Observations on the EC Letter Shared Today
Dear all:

I appreciate the perspectives shared so far. From a high level, the EC letters are very helpful for us to arrive at some conclusions. Let me share some thoughts from the BC.

First, there’s little in today’s letter that’s new. In fact, it’s repetitious, as the author points out. Prior communications from the EC show they’ve advised that:

* A solution to non-public data access must be a priority, and an immediate one.
* The EC supports an access model, provided it is within the bounds of GDPR law.
* The current “no access” situation is degrading the ability of LEAs, cybersecurity authorities and others to perform in their roles; thus, the need for a speedy solution.
* Access by Law Enforcement uses a different basis than 6(1)f and should be treated differently than other types of 3rd party access.
* No conflation should be made between ICANN’s purposes and those of third parties (e.g., ICANN’s purposes can’t be used by others to justify access – a separate legitimate purpose is required).
* WHOIS is in the public interest.

These points were made in the previous communications from the EC, and are now echoed in today’s letter.

From the perspective of the BC, the themes in today’s letter are familiar:

* We need an access model quickly. According to the letter:

  “…we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR). The European Commission considers this to be both vital and urgent, and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively.”

  and

  “Your understanding is correct that we do not suggest that ICANN or the contracted parties should not be able to disclose registration data to third parties. On the contrary, finding a timely and workable solution for access to non-public gTLD registration data is a matter of priority.”

* Don’t conflate purposes, and don’t unnecessarily restrict the definition of ICANN’s purposes. A simple fix here is to split Purpose 2 into two purposes, where one focuses on ICANN’s purpose, and the second one focuses on the third party purposes allowable under GDPR.
* A unified system for third party access, for multiple parties, is necessary. The EC letter recognizes that the current situation is unworkable. Volker’s statement that “Disclosure can only work on a per-request basis…” seems to contradict the EC’s concerns regarding the current situation where access is “left at the discretion of registries and registrars”. As noted in the letter, this affects the … “ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime.”
* The Final Report was Too Restrictive. The EC letters clearly state that WHOIS is in the public interest, and that the EPDP Final Report was too restrictive when it only relied on Article 6(1)(f) as the legal basis for the new policy. This is consistent with the BC’s position in Phase 1. We need to update our analysis to recognize the other bases applicable (consent (Art. 6(1)a); performance of a contract (Art. 6(1)b); compliance with a legal obligation (Art. 6(1)c); protection of vital interest (Art. 6(1)d); and public interest (Art. 6(1)e)), and ask that Bird & Bird revisit its legal analysis in light of these developments.
* The EC Guidance Reduces GDPR Risk. The EC letter notes that it has facilitated discussions between ICANN and the EDPB, and will continue to do so. This is good news, and means that the advice likely reflects input from those discussions. Following this advice should reduce GDPR risk for ICANN and contracted parties in creating a UAM.

Therefore, on the points of access and purposes, the BC submits that the wording of today’s EC letter leaves little room for creative interpretation. They have repeated now, several times, the points listed above, and have done so clearly. As I say, there’s little new here. We believe it’s time to expeditiously move forward with Phase 2 and establish an access model that balances the needs of all parties.

All the best,
Margie and Mark, on behalf of the BC
Hi Margie,
* _A unified system for third party access, for multiple parties, is necessary_. The EC letter recognizes that the current situation is unworkable. Volker’s statement that “Disclosure can only work on a per-request basis…” seems to contradict the EC’s concerns regarding the current situation where access is “left at the discretion of registries and registrars”. As noted in the letter, this affects the … “ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime.”
This need not be a contradiction. Currently, contracted parties bear the legal risk for any non-compliant disclosure, so if that issue is fixed, the level of discretion can be reduced. Also, the model may include stricter guidelines for both contracted parties that create a much higher level of predictability towards the results of each request. But even if the discretion is placed elsewhere, away from contracted parties, someone somewhere will have to make a determination whether any particular request demonstrates a legitimate interest of the requester that outweighs the rights of the data subject. In other words: The UDM is needed and wanted, but it needs to comply with the legal principles of the GDPR. Or as the letter clearly states: "Such a unified access model should be fully in line with EU data protection rules, in particular the GDPR." If that goal is missed, any model we design would be doomed to fail.
* _The Final Report was Too Restrictive_. The EC letters clearly state that WHOIS is in the public interest, and that the EPDP Final Report was too restrictive when it only relied on Article 6(1)(f) as the legal basis for the new policy. This is consistent with the BC’s position in Phase 1. We need to update our analysis to recognize the other bases applicable (consent (Art. 6(1)a); performance of a contract (Art. 6(1)b); compliance with a legal obligation (Art. 6(1)c); protection of vital interest (Art. 6(1)d); and public interest (Art. 6(1)e)), and ask that Bird & Bird revisit its legal analysis in light of these developments.
It is clear that other bases are possible; however, they all come with their own set of issues that will have to be addressed once we get to that. Any legal review would have to factor in such issues, so it is too early to call for a review without first being able to define the scope of such a review.
* _The EC Guidance Reduces GDPR Risk_. The EC letter notes that it has facilitated discussions between ICANN and the EDPB, and will continue to do so. This is good news, and means that the advice likely reflects input from those discussions. Following this advice should reduce GDPR risk for ICANN and contracted parties in creating a UAM.
I agree in as much as keeping the discussion going reduces the risk of immediate DPA compliance action; however, this is not a carte blanche. If we were to develop something that has legal issues, the risk of contracted parties may actually increase, as ICANN and by extension the CPs have been told repeatedly to get into compliance, and if that is not achieved, we may be subject to harsher penalties than if no such advice had been received.
Therefore, on the points of access and purposes, the BC submits that the wording of today’s EC letter leaves little room for creative interpretation. They have repeated now, several times, the points listed above, and have done so clearly.
Agreed. I never fully understood the quest for clarity by ICANN as I felt that the DPAs and the EC have always been quite clear.

