Content Comparison

PROPOSED AGENDA

1. Roll Call & SOI Updates
2. Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

a) Substantive review of SSAD questions (beginning where LC left off last week)

• Updated Question 11  (proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners¹ (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?

For purposes of this question, please assume the following safeguards are in place:

• Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
• CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
• ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: 
• represents that it has a lawful basis for requesting and processing the data,  
• provides its lawful basis, 
• represents that it is requesting only the data necessary for its purpose,  
• agrees to process the data in accordance with GDPR, and  
• agrees to EU standard contractual clauses for the data transfer.  

Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.

Status: Thomas, Volker, Brian and Margie to work together on refining this question.  Legal Committee to review during the next call.

• Updated Question 12 and 13 : LC to review simplified question before sending to EPDP Team for sign off: In light of the 3 May 2019 correspondence from the European Commission, are any updates on the previous memo on 6(1)(b) necessary? 

Status: Further to the feedback from the plenary team, Margie to review the previous memo on 6(1)(b) and propose updated and specific language for review by the Legal Committee.

• Question 6 : Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)

Status: awaiting updated text from Brian/Georgios

3. Additional questions/issues raised for discussion

a) Suggestion from Farzaneh: Add a general question about how to carry out the balancing test

b) Draft question from Hadia:

Part of the rights that GDPR gives to individual users are in relation to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure in addition, to performing the balancing test in case article 6(1)f is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions especially where a large number of requests are being analyzed.

The EPDP team would appreciate Bird & Bird answers to the following:

1.The potential risks to the controllers/processors associated with automated decision making especially that a margin of error could always exist

2. The conditions/precautions that should be applied if automated decision making is to be used.

3. Could a balancing test be used to weigh up the risks of using the results and how could this be best done.

Note: Legal Committee agreed to review legal advice received from first batch of questions and assess whether this question, or a permutation thereof, is needed.

c) Agree on next steps

4. Wrap and confirm next meeting to be scheduled

a) Confirm action items

b) The next LC Meeting will take place on Tuesday, 17 September at 14:00 UTC.

BACKGROUND DOCUMENTS