European Commission comments on Phase 1 report
Dear fellow members, the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2: https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904... "/The European Commission recognises this (the recommendation of purposes and association with processing activities) as a *long due and important step forward* in the ongoing reform of the WHOIS system. //Having a clear definition of the purposes for the processing of the data in the WHOIS system is an *essential pre-requisite* for ensuring a GDPR-compliant system./" "/the overall model would benefit from *making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items.*/" "/Accordingly, the European Commission considers that *the purposes* for processing WHOIS personal data by ICANN and/or the contracted parties *should not include enabling access by third parties*. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must *not be conflated with the interests of third parties* in accessing registration data./" "/Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between*ICANN’s own purposes* (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties./" "/In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest*needs to outweigh* the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The *balancing is *thus *a responsibility* (*not a prerogative*) of the data controller./" "/*Third parties seeking access also need a legal basis for processing the data*. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of *such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained*. This IPR rightholder might rely on Art. 6(1) (f)./" "/*GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities*/". "/With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an *international data transfer *under the GDPR should be considered./ (...) it is also necessary to identify *an appropriate legal ground *for the international transfer" "/the current situation is affecting EU Member State *authorities’ ability* to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime/" All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations. -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Thank you for highlighting this important and useful contribution, Volker. -- Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, April 18, 2019 4:37 PM, Volker Greimann <vgreimann@key-systems.net> wrote:
Dear fellow members,
the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2:
https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904...
"The European Commission recognises this (the recommendation of purposes and association with processing activities) as a long due and important step forward in the ongoing reform of the WHOIS system. Having a clear definition of the purposes for the processing of the data in the WHOIS system is an essential pre-requisite for ensuring a GDPR-compliant system."
"the overall model would benefit from making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items."
"Accordingly, the European Commission considers that the purposes for processing WHOIS personal data by ICANN and/or the contracted parties should not include enabling access by third parties. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must not be conflated with the interests of third parties in accessing registration data."
"Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between ICANN’s own purposes (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties."
"In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest needs to outweigh the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The balancing is thus a responsibility (not a prerogative) of the data controller."
"Third parties seeking access also need a legal basis for processing the data. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained. This IPR rightholder might rely on Art. 6(1) (f)."
"GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities".
"With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an international data transfer under the GDPR should be considered. (...) it is also necessary to identify an appropriate legal ground for the international transfer"
"the current situation is affecting EU Member State authorities’ ability to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime"
All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Indeed, thanks Volker. It is both important and useful. It is also confusing although that may only be to me. What is said below appears to be directly at odds with things being said by the DPAs and EC representatives. In its statement of 27 May 2018 (https://edpb.europa.eu/news/news/2018/european-data-protection-board-endorse... <https://edpb.europa.eu/news/news/2018/european-data-protection-board-endorse...>) the EDPB said: "As expressed also in earlier correspondence with ICANN (including this letter <http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48839> of December 2017 and this letter <http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51...> of April 2018), WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data." And during a Board GAC call last week on the Kobe GAC Communique (https://gac.icann.org/minutes/gac%20kobe%20communiqué%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf) <https://gac.icann.org/minutes/gac%20kobe%20communiqu%C3%A9%20-%20gac-board%2...> in a discussion about the need for an access model, the work carried out by the Technical Study Group to design one and how ICANN can get legal advice for the DPAs about the legality of that model, the Commission said that although it was not is a position to speak for the EU member of the GAC...: "European Commission reiterated its willingness to help facilitate communications with DPAs, and in particular the Belgian DPAs who it indicated has been chosen to be the lead DPA on this issue for the EU, a European Commission further suggested a two-step process: first, considering with legal advisors implementation options to achieve the aims of the EPDP report; and second, start consulting with the lead DPA to get their views before consulting the full EDPB once more, with facilitation from the Commission as needed" I’m struggling to align the above with the input below. Cheers, Chris
On 18 Apr 2019, at 16:08, Ayden Férdeline <icann@ferdeline.com> wrote:
Thank you for highlighting this important and useful contribution, Volker.
-- Ayden
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, April 18, 2019 4:37 PM, Volker Greimann <vgreimann@key-systems.net> wrote:
Dear fellow members,
the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2:
https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904... <https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904...> "The European Commission recognises this (the recommendation of purposes and association with processing activities) as a long due and important step forward in the ongoing reform of the WHOIS system. Having a clear definition of the purposes for the processing of the data in the WHOIS system is an essential pre-requisite for ensuring a GDPR-compliant system."
"the overall model would benefit from making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items."
"Accordingly, the European Commission considers that the purposes for processing WHOIS personal data by ICANN and/or the contracted parties should not include enabling access by third parties. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must not be conflated with the interests of third parties in accessing registration data."
"Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between ICANN’s own purposes (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties."
"In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest needs to outweigh the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The balancing is thus a responsibility (not a prerogative) of the data controller."
"Third parties seeking access also need a legal basis for processing the data. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained. This IPR rightholder might rely on Art. 6(1) (f)."
"GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities".
"With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an international data transfer under the GDPR should be considered. (...) it is also necessary to identify an appropriate legal ground for the international transfer"
"the current situation is affecting EU Member State authorities’ ability to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime"
All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations.
-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <http://www.key-systems.net/>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Thanks, Chris. I also read the EC letter with some confusion, so glad to see I wasn’t alone. I think it muddied the waters more than clarified them. At the dawn of Phase 2, we’re left with (1) There needs to be some process for disclosing redacted RDS data, and (2) that process needs to be compliant with GDPR. Those aren’t controversial, but we need our friends in Brussels to help this group reconcile the two. And this letter doesn’t provide much help in doing that. Thanks— J. ------------- James Bladel GoDaddy From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Chris Disspain <chris@disspain.uk> Date: Tuesday, April 23, 2019 at 10:26 To: Volker Greimann <vgreimann@key-systems.net> Cc: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] European Commission comments on Phase 1 report Indeed, thanks Volker. It is both important and useful. It is also confusing although that may only be to me. What is said below appears to be directly at odds with things being said by the DPAs and EC representatives. In its statement of 27 May 2018 (https://edpb.europa.eu/news/news/2018/european-data-protection-board-endorse...) the EDPB said: "As expressed also in earlier correspondence with ICANN (including this letter<http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48839> of December 2017 and this letter<http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51...> of April 2018), WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data." And during a Board GAC call last week on the Kobe GAC Communique (https://gac.icann.org/minutes/gac%20kobe%20communiqué%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf)<https://gac.icann.org/minutes/gac%20kobe%20communiqu%C3%A9%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf)> in a discussion about the need for an access model, the work carried out by the Technical Study Group to design one and how ICANN can get legal advice for the DPAs about the legality of that model, the Commission said that although it was not is a position to speak for the EU member of the GAC...: "European Commission reiterated its willingness to help facilitate communications with DPAs, and in particular the Belgian DPAs who it indicated has been chosen to be the lead DPA on this issue for the EU, a European Commission further suggested a two-step process: first, considering with legal advisors implementation options to achieve the aims of the EPDP report; and second, start consulting with the lead DPA to get their views before consulting the full EDPB once more, with facilitation from the Commission as needed" I’m struggling to align the above with the input below. Cheers, Chris On 18 Apr 2019, at 16:08, Ayden Férdeline <icann@ferdeline.com<mailto:icann@ferdeline.com>> wrote: Thank you for highlighting this important and useful contribution, Volker. -- Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, April 18, 2019 4:37 PM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Dear fellow members, the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2: https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904... "The European Commission recognises this (the recommendation of purposes and association with processing activities) as a long due and important step forward in the ongoing reform of the WHOIS system. Having a clear definition of the purposes for the processing of the data in the WHOIS system is an essential pre-requisite for ensuring a GDPR-compliant system." "the overall model would benefit from making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items." "Accordingly, the European Commission considers that the purposes for processing WHOIS personal data by ICANN and/or the contracted parties should not include enabling access by third parties. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must not be conflated with the interests of third parties in accessing registration data." "Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between ICANN’s own purposes (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties." "In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest needs to outweigh the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The balancing is thus a responsibility (not a prerogative) of the data controller." "Third parties seeking access also need a legal basis for processing the data. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained. This IPR rightholder might rely on Art. 6(1) (f)." "GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities". "With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an international data transfer under the GDPR should be considered. (...) it is also necessary to identify an appropriate legal ground for the international transfer" "the current situation is affecting EU Member State authorities’ ability to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime" All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<http://www.key-systems.net/> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Chris There is no inconsistency between the two statements. I am struggling to understand why key members of ICANN’s board do not understand this. Purposes determine what data is collected and how it can be used by the controller. Disclosure to third parties with legitimate interests is not a purpose ICANN has in collecting and using registrant data, but disclosure Is nevertheless something that can happen legally when certain conditions are met. When a credit card company collects PII about me, its purpose is to facilitate financial transactions, it is not to provide my name and address to the police. But legally, the police can request