[Gnso-epdp-team] European Commission comments on Phase 1 report - additional information

Volker Greimann vgreimann at key-systems.net
Fri May 3 14:21:16 UTC 2019


Hi Chris,

it really depends what one means by the term Unified Access Model.

Currently under the temp spec, we have a system that introduces many 
uncertainties as basically every contracted party is asked to make up 
their own access model and define the terms of access. A requester does 
not clearly know what is being required to be granted disclosure and 
many contracted parties also have difficulties defining hard and fast rules.

Clearly, this is unsustainable for the future, as the EC clearly states 
as a requester will have to accommodate the requirements of every single 
model and still will not have certainty of the disclosure. However this 
does not mean that the basic principle is flawed.

Ultimately, the existing models developed by the parties will have to be 
condensed or refined into a unified model with clear rules of what is 
being expected of them when they make a request and that provides for a 
set of requirements that when met will result in a certain outcome. This 
model can still take into account the various legal requirements a 
contracted party may face under its applicable jurisdiction, but it 
would reduce the variety that a requester has to put in.

Let's take the following example:

Law enforcement agencies A and B are in different jurisdictions. A is 
in the jurisdiction of the contracted party holding the data, B is not. 
Under a unified model, both would now be able to immediately find out 
the requirements for disclosure of the data needed for their 
investigation. Ideally, the template to use for them would be the same 
but the output they get may be different. All EU Member States' 
authorities would under such a model obtain the ability to obtain 
legitimate access to the data needed to enforce laws in compliance with 
the requirements and restrictions put in place by the applicable 
national laws.

I am sure no one here is advocating or proposing we allow anyone to 
circumvent the restrictions put in place by the applicable national laws.

Accreditation and certification also still have a place as they reduce 
the time needed to provide evidence of identity of the requester from 
having to do this every time to having to do this only every couple of 
years.

I do not see a conflict with anything I have proposed with anything in 
the response letter. Nothing in that letter requires an all-access model.

Developing a unified access model that meets the needs of law enforcement 
and public agencies within the framework of their right to access such 
data provided for in their applicable national laws is absolutely 
doable, centrally or distributedly implementable and consistent with the 
advice we just received.

