[Gnso-epdp-team] Observations on the EC Letter Shared Today

Margie Milam margiemilam at fb.com
Sat May 4 00:21:46 UTC 2019 

Dear all:

I appreciate the perspectives shared so far.  From a high level, the EC letters are very helpful for us to arrive at some conclusions.  Let me share some thoughts from the BC.

First, there’s little in today’s letter that’s new.  In fact, it’s repetitious, as the author points out.  Prior communications from the EC shows they’ve advised that:


  *   A solution to non-public data access must be a priority, and an immediate one.
  *   The EC supports an access model, provided it is within the bounds of GDPR law.
  *   The current “no access” situation is degrading the ability of LEAs, cybersecurity authorities and others to perform in their roles; thus, the need for a speedy solution.
  *   Access by Law Enforcement uses a different basis than 6(1)f and should be treated differently than other types of 3rd party access.
  *   No conflation should be made between ICANN’s purposes and those of third parties (e.g., ICANN’s purposes can’t be used by others to justify access – a separate legitimate purpose is required).
  *   WHOIS is in the public interest.

These points were made in the previous communications from the EC, and are now echoed in today’s letter.  From the perspective of the BC, the themes in today’s letter are familiar:


  *   We need an access model quickly.  According to the letter:

…we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR).The European Commission considers this to be both vital and urgent, and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively.

and

Your understanding is correct that we do not suggest that ICANN or the contracted parties should not be able to disclose registration data to third parties. On the contrary, finding a timely and workable solution for access to non-public gTLD registration data is a matter of priority.


  *   Don’t conflate purposes, and don’t unnecessarily restrict definition of ICANN’s purposes.  A simple fix here is to split Purpose 2 into two purposes, where one focuses on ICANN’s purpose, and the second one focuses on the third party purposes allowable under GDPR.


  *   A unified system for third party access, for multiple parties, is necessary.  The EC letter recognizes that the current situation is unworkable.   Volker’s statement that “Disclosure can only work on a per-request basis…”  seems to contradict the EC’s concerns regarding the current situation where access is “left at the discretion of registries and registrars”.  As noted in the letter, this affects the … “ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime.”


  *   The Final Report was Too Restrictive. The EC letters clearly state that WHOIS is in the public interest, and that the EPDP Final Report was too restrictive when it only relied on Articles 6(1)(f) as the legal basis for the new policy.  This is consistent with the BC’s position in Phase 1.  We need to update our analysis to recognize the other basis applicable (consent (Art. 6(1)a); performance of a contract(Art. 6(1)b); compliance with a legal obligation(Art. 6(1)c); protection of vital interest (Art. 6(1)d); and public interest (Art. 6(1)e)), and ask that Bird & Bird revisit its legal analysis in light of these developments.


  *   The EC Guidance Reduces GDPR Risk. The EC letter notes that it has facilitated discussions between ICANN and the EDPB, and will continue to do so.   This is good news, and means that the advice likely reflects input from those discussions.  Following this advice should reduce GDPR risk for ICANN and contracted parties in creating a UAM.

Therefore, on the points of access and purposes, the BC submits that the wording of today’s EC letter leaves little room for creative interpretation.  They have repeated now, several times, the points listed above, and have done so clearly.

As I say, there’s little new here.  We believe it’s time to expeditiously move forward with Phase 2 and establish an access model that balances the needs of all parties.

 All the best,

Margie and Mark,
On behalf of the BC

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190504/f1a27184/attachment-0001.html>

More information about the Gnso-epdp-team mailing list