[Gnso-epdp-team] REVISED: Question for legal advisors

Alan Greenberg alan.greenberg at mcgill.ca
Thu Jul 25 03:18:26 UTC 2019


At Mark's suggestion, I have reformatted/reworded this for additional (hopefully) clarity.

==============

Background:

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy.

If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, we can rely on the vetting during accreditation and the commitments made by the requester in order to be accredited.

Examples:

As a simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it?

For a more nuanced situation, if a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example) makes a request for specific data, can we assume that given the process under which they are accredited, we can be assured that they need this data, have no practical alternative way of addressing the issue, and will only use/store the data appropriately?

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Summary:

Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Question:

If a requester is properly vetted (accredited, authenticated) and has provided assurances they understand they may only request data that meets the balance test (i.e. their need is sufficiently great that it warrants releasing to them otherwise redacted data), can an automated system presume that the GDPR balancing test has been satisfied?

Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.


At 24/07/2019 04:27 PM, Alan Greenberg wrote:
As requested during the last meeting, here is a question to go to the Legal Committee looking for a clear legal opinion.

===============================

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy.

If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, we can rely on the vetting during accreditation and the commitments made by the requester in order to be accredited.

Specifically, if a requester is properly vetted and provides assurances (and proof?) they understand the balancing that must be done, can the automated system presume that the balancing test has been satisfied?

Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

In one simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it?

A less clear case is that of a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example).

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case. Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Alan