Page History
...
For other times: https://tinyurl.com/rnl7aka
Info | |||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
PROPOSED AGENDA Proposed Agenda
a a) Substantive Substantive review of SSAD questions (awaiting updated territorial scope question from Margie)questions
In light of the Right to Be Forgotten Case regarding the reach of GDPR, and the recent guidelines published by the EDPB on Geographic Scope [edpb.europa.eu], Does this ruling and the Guidelines affect:
In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if: a. the SSAD allowed automated disclosure responses to requests submitted by accredited entities for redacted data of registrants and/or controllers located outside of the EU, for legitimate purposes (such as cybersecurity investigations and mitigation)and/or other fundamental rights such as intellectual property infringement investigations (See Article 17, Section 2 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT);and/or b. ICANN served as the sole entity making disclosure decisions for the SSAD, and directly provided access to the redacted data from a processing center outside of the EU (such as from ICANN’s Los Angeles Headquarters)? Previously-worded question (for reference): In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion on regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR? b) Agree Agree on next steps 3. Continue review of Priority 2 Legal Questions a) a. Substantive review of Priority 2 Legal Questions: i i. Legal vs. Natural (awaiting updated : Updated question from Tara): Previously-worded question: Registration data submitted by legal person registrants may contain the data of natural persons. A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person , especially if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. As a follow-up to that memo: what are the consent issues options and requirements related to such designations? Can registrars Specifically: can data controllers state that it is the responsibility of a legal person registrant to obtain consent from any natural person who will act as a contact, and whose data it submitsmay be displayed publicly in RDS? As part of the your analysis, please examine consult the GDPR policies and practices of the Internet protocol (IP address) registries registry RIPE-NCC (the registry in for Europe, based in the Netherlands) and ARIN (the registry in North America, which has customer contacts in Europe). These registries publish the data of natural person contacts who are subject to the GDPR, publicly via their WHOIS services, by placing the choice and responsibility on their registrants, who are legal persons. These IP address registries state mission justifications and . RIPE-NCC’s customers (registrants) are legal persons, usually corporations. Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS. RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that. RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification. Could similar policies and procedures be used at ICANN? Please see these specific referencesPlease see: 1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”: 2) “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net] 3) "Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net] If time permits, also see the policies of ARIN, the IP address registry for North America. ARIN has some customers located in the EU. ARIN also publishes the data of natural persons in its WHOIS output. ARIN’s customers are natural persons, who submit the data of natural person contacts. 34) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net] 54) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]6) ARIN Privacy Policy: "Personal Data Privacy Considerations At ARIN": https://www.arinteamarin.net/about/privacy/ [arin2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net] especially the first two paragraphs ii ii. WHOIS Accuracy and ARS (Awaiting for Laureen’s confirmation/analysis that question is still needed, specifically in light of already-approved questions related to accuracy): 4Support Staff to pull up document submitted by Laureen): Legal Committee Proposed Questions Related to Data Accuracy Suggested Status on GAC Questions:
b)Agree Agree on next steps
4. Wrap and confirm next meeting to be scheduled a a) Confirm action items b b) AOB
c)The next Legal Committee meeting is scheduled for Tuesday, 21 January at 15:00 UTC. BACKGROUND DOCUMENTS |
Info | ||
---|---|---|
| ||
Tip | ||
---|---|---|
| ||
Attendance Attendance Apologies: Volker Greimann, none Alternates: none |
Note |
---|
Notes/ Action Items Action Items
Question provided for reference:
In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if:
Questions provided for reference:
|