[Gnso-epdp-team] ICANN org response to 28 January question concerning "liability risk"

Amy Bivins amy.bivins at icann.org
Thu Feb 25 20:18:33 UTC 2021


Dear All,


Below is a response from ICANN org to a question raised by the EPDP 2A Team on 28 January: How does ICANN org see its liability risk to enforce mandatory differentiation of legal v. natural persons? For example, the risk for a registry is for 1 zone, for ICANN, the risk is likely for thousands of contracted parties.


We understand this question about potential liability for differentiation of registration data of legal vs natural persons is being asked from the perspective that a contractual requirement (including a requirement in a consensus policy or a temporary policy that contracted parties must comply with under their agreements with ICANN) for differentiation between data of legal and natural persons would make ICANN a controller with respect to any processing of personal data that might occur as a result of that differentiation. (As a side note, this question asks about “ICANN org” liability in relation to controllership. To clarify, however, such liability would exist for ICANN, the Internet Corporation for Assigned Names and Numbers, a California non-profit, public benefit corporation, and not only for ICANN org, as a part of ICANN.)



The concepts of controller and processor cannot always be clearly differentiated from each other and, in particular, the concept of joint controllership is still developing and in the process of being shaped by court decisions and data protection authority guidance (see Draft Guidelines 07/2020 on the concepts of controller and processor in the GDPR<https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en>).  At the moment, it’s not clear whether a Consensus Policy requirement, alone and absent ICANN’s actual involvement in processing contemplated under any such Policy, would make ICANN a controller for this processing.



ICANN org has been advocating for clarity in this regard.  For example, ICANN org’s 19 October 2020 Public Comment to the Guidelines 07/2020<https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/guidelines-072020-concepts-controller-and-processor_en>, Feedback Reference 07/2020-0047 stated: “… ICANN org would recommend a further clarification of whether a contract between the parties, alone, would lead to a joint controllership assumption if one party lacks any factual influence on the processing. The Board states that “[i]n line with the factual approach, the word “determines” means that the entity that actually exerts influence on the purposes and means of the processing is the controller.” Building on that, it should be emphasized that a contractual set of rules or a joint code of conduct, without further possibilities of exerting control over the actual processing activities, is not sufficient to assume joint controllership and that independent controllership would need further examination on the basis of the other criteria described for control stemming from factual influence in the Guidelines.” In the same Public Comment document, ICANN org also rejected the notion that requirements stated in policies may lead per se to an assumption of controllership: “…, adherence to international community-based policies by decentralized organizations (e.g., umbrella associations, standardization organizations, global think tanks) should not per se lead to a general controllership assumption of both the members and the organization itself. This is particularly important if the latter merely coordinates the policy-making process, as is the case with many governance models in the digital space.”



Some have asked about how the NIS2 might apply in this scenario, and members of the Phase 2A team have raised questions about whether and how the team could or should account for NIS2 in their current work. Among other things, article 23 (4) of the NIS 2 Directive requires that “Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data.”



In ICANN org’s view, under the wording of Article 23 (4) as proposed in the NIS 2 Directive, the issue of presumably non-personal data such as the domain name or the legal person’s name containing data that are to be considered personal data under EU data protection rules remains. Therefore, the question also remains by which means a differentiation between personal and non-personal data shall be accomplished and how liability under EU data protection law is allocated if personal data are mistakenly published in this process. ICANN org intends to highlight that in the contribution it plans to submit to the public consultation on NIS2 and welcomes additional clarification.



In any event, if the EPDP Team develops consensus policy recommendations concerning differentiation, and the Board determines it is in the best interests of the ICANN community and directs ICANN org to implement such recommendations, ICANN org would do so.


Regards,


Amy and Brian G.

