[Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC

Volker Greimann vgreimann at key-systems.net
Tue Sep 24 08:49:28 UTC 2019


Hi Brian,

you seem to be under a fundamental misunderstanding about the concepts 
of the balancing test and decision-making as the decision whether to 
disclose the data is the fundamental decision about the data of the data 
subject in this case. I thought this would be understood by all and 
therefore would not need mentioning.

Automated decision making about how to handle the data and therefore the 
decision whether to disclose fundamentally affects the rights of the 
data subject.

Best,

Volker

On 24.09.2019 at 00:36, King, Brian via Gnso-epdp-team wrote:
>
> Hi all,
>
> It seems that we are mixing up a couple concepts that require 
> clarification in order for this conversation to be more productive.
>
> First, the concept of automated decision-making should be clarified. 
> As discussed in the Bird & Bird memo, the concept of automated 
> decision-making is limited to decisions about the data subject (not 
> decisions about whether to disclose their data). The types of 
> decisions about the data subject protected by GDPR include decisions 
> carrying the legal significance of denial of child or housing benefit 
> or refused admission to a country or denial of citizenship. It’s 
> necessary to clarify here that while the third parties who request and 
> might process this data need be cautious about their own automated 
> decision-making when using the requested data, the decision about 
> whether to disclose the data itself is not Article 22 decision-making.
>
> Then, the section of the Bird & Bird memo that Ayden references 
> describes requirements if the types of decision-making spelled out 
> above are explicitly authorized by national law. Those provisions are 
> irrelevant to our work for two reasons: 1) again, the disclosure 
> decision is not the type of legally significant decision-making that 
> Article 22 is intended to prevent, and 2) even if it were, the 
> disclosure decisions we’re talking about are grounded in 6.1.f or some 
> other 6.1. basis and not on the basis of a national law permitting 
> such decision-making.
>
> *Brian J. King*
> Director of Internet Policy and Industry Affairs
>
> T +1 443 761 3726
> markmonitor.com <http://www.markmonitor.com>
>
> *MarkMonitor*
> Protecting companies and consumers in a digital world
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf 
> Of *Ayden Férdeline
> *Sent:* Monday, September 23, 2019 2:40 PM
> *To:* Greg Aaron <greg at illumintel.com>
> *Cc:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting 
> #20 on Tuesday 24 September at 14.00 UTC
>
> Greg,
>
> I believe the existing legal advice, contained in Bird & Bird's legal 
> memo of 10 September 2019 (question 3), supports the need for natural 
> persons to have a right to object to data processing activities.
>
> On page 10 of the memo Bird & Bird advised, /"The initial and annual 
> notice and opt-out process suggested by the EPDP would not be 
> sufficient: an individual would be given general notice that an 
> automated process may be used, but would not know that a decision has 
> actually been taken on this basis and, unless an individual was aware 
> of this, he or she would not be in a position to take advantage of the 
> safeguards required by the GDPR."/
>
> They also advised (same page):
>
> /"... safeguards require the controller to notify the data subject as 
> soon as possible that a decision has been taken, at which point the 
> data subject has up to one month to require the controller to 
> reconsider the decision, with significant operational implications for 
> any urgent requests."/
>
> I still need to consult with NCSG colleagues regarding the language 
> that I proposed, but I believe any building block k language that does 
> not ensure there are mechanisms in place that allow registrants to 
> exercise their rights under the GDPR would be unacceptable to us.
>
> Thanks,
>
> Ayden
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Monday, 23 September 2019 18:10, Greg Aaron <greg at illumintel.com> wrote:
>
>     Ayden’s proposal has major flaws, and IMHO is a non-starter.
>
>     One: it does not propose a deadline for the registry/registrar to
>     provide any substantive response, i.e. the data or a denial.
>     Instead, it seems to allow contracted parties to not provide a
>     substantive response for sixteen days, and maybe more.  That sets
>     a very long response floor and expectation for the entire gTLD
>     world. The effective result will be: no flow of data.
>
>     Two: as we discussed in Los Angeles, we are trying to automate
>     what can be automated, including automated decision-making where
>     it is possible.  For anything that is automated, an ACK letter is
>     not necessary -- instead the data (or a 6(1)f denial) should just