disclosure of that information from the credit card company under certain conditions set by law. What is so difficult to understand there? In the statements below, the EC merely insists, correctly, upon distinguishing between ICANN’s purposes for collecting and using registrant data, and its reasons for disclosing it to third parties. This does not rule out all disclosure to third parties with legitimate interests. During the EPDP deliberations, the same point was made repeatedly by public comments, and a majority of the EPDP members. The law is clear. Some in this debate are trying to erect a false dichotomy: either we have ICANN collecting and disclosing registrant data indiscriminately, as it did during the old Whois, or there is no disclosure to third parties at all. Do you really think this is the choice we have? --MM From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Chris Disspain Sent: Tuesday, April 23, 2019 11:26 AM To: Volker Greimann <vgreimann@key-systems.net> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] European Commission comments on Phase 1 report Indeed, thanks Volker. It is both important and useful. It is also confusing although that may only be to me. What is said below appears to be directly at odds with things being said by the DPAs and EC representatives. In its statement of 27 May 2018 (https://edpb.europa.eu/news/news/2018/european-data-protection-board-endorse...) the EDPB said: "As expressed also in earlier correspondence with ICANN (including this letter<http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48839> of December 2017 and this letter<http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51...> of April 2018), WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data." And during a Board GAC call last week on the Kobe GAC Communique (https://gac.icann.org/minutes/gac%20kobe%20communiqué%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf)<https://gac.icann.org/minutes/gac%20kobe%20communiqu%C3%A9%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf)> in a discussion about the need for an access model, the work carried out by the Technical Study Group to design one and how ICANN can get legal advice for the DPAs about the legality of that model, the Commission said that although it was not is a position to speak for the EU member of the GAC...: "European Commission reiterated its willingness to help facilitate communications with DPAs, and in particular the Belgian DPAs who it indicated has been chosen to be the lead DPA on this issue for the EU, a European Commission further suggested a two-step process: first, considering with legal advisors implementation options to achieve the aims of the EPDP report; and second, start consulting with the lead DPA to get their views before consulting the full EDPB once more, with facilitation from the Commission as needed" I’m struggling to align the above with the input below. Cheers, Chris On 18 Apr 2019, at 16:08, Ayden Férdeline <icann@ferdeline.com<mailto:icann@ferdeline.com>> wrote: Thank you for highlighting this important and useful contribution, Volker. -- Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, April 18, 2019 4:37 PM, Volker Greimann <vgreimann@key-systems.net<mailto:vgreimann@key-systems.net>> wrote: Dear fellow members, the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2: https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904... "The European Commission recognises this (the recommendation of purposes and association with processing activities) as a long due and important step forward in the ongoing reform of the WHOIS system. Having a clear definition of the purposes for the processing of the data in the WHOIS system is an essential pre-requisite for ensuring a GDPR-compliant system." "the overall model would benefit from making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items." "Accordingly, the European Commission considers that the purposes for processing WHOIS personal data by ICANN and/or the contracted parties should not include enabling access by third parties. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must not be conflated with the interests of third parties in accessing registration data." "Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between ICANN’s own purposes (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties." "In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest needs to outweigh the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The balancing is thus a responsibility (not a prerogative) of the data controller." "Third parties seeking access also need a legal basis for processing the data. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained. This IPR rightholder might rely on Art. 6(1) (f)." "GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities". "With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an international data transfer under the GDPR should be considered. (...) it is also necessary to identify an appropriate legal ground for the international transfer" "the current situation is affecting EU Member State authorities’ ability to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime" All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<http://www.key-systems.net/> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Hi Chris, I am with Milton here as I felt that the statements in the letter were more than clear when it comes to disclosures to law enforcement and third parties. The purposes of law enforcement and third parties are not purposes of ICANN and ICANN should stop trying to fit a square peg through the round hole of its own purposes. Law enforcement has legal rights under which access to data processed for various other purposes may be requested, for example under Art. 6 I (c) GDPR. Similarly, third parties will need a legal basis for any and every access request and controllers must in their own responsibility carry out a balancing between the rights of the data subject affected in each case and the rights of the requester. When they note under "Next Steps" that law enforcement needs a timely and workable solution going forward to ensure the ability of LEAs to access the data legitimately, that does not invalidate the basic legal assumptions they make before that. On the contrary, it supports their view that a disclosure model for LEAs that is compliant with the legal requirements as well as stable, transparent and predictable is necessary. No one said this was going to be easy but there is no contradiction in the letter when it comes to its messages. Best regards, Volker Greimann Am 23.04.2019 um 20:04 schrieb Mueller, Milton L:
Chris
There is no inconsistency between the two statements. I am struggling to understand why key members of ICANN’s board do not understand this.
