[Gnso-epdp-team] ICANN Meets with Belgian Data Protection Authority

Thu Feb 20 21:47:59 UTC 2020

Colleagues:
I really have to push back against Hadia’s interpretation of the ICANN blog post, and the blog post itself.

As others pointed out, the blog’s claim that “a centralized model” is better for security is just the writer’s opinion. The claim is seriously undermined by the fact that we do not know whether they were talking about centralization of requests, or centralization of disclosure, or both. In this respect, the discussion within EPDP, which makes a clear distinction between request and disclosure centralization, is a far more advanced than ICANN’s old UAM concept. So merely on the basis of its ambiguity, this alleged principle is meaningless. And from a cybersecurity standpoint, it should be obvious that centralization/automation of disclosure is very bad for the privacy of the data subject, because it allows any accredited user to get private data without any reviews. I have a hard time believing that any DPA would sanction something like that if they were presented with a clear explanation of it.

As for the second alleged principle, it is a worthless tautology. In essence, it says: Automated decision making is allowed under GDPR as long as the GDPR allows it. Well, thank you very much.

The problem is that automated disclosure decisions does not permit one to see whether the request actually conforms to the criteria that would authorize disclosure. Automation thus massively increases the risk that disclosures that are not compliant will be made.

This whole episode is just another demonstration of why ICANN org’s insistence on mediating between us and the DPAs is unhelpful; I wish they would stop. No issue we face has been clarified; no part of our work has been advanced by this exchange. We just debate different interpretations of these meetings based on different policy preferences. Worst of all, we do not know how ICANN org presents issues to the DPAs in these private meetings.

Can we call a moratorium on these unwanted and unneeded parallel interventions?

And if not, can we at least teach Goran and his staff to say “SSAD” instead of “UAM,” so that we are sure we are talking about the same thing? It’s only one more letter, it shouldn’t be hard.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology
[IGP_logo_gold block_email sig]

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Hadia Abdelsalam Mokhtar EL miniawi
Sent: Thursday, February 20, 2020 11:00 AM
To: Journoud, Franck <Franck_Journoud at motionpictures.org>; Johan Helsingius <julf at julf.com>; gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] ICANN Meets with Belgian Data Protection Authority

Dear All,

As I have said on the call today I also found the blog useful, it highlighted two main principles. First, a centralized model is better in terms of security and in relation to the data subjects and second, an algorithm that automates decision making is allowed under GDPR as long as it can demonstrate the decision was taken in accordance with the criteria set by GDPR. We keep thinking about the liability, but given the limited time we have, we need to focus on having a workable, efficient system that is compliant with GDPR.

Best
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Journoud, Franck
Sent: Thursday, February 20, 2020 4:55 PM
To: Johan Helsingius; gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] ICANN Meets with Belgian Data Protection Authority

Dear Janis, ICANN org liaisons and EC EPDP members,

I'd like to reiterate the point that I made on the EPDP call today. I have found the blog post very helpful and sincerely thank Göran for writing it - and yet it is insufficient. I appreciate that this was a meeting rather than formal legal guidance, but it'd still be helpful if all 'our' attendees (ICANN org staff, Janis, EC) could pool their notes and analysis to produce as detailed as possible an account of what the Belgian DPA reps said. This should be followed by these attendees attending an EPDP call so that we can ask follow-up questions. Surely we can get more our of that extremely important interaction than informative and useful, but short couple of substantive paragraphs.

-Franck

Franck Journoud | VP, Tech Policy | MPA | E franck_journoud at motionpictures.org<mailto:franck_journoud at motionpictures.org> | O (202) 378-9127 | M (202) 285-7322

-----Original Message-----
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> On Behalf Of Johan Helsingius
Sent: Wednesday, February 19, 2020 4:49 PM
To: gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: [Gnso-epdp-team] ICANN Meets with Belgian Data Protection Authority

WARNING - External Sender

https://www.icann.org/news/blog/icann-meets-with-belgian-data-protection-authority
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

CONFIDENTIALITY NOTICE: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is strictly prohibited. If you have received this communication in error, please notify the sender by return e-mail and delete and/or destroy all copies of this communication and any attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200220/cef7a328/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 2697 bytes
Desc: image001.jpg
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200220/cef7a328/image001-0001.jpg>