>     come back in reply.  That would leverage RDAP, which is a goal of
>     ours.  See also the TSG paper.
>
>     Three: a written ACK is appropriate for requests that are made
>     offline, outside the system.  Even then, an acknowledgement of
>     receipt can be issued automatically and immediately by the
>     contracting party (with a tracking number).  That’s SOP for any
>     system that requires the tracking of submissions, and most
>     registrars already do it with customer service tickets.
>
>     Four: the proposal assumes that data subjects must be informed
>     every time a request for their data comes in, and that data
>     subjects have the right to decline the processing.  The GDPR does
>     not require either of those.  Instead, GDPR requires that the
>     data subject be made aware before of the processing that may
>     happen, and who generally the recipients may be.  Appropriately,
>     the Temp Spec already covers this – it requires registrars to
>     notify their registrants of the specific purposes for which their
>     data will be processed, and potential recipients, so case-based
>     notification is not required. (Temp Spec, Section 7.)  If the
>     policy needs to be more specific and tell registrants that they
>     are subject to GDPR Article 6 disclosures, then we should make
>     that happen.  Unfortunately Ayden’s proposal builds in a way for
>     data subjects to hide their criminal activity and cover their
>     tracks.  That is not necessary under the law, and it is contrary
>     to the GDPR’s intent.  SSAC provided the legal-sub team with draft
>     questions about these topics in the last submission round, and
>     hopefully those will go to Bird & Bird soon.
>
>     All best,
>
>     --Greg
>
>     *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org>
>     *On Behalf Of* Ayden Férdeline
>
>     *Sent:* Sunday, September 22, 2019 7:06 PM
>
>     *To:* Alex Deacon <alex at colevalleyconsulting.com>
>
>     *Cc:* gnso-epdp-team at icann.org
>
>     *Subject:* Re: [Gnso-epdp-team] Proposed agenda - EPDP Team
>     meeting #20 on Tuesday 24 September at 14.00 UTC
>
>     Hi Alex,
>
>     I envision this being some form of written communication (most
>     likely an email) that lets the SSAD requestor know that their
>     request has been successfully received and is being processed. I
>     also imagine it containing a copy of their request.
>
>     Thanks,
>
>     Ayden
>
>     ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
>     On Sunday, 22 September 2019 22:45, Alex Deacon
>     <alex at colevalleyconsulting.com> wrote:
>
>         Ayden,
>
>         Can you describe what form this "Receipt Acknowledgement
>         Letter" would take?
>
>         Alex
>
>         ___________
>
>         *Alex Deacon*
>
>         Cole Valley Consulting
>
>         alex at colevalleyconsulting.com
>
>         +1.415.488.6009
>
>         On Sat, Sep 21, 2019 at 11:41 AM Ayden Férdeline
>         <icann at ferdeline.com> wrote:
>
>             Hi,
>
>             Regarding building block k, I have alternate language that
>             I would like to table for consideration please.
>
>             _The language circulated in the below email is:_
>
>             *Building Block k)* /(Receipt of acknowledgement)/
>
>             The EPDP Team recommends that, consistent with the EPDP
>             Phase 1 recommendations, the response time for
>             acknowledging receipt of a SSAD request should be without
>             undue delay, but not more than two (2) business days from
>             receipt, unless shown circumstances does not make this
>             possible.
>
>             The response should also include information about the
>             subsequent steps as well as the timeline consistent with
>             the recommendations outlined below.
>
>             _Proposed new language (changes in red):_
>
>             *Building Block k)* /(_A_cknowledgement _of request_)/
>
>             The EPDP Team recommends that _upon receipt of an SSAD
>             request, the receiving entity shall issue a Receipt
>             Acknowledgement Letter which summarizes the applicant’s
>             requests. This should happen without undue delay and,
>             ideally, within two business days of the request being
>             received by the receiving entity. This response shall
>             include information about the subsequent steps to be taken
>             as well as a timeline for its processing. Following the
>             issuance of the Receipt Acknowledgement Letter, the
>             applicant shall have a fourteen-calendar-day period within
>             which it may make certain types of corrections to its
>             request. This is to permit the applicant to correct data
>             entry errors, change contact information, and to withdraw
>             the request if it is no longer required. Similarly, the
