[Gnso-epdp-team] [EXTERNAL] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
mmcross at amazon.com
Thu Jan 23 00:05:50 UTC 2020
I agree that understanding the legal implications and limits of "semi-automated" processing is important as we collaborate on how to automate the SSAD process to the greatest extent permitted. The good news from a resource and timing perspective is that we already have a memo from Bird & Bird on automation (opinion here: <https://community.icann.org/download/attachments/117604842/ICANN-EPDP%20-%20Question%203%20-%2010th%20September%202019%5B1%5D.pdf?version=1&modificationDate=1568143539000&api=v2>, summary of key points here: <https://docs.google.com/document/d/1rV0Iwo6HCABfP8oaxPC_u_D-vvjud15b/edit> on pg. 98) that provides both the legal framework for assessing these questions and directly addresses the question of potential categories of requests for automation.
Although we can characterize the entire system as a "semi-automated" SSAD, the ultimate question we are asking is can we allow the SSAD to make a specific decision in a fully automated manner. Here is the basic framework that Bird & Bird provided to answer that question:
* GDPR does not permit decisions based solely on automated processing which produce legal or similarly significant effects on the data subject.
* In most instances, a decision to release information via the SSAD will not in itself have a legal effect on the data subject. For our purposes, the question is whether the decision has a "similarly significant" effect on the data subject.
* It may be possible to determine categories of requests where the decision to disclose data would not have a "similarly significant" effect. For example, the disclosure of administrative contact details for non-natural registrants in response to malware attacks or IP infringement would not have a "similarly significant" effect.
* In other situations, disclosure of registrant data about a natural person may be much more likely to have a "similarly significant" effect. Considerable care would need to be taken over such analysis.
* For decisions more likely to have a "similarly significant" effect, human review or oversight is necessary. Token human involvement does not suffice. For the human review element to count, the controller must ensure meaningful oversight by someone who has the authority and competence to change the decision.
* Processes not involving a decision about the registrant can also be automated without producing "similarly significant" effects, for example authentication of an accredited requestor.
I think the takeaway (at least based on the state of the law today) is that most decisions short of the ultimate decision whether or not to disclose data can be fully automated, but that most decisions involving disclosing registrant data of a natural person will require meaningful human review. To be clear, this shouldn't foreclose the possibility of a model that evolves towards further automation of disclosure decisions, or individual controllers automating their own decision-making processes based on their assessment of the risks.
Hopefully this is helpful as we continue these discussions.
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Mark Svancarek (CELA) via Gnso-epdp-team
Sent: Tuesday, January 21, 2020 11:16 AM
To: Amr Elsadr <aelsadr at icannpolicy.ninja>; gnso-epdp-team at ICANN.org
Subject: Re: [Gnso-epdp-team] [EXTERNAL] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
Hi, I also apologize for sending this in after the deadline. I didn't see any need to change any of the existing proposed questions.
My concern is not about the questions already being readied for submission. Rather, I am concerned that we aren't asking about the implications and limits of semi-automated processing of disclosure requests.
By "semi-automated processing", I mean processing which is mostly automated but which contains triggers which pass requests off to a human. Examples might be "your credentials are valid but I have never received a request from you", "the nature or volume of requests has suddenly changed", "the data subject is a child", or "your credentials indicate that you are LEA from a jurisdiction of concern".
All of the models we have discussed can support semi-automated request processing.
- In the centralized model, the automation could happen at the central authorizer.
- In the hybrid model, each CP could utilize automated processing within their own systems.
- And we've had further suggestions for additional hybridization in the recent calls, where CPs pool resources to share an authorizer, or where a central authorizer automates a portion of the requests and hands off some subset of them back to the CP for processing.
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Amr Elsadr
Sent: Monday, January 20, 2020 1:55 AM
To: Mark Svancarek via Gnso-epdp-team <gnso-epdp-team at icann.org>
Subject: [EXTERNAL] [Gnso-epdp-team] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
Apologies for not sending these in before the deadline, but attached is the NCSG Team feedback on the Batch 2 legal questions proposed by the Legal Committee to be sent to Bird & Bird.
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org