Public Comment Close | Statement Name | Status | Assignee(s) | Call for Comments Open | Call for Comments Close | Vote Open | Vote Close | Date of Submission | Staff Contact and Email | Statement Number

20 April 2018

WITHDRAWN

Due to differing opinion within the ALAC on the submitted Statement, the ALAC Chair requested ICANN withdraw the Statement from Public Comment.


18 April 2018

20 April 2018

23 April 2018

ICANN Staff
gdpr@icann.org



FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here upon completion of the vote.



FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

The At-Large Advisory Committee (ALAC) writes to provide its input on the European Union’s (E.U.’s) Working Party 29’s (WP29’s) letter to ICANN, in which WP29 provided its opinion and recommendation on ICANN’s Interim Model for Compliance for WHOIS. Although the ALAC continues to have concerns with the current iteration of the interim model, we also believe WP29’s recommendation places ICANN in an impossible situation where it listed out several recommendations that will be improbable to accommodate given the timeline for the General Data Protection Regulation’s (GDPR’s) provisions to go into effect. The ALAC fears that ICANN will, in turn, avoid liability under the E.U. regulation by shutting down the WHOIS system until ICANN provides a permanent solution ensuring its compliance with the regulation. The ALAC proffers the following comments for ICANN’s consideration.

 

Defining Legitimate Purpose

The purpose of this interim model is to provide a temporary solution to comply with the E.U.’s GDPR that will be in full effect on May 25, 2018. Maintaining the integrity of an individual’s personal information, either within the E.U. or outside of it, is a priority to the ALAC. WHOIS is a multifunctional enterprise that is invaluable for those attempting to protect their intellectual property rights and for law enforcement. ICANN should promulgate a solution that balances the equities between protecting personal information that satisfies the requirements under the GDPR and the other essential functions of WHOIS to thwart IPR violations and other forms of law enforcement.

In its letter, WP29 lists out various criticisms of ICANN’s interim model and provides what it feels are measures by which ICANN can accommodate these criticisms. For example, on the issue of purpose specification, the WP29 believes the phrase “legitimate access..[to] accurate, reliable and uniform registration data” within the interim model’s text is too broad and would, thus, violate Article 5(1)(b) of the GDPR. WP29 recommends that ICANN better define the term “purposes” and take out the term “include” in this context to ensure that ICANN’s interim model meets the comprehensive-and-exhaustive standard under Article 5. Even though we believe that WP29’s recommendation is vague, the ALAC recommends that ICANN should reiterate its considerations for legitimate purposes under its interim model, like allowing registrars to perform basic administrative functions and the protection against certain actions that would run afoul of other IPR rights (e.g., phishing attacks).

 

Retention Policy

WP29 criticizes ICANN’s interim model’s two year retention policy, saying it may not pass muster under 5(1)e of the regulation. Thus, it is perplexed why ICANN augmented its initial retention period of 60 days, and says ICANN should provide insight as to why a two year policy is necessary in satisfying article 5(2) of the GDPR. The ALAC does not take a particular position on a prescriptive timeframe, but believes that there exist legitimate reasons as to why a retention period past…is necessary to report and investigate crimes by a registrant. We believe there to be ample evidence to justify a retention policy of either 60 days or 2 years.

 

The Use of Anonymized Emails to Address Concerns Related to Access to Non-Public WHOIS Data

The WP29 welcomed the interim model’s tiered access mechanism generally, but it was concerned with certain details as to the justifications for granting access to non-public WHOIS data. The ALAC recommends that ICANN should look into the use of anonymized emails to address most of the concerns related to third-party access of such data. We believe it serves as a way for those who feel as though their various rights have been violated to reach out to the necessary party, while not disclosing any personal information. Additionally, it allows the petitioning party to go through the accreditation process to seek the relevant data concurrently.

We appreciate the opportunity to share our views on this matter. Thank you in advance for your time and consideration on this important issue.



FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments begins.