>             receiving entity of the request shall inform the data
>             subject(s) whose personal information is sought, unless
>             prohibited to make such a disclosure by law, and provide
>             the data subject with a reasonable window of time and the
>             opportunity within which they may object to their data
>             being processed._
>
>             Kind regards,
>
>             Ayden Férdeline
>
>             ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
>             On Saturday, 21 September 2019 02:19, Marika Konings
>             <marika.konings at icann.org> wrote:
>
>                 Dear EPDP Team,
>
>                 Please find attached the proposed agenda for the next
>                 EPDP Team meeting which is scheduled for Tuesday 24
>                 September at 14.00 UTC. To facilitate your
>                 preparation, please review the attached documents
>                 which include in addition to the relevant section from
>                 the zero draft, the relevant section from the SSAD
>                 worksheet that contains information in relation to the
>                 objective of addressing the topic as well as materials
>                 to review.
>
>                 Best regards,
>
>                 Caitlin, Berry and Marika
>
>                 ===========
>
>                 *EPDP Phase 2 - Meeting #20*
>
>                 *Proposed Agenda*
>
>                 Tuesday, 24 September 2019 at 14.00 UTC
>
>                 1. Roll Call & SOI Updates (5 minutes)
>
>                 2. Confirmation of agenda (Chair)
>
>                 3. Welcome and housekeeping issues (Chair) (5 minutes)
>
>                 a) Reminder - the EPDP Team members to populate the
>                 contents of the lawful basis table *by Wednesday 25
>                 September* (see
>                 https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT--
>                 9aD2lHZI/edit)
>
>                 b) Reminder - submit alternate form if members are not
>                 attending the Jan 2020 F2F meeting
>
>                 4. Acceptable Use Policy (Building block d & h) – first
>                 reading (30 minutes).
>
>                 a) Initial discussion
>
>                 b) Feedback from EPDP Team
>
>                 c) Confirm next steps
>
>                 5. Receipt of acknowledgement (building block k) –
>                 first reading (30 minutes)
>
>                 a) Initial discussion
>
>                 b) Feedback from EPDP Team
>
>                 c) Confirm next steps
>
>                 6. Who should be responsible for disclosure decision
>                 (15 minutes)
>
>                 a) Review additional team input provided (see
>                 https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQuniv8/edit)
>
>                 b) Consider team input and approach forward
>
>                 c) Confirm next steps
>
>                 7. Wrap and confirm next EPDP Team meeting (5 minutes):
>
>                 a) Thursday 26 September 2019 at 14.00 UTC
>
>                 b) Confirm action items
>
>                 c) Confirm questions for ICANN Org, if any
>
>                 */Marika Konings/*
>
>                 /Vice President, Policy Development Support – GNSO,
>                 Internet Corporation for Assigned Names and Numbers
>                 (ICANN) /
>
>                 /Email: marika.konings at icann.org/
>
>                 /Follow the GNSO via Twitter @ICANN_GNSO/
>
>                 /Find out more about the GNSO by taking our
>                 interactive courses
>                 <http://learn.icann.org/courses/gnso> and
>                 visiting the GNSO Newcomer pages
>                 <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>./
>
>             _______________________________________________
>
>             Gnso-epdp-team mailing list
>
>             Gnso-epdp-team at icann.org
>
>             https://mm.icann.org/mailman/listinfo/gnso-epdp-team
>
>             _______________________________________________
>
>             By submitting your personal data, you consent to the
>             processing of your personal data for purposes of
>             subscribing to this mailing list accordance with the ICANN
>             Privacy Policy (https://www.icann.org/privacy/policy)
>             and the website Terms of Service
>             (https://www.icann.org/privacy/tos).
>             You can visit the Mailman link above to change your
>             membership status or configuration, including
>             unsubscribing, setting digest-style delivery or disabling
>             delivery altogether (e.g., for a vacation), and so on.
>
>
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of 
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in 
England and Wales with company number 8576358.