Re: [Gnso-epdp-team] Section 4.4.8
Hi Mark,
Thanks for your email and for giving me the opportunity to clarify my remarks. I don’t want to suggest that we should ignore the contents of the Recitals — but we should not treat Recitals the same as we treat the Articles of the GDPR, because the Recitals have no independent legal value and are subordinate to, and cannot contradict, the legislative provisions. I did not see that distinction being made in the message that I responded to.
It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR.
Best wishes,
Ayden Férdeline
P.S. Hopefully my response is received, as I will shortly be losing posting rights to this list, as I have appointed an alternate for this week’s calls.
On 17 Sep 2018, at 01:47, Mark Svancarek (CELA) <marksv@microsoft.com> wrote:
Ayden, I don’t understand your logic that a Recital from the current version of GDPR would be a less relevant source of insight than an Opinion of A29 from 2014 regarding a Directive which has itself been superseded by GDPR.
From Recital 47: “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing”
In the pre-GDPR world, I think that the data subject *might* have had a reason to expect further processing based on preventing fraud in some undefined fashion (though *probably not*) and the data subject *would not* have had a reason to expect further processing for direct marketing purposes. (I use these examples simply because they are mentioned in the Recital.)
In the new policy that we are creating, we should make it very clear to the data subject at the time of collection that the data may possibly be used for defined anti-fraud purposes.
/marksv
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Ayden Férdeline
Sent: Sunday, September 16, 2018 8:08 AM
To: Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg>
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] Section 4.4.8
Hi Hadia,
If we consider Recital 47 in its entirety and thus in its context, I don’t think it necessarily means what you say it does. The same goes for Recital 49.
But let’s not get ahead of ourselves. We need to distinguish between a Recital of the GDPR and an Article of the GDPR, as they are not the same. While the recitals may inform the interpretation of the GDPR's articles, they are not legally binding. Only the GDPR's articles are binding instruments.
I would suggest that we should be considering published guidance from the Article 29 Working Party on what a legitimate interest is. In [Opinion 06/2014](http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf) on the “Notion of Legitimate Interests”, they caution that legitimate interests “should thus not be considered as 'the weakest link' or an open door to legitimise all data processing activities which do not fall under any of the other legal grounds” for processing. Rather, it is intended to give “necessary flexibility for data controllers for situations where there is no undue impact on data subjects.”
That’s the important distinction here. Anyone who intends to use personal data must balance its own legitimate interest against the rights of the data subject, and also against the data subject’s interests, irrespective of whether those interests are legitimate or not. See Article 6(f) of the GDPR.
Best wishes,
Ayden Férdeline
On 16 Sep 2018, at 16:43, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi Amr and All,
I don't think that a final agreement was actually reached on moving items 4.4.2, 4.4.8, 4.4.9 and 4.4.10 from under the header “Purposes for Processing gTLD Registration Data”.
The whole confusion, in my opinion, comes from two considerations: the first is our lack of understanding of the interests, which lets us sometimes put some interests that are typically ICANN purposes as third party purposes, and the second is that when we talk about data processing we mix collection with disclosure.
Recital 47 of the GDPR states that "The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned". Therefore fraud prevention constitutes a legitimate interest, and recital 49 of the GDPR states that the necessary and proportionate processing for network security also constitutes a legitimate interest. So when we speak about the original text of 4.4.8
"Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;" First, we should not deduce that the text speaks only about the access; in order to have a framework through which access can be provided you should also have the data itself (that is the collection of the data). Second, I would argue that the collection of the data for the above purpose is not only a third party's purpose but it is also an ICANN purpose.
As for the difference between a framework and a model, a framework is a guide or some principles that make you implement the model, while the model is the tool itself. I would rather see the actual model than just the principles.
From: Amr Elsadr [mailto:aelsadr@protonmail.ch]
Sent: Thursday, September 13, 2018 2:03 PM
To: Arasteh
Cc: Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] Section 4.4.8
Hi Hadia and Kavouss,
The volunteer team working on 4.4.8 did so with the understanding that sections 4.4.2, 4.4.8, 4.4.9 and 4.4.10 would be moved out from under the header “Purposes for Processing gTLD Registration Data”. This was following Kurt’s email to the EPDP list on 4 September, titled “Project Plan Adjustments and Policy Organization”.
We did consider an earlier suggestion by Mark, to split the processing purposes into two lists, one to achieve the purposes of controllers and one of third-parties. However, we did not pursue this too aggressively. Speaking for myself, I agree that 4.4.8, in both its original and proposed altered forms, does not describe purposes for processing (for any party).
