For other times: https://tinyurl.com/rnl7aka
PROPOSED AGENDA
EPDP Phase 2 Legal Committee Meeting #12, 17 December 2019

a) Substantive review of SSAD questions (beginning where LC left off during last LC meeting)
In light of the Right to Be Forgotten case regarding the reach of GDPR, and the recent guidelines published by the EDPB on Geographic Scope [edpb.europa.eu], do this ruling and the Guidelines affect:

In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if:
a. the SSAD allowed automated disclosure responses to requests submitted by accredited entities for redacted data of registrants and/or controllers located outside of the EU, for legitimate purposes (such as cybersecurity investigations and mitigation) and/or other fundamental rights such as intellectual property infringement investigations (see Article 17, Section 2: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT); and/or
b. ICANN served as the sole entity making disclosure decisions for the SSAD, and directly provided access to the redacted data from a processing center outside of the EU (such as from ICANN’s Los Angeles headquarters)?
Previously-worded question (for reference): In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR?
b) Agree on next steps
3. Continue review of Priority 2 Legal Questions – WHOIS Accuracy and City Field Redaction
a) Substantive review of Priority 2 Legal Questions:
i. Volker’s updated draft questions on Privacy/Proxy + Uniform Anonymized Email address: The group has discussed the option of replacing the email address provided by the data subject with an alternate email address that would in and of itself not identify the data subject (Example: 'sfjgsdfsafgkas@pseudo.nym'). With this approach, two options emerged in the discussion, where (a) the same unique string would be used for multiple registrations by the data subject ('pseudonymisation'), or (b) the string would be unique for each registration ('anonymization'). Under option (a), the identity of the data subject might - but need not necessarily - become identifiable by cross-referencing the content of all domain name registrations the string is used for. From these options, the following question arose:
1) Under options (a) and/or (b), would the alternate address have to be considered personal data of the data subject under the GDPR, and what would be the legal consequences and risks of this determination with regard to the proposed publication of this string in the publicly accessible part of the registration data service (RDS)?
ii. Matthew’s updated questions on Legal v. Natural: Proposed Legal Question: As a follow-up to the previously provided memos on Accuracy and Legal vs. Natural persons, the EPDP team requests the following clarification on the scope of the GDPR accuracy principle under Article 5.1(d). As a reminder, one proposal to address the issue of treating all registration data as containing personal data is to allow registrants to self-identify as legal persons at the time of registration. Contracted parties would rely on this self-identification (which could be inaccurate) when deciding whether to redact the registration data.
Question 1: Does the accuracy principle only take into account the interests of the data subject and the controller, or does the principle also consider the interests of third parties (in this case law enforcement, IP rights holders, and others who would request the data from the controller for their own purposes)? In responding to this question, can you please clarify the parties/interests that we should consider in general, and specifically when interpreting the following passages from the prior memos: Both memos reference “relevant parties” in several sections. Are the “relevant parties” limited to the controller(s) or should we account for third-party interests as well?
“There may be questions as to whether it is sufficient for the RNH or Account Holder to confirm the accuracy of information relating to technical and administrative contacts, instead of asking information of such contacts directly. GDPR does not necessarily require that, in cases where the personal data must be validated, that it be validated by the data subject herself. ICANN and the relevant parties may rely on third-parties
i. Legal vs. Natural: Updated question from Tara: Registration data submitted by legal person registrants may contain the data of natural persons. A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. As a follow-up to that memo: what are the consent options and requirements related to such designations? Specifically: can data controllers state that it is the responsibility of a legal person registrant to obtain consent from any natural person who will act as a contact, and whose data may be displayed publicly in RDS? As part of your analysis, please consult the GDPR policies and practices of the Internet protocol (IP address) registry RIPE-NCC (the registry for Europe, based in the Netherlands).
RIPE-NCC’s customers (registrants) are legal persons, usually corporations. Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS. RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that. RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification. Could similar policies and procedures be used at ICANN? Please see these specific references:
1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:
2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net]
If time permits, also see the policies of ARIN, the IP address registry for North America. ARIN has some customers located in the EU. ARIN also publishes the data of natural persons in its WHOIS output. ARIN’s customers are natural persons, who submit the data of natural person contacts.
3) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net]
4) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]
"Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net], especially the first two paragraphs
ii. WHOIS Accuracy and ARS (Support Staff to pull up document submitted by Laureen): Legal Committee Proposed Questions Related to Data Accuracy; Suggested Status on GAC Questions:
Question 2: The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. How do you characterize the level of risk of liability: low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same as or different from the risk discussed in Paragraph 23?
b) Agree on next steps

4. Wrap and confirm next meeting to be scheduled
a) Confirm action items
b) AOB
c) The next Legal Committee meeting is scheduled for Tuesday, 7 21 January at 15:00 UTC.

BACKGROUND DOCUMENTS
Attendance
Apologies: none
Alternates: none
Notes / Action Items
Question provided for reference:
In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if:
Questions provided for reference: