
The next meeting of the EPDP– Phase 2 PDP Legal subteam is scheduled on Tuesday, 07 January 2020 at 15:00 UTC for 2 hours

For other times: https://tinyurl.com/rnl7aka

PROPOSED AGENDA


  1. Roll Call & SOI Updates 
  2. Continued Substantive Review of Priority 1 (SSAD) Legal Questions Submitted to Date

         a) Substantive review of SSAD questions

  • Updated Territorial Scope Question (Margie)


In light of the Right to Be Forgotten Case regarding the reach of GDPR, and the recent guidelines published by the EDPB on Geographic Scope [edpb.europa.eu],

Do this ruling and the Guidelines affect:

  1. The advice given in Phase 1 regarding Territorial Scope, in Sections 4.2 or 6.2-6.9?
  2. The advice given in Q1-2 with respect to liability (Section 4 of the memo)?

In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if:

          a. the SSAD allowed automated disclosure responses to requests submitted by accredited entities for redacted data of registrants and/or controllers located outside of the EU, for legitimate purposes (such as cybersecurity investigations and mitigation) and/or other fundamental rights such as intellectual property infringement investigations (see Article 17, Section 2: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT); and/or

          b. ICANN served as the sole entity making disclosure decisions for the SSAD, and directly provided access to the redacted data from a processing center outside of the EU (such as from ICANN’s Los Angeles Headquarters)?

Previously-worded question (for reference): In light of the finalized guidelines on the territorial scope of the GDPR and the ECJ opinion regarding the right to be forgotten (Google case), are there any modifications you would propose to your previous memo on the territorial scope of the GDPR?

         b) Agree on next steps


     3. Continue review of Priority 2 Legal Questions

          a. Substantive review of Priority 2 Legal Questions:

               i. Legal vs. Natural:

Updated question from Tara:

Registration data submitted by legal person registrants may contain the data of natural persons.  A Phase 1 memo stated that registrars can rely on a registrant's self-identification as legal or natural person if risk is mitigated by taking further steps to ensure the accuracy of the registrant's designation. 

As a follow-up to that memo: what are the consent options and requirements related to such designations?  Specifically: can data controllers state that it is the responsibility of a legal person registrant to obtain consent from any natural person who will act as a contact, and whose data may be displayed publicly in RDS?

As part of your analysis, please consult the GDPR policies and practices of the Internet protocol (IP address) registry RIPE-NCC (the registry for Europe, based in the Netherlands).  RIPE-NCC’s customers (registrants) are legal persons, usually corporations.  Natural persons can serve as their contacts, resulting in the data of natural persons being displayed publicly in WHOIS.  RIPE-NCC places the responsibility on its legal-person registrants to obtain permission from those natural persons, and provides procedures and safeguards for that.  RIPE-NCC states mission justifications and data collection purposes similar to those in ICANN's Temporary Specification.  Could similar policies and procedures be used at ICANN? 

 Please see these specific references:

1) “How We're Implementing the GDPR: Legal Grounds for Lawful Personal Data Processing and the RIPE Database”:

https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database [labs.ripe.net]  

2)  “How We're Implementing the GDPR: The RIPE Database”: https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database [labs.ripe.net]


If time permits, also see the policies of ARIN, the IP address registry for North America.  ARIN has some customers located in the EU.  ARIN also publishes the data of natural persons in its WHOIS output.  ARIN’s customers are natural persons, who submit the data of natural person contacts.

3) ARIN "Data Accuracy": https://www.arin.net/reference/materials/accuracy/ [arin.net]

4) ARIN Registration Services Agreement, paragraph 3: https://www.arin.net/about/corporate/agreements/rsa.pdf [arin.net]

"Personal Data Privacy Considerations At ARIN": https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/ [teamarin.net]  especially the first two paragraphs

            ii. WHOIS Accuracy and ARS (Support Staff to pull up document submitted by Laureen):


Legal Committee Proposed Questions Related to Data Accuracy

Suggested Status on GAC Questions (for each GAC question: a status of Keep, Delete or Proposed edits, followed by the rationale):

4. If current verification statistics provide that a number of data is inaccurate, would that be considered a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR? (GAC)

Status: Delete.

Rationale: Consider how to make this question more concrete in light of specific data.

5. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate? (GAC)

Status: Delete.

Rationale: The current Question 1 on Legal vs. Natural asks whether third parties also have an interest in the accuracy of the registration data and references ICO guidance about the importance of data accuracy. This gets at the same issue, albeit from a different angle.

6. Can you provide an analysis on the third parties mentioned in para 19 on which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Do they become in such a scenario data processors? (GAC)

Status: Keep. Proposed edit:

Can you provide further information and explanation on the reference to third parties mentioned in para 19 in which "ICANN and the relevant parties may rely on to confirm the accuracy of personal data if it is reasonable to do so"? Please describe these third parties and their contemplated role. Do they become in such a scenario data processors?

