[ODP-SSAD] Request for verification/feedback on SSAD recommendations

Wed Oct 20 15:07:28 UTC 2021

Hello Yuko,

Looking forward to our conversation in less than an hour.
I prepared answer to the second question, but would like to better
understand the first one. I will formulate full response after our
conversation.
The answer to the Q2 is as follows:

Your assumption is correct.  Even EPDP was created to develop ICANN policy
to accommodate the GDPR requirements, the EPDP Team took broader approach
and attempted to formulate recommendations that would correspond to all
existing and possible future privacy regulations in different parts of the
world. Reference to specific provisions of GDPR in 9.4.1 is evident as it
was existing regulation at the time of the formulation of the
recommendation.
JK

On Mon, Oct 18, 2021 at 11:59 PM Yuko Yokoyama <yuko.green at icann.org> wrote:

> Dear Janis,
>
>
>
> As we continue to develop Org’s assessment for the SSAD ODP, we came to
> additional questions/assumptions that we would like GNSO Council’s
> confirmation and/or clarifications.
>
> *Contractual Compliance*
>
> In the SSAD, there are two areas that implicate ICANN Contractual
> Compliance intervention:
>
>    1. Alert mechanisms/complaints regarding Contracted Party behavior
>    (Recs 5.3, 5.4)
>
> The recommendation states the “alert mechanism is not an appeal mechanism
> – to contest disclosure or non-disclosure affected parties are expected to
> use available dispute resolution mechanisms such as courts or Data
> Protection Authorities…”
>
>
>
> As a result, Compliance’s role is limited to investigating complaints
> related to procedural failures by the contracted party.
>
>
>
>    1. Contracted Party SLA requirements (Rec 10)
>
>
>
> Similar to existing processes, complaints or investigations related to
> contracted party requirements for SSAD may be received and processed
> through public-facing complaint forms that feed into the Naming Services
> portal (NSp) and result in individual cases.
>
>
>
> If needed, develop automation of complaints related to violations as those
> may be triggered from internal reporting.
>
>
>
> *Question 1: Does the proposed approach regarding development of potential
> complaint forms or automated notifications (where possible) fulfill the
> intentions of the recommendations?*
>
> *Automation of Disclosure Request Processing*
>
> Per recommendation 9.4, only the following categories are considered to
> meet the criteria for automated processing of data disclosure:
>
>    - Requests from Law Enforcement in local or otherwise applicable
>    jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2)
>    processing is to be carried out under a GDPR, Article 2 exemption;
>    - The investigation of an infringement of the data protection
>    legislation allegedly committed by ICANN/Contracted Parties affecting the
>    registrant;
>    - Request for city field only, to evaluate whether to pursue a claim
>    or for statistical purposes;
>    - No personal data on registration record that has been previously
>    disclosed by the Contracted Party.
>
>
>
> *Question 2: We note the first bullet specifically references the GDPR.
> Our understanding is the above categories were included in the legal
> guidance provided to the EPDP Team, and the legal guidance specifically
> referenced the GDPR. Our assumption is the EPDP Team considered this
> guidance in developing this recommendation but did not intend to exclude
> privacy laws outside the GDPR. In other words, though this first use case
> only references the specific scenario in which a law enforcement requestor
> has a legal basis for processing under GDPR 6(1)e (or whose processing is
> explicitly exempted from GDPR’s restrictions on data processing), other law
> enforcement authorities who are outside the EU might also qualify for
> automated disclosure if they have a comparable legitimate interest in
> processing such data under their own local law. Can you please confirm if
> this assumption is correct (or if, conversely, the intention was only for
> EU law enforcement requests to have the potential for automation under this
> use case)? *
>
>
>
> We would very much appreciate your help in relaying these questions to the
> GNSO Council. If you have any questions, please do not hesitate to contact
> us.
>
>
>
> Regards,
>
>
>
> Yuko Yokoyama
>
> Program Director
>
> Strategic Initiatives, Global Domains & Strategy
>
> Internet Corporation for Assigned Names and Numbers (ICANN)
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/odp-ssad/attachments/20211020/ac9cf324/attachment.html>