I am not sure why a “model” would be preferable to a “framework”, so if you could elaborate on why you believe it to be more specific, I would be grateful. Within NCSG, we have considered both these terms, as well as others such as “Methodology” and “Mechanism”. We haven’t settled on any one, just yet.
As Alex suggested in his original email, this is still a tentative proposal. We like it, or at least prefer it to other alternatives previously suggested, but we’re not exactly married to it just yet. :-)
Thanks.
Amr
On Sep 13, 2018, at 12:49 PM, Arasteh <kavouss.arasteh@gmail.com> wrote:
Dear All
I agree almost with what Hadia said
Kavouss
Sent from my iPhone
On 13 Sep 2018, at 10:45, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi All,
Dear Alex and Amr,
First off, thank you for your effort and time on this proposal. But are you saying that among the purposes of the processing of the data is the "identification of third-parties with legitimate interests"? This is surely not one of the purposes for the processing of the data, therefore I suggest removing it.
So my suggestion would be:
4.4.8 Supporting a Model that provides access to parties with legitimate interests grounded in legal bases to Registration Data relevant to addressing specific issues involving domain name registrations; such as issues related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
I put model as I think it is more specific but I am fine with using the term framework if you see it more appropriate. I also suggest adding "such as issues related to" which would serve to provide examples of third parties with legitimate interest.
Kind Regards
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Alex Deacon
Sent: Tuesday, September 11, 2018 10:34 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] Section 4.4.8
Hi All,
As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec.
While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
4.4.8 Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues involving domain name registrations related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
The non-bold text was suggested by Amr/NCSG and the added bold text was an update suggested by me/IPC and supported by the BC.
Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts.
Alex
--
___________
Alex Deacon
Cole Valley Consulting
alex@colevalleyconsulting.com
+1.415.488.6009
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Hi Ayden,
You say in your email below "It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR"
Just a quick clarification normally recitals are used by the court of justice to establish what any directive means. However you should keep in mind that the recitals of the GDPR are not only going to be used by the courts of justice but also by the European Data Protection Board (EDPB) when carrying its role in ensuring that the regulation is applied.
Hadia
From: Ayden Férdeline [mailto:icann@ferdeline.com] Sent: Monday, September 17, 2018 9:12 AM To: Mark Svancarek Cc: Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Section 4.4.8
Hi Mark,
Thanks for your email and for giving me the opportunity to clarify my remarks.
I don’t want to suggest that we should ignore the contents of the Recitals — but we should not treat Recitals the same as we treat the Articles of the GDPR, because the Recitals have no independent legal value and are subordinate to, and cannot contradict, the legislative provisions. I did not see that distinction being made in the message that I responded to.
It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR
Best wishes,
Ayden Férdeline
P.S. Hopefully my response is received, as I will shortly be losing posting rights to this list, as I have appointed an alternate for this week’s calls.
I fully support the view points and arguments submitted by Mark and Hadia. I think arguments launched by Ayden are a narrow thinking and soft reading of the process. Art. 29 SHALL NOT prevail over the basic requirements and mandatory provisions of GDPR
Regards
Kavouss
On Mon, Sep 17, 2018 at 9:29 AM Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi Ayden,
You say in your email below " It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR"
Just a quick clarification normally recitals are used by the court of justice to establish what any directive means. However you should keep in mind that the recitals of the GDPR are not only going to be used by the courts of justice but also by the European Data Protection Board (EDPB) when carrying its role in ensuring that the regulation is applied.
Hadia
*From:* Ayden Férdeline [mailto:icann@ferdeline.com] *Sent:* Monday, September 17, 2018 9:12 AM *To:* Mark Svancarek *Cc:* Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Section 4.4.8
Hi Mark,
Thanks for your email and for giving me the opportunity to clarify my remarks.
I don’t want to suggest that we should ignore the contents of the Recitals — but we should not treat Recitals the same as we treat the Articles of the GDPR, because the Recitals have no independent legal value and are subordinate to, and cannot contradict, the legislative provisions. I did not see that distinction being made in the message that I responded to.
It is true that the opinions of A29 were also non-binding, but their guidance should carry weight and credibility with us, because EU Courts have typically taken their opinions into consideration, and now that A29 has morphed into the Data Protection Board, it has new legal powers and their previous opinions heavily shaped the construction of the GDPR
Best wishes,
Ayden Férdeline
P.S. Hopefully my response is received, as I will shortly be losing posting rights to this list, as I have appointed an alternate for this week’s calls.
