Page History
...
Info |
---|
PROPOSED AGENDA
Confirmed EPDP-Legal Team members
*During ICANN65, Janis proposed Leon to chair the Phase 2 Legal Committee calls. Leon agreed to serve as the chair, and no EPDP Team Members registered their objection. 2. Review Legal Committee Process and Working Methods a) Similar to the Phase 1 Legal Committee, if the EPDP Team identifies questions it believes are legal in nature, the Phase 2 Legal Committee will vet the questions to determine:
b) Meetings of the Phase 2 Legal Committee will be open to all EPDP Team members, but only appointed members will be invited to speak. Appointed members unable to attend meetings may appoint an alternate to speak during the meeting. c) Ultimate determinations of the Phase 2 Legal Committee will be shared and signed off with the EPDP Team before questions are sent to Bird & Bird. d) Questions/Concerns? 3. Substantive Review of Priority 1 Legal Questions Submitted to Date a) The Phase 2 Legal Committee will begin its review of questions submitted for Priority 1 items, i.e., questions submitted for SSAD.
b) Substantive review of SSAD questions 4. Wrap and confirm next meeting to be scheduled a)Confirm action items For ease of reference, please find the SSAD questions submitted to date below:
Can legal counsel be consulted to determine if the restated purpose 2 (as stated above) is possible under GDPR? If the above language is not possible, are there suggestions that counsel can make to improve this language? (BC) 9. Can legal analysis be provided on how the balancing test under 6(1)(f) is to be conducted, and under which circumstances 6(1)(f) might require a manual review of a request? (BC) 10. If not all requests benefit from manual review, is there a legal methodology to define categories of requests (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer) which can be structured to reduce the need for manual review? (BC). 11.Can legal counsel be consulted to determine whether GDPR prevents higher volume access for properly credentialed cybersecurity professionals, who have agreed on appropriate safeguards? If such access is not prohibited, can counsel provide examples of safeguards (such as pseudonymization) that should be considered? (BC) 12. To identify 6(1)(b) as purpose for processing registration data, we should follow up on the B & B advice that- “it will be necessary to require that the specific third party or at least the processing by the third party is, at least abstractly, already known to the data subject at the time the contract is concluded and that the controller, as the contractual partner, informs the data subject of this prior to the transfer to the third party” B&B should clarify why it believes that the only basis for providing WHOIS is for the prevention of DNS abuse. Its conclusion in Paragraph 10 does not consider the other purposes identified by the EPDP in Rec 1, and, in any event should consider the recent EC recognition that ICANN has a broad purpose to: ‘contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission’, which is at the core of the role of ICANN as the “guardian” of the Domain Name System.” 13. B&B should advise on the extent to which GDPR’s public interest basis 6(1)e is applicable, in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.” BACKGROUND DOCUMENTS |
Info | ||
---|---|---|
| ||
Tip | ||
---|---|---|
| ||
Apologies: Laureen Kapin (GAC), Tatiana Tropina (NCSG), Thomas Rickert (ISPCP) Alternates: Stephanie Perrin (NCSG) |
Note |
---|
Notes/ Action Items Question for ICANN org
Action Items/Conclusions
2. With respect to question 1, the Phase 2 LC has noted this question as premature at this time and will mark the question as “on hold”. The question will be revisited once the EPDP Team has identified the purposes for disclosure. 3. With respect to questions 2 and 5, Brian King to consolidate these questions into one question and, where possible, include more detail in the wording. Following receipt of Brian’s draft, evaluate the best time to pose this question to legal counsel. 4. With respect to question 3, the LC notes this question will be put on hold and revisited once the EPDP Team further deliberates the meaning of accreditation. 5. With respect to question 4, the LC is requesting further clarity from the author (ISPCP) re: the meaning and goal of this question. 6. LC Members to continue discussing remaining questions on the list to see if/how questions can be consolidated and prioritized. -- For reference, here is a list of the questions:
