[gnso-rds-pdp-wg] Legal basis vs. lawful

Marika Konings marika.konings at icann.org
Tue Feb 6 21:54:23 UTC 2018


To kick off this discussion for action item #1, the proposed WG agreement read:



Possible agreement: If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.

The question was raised during the meeting whether the reference should be to legal basis or should be lawful instead. Maybe I can restate the question I asked in Adobe Connect to get the conversation going:

“Isn't all processing required to be lawful as otherwise it would be unlawful, or am I missing something (so basically isn't this implicit in any recommendations the WG would put forward)?”

As a reminder: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteered to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
Best regards,

Marika

From: gnso-rds-pdp-wg <gnso-rds-pdp-wg-bounces at icann.org> on behalf of Lisa Phifer <lisa at corecom.com>
Reply-To: Lisa Phifer <lisa at corecom.com>
Date: Tuesday, February 6, 2018 at 15:33
To: "gnso-rds-pdp-wg at icann.org" <gnso-rds-pdp-wg at icann.org>
Subject: [gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 6 February


Dear all,

Below please find notes from today’s RDS PDP WG meeting.

To recap Action Items from today’s call: https://community.icann.org/x/9wq8B

  *   Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.



  *   Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."



  *   Note: All WG members are encouraged to participate in this week’s poll before it closes COB Saturday 10 February.

Best regards,
Lisa


Action Items and Notes from RDS PDP WG Call – 6 February 2018
These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.
1. Roll Call/SOI Updates

  *   SOI Update from Klaus Stoll: Now also a Visiting Professor at Xi'an Jiaotong-Liverpool University, Suzhou
  *   Call Handout: https://community.icann.org/download/attachments/79432439/Handout-6February-RDSWGCall.pdf
  *   Poll Results: https://community.icann.org/download/attachments/79432439/AnnotatedResults-Poll-from-30JanuaryCall.pdf
2. Discuss list of criteria that make purposes legitimate for processing
a. See GDPR definition of processing and Q2 poll results <https://community.icann.org/download/attachments/79432439/AnnotatedResults-Poll-from-30JanuaryCall.pdf?version=1&modificationDate=1517853136000&api=v2>

  *   Q2 (criteria) was discussed last week, producing a revised possible agreement polled on
  *   Results for all variants of that possible agreement ranged from 56-41% support or could live with
  *   After considering responses and comments, the leadership proposes two possible agreements for WG consideration to address main concerns
Leadership-suggested Possible agreement #1

  *   One main concern expressed in poll results: consistency with ICANN's mission.
  *   Long-standing topic of discussion within community. Ultimately the board interprets ICANN's mission and will do so when considering any recommended policies
  *   Excerpts from ICANN's mission on slides 15-17 of Call Handout <https://community.icann.org/download/attachments/79432439/Handout-6February-RDSWGCall.pdf?version=1&modificationDate=1517891437000&api=v2>
  *   Given mixed poll responses that supported, opposed, and provided alternatives to this criterion, the leadership proposed this as a possible compromise:
     *   Any purpose for processing registration data must be consistent with ICANN's mission as it relates to RDS. Any recommended purpose must be confirmed by the board with respect to consistency with ICANN's mission.
  *   Comments and Questions:
     *   Does "as it relates to the RDS" narrow scope of what falls within ICANN's mission for the WG's deliberation?
     *   How do WG members interpret this possible agreement - for example, inclusion of access to registration data by law enforcement or fighting cyber-issues?
     *   Is the phrase "as it relates to RDS" redundant and subject to misinterpretation?
     *   Is the second sentence just trying to make people feel better or does it open the WG's recommendations to reconsideration?
     *   The Board cannot act outside of ICANN's mission so if there would be a serious concern that this WG would be recommending anything that would be outside of ICANN's mission, the Board would need to act accordingly.
     *   Revised Possible agreement (based on comments thus far): Any purpose for processing registration data must be consistent with ICANN's mission.
     *   Is processing RDS data for purposes of DNS abuse investigation (including by law enforcement) consistent with ICANN mission?  This is the advantage of the "not inconsistent" language we discussed last week.
     *   Why was the proposed agreement phrased in the way it was, and what is lost by trimming the agreement?
     *   The GAC certainly thinks that allowing DNS abuse investigation is within scope of ICANN's mission.  (Which includes Germany the last time I checked.) https://www.icann.org/en/system/files/files/gdpr-comments-gac-icann-proposed-compliance-models-29jan18-en.pdf
     *   Several chat comments express a strong preference for "not inconsistent with" instead of the proposed revised phrasing -- some do not view the change from "not inconsistent" to "consistent" as a compromise, at least without a clearer idea of how a criterion of "consistent with" would be applied.
Leadership-suggested Possible agreement #2

