REVISED: Question for legal advisors
At Mark's suggestion, I have reformatted/reworded this for additional (hopefully) clarity.

==============

Background:

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy. If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured.

If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, can we rely on the vetting during accreditation and the commitments made by the requester in order to be accredited can be relied upon.

Examples:

As a simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it.

For a more nuanced situation, if a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example) makes a request for specific data, can we assume that given the process under which they are accredited, we can be assured that they need this data, have no practical alternative way of addressing the issue, and will only use/store the data appropriately.

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Summary:

Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Question:

If a requester is properly vetted (accredited, authenticated) and has provided assurances they understand they may only request data that meets the balance test (i.e. their need is sufficiently great that it warrants releasing to them otherwise redacted data), can an automated system presume that the GDPR balancing test has been satisfied? Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

At 24/07/2019 04:27 PM, Alan Greenberg wrote:

As requested during the last meeting, here is a question to go to the Legal Committee looking for a clear legal opinion.

===============================

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy. If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured.

If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, can we rely on the vetting during accreditation and the commitments made by the requester in order to be accredited can be relied upon.

Specifically, if a requester is properly vetted and provides assurances (and proof?) they understand the balancing that must be done, can the automated system presume that the balancing test has been satisfied. Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

In one simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it.

A less clear case is that of a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example).

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Alan

Dear Alan, Mark, legal team:

Yes, this issue is a vital one to ask the legal advisers, and we must make sure they understand the issue. An additional way to explain it is below. Feel free to adapt or include any of this suggested language below if you like.

<snip>

6(f) says that processing is lawful if it "is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject." This language describes a general requirement that must be met. It does not describe any specific decision-making process or the threshold that must be reached to satisfy the balancing test in any specific case.

Question: can a data controller rely on advice or assertions that come from a qualified and trusted party in order to satisfy 6(f)'s balancing test? If it is possible, then what are the considerations? If not, why?

Example: a third party is trying to mitigate a phishing attack. This third party is the victim of the attack, or is defending its customers. GDPR Recital 49 says that processing personal data for such a purpose "constitutes a legitimate interest of the data controller concerned." The third party makes a data request to the controller. The third party is in some way accredited, its identity and subject matter expertise are known to the data controller, and the third party makes representations about the legitimacy and accuracy of its request. Can the data processor rely on this information and relationship?

</snip>

(And I also assume what you wrote -- accreditation could be withdrawn, the requestor is following data minimization practices, etc. etc.)

BTW, am hoping to move away from "security researcher" as a blanket term to include those involved in operational security, for some previously explained reasons.

Thanks,
--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Alan Greenberg
Sent: Wednesday, July 24, 2019 11:18 PM
To: EPDP <gnso-epdp-team@icann.org>
Subject: [Gnso-epdp-team] REVISED: Question for legal advisors

I find the discussions of this proposed question to be fundamentally detached from legal and practical reality. Essentially, this question boils down to this: can we avoid doing a balancing test if someone we think we trust wants the data?

The answer to that should be obvious. If the law requires a balancing test, it doesn't matter _who_ the person making the inquiry is. It doesn't matter how "trustworthy" they are, how nicely they ask, how sweetly they smile, the point here is that the interest of the requestor in obtaining the information must be weighed against the rights to privacy of the data subject. You cannot skirt that balancing test without breaking the law. Full stop.

This question makes about as much sense as asking the data subject to unilaterally determine the outcome of the test. "Hey, if we have a data subject we think is good and trustworthy, can we automatically nix any disclosure requests because we think they are good guys?" No, you can't do that. Balancing test means a balancing test. One party's interests are weighed against the other's.

I hope we do not waste our scarce legal time with something like this.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Greg Aaron
Sent: Monday, July 29, 2019 3:22 PM
To: 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors

I agree with Milton's comments, but I think I am interpreting the original questions differently. I interpreted it as "If I am a data controller and a third party asks me to perform a balancing test, how much weight should the accreditation of a 3rd party represent in my decision-making process? If I want to introduce efficiencies into my process, I might want to assign more weight to certain known 3rd parties, or certain accreditations, or even 3rd parties who have committed to a specific code of conduct separate from any specific accreditor. But I am liable for performing the balancing test in a lawful way, so how do I know when assigning more weight is appropriate? Is there a way to quantify this?"