The At-Large Advisory Committee (ALAC) writes to provide its input on the European Union’s (E.U.’s) Working Party 29’s (WP29’s) letter to ICANN, in which WP29 provided its opinion and recommendation on ICANN’s Interim Model for Compliance for WHOIS. Although the ALAC continues to have concerns with the current iteration of the interim model, we also believe WP29’s recommendation places ICANN in an impossible situation where it listed out several recommendations that will be improbable to accommodate given the timeline for the General Data Protection Regulation’s (GDPR’s) provisions to go into effect. The ALAC fears that ICANN will, in turn, avoid liability under the E.U. regulation by shutting down the WHOIS system until ICANN provides a permanent solution ensuring its compliance with the regulation. The ALAC proffers the following comments for ICANN’s consideration.

 

Defining Legitimate Purpose

The purpose of this interim model is to provide a temporary solution to comply with the E.U.’s GDPR that will be in full effect on May 25, 2018. Maintaining the integrity of an individual’s personal information, either within the E.U. or outside of it, is a priority to the ALAC. WHOIS is a multifunctional enterprise that is invaluable for those attempting to protect their intellectual property rights and for law enforcement. ICANN should promulgate a solution that balances the equities between protecting personal information that satisfies the requirements under the GDPR and the other essential functions of WHOIS to thwart IPR violations and other forms of law enforcement.

In its letter, WP29 lists out various criticisms of ICANN’s interim model and provides what it feels are measures by which ICANN can accommodate these criticisms. For example, on the issue of purpose specification, the WP29 believes the phrase “legitimate access..[to] accurate, reliable and uniform registration data” within the interim model’s text is too broad and would, thus, violate Article 5(1)(b) of the GDPR. WP29 recommends that ICANN better define the term “purposes” and take out the term “include” in this context to ensure that ICANN’s interim model meets the comprehensive-and-exhaustive standard under Article 5. Even though we believe that WP29’s recommendation is vague, the ALAC recommends that ICANN should reiterate its considerations for legitimate purposes under its interim model, like allowing registrars to perform basic administrative functions and the protection against certain actions that would run afoul of other IPR rights (e.g., phishing attacks).

 

Retention Policy

WP29 criticizes ICANN’s interim model’s two year retention policy, saying it may not pass muster under 5(1)e of the regulation. Thus, it is perplexed why ICANN augmented its initial retention period of 60 days, and says ICANN should provide insight as to why a two year policy is necessary in satisfying article 5(2) of the GDPR. The ALAC does not take a particular position on a prescriptive timeframe, but believes that there exist legitimate reasons as to why a retention period past…is necessary to report and investigate crimes by a registrant. We believe there to be ample evidence to justify a retention policy of either 60 days or 2 years.

 

The Use of Anonymized Emails to Address Concerns Related to Access to Non-Public WHOIS Data

The WP29 welcomed the interim model’s tiered access mechanism generally, but it was concerned with certain details as to the justifications for granting access to non-public WHOIS data. The ALAC recommends that ICANN should look into the use of anonymized emails to address most of the concerns related to third-party access of such data. We believe it serves as a way for those who feel as though their various rights have been violated to reach out to the necessary party, while not disclosing any personal information. Additionally, it allows the petitioning party to go through the accreditation process to seek the relevant data concurrently.

We appreciate the opportunity to share our views on this matter. Thank you in advance for your time and consideration on this important issue.

18 Comments

  1. On Mon, Apr 16, 2018 at 6:58 PM, Holly Raiche wrote:

    Folks

    We are fast running out of time to develop any kind of response to the accreditation model, even though the deadline for a response has been extended to this Friday. And in the interim, ICANN has received advice from Article 29 on the Interim model. (Article 29 is an advisory Group made up of a data protection authority from each EU member state).  Their letter to ICANN, and Marby’s response, are on the home page of ICANN - and for those interested in the issue, I highly recommend reading both.  Clearly, the implications of the Article 29 letter are that the Interim Model that we did comment on still raises concerns with them.  Those concerns fall under the headings:

    • Breadth of purpose - saying the proposed purposes are too widely drawn
    • the link of purpose to processing - again, because the Whois data has been used does not qualify it as a purpose 
    • publication of the data must be linked to the original (and narrowly defined) purpose
    • any access should be limited - not blanket access
    • discussion about the length of retention of data
    • discussion about the transfer of data
    • Accreditation (particularly important in this context) - should only be for legitimate purpose, limited to the original purpose, not blanket access, and under limited conditions


    Below, I have copied in an email from Scott Hollenbeck, a long standing member of ICANN and one of those involved in the development of the RDAP (access protocol that would allow gated access to registration data) - simply because he has been involved in this issue for a long time and shows he has already worked on a technical solution to this issue - how access to data could work under GDPR.

