[Gnso-epdp-team] Bird & Bird response to question on legitimate interests and automated submissions and/or disclosures

Caitlin Tubergen caitlin.tubergen at icann.org
Tue Sep 10 19:02:17 UTC 2019

Dear EPDP Team: 


Attached, please find a legal memo from Bird & Bird in response to the following question:

Assuming that there is a policy that allows accredited parties to access non-public WHOIS data through an SSAD (and requires the accredited party to commit to certain reasonable safeguards similar to a code of conduct), is it legally permissible under Article 6(1)(f) to:

·         define specific categories of requests from accredited parties (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer), for which there can be automated submissions for non-public WHOIS data, without having to manually verify the qualifications of the accredited parties for each individual disclosure request, and/or

·         enable automated disclosures of such data, without requiring a manual review by the controller or processor of each individual disclosure request.

In addition, if it is not possible to automate any of these steps, please provide any guidance for how to perform the balancing test under Article 6(1)(f).


For reference, please refer to the following potential safeguards: 


·         Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).

·         CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so. 

·         ICANN or its designee has validated the requestor’s identity, and required that the requestor: 

o    represents that it has a lawful basis for requesting and processing the data, 

o    provides its lawful basis,

o    represents that it is requesting only the data necessary for its purpose, 

o    agrees to process the data in accordance with GDPR, and 

o    agrees to standard contractual clauses for the data transfer. 

·         ICANN or its designee logs requests for non-public registration data, regularly audits these logs, takes compliance action against suspected abuse, and makes these logs available upon request by the data subject.


Thank you.


Best regards,


Marika, Berry, and Caitlin



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190910/13f407e8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ICANN-EPDP - Question 3 - 10th September 2019[1].pdf
Type: application/pdf
Size: 316667 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190910/13f407e8/ICANN-EPDP-Question3-10thSeptember20191-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190910/13f407e8/smime-0001.p7s>

More information about the Gnso-epdp-team mailing list