[Gnso-epdp-team] European Commission comments on Phase 1 report - additional information

Volker Greimann vgreimann at key-systems.net
Fri May 3 12:29:32 UTC 2019 

Thank you Chris for forwarding this.

As expected, the response is very helpful in providing further clarity 
in how future disclosure models should work and it is also very helpful 
that they provided a quick response just in time to the tstart of our 
deliberations.

By stating that access should be enabled "/_upon request _(...) _showing 
a legitimate interest_, provided both the controller (...) and the third 
party _have a legal basis _for such processing (...)" /they basically 
support a point many participants of Phase 1 have been making all along 
in this debate:

_Disclosure can only work on a per-request basis and each such request 
must show both the legitimate interest for the disclosure and the legal 
basis for the processing activity requested for all parties involved in 
the disclosure._

This explicitly excludes any concepts of "all-access" models where a 
requester need only acquire some form of certification or accreditation 
prior to being restored to the access to the whois of yore. I therefore 
propose that we abandon these concepts at the start of our deliberations 
to avoid wasting time on ultimately futile debates.

Another shortcut we could use to save time is to initially focus our 
discussions of the UDM (Unified Disclosure Model) by looking exclusively 
at those parties with the best legal basis for disclosure: national law 
enforcement agencies and other public authorities in the same 
jurisdiction as the data controller. Once we have a model for these 
parties, the rest can follow from there. Obviously, the disclosure 
methods these parties have legal rights to (that turn into legal 
obligations for the data compliance) would vary on the legal bases of 
their appropriate jurisdictions and that is ultimately something that we 
would need to ask the individual GAC members to provide for example.

For example, we could start out by asking a GAC members to provide data 
on how individual law enforcement bodies and public authorities have to 
go about in their specific jurisdiction with obtaining data from 
comparable data controllers, like telephone companies, internet access 
providers or hosting providers. Are there special processes that 
entities would need to follow? If so, could our model be based on these 
processes for these jurisdictions? If, for example, a local police has 
to obtain a court warrant or subpoena to demand disclosure personal data 
held by a webhoster, is that not also sufficiently equivalent to a 
demand towards a contracted party? This does mean we would have to vary 
our model by jurisdiction, but ultimately it seems to be the most 
legally sound way to operate. This is also supported by the letter, 
which states: "/Instead, they need to rely on another legal basis, which 
is normally provided for in national law./" It is the job of the GAC to 
tell us what this legal basis is in each instance and it is our job to 
reflect this basis in our model for access of the entities so entitled.

Best regards,

Volker Greimann


Am 03.05.2019 um 13:10 schrieb Chris Disspain:
> Hello All,
>
> As you will know, on 26 April Göran Marby wrote to the European 
> Commission seeking additional information regarding their comments of 
> 17 April. That letter is attached for ease of reference.
>
> A response has now been received from the Commission and I attach that 
> for your information.
>
>
>
> Cheers,
>
>
> CD
>
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190503/f5e804fb/attachment.html>

More information about the Gnso-epdp-team mailing list