    I will try to attend as much as possible of the capacity building webinar on this issue, but have been scheduled to attend an all-day course in the Sydney CBD so may have to miss some of the discussion.  I imagine Tom will be very up to date on these issues, but I would like to have been attending the whole of the webinar myself 

    In any case, if at all possible, we should be saying something.  Quite apart from the original contribution from the IPC/BC model, the NCSG and Registrars have also made comments (largely challenging the IPC/BC model). I hope we are the one constituency that doesn’t make comments - although I realise that agreement on what to say will be difficult at the best of times.

    And if it isn’t too late - maybe put this issue on the ALAC policy page - and with it, links to the Article 29 letter, Marby’s response, the registrars’ response and the NCSG response (and any others I have missed - I have copies if that helps)

    Holly

  2. On  Tuesday, April 17, 2018 at 11:27 AM, Carlton Samuels wrote:

    In my own view the expectations by ICANN from the request to Article 29 WP folks presaged either a woeful misunderstanding of the role/function of the Article 29 WP in the EU/EC framework or the first move in a fiendishly clever ploy to get them on record for purpose.  

     

    Because quite frankly, them fellas didn't say anything that a moderately sentient observer that is conversant with the issues and have some time in place could not have anticipated.

     

    -Carlton

  3. The GDPR issue is not new. Please let me reiterate my earlier proposal:

    • Acknowledge the fact, that legal systems do differ in different parts of the world.
    • Accept the fact, that legal systems evolve (rather quickly), so any solution may be invalidated at any unforeseen time.
    • Therefore: Do not collect or store data at points where the data was not generated. This solves the problem of transferring personal data from one jurisdiction to another.
    • Try to find out, which use cases are really existent. Which data should be available and for whom. Be honest.
    • Whois does offer a redirection scheme: A whois server can respond with partial information and point to a different server to get more information.
    • Favor an ultra thin whois:
      • Every response contains only the information about the contract local to the queried server.
      • Start always at whois.iana.org (which is already implementing such a thin whois there).
      • Do not stop at the registry level. The registry should respond with the contract details and a referral to the accredited registrar, who was registering the object.
      • Include registrar level whois into the Registrar Accreditation Agreement. Allow subdelegation to resellers for whois data. In the case of subdelegation, the whois response at registrar level should contain the reselling contract details and the referral to the reseller-whois.
      • If the reseller or the registrar is unable to run the whois service according to the ICANN enforced Service Level Agreements, they have to use the upper level whois and clear all the legal issues themselves.
    • Now back to the Law Enforcement Agencies and their private operated surroundings: They have to follow the whois referral tree down to the registrar/reseller whois. It's likely, that they will not have access to the data, they want, if they are querying from a foreign country. So they do have to use the legal ways to ask the LEA in the destination country. In order to ease this process, all contract based referral data should not be hidden. This might be part of the contracts. End customer data should be handled according to the local law.
  4. On 17 April 2018, Alan Greenberg said:

    To be clear, it IS *OUR* job to make sure that the DNS is safe and reliable. That is our only job! Law enforcement, or anyone else that can justify their need can get data only if we first collect it.

    But that is not relevant to the accreditation model as Scott says.
  5. On 18 April 2018, Holly Raiche said:

    I am not disputing the ALAC’s rightful concern with making the DNS as safe and reliable as possible.  But we need to do that in the legal framework we are given.

    So yes, the model Scott explained does try to provide access to those entitled to access within a legal framework - both are important..

    I do hope others comment because this is a very important discussion

  6. On 18 April 2018, Tijani Ben-Jemaa said:

    Of course, we must ensure the safety and reliability of the DNS. But can you explain how collecting such huge amount of registrant data can make us sure that the DNS is safe and reliable? In case of unlawful harmful use, the registrar can immediately stop it, and this is true whatever the amount of data collected is.
    On the other hand, what you say is almost as if you say: since we know there will be criminals, we must surveil all the population so that we can catch anyone who will act badly. 

    ...we must comply with GDPR, and try to negotiate with Article 29 in Brussels to have a waiver for a few more months to finalize our interim model.

