RECORDINGS

Audio Recording

Zoom Recording

Chat Transcript


PARTICIPATION

Attendance 

Apologies: none

Alternates: none


Notes/Action Items



Action Items

  1. Brian and Margie to review 2A of the Territorial Scope question to clarify the ask based on the Legal Committee’s discussion, for example, consider adding a matrix.

Question provided for reference:

  1. The advice given in Q1-2 with respect to liability (Section 4 of the memo)?

In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if:

      1. the SSAD allowed automated disclosure responses to requests submitted by accredited entities for redacted data of registrants and/or controllers located outside of the EU, for legitimate purposes (such as cybersecurity investigations and mitigation) and/or other fundamental rights such as intellectual property infringement investigations (See Article 17, Section 2 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT); and/or


  2. Laureen and Georgios to review and consider combining GAC-proposed questions 4, 5, 7, and 8 based on the Legal Committee’s discussion as well as the Phase 1 Accuracy Memo.


Questions provided for reference:


  1. If current verification statistics provide that a number of data is inaccurate, would that be considered a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?


  1. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?


  1. How does the accuracy principle, in connection with the parties' liability, have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?


  1. While it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLDs?