[Gnso-epdp-team] Access definition

Mon May 27 13:28:09 UTC 2019

The problem, based on our experience in both the RDS and the Phase one of EPDP, is that several parties tend to conflate the use of the term and help themselves to a legal right that does not exist.  We are actually trying to draft a policy that is compliant with and gives effect to legal obligations, it is customary to continue to use the legal terms correctly in the drafting of policy.

This is not to detract in any from the legitimate purposes of the parties who wish to obtain data.

A further complication of the term "access" is that the long history of ICANN providing free public access (as opposed to the kind of access one has a right to under data protection law, which is often circumscribed by legal restrictions, cost, or supervision (e.g. prisoners getting access to their files)) further adds to confusion in our common understanding of the term.  We would strongly encourage us using the term "access" as it is used in the GDPR, to avoid all this confusion and conflation of meanings.

Stephanie Perrin

On 2019-05-26 02:47, jk wrote:
Milton,

Can’t we think in terms of access as  right (for data subjects) and access of third parties to non-private data per established procedure.
On the former, you gave full justification in your e-mail.
For the latter, for example, LEA may get access to full or limited set of data by a court warrant. Other groups may too as a result of a certain established policy and process.
For the sake of our exercise, precise legal definition is not essential, but rather common understanding.

Just a thought
JK

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Mueller, Milton L
Sent: Saturday, May 25, 2019 3:04 PM
To: gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] Access definition

Here is the definition of “access” in the GDPR.
Article 15, EU GDPR, "Right of access by the data subject"

1.       The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
http://www.privacy-regulation.eu/en/article-15-right-of-access-by-the-data-subject-GDPR.htm

It is abundantly clear that legally, “access” refers to a general and unconditional right of the data subject to see data about themselves and to understand the provenance of the data a processor or controller has about themselves.

For the sake of legal accuracy, clarity, and avoidance of confusion let us cease confusing third party disclosure rights with data subjects’ access rights. The working definitions proposed are invalid and need to be modified in conformity with proper legal usage.

I am sure we will have a robust policy debate about how extensive or limited third party disclosure rights are. Let us not waste time playing word games (i.e., conflating data subject access rights with third party disclosure rights) instead.

Dr. Milton L Mueller
Georgia Institute of Technology
School of Public Policy
[IGP_logo_gold block]

_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190527/94ac25e2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 49455 bytes
Desc: image002.png
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190527/94ac25e2/image002-0001.png>