  7. On 18 April 2018, Alan Greenberg said:

    The data (much of it, but perhaps not all) has proven useful and necessary for DETECTING and IDENTIFYING the problems. It is only after that work that registrars/registries can be asked to take sites down.

    Once a phishing site is identified, it can be taken down *IF* the registrar agrees - some do not!  WHOIS data can lead to other domain names that may be implicated or will be used for phishing in the future. And it has proven very useful for ultimately identifying the perpetrator and not just taking down a single site.

    ...Of course we must comply. But we also have to consider advice from the GAC and our mission.

    My understanding is that data commissioners do not have the authority to grant such waivers. Only the courts do.

  8. On 18 April 2018, Andrei Kolesnikov said:

    It's not possible to make the issue simple. But always good to go back to the basics. 

    1. Registrant need an anchor, very solid data to make sure domain is recognizable as an asset of the registrant to do the job: delegate, change technical data, transfer, pay, etc. This might be personal data (such as ID or passport or combination of properties);
    2. Registrar binds to registrant solid data to make sure domain is under registrant control and thing works. Technically, there is no need for registrar to keep all personal data (and WHOIS it) to maintain its operations, but only portion which says it is registrant's domain. But this is registrant-registrar relations, it's not public WHOIS issue. The trust for this pair can be done via keys for example or chain of blocks :)
    3. Registry takes care of the domain name hierarchy and keeps some of the registrant technical data to make sure domain name is running. Also there are tools to keep domain name with registrant if registrar fails. There is no need to keep personal data (and WHOIS it). 

    1, 2 and 3 trust the jurisdiction (ID, passport, credit card) registrant belongs to, only for the reason to do administrative things with domain names. 
     
    A. There are governments, they need to know the "owner" of the domain name for many reasons. They do need to know the personal data and some kind of tool to dig down to the owner (lets assume it is WHOIS). They also have enforcement tools to get it (lets assume there is no problem with international user data transfer);
    B. There are legal guys in some jurisdictions trying to get a digging tool to keep their legal properties under control (lets assume it is WHOIS). But this won't work in many jurisdictions, so they have a path through point (A);
    C. There are collective EU bureaucrats taking care of the privacy issues, trying to make sure personal data of the European registrants is protected from the bad guys. Those guys look like a superuser with an assumption everybody around are the bad guys. 

    D. There are new players on the legal market, like this "article" whatever, balancing between 1, 2, 3, A, B and C. Lets say good luck for those guys. 

    As I see a combination of the issues from the end user point of view (the guy with personal data): it is not AtLarge role to make sure A, B and C are happy with whatever legal version of digital divide achieved. We must maintain our focus to a simple things: user can register and run domain, transfer it, pay, change NSes, etc. There is risk that end user's life will be more complicated, because there will be new stuff in a simple process of registering and running the domain name. Lets focus on this. 

    1. You forget the real use case of Whois: Keeping the net running by contacting the relevant people (out-of-band) directly.

      Your 1,2,3 results in "ultra thin whois".

  9. Folks,

    I don't know if this will work but I took a crack at finding the common ground among all these comments. check it out ASAP if we want to participate in this discussion.

    Jonathan


  10. Jonathan, this fails to make a point that I raised in an e-mail (but which sadly did not make it into those posted above) and was also in the Capacity Building Webinar presentation that I made.

    The Article 29 letter says "Finally, ICANN should take care in defining purposes in a manner which corresponds to its own organisational mission and mandate, which is to coordinate the stable operation of the Internet's unique identifier systems. Purposes pursued by other interested third parties should not determine the purposes pursued by ICANN. The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case."

    The mission of the Internet Corporation for Assigned Names and Numbers ("ICANN") is to ensure the stable and secure operation of the Internet's unique identifier systems… (a quote from the ICANN Bylaws).

    Implicit in this is to ensure that the DNS is trusted. Without trust, it is meaningless. Why would you ask the DNS to translate a domain name into an IP address if you did not fully trust it?

    If we ignore the uses that law enforcement, cyber abuse fighters, etc. make of WHOIS, we cannot COLLECT the data they need. If it isn’t collected, it cannot be used (no matter what the need!).

    If ICANN, the only body that can set the rules for what is collected, cannot do so, the parties who COULD justify the use of that data have nowhere to make their case.

