authorities to rely on Art. 6 I f GDPR as a legal basis for their
> processing? In this context, can the data controller rely on Art. 6 1 f
> GDPR to disclose the personal data? If non-EU-based law enforcement
> authorities cannot rely on Art. 6 1 f GDPR as a legal basis for their
> processing, on what lawful basis can non-EU-based law enforcement rely?
>
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190829/b666818e/attachment-0001.html>
More information about the Gnso-epdp-team
mailing list