Best regards,

Volker


On 03.05.2019 at 15:41, Chris Disspain wrote:
> Hi Volker,
>
> Thanks for such a quick response commenting on the letter.
>
> I do not agree that the selected quotes that you have used lead to the 
> conclusion that the EC ‘basically support’ a view that you propound.
>
> In addition and speaking personally, I think:
>
> …."we have constantly urged ICANN and the community to develop a 
> *unified access model* that applies to all registries and registrars 
> and provides a stable, predictable, and workable method for accessing 
> non-public gTLD registration data for users with a legitimate interest 
> or other legal basis as provided for in the General Data Protection 
> Regulation (GDPR). The European Commission considers this to be both 
> *vital and urgent,* and we urge ICANN and the community to develop and 
> implement a pragmatic and workable access model in the shortest 
> timeframe possible, to which we will contribute actively.”…..
>
> ….clearly shows that the EC supports a UAM which by definition means 
> that the concept of a UAM is perfectly acceptable under GDPR.
>
> I think:
>
> …."As the Commission already noted, *the current situation* where 
> access to non-public registration data for public policy objectives is 
> left at the discretion of registries and registrars *affects the EU 
> Member States authorities’ ability to obtain legitimate access to 
> non-public registration data* necessary to enforce the law online, 
> including in relation to the fight against cybercrime. The need to 
> ensure effective and secure treatment of third party access requests 
> requires therefore ICANN and the community developing a *unified* 
> method for accessing non-public gTLD registration data.”…..
>
> ….clearly demonstrates that the EC is unhappy with the status quo and 
> that in their view a UAM is essential.
>
> and I think:
>
> …."Accordingly, we consider that a clear distinction needs to be made 
> between ICANN's own purposes for processing personal data and the 
> purposes pursued by the third parties in accessing the data. For this 
> reason, we would recommend revising the formulation of purpose two by 
> excluding the second part of the purpose "through enabling responses 
> to lawful data disclosure requests" and *maintaining a broader 
> purpose* to "contribute to the maintenance of the security, stability, 
> and resiliency of the Domain Name System in accordance with ICANN's 
> mission", which is at the core of the role of ICANN as the “guardian” 
> of the Domain Name System.
>
> …..means that the EC’s view is that attempts to narrow ICANN’s purpose 
> are counter-productive and the current wording needs to be revisited.
>
>
>
> Cheers,
>
>
> CD
>
>
>> On 3 May 2019, at 15:29, Volker Greimann <vgreimann at key-Systems.net> wrote:
>>
>> Thank you Chris for forwarding this.
>>
>> As expected, the response is very helpful in providing further 
>> clarity in how future disclosure models should work and it is also 
>> very helpful that they provided a quick response just in time to the 
>> start of our deliberations.
>>
>> By stating that access should be enabled "_upon request_ (...) 
>> _showing a legitimate interest_, provided both the controller (...) 
>> and the third party _have a legal basis_ for such processing (...)" 
>> they basically support a point many participants of Phase 1 have 
>> been making all along in this debate:
>>
>> _Disclosure can only work on a per-request basis and each such 
>> request must show both the legitimate interest for the disclosure and 
>> the legal basis for the processing activity requested for all parties 
>> involved in the disclosure._
>>
>> This explicitly excludes any concepts of "all-access" models where a 
>> requester need only acquire some form of certification or 
>> accreditation prior to being restored to the access to the whois of 
>> yore. I therefore propose that we abandon these concepts at the start 
>> of our deliberations to avoid wasting time on ultimately futile debates.
>>
>> Another shortcut we could use to save time is to initially focus our 
>> discussions of the UDM (Unified Disclosure Model) by looking 
>> exclusively at those parties with the best legal basis for 
>> disclosure: national law enforcement agencies and other public 
>> authorities in the same jurisdiction as the data controller. Once we 
>> have a model for these parties, the rest can follow from there. 
>> Obviously, the disclosure methods these parties have legal rights to 
>> (that turn into legal obligations for the data compliance) would vary 
>> on the legal bases of their appropriate jurisdictions and that is 
>> ultimately something that we would need to ask the individual GAC 
>> members to provide for example.
>>
>> For example, we could start out by asking GAC members to provide 
>> data on how individual law enforcement bodies and public authorities 
>> have to go about in their specific jurisdiction with obtaining data 
>> from comparable data controllers, like telephone companies, internet 
>> access providers or hosting providers. Are there special processes 
>> that entities would need to follow? If so, could our model be based 
>> on these processes for these jurisdictions? If, for example, a local 
>> police has to obtain a court warrant or subpoena to demand disclosure 
>> of personal data held by a webhoster, is that not also sufficiently 
>> equivalent to a demand towards a contracted party? This does mean we 
>> would have to vary our model by jurisdiction, but ultimately it seems 
>> to be the most legally sound way to operate. This is also supported 
>> by the letter, which states: "/Instead, they need to rely on another 
>> legal basis, which is normally provided for in national law./" It is 
>> the job of the GAC to tell us what this legal basis is in each 
>> instance and it is our job to reflect this basis in our model for 
>> access of the entities so entitled.
>>
>> Best regards,
>>
>> Volker Greimann
>>
>>
>> On 03.05.2019 at 13:10, Chris Disspain wrote:
>>> Hello All,
>>>
>>> As you will know, on 26 April Göran Marby wrote to the European 
>>> Commission seeking additional information regarding their comments 
>>> of 17 April. That letter is attached for ease of reference.
>>>
>>> A response has now been received from the Commission and I attach 
>>> that for your information.
>>>
>>>
>>> Cheers,
>>>
>>> CD
>>>
>>>
>>>
>>> _______________________________________________
>>> Gnso-epdp-team mailing list
>>> Gnso-epdp-team at icann.org
>>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
>> -- 
>> Volker A. Greimann
>> General Counsel and Policy Manager
>> *KEY-SYSTEMS GMBH*
>>
>> T: +49 6894 9396901
>> M: +49 6894 9396851
>> F: +49 6894 9396851
>> W: www.key-systems.net
>>
>> Key-Systems GmbH is a company registered at the local court of 
>> Saarbruecken, Germany with the registration no. HR B 18835
>> CEO: Alexander Siffrin
>>
>> Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
>> England and Wales with company number 8576358.
>