On 17 Sep 2018, at 01:47, Mark Svancarek (CELA) <marksv@microsoft.com> wrote:
Ayden, I don’t understand your logic that a Recital from the current version of GDPR would be a less relevant source of insight than an Opinion of A29 from 2014 regarding a Directive which has itself been superseded by GDPR.
From Recital 47: “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing”
In the pre-GDPR world, I think that the data subject **might** have had a reason to expect further processing based on preventing fraud in some undefined fashion (though **probably not**) and the data subject **would not** have had a reason to expect further processing for direct marketing purposes. (I use these examples simply because they are mentioned in the Recital.)
In the new policy that we are creating, we should make it very clear to the data subject at the time of collection that the data may possibly be used for defined anti-fraud purposes.
/marksv
*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of* Ayden Férdeline *Sent:* Sunday, September 16, 2018 8:08 AM *To:* Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Section 4.4.8
Hi Hadia,
If we consider Recital 47 in its entirety and thus in its context, I don’t think it necessarily means what you say it does. The same goes for Recital 49.
But let’s not get ahead of ourselves. We need to distinguish between a Recital of the GDPR and an Article of the GDPR, as they are not the same. *While the recitals may inform the interpretation of the GDPR's articles, they are not legally binding. Only the GDPR's articles are binding instruments.*
I would suggest that we should be considering published guidance from the Article 29 Working Party on what a legitimate interest is. In Opinion 06/2014 <http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf> on the “Notion of Legitimate Interests”, they caution that legitimate interests "should thus not be considered as 'the weakest link' or an open door to legitimise all data processing activities which do not fall under any of the other legal grounds” for processing. Rather, it is intended to give "necessary flexibility for data controllers for situations where there is no undue impact on data subjects.”
That’s the important distinction here. Anyone who intends to use personal data must balance its own legitimate interest against the rights of the data subject, *and also against the data subject’s interests*, irrespective of whether those interests are legitimate or not. See Article 6(f) of the GDPR.
Best wishes,
Ayden Férdeline
On 16 Sep 2018, at 16:43, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi Amr and All,
I don't think that a final agreement was actually reached on moving items 4.4.2, 4.4.8, 4.4.9 and 4.4.10 from under the header “Purposes for Processing gTLD Registration Data”.
The whole confusion in my opinion comes from two considerations the first is our lack of understanding of the interests which lets us sometimes put some interests that are typically ICANN purposes as third party purposes and the second is that when we talk about data processing we mix collection with disclosure.
Recital 47 of the GDPR states that " The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned" Therefore fraud prevention constitutes a legitimate interest, and recital 49 of the GDPR states that the necessary and proportionate processing for network security also constitutes a legitimate interest. So when we speak about the original text of 4.4.8
"Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;" First we should not deduce that the text speaks only about the access, in order to have a framework through which access can be provided you should also have the data itself (that is the collection of the data). Second I would argue that the collection of the data for the above purpose is not only a third party's purpose but it is also an ICANN purpose
As for the difference between a framework and a model, a framework is a guide or some principles that make you implement the model, while the model is the tool itself. I would rather see the actual model than just the principles.
*From:* Amr Elsadr [mailto:aelsadr@protonmail.ch] *Sent:* Thursday, September 13, 2018 2:03 PM *To:* Arasteh *Cc:* Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Section 4.4.8
Hi Hadia and Kavouss,
The volunteer team working on 4.4.8 did so with the understanding that sections 4.4.2, 4.4.8, 4.4.9 and 4.4.10 would be moved out from under the header “Purposes for Processing gTLD Registration Data”. This was following Kurt’s email to the EPDP list on 4 September, titled “Project Plan Adjustments and Policy Organization”.
We did consider an earlier suggestion by Mark; to split the processing purposes to two lists, one to achieve the purposes of controllers and one of third-parties. However, we did not pursue this too aggressively. Speaking for myself, I agree that 4.4.8 in both its original and proposed altered forms do not describe purposes for processing (for any party).
I am not sure why a “model” would be preferable to a “framework”, so if you could elaborate on why you believe it to be more specific, I would be grateful. Within NCSG, we have considered both these terms, as well as others such as “Methodology” and “Mechanism”. We haven’t settled on any one, just yet.
As Alex suggested in his original email, this is still a tentative proposal. We like it, or at least prefer it to other alternatives previously suggested, but we’re not exactly married to it just yet. :-)
Thanks.