    There is no doubt that we need to beef up the rationales for collecting data, but it is a useless exercise if we cannot ensure that the DNS can be properly policed and protected.

    In a similar vein, e-mail addresses are used to recognize patterns in DNS abuse (and in IP violations). Anonymized addresses can be used, but ONLY if the same e-mail address always translates to the same anonymized address (specifically across multiple registrations and multiple registrars).


    I will make these points in my own response, but feel free to incorporate them here if you wish.


    1. It can be collected, but does not need to be distributed and covered by centralized access. There are other ways of providing information -> Thin Whois.

      Trust does not rely on Whois, it does depend on transparent policies, processes and DNSSEC.

      1. Under GDPR collection is "processing". If we ignore the uses that law enforcement and others may have for the data (as the Article 29 letter instructs), it cannot be collected.

    2. Alan,

      I personally agree with all of your points. I was engaged in a probably futile exercise of basing a draft on what everyone agreed on for the most part but it seems like we're not going to reach consensus on this in this short time frame. There will be other opportunities to comment. Let's work on the consensus position of the ALAC sooner rather than later.

  11. First, I want to thank Tijani for holding a webinar on Article 29, which was very informative.  Next, I want to thank Jonathan for agreeing to draft a statement.   I believe he is correct - finding consensus will be almost impossible.  In our response to the Interim Model, our final statement was able to both point to the areas of agreement, and areas where agreement was not possible.  I think we need to try to do the same for this statement.

    I agree with Jonathan's statement's defense of a two year retention policy and the use of anonymized emails.  However, I do not agree with his inclusion of the protection of intellectual property rights (IPR) in our concerns.

    Alan, quite properly, began his presentation at the webinar with a statement about ALAC's concerns.  He rightly said that, from the perspective of the users (our perspective) the security and safety of the DNS System is paramount - and I agree with that statement.  But I would also add a second concern - protection of an individual's privacy.  Many users are also registrants - and deserve protection of their privacy.  And as I've said before, the GDPR is not the only data protection legislation.  Many other jurisdictions, including Canada, South America, Asia and Australia have data protection laws founded on the same principles as the GDPR.  Indeed, I would hate to see an outcome that gives only European citizens privacy protection - the rest of the citizens of the world deserve better.

    So my suggested draft for consideration.

    ALAC welcomes this opportunity to respond to the guidance provided by Article 29 on the Interim Model proposed by ICANN for compliance with the GDPR.  We also welcome the growing number of responses to this advice - from the IPC/BC, the NCSG, registrars, the Forum of Incident Response and Security Teams, and comments from the GAC - clearly broadening the discussion to include the many perspectives there are on this issue.

    The ALAC's concerns are for its constituents - Internet users, many of whom are also registrants.  Our primary concerns from that perspective are the trust users should have in the safety and security of the DNS system and appropriate privacy protections for Internet users.

    Please note, this response is in addition to the response the ALAC has already provided to the Interim Model. (add link).

    Limitation on Collection

    We note Article 29's clarification on the limitation of collection of data: only that data necessary for the functions of the data collector/data processor should be collected - with the data subject's consent.  As Article 29 stresses, the purpose of collection - which determines what data is collected - is NOT determined by who uses/has used it in the past.

    Law Enforcement and Security access

    We do note, however, that there is considerable scope for permitting Law Enforcement Agencies and other governmental authorities (such as consumer protection and corporate regulators) to be given access to personal data - but only in specific circumstances and by those accredited for such access. 

    Retention Policy

    Article 29 criticizes ICANN’s interim model’s two year retention policy saying it may not pass muster under 5(1)e of the regulation.  It is perplexed why ICANN augmented its initial retention period of 60 days and should provide insight as to why a two year policy is necessary  in satisfying article 5(2) of the GDPR. The ALAC does not take a particular position on a prescriptive timeframe, but believes that there exists legitimate reasons as to why a retention period past 60 days is necessary to report and investigate crimes by a registrant. We believe there to be ample evidence for a retention policy to justify a retention policy of either 60 days or 2 years.  