Purposes determine what data is collected and how it can be used by the controller. Disclosure to third parties with legitimate interests is not a purpose ICANN has in collecting and using registrant data, but disclosure Is nevertheless something that can happen legally when certain conditions are met. When a credit card company collects PII about me, its purpose is to facilitate financial transactions, it is not to provide my name and address to the police. But legally, the police can request disclosure of that information from the credit card company under certain conditions set by law. What is so difficult to understand there?
In the statements below, the EC merely insists, correctly, upon distinguishing between ICANN’s purposes for collecting and using registrant data, and its reasons for disclosing it to third parties. This does not rule out all disclosure to third parties with legitimate interests.
During the EPDP deliberations, the same point was made repeatedly by public comments, and a majority of the EPDP members.
The law is clear. Some in this debate are trying to erect a false dichotomy: either we have ICANN collecting and disclosing registrant data indiscriminately, as it did during the old Whois, or there is no disclosure to third parties at all. Do you really think this is the choice we have?
--MM
*From:*Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Chris Disspain *Sent:* Tuesday, April 23, 2019 11:26 AM *To:* Volker Greimann <vgreimann@key-systems.net> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] European Commission comments on Phase 1 report
Indeed, thanks Volker. It is both important and useful. It is also confusing although that may only be to me. What is said below appears to be directly at odds with things being said by the DPAs and EC representatives.
In its statement of 27 May 2018 (https://edpb.europa.eu/news/news/2018/european-data-protection-board-endorse...) the EDPB said:
/"As expressed also in earlier correspondence with ICANN (including //*this letter*/ <http://ec.europa.eu/newsroom/just/document.cfm?doc_id=48839>/ of December 2017 and //*this letter*/ <http://ec.europa.eu/newsroom/article29/document.cfm?action=display&doc_id=51021>/ of April 2018), WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data."/
And during a Board GAC call last week on the Kobe GAC Communique (https://gac.icann.org/minutes/gac%20kobe%20communiqué%20-%20gac-board%20clarification%20call%20notes%20-%2015april2019%20(final).pdf) <https://gac.icann.org/minutes/gac%20kobe%20communiqu%C3%A9%20-%20gac-board%2...> in a discussion about the need for an access model, the work carried out by the Technical Study Group to design one and how ICANN can get legal advice for the DPAs about the legality of that model, the Commission said that although it was not is a position to speak for the EU member of the GAC...:
"European Commission reiterated its willingness to help facilitate communications with DPAs, and in particular the Belgian DPAs who it indicated has been chosen to be the lead DPA on this issue for the EU, a European Commission further suggested a two-step process: first, considering with legal advisors implementation options to achieve the aims of the EPDP report; and second, start consulting with the lead DPA to get their views before consulting the full EDPB once more, with facilitation from the Commission as needed"
I’m struggling to align the above with the input below.
Cheers,
Chris
On 18 Apr 2019, at 16:08, Ayden Férdeline <icann@ferdeline.com <mailto:icann@ferdeline.com>> wrote:
Thank you for highlighting this important and useful contribution, Volker.
-- Ayden
‐‐‐‐‐‐‐Original Message ‐‐‐‐‐‐‐
On Thursday, April 18, 2019 4:37 PM, Volker Greimann <vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>> wrote:
Dear fellow members,
the European Commission just provided very valuable and constructive insights into our reports that we would be well-advised to take into account in Phase 2:
https://mm.icann.org/pipermail/comments-epdp-recs-04mar19/attachments/201904...
"/The European Commission recognises this (the recommendation of purposes and association with processing activities) as a *long due and important step forward* in the ongoing reform of the WHOIS system. Having a clear definition of the purposes for the processing of the data in the WHOIS system is an *essential pre-requisite* for ensuring a GDPR-compliant system./"
"/the overall model would benefit from *making even more explicit the links between the purposes for processing personal data and the specific processing activity(ies) as well as the specific personal data items.*/"
"/Accordingly, the European Commission considers that *the purposes* for processing WHOIS personal data by ICANN and/or the contracted parties *should not include enabling access by third parties*. This is also at the core of the concerns expressed for some time by the DPAs and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must *not be conflated with the interests of third parties* in accessing registration data./"
"/Notwithstanding the above, the European Commission would like to acknowledge that maintaining such a distinction does not per se limit WHOIS data access by/disclosure to third parties, but merely differentiates between*ICANN’s own purposes* (e.g. maintaining the security, stability and resilience of the Domain Name System) which are capable of justifying collection of the data in the first place, and subsequent processing (enabling access to and disclosing WHOIS data) for legitimate purposes pursued by third parties./"
"/In the Report, Article 6(1) (f) of the GDPR is often invoked. The European Commission would like to recall that legitimate interest is one of the six possible legal bases provided under the GDPR1. (...) Specifically, the legitimate interest*needs to outweigh* the interest of the individual concerned. Given that there is an interference with the fundamental right to data protection of an individual, a balancing of interests is necessary to properly justify the reasons for such an interference. (...) The *balancing is *thus *a responsibility* (*not a prerogative*) of the data controller./"
"*/Third parties seeking access also need a legal basis for processing the data/*/. For instance, an IPR rightholder might have a legitimate interest to gain access to WHOIS personal data in order to ensure his/her IP right is protected and not abused. The existence of *such a right needs to be substantiated and the necessity/proportionality of accessing that data ascertained*. This IPR rightholder might rely on Art. 6(1) (f)./"
"*/GDPR legitimate interest cannot be used as a legal basis for data processing by public authorities/*".