2. Answer the controllership and legal basis question for a system for Standardized Access to Non-Public Registration Data, assuming a technical framework consistent with the TSG, and in a way that sufficiently addresses issues related to liability and risk mitigation with the goal of decreasing liability risks to Contracted Parties through the adoption of a system for Standardized Access (Suggested by IPC) 3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (Suggested by ISPCP) 4. The question of disclosure to non-EU law enforcement based on Art 6 I f GDPR should be presented to legal counsel. (Suggested by ISPCP) 5. Can a centralized access/disclosure model (one in which a single entity is responsible for receiving disclosure requests, conducting the balancing test, checking accreditation, responding to requests, etc.) be designed in such a way as to limit the liability for the contracted parties to the greatest extent possible? IE - can it be opined that the centralized entity can be largely (if not entirely) responsible for the liability associated with disclosure (including the accreditation and authorization) and could the contracted parties’ liability be limited to activities strictly associated with other processing not related to disclosure, such as the collection and secure transfer of data? If so, what needs to be considered/articulated in policy to accommodate this? (Suggested by GAC) 6. Within the context of an SSAD, in addition to determining its own lawful basis for disclosing data, does the requestee (entity that houses the requested data) need to assess the lawful basis of the third party requestor? (Question from ICANN65 from GAC/IPC) 7. To what extent, if any, are contracted parties accountable when a third party misrepresents their intended processing, and how can this accountability be reduced? (BC) 8. BC Proposes that the EPDP split Purpose 2 into two separate purposes:
Can legal counsel be consulted to determine if the restated purpose 2 (as stated above) is possible under GDPR? If the above language is not possible, are there suggestions that counsel can make to improve this language? (BC) 9. Can legal analysis be provided on how the balancing test under 6(1)(f) is to be conducted, and under which circumstances 6(1)(f) might require a manual review of a request? (BC) 10. If not all requests benefit from manual review, is there a legal methodology to define categories of requests (e.g. rapid response to a malware attack or contacting a non-responsive IP infringer) which can be structured to reduce the need for manual review? (BC) 11. Can legal counsel be consulted to determine whether GDPR prevents higher volume access for properly credentialed cybersecurity professionals, who have agreed on appropriate safeguards? If such access is not prohibited, can counsel provide examples of safeguards (such as pseudonymization) that should be considered? (BC) 12. To identify 6(1)(b) as purpose for processing registration data, we should follow up on the B & B advice that- “it will be necessary to require that the specific third party or at least the processing by the third party is, at least abstractly, already known to the data subject at the time the contract is concluded and that the controller, as the contractual partner, informs the data subject of this prior to the transfer to the third party” B&B should clarify why it believes that the only basis for providing WHOIS is for the prevention of DNS abuse. Its conclusion in Paragraph 10 does not consider the other purposes identified by the EPDP in Rec 1, and, in any event should consider the recent EC recognition that ICANN has a broad purpose to: ‘contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission’, which is at the core of the role of ICANN as the “guardian” of the Domain Name System.” 13. B&B should advise on the extent to which GDPR’s public interest basis 6(1)e is applicable, in light of the EC’s recognition that: “With regard to the formulation of purpose two, the European Commission acknowledges ICANN’s central role and responsibility for ensuring the security, stability and resilience of the Internet Domain Name System and that in doing so it acts in the public interest.” -- Notes and Action Items
Questions/Concerns from Legal Committee
3. Substantive Review of Priority 1 Legal Questions Submitted to Date
2. Answer the controllership and legal basis question for a system for Standardized Access to Non-Public Registration Data, assuming a technical framework consistent with the TSG, and in a way that sufficiently addresses issues related to liability and risk mitigation with the goal of decreasing liability risks to Contracted Parties through the adoption of a system for Standardized Access (Suggested by IPC)
3. Legal guidance should be sought on the possibility of an accreditation-based disclosure system as such. (Suggested by ISPCP)
4. The question of disclosure to non-EU law enforcement based on Art 6 I f GDPR should be presented to legal counsel. (Suggested by ISPCP)
|