[Gnso-epdp-team] European Commission comments on Phase 1 report - additional information

Chris Disspain chris at disspain.uk
Fri May 3 13:41:34 UTC 2019


Hi Volker,

Thanks for such a quick response commenting on the letter. 

I do not agree that the selected quotes that you have used lead to the conclusion that the EC ‘basically support’ a view that you propound.

In addition and speaking personally, I think:

…."we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR). The European Commission considers this to be both vital and urgent, and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively.”…..

….clearly shows that the EC supports a UAM which by definition means that the concept of a UAM is perfectly acceptable under GDPR.

I think:

…."As the Commission already noted, the current situation where access to non-public registration data for public policy objectives is left at the discretion of registries and registrars affects the EU Member States authorities’ ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime. The need to ensure effective and secure treatment of third party access requests requires therefore ICANN and the community developing a unified method for accessing non-public gTLD registration data.”…..

….clearly demonstrates that the EC is unhappy with the status quo and that in their view a UAM is essential.

and I think:

…."Accordingly, we consider that a clear distinction needs to be made between ICANN's own purposes for processing personal data and the purposes pursued by the third parties in accessing the data. For this reason, we would recommend revising the formulation of purpose two by excluding the second part of the purpose "through enabling responses to lawful data disclosure requests" and maintaining a broader purpose to "contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission", which is at the core of the role of ICANN as the “guardian” of the Domain Name System.”…..

…..means that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited.



Cheers,

CD

> On 3 May 2019, at 15:29, Volker Greimann <vgreimann at key-Systems.net> wrote:
> 
> Thank you Chris for forwarding this. 
> As expected, the response is very helpful in providing further clarity in how future disclosure models should work and it is also very helpful that they provided a quick response just in time for the start of our deliberations. 
> By stating that access should be enabled "upon request (...) showing a legitimate interest, provided both the controller (...) and the third party have a legal basis for such processing (...)" they basically support a point many participants of Phase 1 have been making all along in this debate:
> 
> Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure.
> 
> This explicitly excludes any concepts of "all-access" models where a requester need only acquire some form of certification or accreditation prior to being restored to the access to the whois of yore. I therefore propose that we abandon these concepts at the start of our deliberations to avoid wasting time on ultimately futile debates. 
> Another shortcut we could use to save time is to initially focus our discussions of the UDM (Unified Disclosure Model) by looking exclusively at those parties with the best legal basis for disclosure: national law enforcement agencies and other public authorities in the same jurisdiction as the data controller. Once we have a model for these parties, the rest can follow from there. Obviously, the disclosure methods these parties have legal rights to (that turn into legal obligations for the data compliance) would vary on the legal bases of their appropriate jurisdictions and that is ultimately something that we would need to ask the individual GAC members to provide for example. 
> For example, we could start out by asking GAC members to provide data on how individual law enforcement bodies and public authorities have to go about in their specific jurisdiction with obtaining data from comparable data controllers, like telephone companies, internet access providers or hosting providers. Are there special processes that entities would need to follow? If so, could our model be based on these processes for these jurisdictions? If, for example, a local police has to obtain a court warrant or subpoena to demand disclosure of personal data held by a webhoster, is that not also sufficiently equivalent to a demand towards a contracted party? This does mean we would have to vary our model by jurisdiction, but ultimately it seems to be the most legally sound way to operate. This is also supported by the letter, which states: "Instead, they need to rely on another legal basis, which is normally provided for in national law." It is the job of the GAC to tell us what this legal basis is in each instance and it is our job to reflect this basis in our model for access of the entities so entitled.
> Best regards,
> 
> Volker Greimann
> 
> Am 03.05.2019 um 13:10 schrieb Chris Disspain:
>> Hello All,
>> 
>> As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference. 
>> 
>> A response has now been received from the Commission and I attach that for your information. 
>> 
>> 
>> Cheers,
>> 
>> CD
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Gnso-epdp-team mailing list
>> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>-- 
> Volker A. Greimann
> General Counsel and Policy Manager
> KEY-SYSTEMS GMBH
> 
> T: +49 6894 9396901
> M: +49 6894 9396851
> F: +49 6894 9396851
> W: www.key-systems.net <http://www.key-systems.net/>
> 
> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
> CEO: Alexander Siffrin
> 
> Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
