Hi Chris,

It really depends on what one means by the term Unified Access Model.

Currently under the temp spec, we have a system that introduces many uncertainties, as basically every contracted party is asked to make up their own access model and define the terms of access. A requester does not clearly know what is required to be granted disclosure, and many contracted parties also have difficulties defining hard and fast rules.

Clearly, this is unsustainable for the future, as the EC clearly states, since a requester will have to accommodate the requirements of every single model and still will not have certainty of disclosure. However, this does not mean that the basic principle is flawed.

Ultimately, the existing models developed by the parties will have to be condensed or refined into a unified model with clear rules of what is expected of them when they make a request and that provides for a set of requirements that, when met, will result in a certain outcome. This model can still take into account the various legal requirements a contracted party may face under its applicable jurisdiction, but it would reduce the variety of input that a requester has to provide.

Let's take the following example:

Law enforcement agencies A and B are in different jurisdictions. A is in the jurisdiction of the contracted party holding the data, B is not. Under a unified model, both would now be able to immediately find out the requirements for disclosure of the data needed for their investigation. Ideally, the template they use would be the same, but the output they get may be different. All EU Member States' authorities would, under such a model, gain the ability to obtain legitimate access to the data needed to enforce laws in compliance with the requirements and restrictions put in place by the applicable national laws.

I am sure no one here is advocating or proposing we allow anyone to circumvent the restrictions put in place by the applicable national laws.

Accreditation and certification also still have a place as they reduce the time needed to provide evidence of identity of the requester from having to do this every time to having to do this only every couple of years.

I do not see a conflict between anything I have proposed and anything in the response letter. Nothing in that letter requires an all-access model.

Developing a unified access model that meets the needs of law enforcement and public agencies within the framework of their right to access such data provided for in their applicable national laws is absolutely doable, implementable either centrally or in a distributed manner, and consistent with the advice we just received.

Best regards,

Volker


On 03.05.2019 at 15:41, Chris Disspain wrote:
Hi Volker,

Thanks for such a quick response commenting on the letter. 

I do not agree that the selected quotes that you have used lead to the conclusion that the EC ‘basically support’ a view that you propound.

In addition and speaking personally, I think:

…."we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR). The European Commission considers this to be both vital and urgent, and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively.”…..

….clearly shows that the EC supports a UAM which by definition means that the concept of a UAM is perfectly acceptable under GDPR.

I think:

…."As the Commission already noted, the current situation where access to non-public registration data for public policy objectives is left at the discretion of registries and registrars affects the EU Member States authorities’ ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime. The need to ensure effective and secure treatment of third party access requests requires therefore ICANN and the community developing a unified method for accessing non-public gTLD registration data.”…..

….clearly demonstrates that the EC is unhappy with the status quo and that in their view a UAM is essential.

and I think:

…."Accordingly, we consider that a clear distinction needs to be made between ICANN's own purposes for processing personal data and the purposes pursued by the third parties in accessing the data. For this reason, we would recommend revising the formulation of purpose two by excluding the second part of the purpose "through enabling responses to lawful data disclosure requests" and maintaining a broader purpose to "contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission", which is at the core of the role of ICANN as the “guardian” of the Domain Name System.

…..means that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited.



Cheers,


CD


On 3 May 2019, at 15:29, Volker Greimann <vgreimann@key-Systems.net> wrote:

Thank you Chris for forwarding this.

As expected, the response is very helpful in providing further clarity on how future disclosure models should work, and it is also very helpful that they provided a quick response just in time for the start of our deliberations.

By stating that access should be enabled "upon request (...) showing a legitimate interest, provided both the controller (...) and the third party have a legal basis for such processing (...)" they basically support a point many participants of Phase 1 have been making all along in this debate:

Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure.

This explicitly excludes any concept of "all-access" models where a requester need only acquire some form of certification or accreditation prior to being restored to access to the WHOIS of yore. I therefore propose that we abandon these concepts at the start of our deliberations to avoid wasting time on ultimately futile debates.

Another shortcut we could use to save time is to initially focus our discussions of the UDM (Unified Disclosure Model) by looking exclusively at those parties with the best legal basis for disclosure: national law enforcement agencies and other public authorities in the same jurisdiction as the data controller. Once we have a model for these parties, the rest can follow from there. Obviously, the disclosure methods these parties have legal rights to (which turn into legal obligations for data compliance) would vary with the legal bases of their respective jurisdictions, and that is ultimately something that we would need to ask the individual GAC members to provide, for example.

For example, we could start out by asking GAC members to provide data on how individual law enforcement bodies and public authorities have to go about obtaining data in their specific jurisdiction from comparable data controllers, such as telephone companies, internet access providers or hosting providers. Are there special processes that entities would need to follow? If so, could our model be based on these processes for these jurisdictions? If, for example, a local police force has to obtain a court warrant or subpoena to demand disclosure of personal data held by a webhoster, is that not also sufficiently equivalent to a demand towards a contracted party? This does mean we would have to vary our model by jurisdiction, but ultimately it seems to be the most legally sound way to operate. This is also supported by the letter, which states: "Instead, they need to rely on another legal basis, which is normally provided for in national law." It is the job of the GAC to tell us what this legal basis is in each instance, and it is our job to reflect this basis in our model for access by the entities so entitled.

Best regards,

Volker Greimann


On 03.05.2019 at 13:10, Chris Disspain wrote:
Hello All,

As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference. 

A response has now been received from the Commission and I attach that for your information. 


Cheers,

CD



_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.