--
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Hi, Volker, my comments are inline, below. Please LMK if they are not clear or helpful /marksv

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann
Sent: Monday, May 6, 2019 02:57
To: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] Observations on the EC Letter Shared Today

Hi Margie,

* A unified system for third party access, for multiple parties, is necessary. The EC letter recognizes that the current situation is unworkable. Volker’s statement that “Disclosure can only work on a per-request basis…” seems to contradict the EC’s concerns regarding the current situation where access is “left at the discretion of registries and registrars”. As noted in the letter, this affects the … “ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime.”

This need not be a contradiction. Currently, contracted parties bear the legal risk for any non-compliant disclosure, so if that issue is fixed, the level of discretion can be reduced. Also, the model may include stricter guidelines for both contracted parties that create a much higher level of predictability towards the results of each request.

[Mark Svancarek] Regarding non-contradiction: Perhaps we are talking past each other – maybe we are in agreement but using different terms. We tried to develop terminology defining “disclosure” and “access” and other things during Phase 1, but we started too late and we weren’t completely successful. Developing a shared terminology/taxonomy earlier in Phase 2 will benefit us all.

But even if the discretion is placed elsewhere, away from contracted parties, someone somewhere will have to make a determination whether any particular request demonstrates a legitimate interest of the requester that outweighs the rights of the data subject.

[Mark Svancarek] Regarding discretion: Regardless whether responsibility resides with contracted parties, or moves elsewhere, I’d like us to confirm whether the discretion can be programmatic and automatable.

[Mark Svancarek] (That is, if a currently accredited party is currently authorized to perform specific processing of specific data under a specific legal basis in a jurisdiction and under a specific code of conduct, and if the identity of the party can be authenticated in a secure fashion, and if the system can be audited, then the process of authorizing the disclosure of data based on these criteria and these proofs of identity and authorization could probably be programmatically approved in an automated fashion over time, with only a small number of exceptional cases requiring additional scrutiny.)

In other words: The UDM is needed and wanted, but it needs to comply with the legal principles of the GDPR. Or as the letter clearly states: "Such a unified access model should be fully in line with EU data protection rules, in particular the GDPR." If that goal is missed, any model we design would be doomed to fail.

[Mark Svancarek] I don’t think anyone ever disagreed that we must be compliant 😊 We just didn’t have full certainty which designs are defensible, so we are still working in part from our own existing assumptions (such as mine, above). I think we’ve made progress, though (latest B&B opinions; EC letters; etc.) so I remain confident that we won’t remain blocked for too long.

* The Final Report was Too Restrictive. The EC letters clearly state that WHOIS is in the public interest, and that the EPDP Final Report was too restrictive when it only relied on Article 6(1)(f) as the legal basis for the new policy. This is consistent with the BC’s position in Phase 1. We need to update our analysis to recognize the other bases applicable (consent (Art. 6(1)a); performance of a contract (Art. 6(1)b); compliance with a legal obligation (Art. 6(1)c); protection of vital interest (Art. 6(1)d); and public interest (Art. 6(1)e)), and ask that Bird & Bird revisit its legal analysis in light of these developments.

It is clear that other bases are possible; however, they all come with their own set of issues that will have to be addressed once we get to that. Any legal review would have to factor in such issues, so it is too early to call for a review without first being able to define the scope of such a review.

[Mark Svancarek] Probably another example of “need not be a contradiction”.

* The EC Guidance Reduces GDPR Risk. The EC letter notes that it has facilitated discussions between ICANN and the EDPB, and will continue to do so. This is good news, and means that the advice likely reflects input from those discussions. Following this advice should reduce GDPR risk for ICANN and contracted parties in creating a UAM.

I agree in as much as keeping the discussion going reduces the risk of immediate DPA compliance action; however, this is not a carte blanche. If we were to develop something that has legal issues, the risk of contracted parties may actually increase, as ICANN and by extension the CPs have been told repeatedly to get into compliance, and if that is not achieved, we may be subject to harsher penalties than if no such advice had been received.

[Mark Svancarek] I would hope potential penalties would only be harsher if we disregarded the advice. I don’t know that we can demonstrate best effort or good faith if we don’t ask clarifying questions up front… but maybe I misunderstood your comment, sorry.

Therefore, on the points of access and purposes, the BC submits that the wording of today’s EC letter leaves little room for creative interpretation. They have repeated now, several times, the points listed above, and have done so clearly.

Agreed. I never fully understood the quest for clarity by ICANN as I felt that the DPAs and the EC have always been quite clear.

--
Volker A. Greimann, General Counsel and Policy Manager, KEY-SYSTEMS GMBH
Participants (3): Margie Milam, Mark Svancarek (CELA), Volker Greimann