Versions Compared

Version Old Version 7 New Version 8
Changes made by

Terri Agnew

Michelle DeSmyter

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

PROPOSED AGENDA


Proposed Annotated Agenda

  1. Roll Call & SOI Updates
  2. Discussion of Bird & Bird Clarification Questions to Batch 1 Questions 

           a. Is Q2 asking a different question to those in the first set of questions?  Q1(1), in particular, asks us to consider "the risk of a third party abusing or circumventing the safeguards" – that seems similar to what Q2 is asking.

           b. In the first set of questions, one assumption is that "data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body" – we assume that even for a "direct" disclosure, the request is still going to come in via the SSAD, and will still be evaluated as all other requests would be; the key difference is just in terms of the final step (data would be sent directly to the requestor by the CP, not via ICANN org / ICANN org's designee).

 

    3. Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

           a. Substantive review of SSAD questions (beginning where LC left off last week)


  • Updated Question 11  (proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners1 (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?


For purposes of this question, please assume the following safeguards are in place:


  • Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
  • CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
  • ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: 
    • represents that it has a lawful basis for requesting and processing the data,  
    • provides its lawful basis, 
    • represents that it is requesting only the data necessary for its purpose,  
    • agrees to process the data in accordance with GDPR, and  
    • agrees to EU standard contractual clauses for the data transfer.  



Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.

 

Status: Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.



 Updated Question 12 and 13 :


Background: The recent EC Letter [icann.org] provides clarification regarding the possible legal bases for disclosure of non-public registration data to in the section entitled “Legal Bases for Processing”, and noted:


“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).


and


“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”


Questions:

  • In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?   
  • To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR’ Article 6(1)e (public interest), in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”


  • Question 6 : Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)

Status: awaiting updated text from Brian/Georgios

     4. Additional questions/issues raised for discussion

           a. Suggestion from Farzaneh: Add a general question about how to carry out the balancing test

           b. Draft question from Hadia:


Part of the rights that GDPR gives to individual users are in relation to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure in addition, to performing the balancing test in case article 6(1)f is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions especially where a large number of requests are being analyzed.


The EPDP team would appreciate Bird & Bird answers to the following:


  1. The potential risks to the controllers/processors associated with automated decision making especially that a margin of error could always exist
  2. The conditions/precautions that should be applied if automated decision making is to be used.
  3. Could a balancing test be used to weigh up the risks of using the results and how could this be best done.


Note: Legal Committee agreed to review legal advice received from first batch of questions and assess whether this question, or a permutation thereof, is needed.


  1. Agree on next steps


    5. Wrap and confirm next meeting to be scheduled

          a. Confirm action items

          b, The next LC Meeting will take place on Tuesday, 17 September at 14:00 UTC.


BACKGROUND DOCUMENTS



Info
titleRECORDINGS

Audio Recording

Zoom Recording

Chat Transcript


Tip
titlePARTICIPATION

Attendance 

Apologies: none

Alternates: none


Note

Notes/ Action Items

Action Items

  1. Thomas, Volker, Brian and Margie to work together on refining Q11 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September.
  2. Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Legal Committee in advance of the next call on Tuesday, 17 September. 
  3. Brian and Georgios to review and refine Q6 and submit updated language to the Legal Committee in advance of the next call on Tuesday, 17 September.
  4. EPDP Support Staff to review the Phase 1 Bird & Bird City Field memo and circulate the relevant text regarding carrying out the balancing test to the Legal Committee for further review to assess whether a further legal question needs to be asked.
  5. EPDP Support Staff to circulate the agreed-upon clarifications to Bird & Bird following today’s meeting. León to note the clarifications to the plenary team on Thursday, 5 September during the Legal Committee update.

Proposed Annotated Agenda – EPDP Phase 2 Legal Committee Meeting

3 September 2019

  1. Roll Call & SOI Updates
  2. Discussion of Bird & Bird Clarification Questions to Batch 1 Questions


           a) Is Q2 asking a different question to those in the first set of questions?  Q1(1), in particular, asks us to consider "the risk of a third party abusing or circumventing the safeguards" – that seems similar to what Q2 is asking.


          • Proposed response: Thank you for clarifying. It is not a different question from Q1(1), rather it's a specific concern we would like Bird and Bird to address in your response to Q1(1).


          b) In the first set of questions, one assumption is that "data must be disclosed over RDAP to requestors either directly or through an intermediary request accreditation/authorization body" – we assume that even for a "direct" disclosure, the request is still going to come in via the SSAD, and will still be evaluated as all other requests would be; the key difference is just in terms of the final step (data would be sent directly to the requestor by the CP, not via ICANN org / ICANN org's designee).


          • Yes, this is an assumption you can make.
          • The question that the team is asking about disclosure in an SSAD system. Yes, assume that even for a direct disclosure the request is still coming in through an SSAD.
          • Disclosure is envisaged to take place without any manual interaction with the contracted party. The contracted party would not intervene in this instance.
          • Proposed answer: Yes, your assumption is correct. We confirm data will be requested through an SSAD without any interaction from the contracted parties.


     3. Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date


           a) Substantive review of SSAD questions (beginning where LC left off last week)


  • Updated Question 11  (proposed by Margie): Is it permissible under GDPR to provide fast, automated, and non-rate limited responses (as described in SSAC 101) to nonpublic WHOIS data for properly credentialed security practitioners1 (as defined in SSAC 101) who are responsible for defense against e-crimes (including network operators, providers of online services, commercial security services, cyber-crime investigators) for use in investigations and mitigation activities to protect their network, information systems or services (as referenced in GDPR Recital 49) and have agreed on appropriate safeguards? Or would any automated disclosure carry a potential for liability of the disclosing party, or the controllers or processors of such data? Can counsel provide examples of safeguards (such as pseudonymization/anonymization) that should be considered?


