Thank you Chris for forwarding this.
As expected, the response is very helpful in providing further
clarity in how future disclosure models should work and it is also
very helpful that they provided a quick response just in time to
the start of our deliberations.
By stating that access should be enabled "upon request (...) showing a legitimate interest, provided both the controller (...) and the third party have a legal basis for such processing (...)" they basically support a point many participants of Phase 1 have been making all along in this debate:
Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure.
This explicitly excludes any concepts of "all-access" models
where a requester need only acquire some form of certification or
accreditation prior to being restored to the access to the whois
of yore. I therefore propose that we abandon these concepts at the
start of our deliberations to avoid wasting time on ultimately
futile debates.
Another shortcut we could use to save time is to initially focus
our discussions of the UDM (Unified Disclosure Model) by looking
exclusively at those parties with the best legal basis for
disclosure: national law enforcement agencies and other public
authorities in the same jurisdiction as the data controller. Once
we have a model for these parties, the rest can follow from there.
Obviously, the disclosure methods these parties have legal rights
to (that turn into legal obligations for the data compliance)
would vary on the legal bases of their appropriate jurisdictions
and that is ultimately something that we would need to ask the
individual GAC members to provide for example.
For example, we could start out by asking GAC members to
provide data on how individual law enforcement bodies and public
authorities have to go about in their specific jurisdiction with
obtaining data from comparable data controllers, like telephone
companies, internet access providers or hosting providers. Are
there special processes that entities would need to follow? If so,
could our model be based on these processes for these
jurisdictions? If, for example, a local police has to obtain a
court warrant or subpoena to demand disclosure of personal data held
by a webhoster, is that not also sufficiently equivalent to a
demand towards a contracted party? This does mean we would have to
vary our model by jurisdiction, but ultimately it seems to be the
most legally sound way to operate. This is also supported by the
letter, which states: "Instead, they need to rely on another
legal basis, which is normally provided for in national law."
It is the job of the GAC to tell us what this legal basis is in
each instance and it is our job to reflect this basis in our model
for access of the entities so entitled.
Best regards,
Volker Greimann
Hello All,
As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference.
A response has now been received from the Commission and I attach that for your information.
Cheers,
CD
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team