"/With regard to the various processing activities involved in the WHOIS system, the issue of whether they involve an *international data transfer *under the GDPR should be considered./ (...) it is also necessary to identify *an appropriate legal ground *for the international transfer"
"/the current situation is affecting EU Member State *authorities’ ability* to obtain legitimate access to this data, necessary to enforce the law online, including in relation to the fight against cybercrime/"
All this seems to point in a very clear direction for our path ahead with regard to the disclosure model we will be working on. More on that when we get to this part of our deliberations.
--
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net <http://www.key-systems.net/>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Hello All, As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference. A response has now been received from the Commission and I attach that for your information. Cheers, CD
Thank you Chris for forwarding this. As expected, the response is very helpful in providing further clarity in how future disclosure models should work and it is also very helpful that they provided a quick response just in time to the tstart of our deliberations. By stating that access should be enabled "/_upon request _(...) _showing a legitimate interest_, provided both the controller (...) and the third party _have a legal basis _for such processing (...)" /they basically support a point many participants of Phase 1 have been making all along in this debate: _Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure._ This explicitly excludes any concepts of "all-access" models where a requester need only acquire some form of certification or accreditation prior to being restored to the access to the whois of yore. I therefore propose that we abandon these concepts at the start of our deliberations to avoid wasting time on ultimately futile debates. Another shortcut we could use to save time is to initially focus our discussions of the UDM (Unified Disclosure Model) by looking exclusively at those parties with the best legal basis for disclosure: national law enforcement agencies and other public authorities in the same jurisdiction as the data controller. Once we have a model for these parties, the rest can follow from there. Obviously, the disclosure methods these parties have legal rights to (that turn into legal obligations for the data compliance) would vary on the legal bases of their appropriate jurisdictions and that is ultimately something that we would need to ask the individual GAC members to provide for example. For example, we could start out by asking a GAC members to provide data on how individual law enforcement bodies and public authorities have to go about in their specific jurisdiction with obtaining data from comparable data controllers, like telephone companies, internet access providers or hosting providers. Are there special processes that entities would need to follow? If so, could our model be based on these processes for these jurisdictions? If, for example, a local police has to obtain a court warrant or subpoena to demand disclosure personal data held by a webhoster, is that not also sufficiently equivalent to a demand towards a contracted party? This does mean we would have to vary our model by jurisdiction, but ultimately it seems to be the most legally sound way to operate. This is also supported by the letter, which states: "/Instead, they need to rely on another legal basis, which is normally provided for in national law./" It is the job of the GAC to tell us what this legal basis is in each instance and it is our job to reflect this basis in our model for access of the entities so entitled. Best regards, Volker Greimann Am 03.05.2019 um 13:10 schrieb Chris Disspain:
Hello All,
As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference.
A response has now been received from the Commission and I attach that for your information.