For purposes of this question, please assume the following safeguards are in place:


    • Disclosure is required under CP’s contract with ICANN (resulting from Phase 2 EPDP policy).
    • CP’s contract with ICANN requires CP to notify the data subject of the purposes for which, and types of entities by which, personal data may be processed. CP is required to notify data subject of this with the opportunity to opt out before the data subject enters into the registration agreement with the CP, and again annually via the ICANN-required registration data accuracy reminder. CP has done so.
    • ICANN or its designee has validated/verified the requestor’s identity, and required in each instance that the requestor: 
  • represents that it has a lawful basis for requesting and processing the data,  
  • provides its lawful basis, 
  • represents that it is requesting only the data necessary for its purpose,  
  • agrees to process the data in accordance with GDPR, and  
  • agrees to EU standard contractual clauses for the data transfer.  



Footnote 1: SSAC defines “security practitioners” in SSAC 101 as those who have a responsibility to perform specific types of functions (as specified in Section 3) related to the identification and mitigation of malicious activity, and the correction of problems that negatively affect services and users online.


Status: Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.


Action item: Thomas, Volker, Brian and Margie to work together on refining this question. Legal Committee to review during the next call.




Updated Question 12 and 13 :


Background: The recent EC Letter [icann.org] provides clarification regarding the possible legal bases for disclosure of non-public registration data to in the section entitled “Legal Bases for Processing”, and noted:


“As explained in our comments, Art. 6(1)f GDPR (legitimate interest) is one of the six possible legal bases provided under Art. 6(1) GDPR. For instance, disclosure of nonpublic gTLD registration data could be necessary for compliance with a legal obligation to which the contracted parties are subject (see Art. 6(1)c GDPR).


and


“With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”


Questions:

  • In light of these statements from the EC, are there any updates to the prior memos submitted by B&B regarding the applicable bases for disclosure of non-public registration data to third parties for the purposes identified in EPDP Phase 1 Final Report Rec. 1 (Final Report), such as the memo on 6(1)(b)?   
  • To what extent can disclosures of non-public registration data to third parties for the purposes identified in the Final Report Rec. 1 be justified under GDPR’ Article 6(1)e (public interest), in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.”
          • Still having trouble seeing how the EC statement would change the 6(1)(b) memo. 6(1)(e) requires some sort of underlying law in a member state to enable the entity to process data under that exception – that does not seem relevant for ICANN, particularly in light of Recital 45.
          • The memo may not change, but it’s worthwhile to at least pose the question, especially since the memo came out before the EC letter.
          • Problem with this question – as long as the law does not change, unclear why the EC’s letter will change the previous advice here.
          • The question may need to be tweaked to be made clearer, the answer is not clear and should be asked. Another thing that makes this an important question to ask is that we still do not have an agreed-upon Purpose 2. Clarification on this question could assist in moving the team forward.
          • It may be worth getting clarity on this question. One alternative that could help the question be more productive – there has been guidance from the EDPB re: online data subjects in May 2019. This is binding guidance and may change the legal analysis.
          • If the team wants B&B to consider other inputs, the question could be tweaked to include other inputs.
          • Action item: Brian and Matt to review and refine updated Q12/13 and provide the updated language to the EPDP Team in advance of the next call on Tuesday, 17 September. 


  • Question 6 : Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third-party requestor? (Question from ICANN65 from GAC/IPC)

Status: Awaiting updated text from Brian/Georgios

      4. Additional questions/issues raised for discussion

             a) Suggestion from Farzaneh: Add a general question about how to carry out the balancing test


          • Need a volunteer from the EPDP to draft this.
          • Alan Woods sent around an informal how-to, Alan pointed out there is already guidance from the City Field memo about what goes into the 6(1)(f) balancing test.
          • Action: EPDP Support Staff to review the City Field memo and include the relevant text regarding carrying out the balancing test for Legal Committee to review.


             b) Draft question from Hadia:


Part of the rights that GDPR gives to individual users are in relation to automated decision making. In the context of gTLD registration data, automated decision making could be particularly useful when evaluating requests for disclosure of non public registration data. The decision making would typically involve examining the request, the supporting documents and the lawful basis of the controller/processor for disclosure in addition, to performing the balancing test in case article 6(1)f is being used as the lawful basis for disclosure. The decision would typically be based on factual information/data as well as maybe digitally created data. The automated decision would particularly lead to quicker and consistent decisions especially where a large number of requests are being analyzed.


The EPDP team would appreciate Bird & Bird answers to the following:

  1. The potential risks to the controllers/processors associated with automated decision making especially that a margin of error could always exist

       2. The conditions/precautions that should be applied if automated decision making is to be used.

       3. Could a balancing test be used to weigh up the risks of using the results and how could this be best done.


Note: Legal Committee agreed to review legal advice received from first batch of questions and assess whether this question, or a permutation thereof, is needed.


          • This question seems similar to questions included in Batch 1.
          • Proposal to review Hadia’s draft text once the advice from Batch 1 is returned.


           c) Agree on next steps


   5. Wrap and confirm next meeting to be scheduled

          a) Confirm action items

          b) The next LC Meeting will take place on Tuesday, 17 September at 14:00 UTC.