[Gnso-epdp-team] Observations on the EC Letter Shared Today

Mark Svancarek (CELA) marksv at microsoft.com
Mon May 6 18:22:23 UTC 2019

Hi, Volker, my comments are inline, below.  Please LMK if they are not clear or helpful.

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Volker Greimann
Sent: Monday, May 6, 2019 02:57
To: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] Observations on the EC Letter Shared Today

Hi Margie,

  *   A unified system for third party access, for multiple parties, is necessary.  The EC letter recognizes that the current situation is unworkable.   Volker’s statement that “Disclosure can only work on a per-request basis…”  seems to contradict the EC’s concerns regarding the current situation where access is “left at the discretion of registries and registrars”.  As noted in the letter, this affects the … “ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime.”

This need not be a contradiction. Currently, contracted parties bear the legal risk for any non-compliant disclosure, so if that issue is fixed, the level of discretion can be reduced. Also, the model may include stricter guidelines for both contracted parties that create a much higher level of predictability towards the results of each request.

[Mark Svancarek] Regarding non-contradiction: Perhaps we are talking past each other – maybe we are in agreement but using different terms.  We tried to develop terminology defining “disclosure” and “access” and other things during Phase 1, but we started too late and we weren’t completely successful.  Developing a shared terminology/taxonomy earlier in Phase 2 will benefit us all.

But even if the discretion is placed elsewhere, away from contracted parties, someone somewhere will have to make a determination whether any particular request demonstrates a legitimate interest of the requester that outweighs the rights of the data subject.

[Mark Svancarek] Regarding discretion: Regardless whether responsibility resides with contracted parties, or moves elsewhere, I’d like us to confirm whether the discretion can be programmatic and automatable.

[Mark Svancarek] (That is, if a currently accredited party is currently authorized to perform specific processing of specific data under a specific legal basis in jurisdiction and under a specific code of conduct, and if the identity of the party can be authenticated in a secure fashion, and if the system can be audited, then the process of authorizing the disclosure of data based on these criteria and these proofs of identity and authorization could probably be programmatically approved in an automated fashion over time, with only a small number of exceptional cases requiring additional scrutiny.)

In other words: The UDM is needed and wanted, but it needs to comply with the legal principles of the GDPR. Or as the letter clearly states: "Such a unified access model should be fully in line with EU data protection rules, in particular the GDPR."

If that goal is missed, any model we design would be doomed to fail.

[Mark Svancarek] I don’t think anyone ever disagreed that we must be compliant 😊 We just didn’t have full certainty which designs are defensible, so we are still working in part from our own existing assumptions (such as mine, above).  I think we’ve made progress, though (latest B&B opinions; EC letters; etc.) so I remain confident that we won’t remain blocked for too long.

  *   The Final Report was Too Restrictive. The EC letters clearly state that WHOIS is in the public interest, and that the EPDP Final Report was too restrictive when it only relied on Article 6(1)(f) as the legal basis for the new policy.  This is consistent with the BC’s position in Phase 1.  We need to update our analysis to recognize the other bases applicable (consent (Art. 6(1)(a)); performance of a contract (Art. 6(1)(b)); compliance with a legal obligation (Art. 6(1)(c)); protection of vital interests (Art. 6(1)(d)); and public interest (Art. 6(1)(e))), and ask that Bird & Bird revisit its legal analysis in light of these developments.

It is clear that other bases are possible; however, they all come with their own set of issues that will have to be addressed once we get to that. Any legal review would have to factor in such issues, so it is too early to call for a review without first being able to define the scope of such a review.

[Mark Svancarek] Probably another example of “need not be a contradiction”.

  *   The EC Guidance Reduces GDPR Risk. The EC letter notes that it has facilitated discussions between ICANN and the EDPB, and will continue to do so.   This is good news, and means that the advice likely reflects input from those discussions.  Following this advice should reduce GDPR risk for ICANN and contracted parties in creating a UAM.

I agree inasmuch as keeping the discussion going reduces the risk of immediate DPA compliance action; however, this is not a carte blanche. If we were to develop something that has legal issues, the risk to contracted parties may actually increase, as ICANN and by extension the CPs have been told repeatedly to get into compliance, and if that is not achieved, we may be subject to harsher penalties than if no such advice had been received.

[Mark Svancarek] I would hope potential penalties would only be harsher if we disregarded the advice.  I don’t know that we can demonstrate best effort or good faith if we don’t ask clarifying questions up front… but maybe I misunderstood your comment, sorry.

Therefore, on the points of access and purposes, the BC submits that the wording of today’s EC letter leaves little room for creative interpretation.  They have repeated now, several times, the points listed above, and have done so clearly.

Agreed. I never fully understood the quest for clarity by ICANN as I felt that the DPAs and the EC have always been quite clear.

Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.