Cheers,
CD
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
I totally support this suggestion from Volker. This is indeed the logical way to proceed, and we have over many years received a great deal of advice from the DPAs to do exactly this. Isolating the purpose, legal authorities, and methodologies required for lawful access to personal information of each jurisdiction and actor (eg police vs the dog catcher vs the banking regulatory body) will doubtless prove to be instructive, and help determine the kinds of analysis we need to apply in the private sector, where the thresholds for disclosure are arguably higher. Thanks for stating this Volker, in particular the underlined sentence needs to be pasted on the wiki so nobody forgets it. Kind regards, Stephanie Perrin On 2019-05-03 08:29, Volker Greimann wrote: Thank you Chris for forwarding this. As expected, the response is very helpful in providing further clarity in how future disclosure models should work and it is also very helpful that they provided a quick response just in time to the tstart of our deliberations. By stating that access should be enabled "upon request (...) showing a legitimate interest, provided both the controller (...) and the third party have a legal basis for such processing (...)" they basically support a point many participants of Phase 1 have been making all along in this debate: Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure. This explicitly excludes any concepts of "all-access" models where a requester need only acquire some form of certification or accreditation prior to being restored to the access to the whois of yore. I therefore propose that we abandon these concepts at the start of our deliberations to avoid wasting time on ultimately futile debates. Another shortcut we could use to save time is to initially focus our discussions of the UDM (Unified Disclosure Model) by looking exclusively at those parties with the best legal basis for disclosure: national law enforcement agencies and other public authorities in the same jurisdiction as the data controller. Once we have a model for these parties, the rest can follow from there. Obviously, the disclosure methods these parties have legal rights to (that turn into legal obligations for the data compliance) would vary on the legal bases of their appropriate jurisdictions and that is ultimately something that we would need to ask the individual GAC members to provide for example. For example, we could start out by asking a GAC members to provide data on how individual law enforcement bodies and public authorities have to go about in their specific jurisdiction with obtaining data from comparable data controllers, like telephone companies, internet access providers or hosting providers. Are there special processes that entities would need to follow? If so, could our model be based on these processes for these jurisdictions? If, for example, a local police has to obtain a court warrant or subpoena to demand disclosure personal data held by a webhoster, is that not also sufficiently equivalent to a demand towards a contracted party? This does mean we would have to vary our model by jurisdiction, but ultimately it seems to be the most legally sound way to operate. This is also supported by the letter, which states: "Instead, they need to rely on another legal basis, which is normally provided for in national law." It is the job of the GAC to tell us what this legal basis is in each instance and it is our job to reflect this basis in our model for access of the entities so entitled. Best regards, Volker Greimann Am 03.05.2019 um 13:10 schrieb Chris Disspain: Hello All, As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference. A response has now been received from the Commission and I attach that for your information. Cheers, CD _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<http://www.key-systems.net> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Hi Volker, Thanks for such a quick response commenting on the letter. I do not agree that the selected quotes that you have used lead to the conclusion that the EC ‘basically support’ a view that you propound. In addition and speaking personally, I think: …."we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR). The European Commission considers this to be both vital and urgent, and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively.”….. ….clearly shows that the EC supports a UAM which by definition means that the concept of a UAM is perfectly acceptable under GDPR. I think: …."As the Commission already noted, the current situation where access to non-public registration data for public policy objectives is left at the discretion of registries and registrars affects the EU Member States authorities’ ability to obtain legitimate access to non-public registration data necessary to enforce the law online, including in relation to the fight against cybercrime. The need to ensure effective and secure treatment of third party access requests requires therefore ICANN and the community developing a unified method for accessing non-public gTLD registration data.”….. ….clearly demonstrates that the EC is unhappy with the status quo and that in their view a UAM is essential. and I think: …."Accordingly, we consider that a clear distinction needs to be made between ICANN's own purposes for processing personal data and the purposes pursued by the third parties in accessing the data. For this reason, we would recommend revising the formulation of purpose two by excluding the second part of the purpose "through enabling responses to lawful data disclosure requests" and maintaining a broader purpose to "contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission", which is at the core of the role of ICANN as the “guardian” of the Domain Name System. …..means that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited. Cheers, CD
On 3 May 2019, at 15:29, Volker Greimann <vgreimann@key-Systems.net> wrote:
Thank you Chris for forwarding this. As expected, the response is very helpful in providing further clarity in how future disclosure models should work and it is also very helpful that they provided a quick response just in time to the tstart of our deliberations. By stating that access should be enabled "upon request (...) showing a legitimate interest, provided both the controller (...) and the third party have a legal basis for such processing (...)" they basically support a point many participants of Phase 1 have been making all along in this debate:
Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure.
This explicitly excludes any concepts of "all-access" models where a requester need only acquire some form of certification or accreditation prior to being restored to the access to the whois of yore. I therefore propose that we abandon these concepts at the start of our deliberations to avoid wasting time on ultimately futile debates. Another shortcut we could use to save time is to initially focus our discussions of the UDM (Unified Disclosure Model) by looking exclusively at those parties with the best legal basis for disclosure: national law enforcement agencies and other public authorities in the same jurisdiction as the data controller. Once we have a model for these parties, the rest can follow from there. Obviously, the disclosure methods these parties have legal rights to (that turn into legal obligations for the data compliance) would vary on the legal bases of their appropriate jurisdictions and that is ultimately something that we would need to ask the individual GAC members to provide for example. For example, we could start out by asking a GAC members to provide data on how individual law enforcement bodies and public authorities have to go about in their specific jurisdiction with obtaining data from comparable data controllers, like telephone companies, internet access providers or hosting providers. Are there special processes that entities would need to follow? If so, could our model be based on these processes for these jurisdictions? If, for example, a local police has to obtain a court warrant or subpoena to demand disclosure personal data held by a webhoster, is that not also sufficiently equivalent to a demand towards a contracted party? This does mean we would have to vary our model by jurisdiction, but ultimately it seems to be the most legally sound way to operate. This is also supported by the letter, which states: "Instead, they need to rely on another legal basis, which is normally provided for in national law." It is the job of the GAC to tell us what this legal basis is in each instance and it is our job to reflect this basis in our model for access of the entities so entitled. Best regards,
Volker Greimann
Am 03.05.2019 um 13:10 schrieb Chris Disspain:
Hello All,
As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference.