Rationale: This question would provide further clarification on a passage already flagged by the legal team as needing explanation. The current question focuses on the interests of “relevant parties” as mentioned in the Legal Memo, and whether these parties are distinct from the data controllers. However, clarification is also needed on what is meant by “third parties to confirm the accuracy of personal data.” Such clarity would assist the team in creating policy that ensures the accuracy of the data collected, consistent with the GDPR.

7. How does the accuracy principle, in connection with the parties' liability, have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)? (GAC)

Status: Keep in part. Proposed edit:

Provide further discussion on the liability risks to the data controllers and processors with regard to the accuracy of data provided by registrants, in light of GDPR Article 5. Article 5 requires, among other things, that personal data shall be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” What are the responsibilities of ICANN and the contracted parties with respect to ensuring data accuracy? If the data controllers engage third parties to assist with processing personal data, how would that affect the risk of liability to the data controllers?

Rationale: This question relates to the proposed question 2 regarding liability but seeks more specific guidance on identification of the liability risks and the specific responsibilities of the data controllers, either acting alone or with the assistance of third parties.

8. While it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLDs? (GAC)

Status: Keep with edits. Proposed edit:

Recognizing that registrants provide the personal information about themselves and identify as either “natural” or “legal” entities, are there nevertheless reasonable pro-active steps that are advisable for contracted parties to take in order to ensure the reliability of the information provided (including the registrant contact details), including through measures to independently verify the data? Do the practices of ccTLDs with regard to data verification provide reasonable models?

Rationale: This question seeks practical guidance on what steps would be reasonable for contracted parties to take in order to ensure data accuracy. This is a logical follow-up to our current questions on liability risks.


           b) Agree on next steps


     4. Wrap and confirm next meeting to be scheduled

           a) Confirm action items

           b) AOB

  • Note: No objections were received regarding Bird and Bird’s updates to the memo summaries by the pre-holiday deadline. The summaries are now included in the Initial Report Google Doc.
  • Note: No objections were received regarding the questions to submit for plenary review by the pre-holiday deadline. Following this call, EPDP Support Staff will forward the questions to the plenary for its review (with highlighting removed).

           c) The next Legal Committee meeting is scheduled for Tuesday, 21 January 2020 at 15:00 UTC.


BACKGROUND DOCUMENTS



PARTICIPATION


Attendance 

Apologies: none

Alternates: none

Notes/ Action Items



Action Items

  1. Brian and Margie to review 2A of the Territorial Scope question to clarify the ask based on the Legal Committee’s discussion, for example, consider adding a matrix.

Question provided for reference (item 2 and sub-question a. of the Territorial Scope question):

  2. The advice given in Q1-2 with respect to liability (Section 4 of the memo)?

In light of this ECJ decision and the Geographic Scope Guidelines [edpb.europa.eu], using the same assumptions identified for Q1 and Q2, would there be less risk under GDPR to contracted parties if:

      a. the SSAD allowed automated disclosure responses to requests submitted by accredited entities for redacted data of registrants and/or controllers located outside of the EU, for legitimate purposes (such as cybersecurity investigations and mitigation) and/or other fundamental rights such as intellectual property infringement investigations (see Article 17, Section 2: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT); and/or


  2. Laureen and Georgios to review and consider combining GAC-proposed questions 4, 5, 7, and 8 based on the Legal Committee’s discussion as well as the Phase 1 Accuracy Memo.


Questions provided for reference:


  4. If current verification statistics provide that a number of data is inaccurate, would that be considered a metric to deduce that the accuracy principle is not served in a reasonable manner as demanded by the GDPR?


  5. According to the GDPR all personal data are processed based on the principle that they are necessary for the purpose for which they are collected. If those data are necessary, how can the purpose be served while the data are inaccurate?


  7. How does the accuracy principle, in connection with the parties' liability, have to be understood in light of the accountability principle of the GDPR? What are the responsibilities of ICANN and the contracted parties (who are subject to the GDPR) under Chapter IV of the GDPR? If the contracted parties (as data controllers) engage third entities as processors (e.g. to provide data back-up services), what are the responsibilities of these entities? What does this mean in terms of liabilities (in light of Art. 82 GDPR)?


  8. While it is up to the registrants to provide accurate details about themselves and it is up to the registrants not to mistakenly identify themselves as natural or legal persons, the Memo on "Natural vs Legal persons" provides interesting ideas/suggestions for the contracted parties to proactively ensure the reliability of information provided, including through measures to independently verify the data. Could similar mechanisms be identified also for ensuring the reliability of the contact details of the registrant? Can best practices be drawn from the ccTLDs?