    The Use of Anonymized Emails to Help Address Concerns Related to Access to Non-Public WHOIS Data

    Article 29 welcomed the Interim Model’s tiered access mechanism generally, but it was concerned with certain details as to the justifications for granting access to non-public WHOIS data. The ALAC recommends that ICANN should look into the use of anonymized emails to address the concerns related to third-party access of such data. We believe it serves as a way for those who feel as though their various rights have been violated to reach out to the necessary party, while not disclosing any personal information. Additionally, it allows the petitioning party to go through the accreditation process to seek the relevant data concurrently.

    We appreciate the opportunity to share our views on this matter. Thank you in advance for your time and consideration on this important issue.


  12. First a comment on deadlines. There was no explicit deadline set for submitting comments, but the real deadline is that ICANN is meeting with DPAs in Brussels on this coming Monday (ie a bit over 48 hours from now).

    This statement is substantially different from the previous version and it includes at least statements that I cannot support. I have no problem with a statement submitted that I cannot support - I am just one ALAC member and I can vote against it if I choose. But we now have two statements both of which people (well, at least Holly and me) have said they cannot support. So I would suggest that we withdraw the original one submitted by Jonathan and rely on individual statements.

    To be specific some of my concerns are:

    • The implication that we support IP rights as a matter of principle. Certainly in my case, I do not take that position. But ALAC has often been allied with the IPC because one of their concerns in ICANN is the misappropriation of TMs in domain names to mislead the public. The domain name facebock.com (for example) was a direct attempt to capitalize on a spelling error and attract traffic destined for facebook.com. Once there, there are a number of things that can be done, most likely being an attempt to get a user to sign in to steal their name and password. I have no qualms about supporting the IPC where user confusion or mischief is the target.
    • The statement that we support uses of WHOIS because it was possible before. I cannot recall anyone in At-Large ever saying that. I believe that all usage must be justified and I strongly support an authentication and accreditation system that will give people what they reasonably need to do things that I support (such as fighting cyber abuse).
    • You note "there is considerable scope for permitting Law Enforcement Agencies and other governmental authorities (such as consumer protection and corporate regulators) to be given access to personal data - but only in specific circumstances and by those accredited for such access." but you do not explain how they can ever get access to that data if ICANN firstly ensures that it is collected - and collection is "processing" that we need approval to do.

    1. Hey Alan

      We really are not that far apart.  For instances of fraud or misuse, yes an accredited agency should have access to personal information for that instance.

      If you put a few more words in, I also support an authentication and accreditation system to give ACCREDITED people access to personal information so they can deal with  THAT specific issue of fraud/misuse

      I don't understand your third dot point.  Like you (and most of ALAC), I am in favour of the collection of  THICK Whois data, collected by registries, and then for the legitimate purposes explained in the Interim Model, given to registrars and escrow agencies.  So the information is there - just not publicly available as it is now.  So the issue isn't collection per se - I have already read enough explanation of why registries/ICANN collects the data.  In the gated access system that we all agree on, the issues then are about who should have access, in what specific circumstances, how they are accredited - and checked.

      (and the reason I put Scott Hollenbeck's text in one of my emails was to demonstrate that it is possible to authenticate individual requests - but with more to work through) So no - I don't go into that level of detail.  What I do like is Jonathan's suggestion about anonymised emails as part of a solution.

  13. And what I should have pointed out is that I have actually incorporated over 2/3rds of Jonathan's statement into my proposed statement. 

    My only concern was with two of his sentences:

    WHOIS is a multifunctional enterprise that is invaluable for those attempting to protect their intellectual property rights and law enforcement. ICANN should promulgate a solution that balances the equities between protecting personal information that satisfies the requirements under the GDPR and the other essential functions of WHOIS to thwart IPR violations and other forms of law enforcement.

    My concern with the statement is twofold:  First, ALAC should focus on its constituency; the IPC can (and has) run its own case; we don't need to do it as well.  Second: the term 'other essential functions that includes IPR violations'.  Again, they can run their own case. What Article 29 is saying is that you must start with the original purpose of collection - which sets the limits of consent and use.  Where the IPC/BC submission starts with is 'use' - who has used data in the past.  This is specifically rejected by Article 29 (and most other data regimes as well). And I am not comfortable with the idea of balancing basic data protection law against the use of personal information that others have used in the past, but do not come under the reason the information was collected in the first place.

    Law enforcement has always been an exception and for legitimate law enforcement queries by agencies that come under the recommendations of GAC, there are no objections.