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Monday, July 29, 2019 1:44 PM
To: Greg Aaron <greg@illumintel.com>; 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors
Mark's framing of the question is more reasonable, but I still don't see how accreditation per se bears on the balancing test. Maybe I'm just dense. Accreditation as I understand it means that the requestor is contractually obligated to a code of conduct. This means that a penalty can be imposed if disclosures are abused but it still doesn't tell you whether, in any specific instance, the requestor's legitimate interest outweighs (or does not outweigh) the privacy interest of the data subject. To resolve these questions it might be helpful for us, in discussing use cases, to run some trial/hypothetical balancing tests and find a couple of instances in which a request does and does not pass it. e.g. imagine a routine TM infringement case in which a domain confusingly similar to a TM appears to be a typo-squatting site selling ads. Request for registrant identity and contact info seems to me to pass the balancing test. Now imagine a case in which someone is curious about who is behind an organization's domain but the organization is a woman's shelter and there is a fear that disclosing contact info and names might facilitate abuse. Balancing tet failed, imho. In both cases I don't see how accreditation per se has any bearing on the outcome of the balancing test. From: Mark Svancarek (CELA) <marksv@microsoft.com> Sent: Monday, July 29, 2019 5:33 PM To: Mueller, Milton L <milton@gatech.edu>; Greg Aaron <greg@illumintel.com>; 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org> Subject: RE: [Gnso-epdp-team] REVISED: Question for legal advisors I agree with Milton's comments, but I think I am interpreting the original questions differently. I interpreted as "If I am a data controller and a third party asks me to perform a balancing test, how much weight should the accreditation of a 3rd party represent in my decision-making process? 
If I want to introduce efficiencies into my process, I might want to assign more weight to certain known 3rd parties, or certain accreditations, or even 3rd parties who have committed to a specific code of conduct separate from any specific accreditor. But I am liable for performing the balancing test in a lawful way, so how do I know when assigning more weight is appropriate? Is there a way to quantify this?"

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mueller, Milton L
Sent: Monday, July 29, 2019 1:44 PM
To: Greg Aaron <greg@illumintel.com>; 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors

I find the discussions of this proposed question to be fundamentally detached from legal and practical reality. Essentially, this question boils down to this: can we avoid doing a balancing test if someone we think we trust wants the data? The answer to that should be obvious. If the law requires a balancing test, it doesn't matter _who_ the person making the inquiry is. It doesn't matter how "trustworthy" they are, how nicely they ask, how sweetly they smile, the point here is that the interest of the requestor in obtaining the information must be weighed against the rights to privacy of the data subject. You cannot skirt that balancing test without breaking the law. Full stop.

This question makes about as much sense as asking the data subject to unilaterally determine the outcome of the test. "Hey, if we have a data subject we think is good and trustworthy, can we automatically nix any disclosure requests because we think they are good guys?" No, you can't do that. Balancing test means a balancing test. One party's interests are weighed against the other's.

I hope we do not waste our scarce legal time with something like this.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Greg Aaron
Sent: Monday, July 29, 2019 3:22 PM
To: 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors

Dear Alan, Mark, legal team:

Yes, this issue is a vital one to ask the legal advisers, and we must make sure they understand the issue. An additional way to explain it is below. Feel free to adapt or include any of this suggested language below if you like.

<snip>
6(f) says that processing is lawful if it "is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject." This language describes a general requirement that must be met. It does not describe any specific decision-making process or the threshold that must be reached to satisfy the balancing test in any specific case.

Question: can a data controller rely on advice or assertions that come from a qualified and trusted party in order to satisfy 6(f)'s balancing test? If it is possible, then what are the considerations? If not, why?

Example: a third party is trying to mitigate a phishing attack. This third party is the victim of the attack, or is defending its customers. GDPR Recital 49 says that processing personal data for such a purpose "constitutes a legitimate interest of the data controller concerned." The third party makes a data request to the controller. The third party is in some way accredited, its identity and subject matter expertise are known to the data controller, and the third party makes representations about the legitimacy and accuracy of its request. Can the data processor rely on this information and relationship?
</snip>

(And I also assume what you wrote -- accreditation could be withdrawn, the requestor is following data minimization practices, etc. etc.)