A response has now been received from the Commission and I attach that for your information.
Cheers,
CD
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>-- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net <http://www.key-systems.net/>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Hi Chris, it really depends what one means by the term Unified Access Model. Currently under the temp spec, we have a system that introduces many uncertaincies as basically every contracted party is asked to make up their own access model and define the terms of access. A requester does not clearly know what is being required to be granted disclosure and many contracted parties also have difficulties defining hard and fast rules. Clearly, this is unsustainable for the future, as the EC clearly states as a requester will have to accommodate the requirements of every single model and still will not have certaincy of the disclosure. However this does not mean that the basic principle is flawed. Ultimately, the existing models developed by the parties will have to be condensed or refined into a unified model with clear rules of what is being expected of them when they make a request and that provides for a set of requirements that when met will result in a certain outcome. This model can still take into account the various legal requirements a contracted party may face under its applicable jurisdiction, but it would reduce the variety that a requester has to put in. Lets take the following example: Law enforcement agencies A and B are in different jurisdictions. A is in the jurisdiction of the contracted party holding the data, B is not. Under a unified model, both would now be able to immediately find out the requirements for disclosure of the data needed for their investigation. Ideally, the template to use for them would be the same but the output they get may be different. All EU Member States authorities' would under such a model obtain the ability to obtain legitimate access to the data needed to enforce laws in compliance with the requirements and restrictions put in place by the applicable national laws. I am sure no one here is advocating or proposing we allow anyone to circumvent the restrictions put in place by the applicable national laws. Accreditation and certification also still have a place as they reduce the time needed to provide evidence of identity of the requester from having to do this every time to having to do this only every couple of years. I do not see a conflict with anything I have proposed with anything in the response letter. Nothing in that letter requires an all-access model. Developing a unified access model that meets the needs of law enforcment and public agencies withjin the framework of their right to access such data provided for in their applicable national laws is absolutely doable, centrally or distributedly implementable and consistent with the advice we just received. Best regards, Volker Am 03.05.2019 um 15:41 schrieb Chris Disspain:
Hi Volker,
Thanks for such a quick response commenting on the letter.
I do not agree that the selected quotes that you have used lead to the conclusion that the EC ‘basically support’ a view that you propound.
In addition and speaking personally, I think:
…."we have constantly urged ICANN and the community to develop a *unified access model *that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR). The European Commission considers this to be both *vital and urgent,*and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively.”…..
….clearly shows that the EC supports a UAM which by definition means that the concept of a UAM is perfectly acceptable under GDPR.
I think:
…."As the Commission already noted, *the current situation* where access to non-public registration data for public policy objectives is left at the discretion of registries and registrars *affects the EU **Member States authorities’ ability to obtain legitimate access to **non-public registration data *necessary to enforce the law online, including in relation to the fight against cybercrime. The need to ensure effective and secure treatment of third party access requests requires therefore ICANN and the community developing a *unified* method for accessing non-public gTLD registration data.”…..
….clearly demonstrates that the EC is unhappy with the status quo and that in their view a UAM is essential.
and I think:
…."Accordingly, we consider that a clear distinction needs to be made between ICANN's own purposes for processing personal data and the purposes pursued by the third parties in accessing the data. For this reason, we would recommend revising the formulation of purpose two by excluding the second part of the purpose "through enabling responses to lawful data disclosure requests" and *maintaining a broader purpose* to "contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission", which is at the core of the role of ICANN as the “guardian” of the Domain Name System.
…..means that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited.
Cheers,
CD
On 3 May 2019, at 15:29, Volker Greimann <vgreimann@key-Systems.net <mailto:vgreimann@key-Systems.net>> wrote:
Thank you Chris for forwarding this.
As expected, the response is very helpful in providing further clarity in how future disclosure models should work and it is also very helpful that they provided a quick response just in time to the tstart of our deliberations.