Amr
On Sep 13, 2018, at 12:49 PM, Arasteh <kavouss.arasteh@gmail.com> wrote:
Dear All
I agree almost with what Hadia said
Kavouss
Sent from my iPhone
On 13 Sep 2018, at 10:45, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi All,
Dear Alex and Amr,
First off, thank you for your effort and time on this proposal. But are you saying that among the purposes of the processing of the data is the "identification of third-parties with legitimate interests"? This is surely not one of the purposes for the processing of the data, therefore I suggest removing it.
So my suggestion would be.
4.4.8 Supporting a Model that provides access to parties with legitimate interests grounded in legal bases to Registration Data relevant to addressing specific issues involving domain name registrations; such as issues related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
I put model as I think it is more specific but I am fine with using the term framework if you see it more appropriate. I also suggest adding "such as issues related to" which would serve to provide examples of third parties with legitimate interest.
Kind Regards
Hadia
*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of* Alex Deacon *Sent:* Tuesday, September 11, 2018 10:34 PM *To:* gnso-epdp-team@icann.org *Subject:* [Gnso-epdp-team] Section 4.4.8
Hi All,
As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec.
While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
4.4.8 Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues involving domain name registrations *related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.*
The non-bold text was suggested by Amr/NCSG and the added bold text was an update suggested by me/IPC and supported by the BC.
Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts.
Alex
--
___________
*Alex Deacon*
Cole Valley Consulting
alex@colevalleyconsulting.com
+1.415.488.6009
Mark you have just said what was actually on my mind when I wrote the previous email. When you give your address to a burger shop to deliver you a burger you expect him to use it for such purpose and not give it to the pasta place next door for marketing purposes. When you give your data to register a domain you should expect that the data will be used in issues related to domain names and nothing else. Combating fraud in the domain names space is one of the issues related to domain names registration and yes indeed data subjects be enlightened about the matter and I agree that this should be mentioned in the new specification. Ayden as for what the recitals say or do not say, I shall leave this to the legal people, however I would like to note that recitals establish what any regulation means. Best hadia From: Mark Svancarek (CELA) [mailto:marksv@microsoft.com] Sent: Monday, September 17, 2018 1:48 AM To: Ayden Férdeline; Hadia Abdelsalam Mokhtar EL miniawi Cc: gnso-epdp-team@icann.org Subject: RE: [Gnso-epdp-team] Section 4.4.8 Ayden, I don’t understand your logic that a Recital from the current version of GDPR would be a less relevant source of insight than an Opinion of A29 from 2014 regarding a Directive which has itself been superseded by GDPR. From Recital 47: “The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing” In the pre-GDPR world, I think that the data subject *might* have had a reason to expect further processing based on preventing fraud in some undefined fashion (though *probably not*) and the data subject *would not* have had a reason to expect further processing for direct marketing purposes. (I use these examples simply because they are mentioned in the Recital.) 
In the new policy that we are creating, we should make it very clear to the data subject at the time of collection that the data may possibly be used for defined anti-fraud purposes. /marksv From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Ayden Férdeline Sent: Sunday, September 16, 2018 8:08 AM To: Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Section 4.4.8 Hi Hadia, If we consider Recital 47 in its entirety and thus in its context, I don’t think it necessarily means what you say it does. The same goes for Recital 49. But let’s not get ahead of ourselves. We need to distinguish between a Recital of the GDPR and an Article of the GDPR, as they are not the same. While the recitals may inform the interpretation of the GDPR's articles, they are not legally binding. Only the GDPR's articles are binding instruments. I would suggest that we should be considering published guidance from the Article 29 Working Party on what a legitimate interest is. In Opinion 06/2014<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fec.europa.eu%2Fjustice%2Farticle-29%2Fdocumentation%2Fopinion-recommendation%2Ffiles%2F2014%2Fwp217_en.pdf&data=02%7C01%7Cmarksv%40microsoft.com%7C6adbb61be8a54c02826508d61be645d4%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636727073200055158&sdata=LSQvf6gGN3Bcf%2Bq6gmcKA5Nadda26oXBLRzFfS9%2BdYk%3D&reserved=0> on the “Notion of Legitimate Interests”, they caution that legitimate interests "should thus not be considered as 'the weakest link' or an open door to legitimise all data processing activities which do not fall under any of the other legal grounds” for processing. Rather, it is intended to give "necessary flexibility for data controllers for situations where there is no undue impact on data subjects.” That’s the important distinction here. 