BTW, am hoping to move away from "security researcher" as a blanket term to include those involved in operational security, for some previously explained reasons.

Thanks,
--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Alan Greenberg
Sent: Wednesday, July 24, 2019 11:18 PM
To: EPDP <gnso-epdp-team@icann.org>
Subject: [Gnso-epdp-team] REVISED: Question for legal advisors

At Mark's suggestion, I have reformatted/reworded this for additional (hopefully) clarity.
==============
Background: If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy. If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, can we rely on the vetting during accreditation and the commitments made by the requester in order to be accredited can be relied upon.

Examples: As a simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it.
For a more nuanced situation, if a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example) makes a request for specific data, can we assume that given the process under which they are accredited, we can be assured that they need this data, have no practical alternative way of addressing the issue, and will only use/store the data appropriately?

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Summary: Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Question: If a requester is properly vetted (accredited, authenticated) and has provided assurances they understand they may only request data that meets the balance test (ie their need is sufficiently great that it warrants releasing to them otherwise redacted data), can an automated system presume that the GDPR balancing test has been satisfied? Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

At 24/07/2019 04:27 PM, Alan Greenberg wrote:

As requested during the last meeting, here is a question to go to the Legal Committee looking for a clear legal opinion.
===============================
If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy. If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation.

That raises the question of to what extent, based on appropriate accreditation processes, can we rely on the vetting during accreditation and the commitments made by the requester in order to be accredited can be relied upon. Specifically, if a requester is properly vetted and provides assurances (and proof?) they understand the balancing that must be done, can the automated system presume that the balancing test has been satisfied. Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

In one simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it. A less clear case is that of a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example). Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Alan
That mischaracterizes. The issue is not "can the balancing test be avoided." The question is about inputs into the decision-making process, and involving use cases that the GDPR actually speaks to specifically. We should research the issue; it's important to understand some issues that Alan mentioned. We're here to do reasonable research and diligence. Quashing such is not something we should be doing, and I'm sure none of us are afraid of answers.
That mischaracterizes. The issue is not "can the balancing test be avoided." The question is about inputs into the decision-making process, and involving use cases that the GDPR actually speaks to specifically.
I don't think I have mischaracterized the question. Any use case that requires a balancing test, requires a balancing test, not an assessment of the reputation of the requestor.
We're here to do reasonable research and diligence. Quashing such is not something we should be doing, and I'm sure none of us are afraid of answers.
Not at all afraid of the answer; my problem is that I think the answer is obvious. Since our ability to pose questions to legal experts is limited and it's quite likely that not all of them will get posed, I believe this one doesn't rise to the level. But if the team as a whole really wants to devote scarce time to this, I'll not stand in the way.
It really pains me to blow our legal budget asking stupid questions like this one. Forgive me for being blunt. As Milton has indicated very clearly, these are two separate issues, not to mention deliberative procedures, for which guidelines have been written by numerous DPAs, and we continue to conflate them. We all recognize that the ICANN data sharing ecosystem, like the cybercrime fighters data sharing ecosystem, has long relied on a trusted player system. Data protection law does not. If you don't care to believe me, then go ask a data protection commissioner. Maybe Joe Cannataci will be kind, despite the long interval during which we never got back to him (i.e. since March 2017), and answer for free. Please don't blow our budget on this, we need it for really serious questions.

Stephanie

PS you all should have let us put Peter Kimpian on this committee as an expert observer. He could answer this one for free too.

On 2019-07-30 10:04, Mueller, Milton L wrote:
That mischaracterizes. The issue is not “can the balancing test be avoided.” The question is about inputs into the decision-making process, and involving use cases that the GDPR actually speaks to specifically.
I don’t think I have mischaracterized the question. Any use case that requires a balancing test, requires a balancing test, not an assessment of the reputation of the requestor.
We’re here to do reasonable research and diligence. Quashing such is not something we should be doing, and I’m sure none of us are afraid of answers.
Not at all afraid of the answer; my problem is that I think the answer is obvious. Since our ability to pose questions to legal experts is limited and it’s quite likely that not all of them will get posed, I believe this one doesn’t rise to the level. But if the team as a whole really wants to devote scarce time to this, I’ll not stand in the way.
I am three weeks overdue to apologize for labeling this question as "stupid". Perhaps a better word would have been "basic". However, I am sorry if anyone, particularly Alan Greenberg and ALAC members generally, have taken offense to the characterization of the question (not Alan) as stupid.

