[Gnso-epdp-team] Responses to legal questions
kurt at kjpritz.com
Fri Feb 1 20:06:22 UTC 2019
Dear EPDP Team:
I am writing to notify you that outside legal counsel has responded to three questions from the EPDP Legal Team. The Legal Team has reviewed the responses. Rather than include a Legal Team opinion regarding the effect of the responses on our discussion, the Team decided to simply provide the answers (in summary form and in formal memo) that Bird&Bird provided to us.
Below, please find the:
EPDP Team questions posed to Bird&Bird, and
Informal summary of the answers provided by Bird&Bird.
The full legal memoranda can be found on the wiki page. <https://community.icann.org/display/EOTSFGRD/Meetings+Legal+Committee+Framework>
Please respond with questions you might have to this list.
Legal vs. Natural
Q: The EPDP Team discussed Charter Question h3, namely, should Contracted Parties be allowed or required to treat legal and natural persons differently, and what mechanism is needed to ensure reliable determination of status? In determining the answer to this question, the EPDP Team sought the guidance of external legal counsel, inquiring specifically, “If a registrar permits a registrant, at the time of domain name registration, to self-identify as a natural or legal person, does a registrant’s incorrect self-identification that results in the public display of personal data create liability under GDPR? If so, please advise, for each possible participant in the domain name registration process listed below, if that participant incurs liability.” External legal counsel provided the following summary answer.
A: “We conclude that the relevant parties could be subject to liability if a registrant wrongly self-identifies as a legal person (and not a natural person) and the registrant's data is disclosed in reliance on this self-identification. To reduce the risks, we propose several solutions, such as focus group testing of the registration process to minimise the risk of errors and technical tools (if feasible) to verify the information provided. We also recommend providing clear notice to data subjects of the consequences for them of the designation as either a legal or a natural person as well as a way for data subjects to easily correct a mistaken classification. One way to do this effectively would be to send a follow-up email after registration to the listed contacts – this could also help with the notice issue addressed in question 1 [Technical Contact].”
Q: The EPDP Team also took note of a related footnote [from the EDPB] which states, “[if contact details for persons other than the RNH are provided] it should be ensured that the individual concerned is informed”. The EPDP Team discussed whether this note implies that it is sufficient for the Registered Name Holder (RNH) to inform the individual it has designated as the technical contact, or whether the registrar may have the additional legal obligations to obtain consent. The EPDP Team requested external legal counsel guidance on this topic who provided the following summary answer:
A: “In cases where the RNH and the technical contact are not the same person, relying on the RNH to provide notice on the registrar's behalf will not meet GDPR's notice requirements if the RNH fails to provide the notice. While this may provide grounds for a contractual claim against the RNH, it is unlikely to provide a viable defence under the GDPR. Moreover, this arrangement will make it difficult for registrars to demonstrate that notice has been provided. If notice is not effectively provided, this could affect the legitimate interests analysis, since technical contacts may not "reasonably expect" the manner in which their data will be processed. If relying on consent, such an arrangement would make it difficult to document that consent has been provided”.
Q: The EPDP Team asked two questions about the application of Article 6(1)b to external legal counsel:
a) Does the reference 'to which the data subject is party' limit the use of this lawful basis only to those entities that have a direct contractual relationship with the Registered Name Holder?
b) Does "necessary for the performance of a contract" relate solely to the registration and activation of a domain, or, alternatively, could related activities such as fighting DNS abuse also be considered necessary for the performance of a contract?
External legal counsel provided the following summary answers:
A: “a) it is not clear if the contractual necessity condition can only apply where there is a contract between data controller and data subject, or whether the contract could be between another person and the data subject. (For example, so that ICANN or a registry could argue that their processing is necessary for the contract between the registrar and the RNH/data subject). In countries where we have checked, there are no cases on point. Some data protection authorities interpret the provision narrowly. However, there is also guidance arguing for a more liberal approach. We think a more liberal approach is correct – but this is untested.
b) What is 'necessary' is interpreted strictly. We do not think that the EPDP could successfully argue that preventing DNS abuses is 'necessary' for the contract with the RNH. There is guidance from the Article 29 Working Party on this which has examples somewhat similar to ICANN's situation”.