  *   Another main concern expressed in poll results: whether criteria will be applied using AND, OR, or AND/OR
  *   Given mixed poll responses on this point, the leadership proposed separating this out as a standalone criterion:
     *   If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
  *   Comments and Questions:
     *   If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
     *   Difference between "legal basis" and "lawful basis" - should agreement be revised to "lawful basis" ?
     *   Note: Art. 6 GDPR Lawfulness of processing: (1) Processing shall be lawful only if and to the extent that at least one of the following applies
     *   "legal basis" occurs several times in GDPR. E.g., Article 13: "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: [...] the legal basis for the processing"
     *   The terms lawful and legal differ in that the former contemplates the substance of law, whereas the latter alludes to the form of law. A lawful act is authorized, sanctioned, or not forbidden by law. A legal act is performed in accordance with the forms and usages of law, or in a technical manner. Lawful legal definition of lawful - Legal Dictionary - The Free Dictionary
     *   Suggestion: evaluate "legal" and "lawful" as they apply to the proposed change, to be reviewed by the group for next week -- because it seems to be a substantive change with consequences
     *   If (b) wording is not resolved then it is not possible to go through each purpose to see if that purpose satisfies (b).
     *   It depends on the lawfulness in the jurisdictions applicable to the provider of the data (which includes applicability of the GDPR to foreign providers when handling EU data subjects' data)
Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
Criterion also addressed by last week's poll: "Inherent to the functionality of the DNS"

  *   Should this be tested as a separate criterion in this week's poll?
  *   If so, how would the proposed agreement be phrased (as an AND or an OR which applied to any purpose) -- that is, would EVERY purpose be required to be inherent to the functionality of the DNS, or would SOME be legitimate because they were inherent to the functionality of the DNS
  *   What does “inherent to the functionality of the DNS” mean? Something required for the DNS to function at all, or to function as intended (with all the policies surrounding the DNS that have been created by ICANN)
  *   Here are two examples from ICANN's mission from Bylaws Annexes G-1 & G-2 that I do not believe are 'inherent to the functionality of the DNS': prohibitions on warehousing of or speculation in domain names by registries or registrars; reservation of registered names in a TLD that may not be registered initially or that may not be renewed due to reasons reasonably related to (i) avoidance of confusion among or misleading of users, (ii) intellectual property, or (iii) the technical management of the DNS or the Internet (e.g., establishment of reservations of names from registration).
  *   We have issues that involve the workings of the Internet which you could trace back (convoluted in some cases) to functionality of the DNS, but other issues that involve just the actual characters themselves in their relation to ability to use/not use that are completely unrelated to any technical thing. Those rights protections systems (UDRP and others) rely on RDS data for both rights holders AND registrants to protect their respective interests.
  *   One possible phrasing to test: One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy.
  *   Note that the intent of "inherent to the functionality of the DNS" was discussed at length during the 16 January call
Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."
3. Discuss list of purposes for processing based on criteria - DEFERRED
4. Confirm agreements for polling & next steps

  *   Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
  *   Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."

5. Confirm next meeting: Tuesday 13 February at 17:00 UTC

Meeting Materials: https://community.icann.org/x/9wq8B