Page History
The next meeting of the EPDP– Phase 2 PDP Legal subteam is scheduled on Tuesday, 07 January 2020 at 15:00 UTC for 2 hours
For other times: https://tinyurl.com/rnl7aka
Info | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
PROPOSED AGENDA Proposed Agenda
a) Substantive review of SSAD questions
In light of the Right to Be Forgotten Case regarding the reach of GDPR, and the recent guidelines published by the EDPB on Geographic Scope [edpb.europa.eu], Does this ruling and the Guidelines affect:
In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if: a. the SSAD allowed automated disclosure responses to requests submitted by accredited entities for redacted data of registrants and/or controllers located outside of the EU, for legitimate purposes (such as cybersecurity investigations and mitigation)and/or other fundamental rights such as intellectual property infringement investigations (See Article 17, Section 2 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT);and/or b. ICANN served as the sole entity making disclosure decisions for the SSAD, and directly provided access to the redacted data from a processing center outside of the EU (such as from ICANN’s Los Angeles Headquarters)? Previously-worded question (for reference): In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion on regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR? b) Agree on next steps 3. Continue review of Priority 2 Legal Questions a. Substantive review of Priority 2 Legal Questions: i. Legal vs. Natural: Updated question from Tara: Registration data submitted by legal person registrants may contain the data of natural persons. A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. As a follow-up to that memo: what are the consent options and requirements related to such designations? Specifically: can data controllers state that it is the responsibility of a legal person registrant to obtain consent from any natural person who will act as a contact, and whose data may be displayed publicly in RDS? As part of your analysis, please consult the GDPR policies and practices of the Internet protocol (IP address) registry RIPE-NCC (the registry for Europe, based in the Netherlands). RIPE-NCC’s customers (registrants) are legal persons, usually corporations. Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS. RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that. RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification. Could similar policies and procedures be used at ICANN? Please see these specific references: 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”: 2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net] If time permits, also see the policies of ARIN, the IP address registry for North America. ARIN has some customers located in the EU. ARIN also publishes the data of natural persons in its WHOIS output. ARIN’s customers are natural persons, who submit the data of natural person contacts. 3) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net] 4) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net] "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net] especially the first two paragraphs ii. WHOIS Accuracy and ARS (Support Staff to pull up document submitted by Laureen): Legal Committee Proposed Questions Related to Data Accuracy Suggested Status on GAC Questions:
b) Agree on next steps
4. Wrap and confirm next meeting to be scheduled a) Confirm action items b) AOB
c)The next Legal Committee meeting is scheduled for Tuesday, 21 January at 15:00 UTC. BACKGROUND DOCUMENTS |
Info | ||
---|---|---|
| ||
Tip | ||
---|---|---|
| ||
Apologies: none Alternates: none |
Note |
---|
Notes/ Action Items |