Meanwhile, members may recall that I argued as hard as I could, along with Ayden, for some serious training in data protection law for team members, so that folks would become acclimatized to the concepts and basic precepts. I also have argued for having a data protection lawyer present in the room who could raise his/her flag when we head off on a dead end because we are arguing something that simply will not hold water in an argument with a DPA. Sadly, we do not have such a person in the room most of the time, no offence intended to the ICANN legal team who is present.

Apologies for cross posting, but a manual for data protection officers has been published, funded by the EU and a number of Data Protection Commissioners. I think it is excellent, contains a good history of relevant law and guidance for how data protection officers and the new role in the GDPR ought to be managed. It is written by two folks who have been at this since the 90s (colleagues so perhaps I am biased), Douwe Korff (emeritus London Metropolitan University) and Marie Georges (ex-CNIL, also had been seconded by the CNIL to the European Commission during the struggle to get the original Directive 95/46 passed).

In case anyone thinks the concept of the DPO within an organization is new, it is not, during the 90s the German data protection laws provided for this in companies of a certain size, and when Douwe wrote the annual compliance report for the Article 29 Working Party/the European Commission in 1998, he recommended that this concept be implemented more broadly. Eventually, this happened, as it now forms part of the Regulation.
Available here http://www.fondazionebasso.it/2015/wp-content/uploads/2019/07/T4DATA-MANUAL-...

Stephanie

-------- Forwarded Message --------
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors
Date: Tue, 30 Jul 2019 10:33:24 -0400
From: Stephanie Perrin <stephanie.perrin@mail.utoronto.ca>
To: gnso-epdp-team@icann.org

It really pains me to blow our legal budget asking stupid questions like this one. Forgive me for being blunt. As Milton has indicated very clearly, these are two separate issues, not to mention deliberative procedures, for which guidelines have been written by numerous DPAs, and we continue to conflate them.

We all recognize that the ICANN data sharing ecosystem, like the cybercrime fighters data sharing ecosystem, has long relied on a trusted player system. Data protection law does not. If you don't care to believe me, then go ask a data protection commissioner. Maybe Joe Cannataci will be kind, despite the long interval during which we never got back to him (i.e. since March 2017), and answer for free. Please don't blow our budget on this, we need it for really serious questions.

Stephanie

PS you all should have let us put Peter Kimpian on this committee as an expert observer. He could answer this one for free too.

On 2019-07-30 10:04, Mueller, Milton L wrote:
That mischaracterizes. The issue is not “can the balancing test be avoided.” The question is about inputs into the decision-making process, and involving use cases that the GDPR actually speaks to specifically.
I don’t think I have mischaracterized the question. Any use case that requires a balancing test, requires a balancing test, not an assessment of the reputation of the requestor.
We’re here to do reasonable research and diligence. Quashing such is not something we should be doing, and I’m sure none of us are afraid of answers.
Not at all afraid of the answer; my problem is that I think the answer is obvious. Since our ability to pose questions to legal experts is limited and it’s quite likely that not all of them will get posed, I believe this one doesn’t rise to the level. But if the team as a whole really wants to devote scarce time to this, I’ll not stand in the way.

From: Mueller, Milton L <milton@gatech.edu>
Sent: Monday, July 29, 2019 4:44 PM
To: Greg Aaron <greg@illumintel.com>; 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org>
Subject: RE: [Gnso-epdp-team] REVISED: Question for legal advisors

I find the discussions of this proposed question to be fundamentally detached from legal and practical reality. Essentially, this question boils down to this: can we avoid doing a balancing test if someone we think we trust wants the data?

The answer to that should be obvious. If the law requires a balancing test, it doesn’t matter _who_ the person making the inquiry is. It doesn’t matter how “trustworthy” they are, how nicely they ask, how sweetly they smile, the point here is that the interest of the requestor in obtaining the information must be weighed against the rights to privacy of the data subject. You cannot skirt that balancing test without breaking the law. Full stop.

This question makes about as much sense as asking the data subject to unilaterally determine the outcome of the test. “Hey, if we have a data subject we think is good and trustworthy, can we automatically nix any disclosure requests because we think they are good guys?” No, you can’t do that. Balancing test means a balancing test. One party’s interests are weighed against the other’s.

