Versions Compared

Version Old Version 2 New Version Current
Changes made by

Andrea Glandon

Aleksey Khapchenko

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Fix links.

The next meeting of the EPDP– Phase 2 PDP Legal subteam is scheduled on Tuesday, 17 December 2019 at 1415:00 UTC for 75 minutes  2 hours

0706:00 PDT, 1009:00 EDT, 1615:00 Paris CESTCET, 19:00 Karachi PKT, 23:00 Tokyo JST, (Wednesday) 0001:00 Melbourne AEDT

For other times: https://tinyurl.com/yywn59ehsqvuu9s

Info

PROPOSED AGENDA

EPDP Phase 2 Legal Committee Meeting #12

17 December 2019


  1. Roll Call & SOI Updates 
  2. Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

           a)Substantive review of SSAD questions (beginning where LC left off during last LC meeting)

  

  • Updated Google Right to be Forgotten Question

In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion on regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR?


          b)Agree on next steps

  • Questions to be submitted to plenary (Q11)

    3. Continue review of Priority 2 Legal Questions – WHOIS Accuracy and City Field Redaction

          a) Substantive review of Priority 2 Legal Questions:

    i. Volker’s updated draft questions on Privacy/Proxy + Uniform Anonymized Email address:

The group has discussed the option of replacing the email address provided by the data subject with an alternate email address that would in and of itself not identify the data subject (Example: 'sfjgsdfsafgkas@pseudo.nym'). With this approach, two options emerged in the discussion, where (a) the same unique string would be used for multiple registrations by the data subject ('pseudonymisation'), or (b) the string would be unique for each registration ('anonymization'). Under option (a), the identity of the data subject might - but need not necessarily - become identifiable by cross-referencing the content of all domain name registrations the string is used for.

From these options, the following question arose:

1) Under options (a) and/or (b), would the the alternate address have to be considered as personal data of the data subject under the GDPR and what would be the legal consequences and risks of this determination with regard to the proposed publication of this string in the publicly accessible part of the registration data service (RDS)?

    ii. Matthew’s updated questions on Legal v. Natural:

Proposed Legal Question

As a follow-up to the previously provided memos on Accuracy and Legal vs. Natural persons, the EPDP team requests the following clarification on the scope of the GDPR accuracy principle under Article 5.1(d).  As a reminder, one proposal to address the issue of treating all registration data as containing personal data is to allow registrants to self-identify as legal persons at the time of registration.  Contracted parties would rely on this self-identification (which could be inaccurate) when deciding whether to redact the registration data.

Question 1:

Does the accuracy principle only take into account the interests of the data subject and the controller, or does the principle also consider the interests of third-parties (in this case law enforcement, IP rights holders, and others who would request the data from the controller for their own purposes)?

In responding to this question, can you please clarify the parties/interests that we should consider in general, and specifically when interpreting the following passages from the prior memos:

  • Both memos reference “relevant parties” in several sections.  Are the “relevant parties” limited to the controller(s) or should we account for third-party interests as well?
    • “There may be questions as to whether it is sufficient for the RNH or Account Holder to confirm the accuracy of information relating to technical and administrative contacts, instead of asking information of such contacts directly. GDPR does not necessarily require that, in cases where the personal data must be validated, that it be validated by the data subject herself. ICANN and the relevant parties may rely on third-parties to confirm the accuracy of personal data if it is reasonable to do so. Therefore, we see no immediate reason to find that the current procedures are insufficient.” (emphasis added) (Paragraph 19 – Accuracy)
    • “In sum, because compliance with the Accuracy Principle is based on a reasonableness standard, ICANN and the relevant parties will be better placed to evaluate whether these procedures are sufficient. From our vantage point, as the procedures do require affirmative steps that will help confirm accuracy, unless there is reason to believe these are insufficient, we see no clear requirement to review them.” (emphasis added) (Paragraph 21 - Accuracy)
    • “If the relevant parties had no reason to doubt the reliability of a registrant's self-identification, then they likely would be able to rely on the self-identification alone, without independent confirmation. However, we understand that the parties are concerned that some registrants will not understand the question and will wrongly self-identify. Therefore, there would be a risk of liability if the relevant parties did not take further steps to ensure the accuracy of the registrant's designation.” (emphasis added) (Paragraph 17 – Legal v. Natural)
  • Similarly, the Legal vs. Natural person memo refers to the “importance” of the data in determining the level of effort required to ensure accuracy.  Is the assessment of the “importance” of the data limited to considering the importance to the data subject and the controller(s), or does it include the importance of the data to third-parties as well (in this case law enforcement, IP rights holders, and others who would request the data from the controller for their own purposes)?
    • “As explained in the ICO guidance, "The more important it is that the personal data is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the data to make decisions that may significantly affect the individual concerned or others, you need to put more effort into ensuring accuracy.” (Paragraph 14 – Legal vs. Natural)

Question 2:

The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. How do you characterize the level of risk of liability - low, medium, or high?  What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability?  Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23?

  • “If the relevant parties had no reason to doubt the reliability of a registrant's self-identification, then they likely would be able to rely on the self-identification alone, without independent confirmation. However, we understand that the parties are concerned that some registrants will not understand the question and will wrongly self-identify. Therefore, there would be a risk of liability if the relevant parties did not take further steps to ensure the accuracy of the registrant's designation.” (emphasis added) (Paragraph 17 – Legal vs. Natural)
  • “When a registrant identifies as either a natural or a legal person, this self-identification will determine whether the data provided is made publicly available by default. If there is a reasonable risk that data subjects will wrongly self-identify, then failing to make the consequences of the self-identification known to data subjects could result in liability for failing to meet the Lawfulness, Fairness and Transparency Principle.” (emphasis added) (Paragraph 23 – Legal vs. Natural)

    iii. Potential OCTO Purpose

     b)Agree on next steps

 

   4. Wrap and confirm next meeting to be scheduled 

        a)Confirm action items

         b)The next Legal Committee meeting is scheduled for Tuesday, 7 January at 15:00 UTC.



BACKGROUND DOCUMENTS



Info
titleRECORDINGS

Audio Recording

Zoom Recording

Chat Transcript


Tip
titlePARTICIPATION

Attendance 

Apologies: 

Alternates: 


Note

Notes/ Action Items


Detailed Action Items

  1. Legal Committee to review Matthew’s updated Legal vs. Natural questions, which now incorporates the additions from today’s meeting. We have highlighted the updates for ease of reference. (Please refer to p.3 of the attached document.) Feedback, if any, is due COB Wednesday, 18 December.
  2. Margie to rephrase territorial scope question to address the question of if the finalized guidelines have any effect on the applicability of GDPR regarding registration data about registrants who are not residents within the EEA? Previously-worded question: In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion on regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR?
  3. Tara to rephrase the SSAC Legal v. Natural question to rephrase the issue regarding transferring consent, taking into account the previous guidance received from theTechnical Contact memo from Phase 1. Additionally, Tara to refer to specific excerpts of guidance from the cited sources.
  4. Laureen to review the previously-submitted GAC questions on WHOIS accuracy and ARS and note if the questions are still relevant. If they are, Laureen to provide a rationale as how this question will assist the EPDP Team in moving forward. (Please refer to p. 7 of the attachment for the list of questions.)