[Gnso-epdp-team] Observations on the EC Letter Shared Today

Volker Greimann vgreimann at key-systems.net
Mon May 6 09:57:06 UTC 2019 

Hi Margie,

>   * _A unified system for third party access, for multiple parties, is
>     necessary_.  The EC letter recognizes that the current situation
>     is unworkable.   Volker’s statement that “/Disclosure can only
>     work on a per-request basis…” / seems to contradict the EC’s
>     concerns regarding the current situation where access is “left at
>     the discretion of registries and registrars”.  As noted in the
>     letter, this affects the … “ability to obtain legitimate access to
>     non-public registration data necessary to enforce the law online,
>     including in relation to the fight against cybercrime.”
>
This need not be a contradiction. Currently, contracted bear the legal 
risk for any non-compliant disclosure, so if that issue is fixed, the 
level of discretion can be reduced. Also, the model may include stricter 
guidelines for both contracted parties that create a much higher level 
of predictability towards the results of each request.

But even if the discretion is placed elsewhere, away from contracted 
parties, someone somewhere will have to make a determination whether any 
particular request demonstrates a legitimate interest of the requester 
that outweighs the rights of the data subject.

In other words: The UDM is needed and wanted, but it needs to comply 
with the legal principles of the GDPR. Or as the letter clearly states: 
"/Such a unified access model should be fully in line with EU data 
protection rules, in particular the GDPR./"

If that goal is missed, any model we design would be doomed to fail.

>   * _The Final Report was Too Restrictive_. The EC letters clearly
>     state that WHOIS is in the public interest, and that the EPDP
>     Final Report was too restrictive when it only relied on Articles
>     6(1)(f) as the legal basis for the new policy.  This is consistent
>     with the BC’s position in Phase 1.  We need to update our analysis
>     to recognize the other basis applicable (consent (Art. 6(1)a);
>     performance of a contract(Art. 6(1)b); compliance with a legal
>     obligation(Art. 6(1)c); protection of vital interest (Art. 6(1)d);
>     and public interest (Art. 6(1)e)), and ask that Bird & Bird
>     revisit its legal analysis in light of these developments.
>
It is clear that other bases are possible, however they all come with 
their own set of issues that will have to be addressed once we get to 
that. Any legal review would have to factor in such issues so it is too 
early to call for a review without first being able to define the scope 
of such a review.

>   * _The EC Guidance Reduces GDPR Risk_. The EC letter notes that it
>     has facilitated discussions between ICANN and the EDPB, and will
>     continue to do so.   This is good news, and means that the advice
>     likely reflects input from those discussions.  Following this
>     advice should reduce GDPR risk for ICANN and contracted parties in
>     creating a UAM.
>
I agree in as much as keeping the discussion going reduces the risk of 
immediate DPA compliance action, however this is not a carte blanche. If 
we were to develop something that has legal issues, the risk of 
contracted parties may actually increase as ICANN and by extention the 
CPs have been told repeatedly to get into compliance and if that is not 
achieved, we may be subject to harsher penalties than if no such advice 
had been received.

> Therefore, on the points of access and purposes, the BC submits that 
> the wording of today’s EC letter leaves little room for creative 
> interpretation.  They have repeated now, several times, the points 
> listed above, and have done so clearly.
>
Agreed. I never fully understood the quest for clarity by ICANN as I 
felt that the DPAs and the EC have always been quite clear.

-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190506/9f193af0/attachment-0001.html>

More information about the Gnso-epdp-team mailing list