[Gnso-epdp-team] questions for Bird & Bird

Greg Aaron greg at illumintel.com
Fri Sep 27 17:43:02 UTC 2019

Dear Leon et al:


Following up on the first round of answers from Bird & Bird and the F2F,
SSAC would like to following to be reviewed by the legal sub-team and sent
to Bird & Bird.  We've tried to make sure that these are new questions and
are not duplicative of info we got from the first batch.  The SSAC team
feels these are important questions to ask per the current work and the



                The defense of networks, the prevention of fraud, resisting
cybercrime, and indicating possible criminal acts or threats to public
security to a competent authority are tasks performed by third parties who
are not law enforcement or government agencies. Such parties have legitimate
interests in making data requests under GDPR, notably under Article 6(1)f;
see also Recitals 47, 49, and 50. We are considering balancing where the
data subject may be infringing upon the rights of others, and the safety of
third-party requestors who deal with cybercrime.  The third-party purposes
above also require timely responses to data requests.

Assume that registrars notify their registrants up-front of the purposes of
data collection, under what circumstances the data may be released, the
right to object, etc.  

a.            When a data controller receives a legitimate third-party data
request, under what circumstances is the controller required under GDPR to
explicitly notify the data subject that a request has occurred, and/or that
it has provided data to a third party? 

b.            Under what circumstances do data subjects have the right to
object under GDPR  to the release of their data to third parties?  Per Bird
& Bird's Question 3 memo, ICANN's use cases do not involve profiling or
highly sensitive data categories (race, political affiliation, etc.), and "a
decision to release information via the SSAD is would not in itself have
legal effect on the data subject."

c.             Are data controllers ever required to notify the data subject
of the identity of a third-party requestor?

d.            Please confirm: when a data subject objects to processing, the
decision to release the data resides with the data controller? 

e.            If a registrant must be notified of a request and then be
given the opportunity to object, please explain how this process can be
reconciled with or integrated into a SSAD that is designed to provide timely
data exchange when possible and does not involve "a decision based solely on
automated processing". (See Bird & Bird's Question 3 memo, paragraph 1.12.)



Registration data submitted by legal person registrants may contain the data
of natural persons.  For example the contact data they provide may include a
natural person's name and email address. Legal person registrants also have
the ability to publish non-personally identifiable contact data
("admin at companyname.com") should they desire.

If registrants are required to self-identify as either a natural or legal
person, then:

a.            Can registrars rely on that self-identification?  

b.            Can registrars make the contact data submitted by legal person
registrants publicly available in RDS (WHOIS), by stating that it is the
responsibility of a legal person registrant to obtain consent from any
natural person whose data it submits?  

Please state any considerations, such as the ability of the registrant to
correct its data.

As part of the analysis, please examine the policies of the Internet
protocol (IP address) registries RIPE NCC (the registry in Europe, based in
the Netherlands) and ARIN (the registry in North America, which has customer
contacts in Europe).  These registries publish the data of natural persons
who are subject to the GDPR, publicly via their WHOIS services, by placing
the choice and responsibility on their registrants, who are legal persons.
IP addresses and domain names are two sides of the same coin, and these IP
address registries state mission justifications and collection purposes
similar to those in ICANN's Temporary Specification. See:

1) "How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data
Processing and the RIPE Database":


2)  "How We're Implementing the GDPR: The RIPE Database":

3) "Personal Data Privacy Considerations At ARIN":

4) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/

5) ARIN Registration Services Agreement, paragraph 3:

6) ARIN Privacy Policy: https://www.arin.net/about/privacy/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190927/fd9f66ff/attachment.html>

More information about the Gnso-epdp-team mailing list