Hi Brian. I think you have this part:

“So, the data must be disclosed unless there’s a legal basis for withholding it.”

Exactly backwards. 

One of the key principles of GDPR (and other privacy laws, including California which will become the de facto US model) is privacy by design/privacy by default.  Any requests that the controller feels are in a gray area must be rejected unless/until the legal basis is strengthened.  So it would be more correct to say that 

“The data must be protected, unless there is a legal basis for disclosing it.”

Why do we keep harping on this?  Because as contracted parties and data controllers, we need SSAD to work, but also stand up to scrutiny and the inevitable legal challenges.  If we work our tails off for two years to create a disclosure framework, only to see it promptly knocked down by courts or government regulators, then that puts us exactly in the same spot we were before the Temp Spec.



James Bladel

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of King, Brian via Gnso-epdp-team <gnso-epdp-team@icann.org>
Sent: Friday, August 30, 2019 06:56
To: farzaneh badii
Subject: Re: [Gnso-epdp-team] Zero-Draft Doc- Assessment of the data being requested


Hi Farzaneh,

That’s not quite right. We decided that CPs could differentiate in the context of publication/redaction, not in the context of SSAD. 

In the SSAD context, the act of withholding data when someone needs it, without a legal basis for withholding it (i.e. application of privacy law), would be legally problematic for the entity withholding access. In this case, withholding the data could make the controller secondarily liable for the bad actor’s conduct.

So, the data must be disclosed unless there’s a legal basis for withholding it. For legal persons and natural persons not covered by data privacy law, there is no legal basis for withholding the data, and there should be no balancing test. 

Brian J. King
Director of Internet Policy and Industry Affairs
MarkMonitor / Part of Clarivate Analytics
Phone: +1 (443) 761-3726

On Aug 30, 2019, at 7:22 AM, farzaneh badii <farzaneh.badii@gmail.com> wrote:

I don't know if this has been flagged and I know that the zero draft is frozen for now but I believe the diagram about the assessment of the data requested Step 2, is not correct. It says that if the data is non-EEA, data may be released with no balancing test performed. In phase one we agreed that the contracted parties can make geo diff if they want. The ones that do not do geo diff should definitely follow the disclosure policy we are coming up with and perform the balancing test regardless of EEA or non-EEA data. I don't think they should just release the data. As we argued, ICANN's policies are global. If disclosure is global, data protection has to be global too.