I hope we do not waste our scarce legal time with something like this.

Dr. Milton L Mueller
School of Public Policy
Georgia Institute of Technology

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Greg Aaron
Sent: Monday, July 29, 2019 3:22 PM
To: 'Alan Greenberg' <alan.greenberg@mcgill.ca>; 'EPDP' <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] REVISED: Question for legal advisors

Dear Alan, Mark, legal team:

Yes, this issue is a vital one to ask the legal advisers, and we must make sure they understand the issue. An additional way to explain it is below. Feel free to adapt or include any of this suggested language below if you like.

<snip>

6(f) says that processing is lawful if it "is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject." This language describes a general requirement that must be met. It does not describe any specific decision-making process or the threshold that must be reached to satisfy the balancing test in any specific case.

Question: can a data controller rely on advice or assertions that come from a qualified and trusted party in order to satisfy 6(f)’s balancing test? If it is possible, then what are the considerations? If not, why?

Example: a third party is trying to mitigate a phishing attack. This third party is the victim of the attack, or is defending its customers. GDPR Recital 49 says that processing personal data for such a purpose “constitutes a legitimate interest of the data controller concerned.” The third party makes a data request to the controller. The third party is in some way accredited, its identity and subject matter expertise are known to the data controller, and the third party makes representations about the legitimacy and accuracy of its request.
Can the data processor rely on this information and relationship?

</snip>

(And I also assume what you wrote -- accreditation could be withdrawn, the requestor is following data minimization practices, etc. etc.)

BTW, am hoping to move away from “security researcher” as a blanket term to include those involved in operational security, for some previously explained reasons.

Thanks,
--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Alan Greenberg
Sent: Wednesday, July 24, 2019 11:18 PM
To: EPDP <gnso-epdp-team@icann.org>
Subject: [Gnso-epdp-team] REVISED: Question for legal advisors

At Mark's suggestion, I have reformatted/reworded this for additional (hopefully) clarity.

==============

Background: If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy. If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation. That raises the question of to what extent, based on appropriate accreditation processes, can we rely on the vetting during accreditation and the commitments made by the requester in order to be accredited.

Examples: As a simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it.
For a more nuanced situation, if a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example) makes a request for specific data, can we assume that given the process under which they are accredited, we can be assured that they need this data, have no practical alternative way of addressing the issue, and will only use/store the data appropriately?

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Summary: Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Question: If a requester is properly vetted (accredited, authenticated) and has provided assurances they understand they may only request data that meets the balance test (i.e. their need is sufficiently great that it warrants releasing to them otherwise redacted data), can an automated system presume that the GDPR balancing test has been satisfied? Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

At 24/07/2019 04:27 PM, Alan Greenberg wrote:

As requested during the last meeting, here is a question to go to the Legal Committee looking for a clear legal opinion.

===============================

If information is to be requested released to third parties, the controller or other party(ies) must decide whether the need for the data outweighs the data subject's right to privacy. If the decision is made by a human, the competing needs/rights can be carefully weighed to decide whether the request should be honoured. If we are to consider any form of automated decision process, it is unlikely that we can build a sufficiently robust artificial intelligence engine to carry out the balancing operation.
That raises the question of to what extent, based on appropriate accreditation processes, can we rely on the vetting during accreditation and the commitments made by the requester in order to be accredited. Specifically, if a requester is properly vetted and provides assurances (and proof?) they understand the balancing that must be done, can the automated system presume that the balancing test has been satisfied. Of course, accreditation could be revoked if it comes to light that inappropriate requests are being made.

In one simple case, if a UDRP provider (who is authenticated as such) makes a request claiming it is for an ongoing UDRP process, can it be presumed that it is an authentic request and simply grant it. A less clear case is that of a cyber security researcher who has been properly accredited (the Anti-Phishing WG as an example).

Perhaps other specific cases should be cited in the question, but we do need guidance in the general case.

Without being able to rely on the reputation and assurances of the requester, I do not see how ANY automated process will be possible.

Alan
participants (5)
- Alan Greenberg
- Greg Aaron
- Mark Svancarek (CELA)
- Mueller, Milton L
- Stephanie Perrin