Anyone who intends to use personal data must balance its own legitimate interest against the rights of the data subject, and also against the data subject’s interests, irrespective of whether those interests are legitimate or not. See Article 6(f) of the GDPR. Best wishes, Ayden Férdeline On 16 Sep 2018, at 16:43, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg<mailto:Hadia@tra.gov.eg>> wrote: Hi Amr and All, I don't think that a final agreement was actually reached on moving items 4.4.2, 4.4.8, 4.4.9 and 4.4.10 from under the header “Purposes for Processing gTLD Registration Data”. The whole confusion in my opinion comes from two considerations the first is our lack of understanding of the interests which lets us sometimes put some interests that are typically ICANN purposes as third party purposes and the second is that when we talk about data processing we mix collection with disclosure. Recital 47 of the GDPR states that " The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned" Therefore fraud prevention constitutes a legitimate interest, and recital 49 of the GDPR states that the necessary and proportionate processing for network security also constitutes a legitimate interest. So when we speak about the original text of 4.4.8 "Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection;" First we should not deduce that the text speaks only about the access, in order to have a framework through which access can be provided you should also have the data itself (that is the collection of the data). 
Second I would argue that the collection of the data for the above purpose is not only a third party's purpose but it is also an ICANN purpose As for the difference between a framework and a model, a framework is a guide or some principles that make you implement the model, while the model is the tool itself. I would rather see the actual model than just the principles. From: Amr Elsadr [mailto:aelsadr@protonmail.ch] Sent: Thursday, September 13, 2018 2:03 PM To: Arasteh Cc: Hadia Abdelsalam Mokhtar EL miniawi; gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Section 4.4.8 Hi Hadia and Kavouss, The volunteer team working on 4.4.8 did so with the understanding that sections 4.4.2, 4.4.8, 4.4.9 and 4.4.10 would be moved out from under the header “Purposes for Processing gTLD Registration Data”. This was following Kurt’s email to the EPDP list on 4 September, titled “Project Plan Adjustments and Policy Organization”. We did consider an earlier suggestion by Mark; to split the processing purposes to two lists, one to achieve the purposes of controllers and one of third-parties. However, we did not pursue this too aggressively. Speaking for myself, I agree that 4.4.8 in both its original and proposed altered forms do not describe purposes for processing (for any party). I am not sure why a “model” would be preferable to a “framework”, so if you could elaborate on why you believe it to be more specific, I would be grateful. Within NCSG, we have considered both these terms, as well as others such as “Methodology” and “Mechanism”. We haven’t settled on any one, just yet. As Alex suggested in his original email, this is still a tentative proposal. We like it, or at least prefer it to other alternatives previously suggested, but we’re not exactly married to it just yet. :-) Thanks. 
Amr
On Sep 13, 2018, at 12:49 PM, Arasteh <kavouss.arasteh@gmail.com> wrote:
Dear All I agree almost with what Hadia said Kavouss Sent from my iPhone
On 13 Sep 2018, at 10:45, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi All, Dear Alex and Amr, First off thank you for your effort and time on this proposal. But are you saying that among the purposes of the processing of the data is the "identification of third-parties with legitimate interests". This is surely not one of the purposes for the processing of the data therefore I suggest removing it. So my suggestion would be. 4.4.8 Supporting a Model that provides access to parties with legitimate interests grounded in legal bases to Registration Data relevant to addressing specific issues involving domain name registrations; such as issues related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection. I put model as I think it is more specific but I am fine with using the term framework if you see it more appropriate. I also suggest adding "such as issues related to" which would serve to provide examples of third parties with legitimate interest. Kind Regards Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Alex Deacon Sent: Tuesday, September 11, 2018 10:34 PM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] Section 4.4.8
Hi All, As you know a group of us has been working to recommend an update to Section 4.4.8 of the temp spec. While we haven't come to full agreement on the update, we are pretty close and wanted to share the current/tentative output of the volunteer team with the broader team.
4.4.8 Supporting a framework that enables identification of third-parties with legitimate interests grounded in legal bases, and providing these third-parties with access to Registration Data relevant to addressing specific issues involving domain name registrations related to consumer protection, investigation of cybercrime, DNS abuse and intellectual property protection.
The non-bold text was suggested by Amr/NCSG and the added bold text was an update suggested by me/IPC and supported by the BC. Giving it a re-read again today I think additional word-smithing could be warranted, but for now I will resist and step away and let others share their thoughts. Alex
--
Alex Deacon Cole Valley Consulting alex@colevalleyconsulting.com +1.415.488.6009
_______________________________________________
Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
participants (4)
- Ayden Férdeline
- Hadia Abdelsalam Mokhtar EL miniawi
- Kavouss Arasteh
- Mark Svancarek (CELA)