[Gnso-epdp-team] REVISED: Question for legal advisors

Mark Svancarek (CELA) marksv at microsoft.com
Tue Jul 30 03:30:10 UTC 2019


I agree that it will be valuable to get more legal advice on this. Greg and I seem to be thinking similarly. A number of inputs go into the process of making the decision. Whether a requester is credentialed, or accredited, or has received a certification, or has entered into a code of conduct… These are all factors that play a role in the decision process.

________________________________
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Alan Greenberg <alan.greenberg at mcgill.ca>
Sent: Monday, July 29, 2019 8:10:59 PM
To: Mueller, Milton L <milton at gatech.edu>; Greg Aaron <greg at illumintel.com>; 'EPDP' <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors

As I understand it, if we cannot rely on reputation and commitments, then there is no way to build a fully automated system to address ANY requests, no matter how repetitive or simple they may be. That implies that every request will require human intervention, and even that human must not rely on the requester credentials or commitments.

Moreover, I am not sure I see the benefit of credentialing if we cannot rely on the credentials conveying some level of trust.

Perhaps someone understands how we could still have a partially or fully automated system and if so I wish they would tell us. The hype around Artificial Intelligence implies it would be a piece of cake, but I remain skeptical and I have not heard any contracted parties saying they would be happy to rely on such a system.

So if Milton and others are correct, and AI is not up to doing the "balancing", then we need to give up on the concept of an automated system or even an automation-assisted system. And the sooner we do it, the less time we will waste. But if we are ditching this core part of our task, I believe that we need professional guidance and not armchair lawyers.

Alan

At 29/07/2019 04:43 PM, Mueller, Milton L wrote:
I find the discussions of this proposed question to be fundamentally detached from legal and practical reality.

Essentially, this question boils down to this: can we avoid doing a balancing test if someone we think we trust wants the data?
The answer to that should be obvious.

If the law requires a balancing test, it doesn't matter _who_ the person making the inquiry is. It doesn't matter how "trustworthy" they are, how nicely they ask, how sweetly they smile, the point here is that the interest of the requestor in obtaining the information must be weighed against the rights to privacy of the data subject. You cannot skirt that balancing test without breaking the law. Full stop.

This question makes about as much sense as asking the data subject to unilaterally determine the outcome of the test. "Hey, if we have a data subject we think is good and trustworthy, can we automatically nix any disclosure requests because we think they are good guys?" No, you can't do that. Balancing test means a balancing test. One party's interests are weighed against the other's.

I hope we do not waste our scarce legal time with something like this.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology



From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Greg Aaron
Sent: Monday, July 29, 2019 3:22 PM
To: 'Alan Greenberg' <alan.greenberg at mcgill.ca>; 'EPDP' <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors

Dear Alan, Mark, legal team:

Yes, this issue is a vital one to ask the legal advisers, and we must make sure they understand the issue.  An additional way to explain it is below.  Feel free to adapt or include any of this suggested language below if you like.

<snip>

6(f) says that processing is lawful if it "is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject."
This language describes a general requirement that must be met.  It does not describe any specific decision-making process or the threshold that must be reached to satisfy the balancing test in any specific case.

Question: can a data controller rely on advice or assertions that come from a qualified and trusted party in order to satisfy 6(f)'s balancing test?  If it is possible, then what are the considerations?  If not, why?

Example: a third party is trying to mitigate a phishing attack.  This third party is the victim of the attack, or is defending its customers.  GDPR Recital 49 says that processing personal data for such a purpose "constitutes a legitimate interest of the data controller concerned."  The third party makes a data request to the controller.  The third party is in some way accredited, its identity and subject matter expertise are known to the data controller, and the third party makes representations about the legitimacy and accuracy of its request.  Can the data processor rely on this information and relationship?

</snip>

(And I also assume what you wrote --  accreditation could be withdrawn, the requestor is following data minimization practices, etc. etc.)

BTW, am hoping to move away from "security researcher" as a blanket term to include those involved in operational security, for some previously explained reasons.

Thanks,
--Greg


From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Alan Greenberg
Sent: Wednesday, July 24, 2019 11:18 PM
To: EPDP <gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] REVISED: Question for legal advisors

At Mark's suggestion, I have reformatted/reworded this for additional (hopefully) clarity.

==============

Background:

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy.

If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, we can rely on the vetting during accreditation and the commitments made by the requester in order to be accredited.

Examples:

As a simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it?

For a more nuanced situation, if a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example) makes a request for specific data, can we assume that given the process under which they are accredited, we can be assured that they need this data, have no practical alternative way of addressing the issue, and will only use/store the data appropriately?

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Summary:

Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Question:

If a requester is properly vetted (accredited, authenticated) and has provided assurances they understand they may only request data that meets the balance test (i.e. their need is sufficiently great that it warrants releasing to them otherwise redacted data), can an automated system presume that the GDPR balancing test has been satisfied?

Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.


At 24/07/2019 04:27 PM, Alan Greenberg wrote:

As requested during the last meeting, here is a question to go to the Legal Committee looking for a clear legal opinion.

===============================

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy.

If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, we can rely on the vetting during accreditation and the commitments made by the requester in order to be accredited.

Specifically, if a requester is properly vetted and provides assurances (and proof?) they understand the balancing that must be done, can the automated system presume that the balancing test has been satisfied?

Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

In one simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it?

A less clear case is that of a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example).

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case. Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Alan