Hi Margie,

 

• A unified system for third party access, for multiple parties, is necessary.  The EC letter recognizes that the current situation is unworkable.   Volker’s statement that “Disclosure can only work on a per-request basis…”  seems to contradict the EC’s concerns regarding the current situation where access is “left at the discretion of registries and registrars”.  As noted in the letter, this affects the … “ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime.”

This need not be a contradiction. Currently, contracted bear the legal risk for any non-compliant disclosure, so if that issue is fixed, the level of discretion can be reduced. Also, the model may include stricter guidelines for both contracted parties that create a much higher level of predictability towards the results of each request.

But even if the discretion is placed elsewhere, away from contracted parties, someone somewhere will have to make a determination whether any particular request demonstrates a legitimate interest of the requester that outweighs the rights of the data subject.

In other words: The UDM is needed and wanted, but it needs to comply with the legal principles of the GDPR. Or as the letter clearly states: "Such a unified access model should be fully in line with EU data protection rules, in particular the GDPR."

If that goal is missed, any model we design would be doomed to fail.

 

• The Final Report was Too Restrictive. The EC letters clearly state that WHOIS is in the public interest, and that the EPDP Final Report was too restrictive when it only relied on Articles 6(1)(f) as the legal basis for the new policy.  This is consistent with the BC’s position in Phase 1.  We need to update our analysis to recognize the other basis applicable (consent (Art. 6(1)a); performance of a contract(Art. 6(1)b); compliance with a legal obligation(Art. 6(1)c); protection of vital interest (Art. 6(1)d); and public interest (Art. 6(1)e)), and ask that Bird & Bird revisit its legal analysis in light of these developments.  
  

It is clear that other bases are possible, however they all come with their own set of issues that will have to be addressed once we get to that. Any legal review would have to factor in such issues so it is too early to call for a review without first being able to define the scope of such a review.

 

• The EC Guidance Reduces GDPR Risk. The EC letter notes that it has facilitated discussions between ICANN and the EDPB, and will continue to do so.   This is good news, and means that the advice likely reflects input from those discussions.  Following this advice should reduce GDPR risk for ICANN and contracted parties in creating a UAM.

I agree in as much as keeping the discussion going reduces the risk of immediate DPA compliance action, however this is not a carte blanche. If we were to develop something that has legal issues, the risk of contracted parties may actually increase as ICANN and by extention the CPs have been told repeatedly to get into compliance and if that is not achieved, we may be subject to harsher penalties than if no such advice had been received.

  

Therefore, on the points of access and purposes, the BC submits that the wording of today’s EC letter leaves little room for creative interpretation.  They have repeated now, several times, the points listed above, and have done so clearly.