By stating that access should be enabled "/_upon request _(...) _showing a legitimate interest_, provided both the controller (...) and the third party _have a legal basis _for such processing (...)" /they basically support a point many participants of Phase 1 have been making all along in this debate:
_Disclosure can only work on a per-request basis and each such request must show both the legitimate interest for the disclosure and the legal basis for the processing activity requested for all parties involved in the disclosure._
This explicitly excludes any concepts of "all-access" models where a requester need only acquire some form of certification or accreditation prior to being restored to the access to the whois of yore. I therefore propose that we abandon these concepts at the start of our deliberations to avoid wasting time on ultimately futile debates.
Another shortcut we could use to save time is to initially focus our discussions of the UDM (Unified Disclosure Model) by looking exclusively at those parties with the best legal basis for disclosure: national law enforcement agencies and other public authorities in the same jurisdiction as the data controller. Once we have a model for these parties, the rest can follow from there. Obviously, the disclosure methods these parties have legal rights to (that turn into legal obligations for the data compliance) would vary on the legal bases of their appropriate jurisdictions and that is ultimately something that we would need to ask the individual GAC members to provide for example.
For example, we could start out by asking a GAC members to provide data on how individual law enforcement bodies and public authorities have to go about in their specific jurisdiction with obtaining data from comparable data controllers, like telephone companies, internet access providers or hosting providers. Are there special processes that entities would need to follow? If so, could our model be based on these processes for these jurisdictions? If, for example, a local police has to obtain a court warrant or subpoena to demand disclosure personal data held by a webhoster, is that not also sufficiently equivalent to a demand towards a contracted party? This does mean we would have to vary our model by jurisdiction, but ultimately it seems to be the most legally sound way to operate. This is also supported by the letter, which states: "/Instead, they need to rely on another legal basis, which is normally provided for in national law./" It is the job of the GAC to tell us what this legal basis is in each instance and it is our job to reflect this basis in our model for access of the entities so entitled.
Best regards,
Volker Greimann
Am 03.05.2019 um 13:10 schrieb Chris Disspain:
Hello All,
As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference.
A response has now been received from the Commission and I attach that for your information.
Cheers,
CD
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team -- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH*
T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Chris, We appreciate your relaying of information about ICANN Corp’s interactions with the EDPB. We also appreciate your efforts to clarify certain positions. With this last message, however, I think you are in danger of crossing the line into advocacy of a particular position, and this is inappropriate. Under the ICANN bylaws the community develops policy and the board reviews and approves community developed policies with an eye to the larger picture. As a board liaison to the EPDP, your job is to serve as an information channel between the team and the board and to advise the EPDP team about any issues and concerns the board has that the EPDP might not be taking into account. It is not to advocate for a particular position. With regard to “UAM,” it is already established policy, as developed by phase 1 of the EPDP, that we are no longer talking about “access” models we are talking about disclosure models. See Recommendation 3 of the final report, which has been approved by the Council. So we’d appreciate it if you get up to speed and adopt the approved and correct terminology. Legitimately, the EC is motivated by BOTH the need to comply with its own law AND its desire for convenient disclosure processes. There is no inherent tension between these two as long as the disclosure processes are consistent with data protection principles. That will be a difficult job, so let us work it out. All stakeholders and views are represented here; the EC can and does speak for itself. So we don’t need your attempt to push a tendentious interpretation of their views upon us. Finally, when you say this: ….. that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited. No…you are so far off base that it is laughable. The EC’s position on Purpose 2 could not be clearer. It was directly challenged in their comments. Taking out selective snippets and trying to twist their words in ways that conform to the position you are pushing is not helping this process at all. It is also, as I said before, not an appropriate thing for a board member to be doing. Please stay in your lane, and let the multistakeholder process work. Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy Internet Governance Project<https://internetgovernance.org/>
Thanks Milton. You are, of course, entitled to your opinion. Cheers, CD
On 3 May 2019, at 17:52, Mueller, Milton L <milton@gatech.edu> wrote:
Chris, We appreciate your relaying of information about ICANN Corp’s interactions with the EDPB. We also appreciate your efforts to clarify certain positions.
With this last message, however, I think you are in danger of crossing the line into advocacy of a particular position, and this is inappropriate. Under the ICANN bylaws the community develops policy and the board reviews and approves community developed policies with an eye to the larger picture. As a board liaison to the EPDP, your job is to serve as an information channel between the team and the board and to advise the EPDP team about any issues and concerns the board has that the EPDP might not be taking into account. It is not to advocate for a particular position.
With regard to “UAM,” it is already established policy, as developed by phase 1 of the EPDP, that we are no longer talking about “access” models we are talking about disclosure models. See Recommendation 3 of the final report, which has been approved by the Council. So we’d appreciate it if you get up to speed and adopt the approved and correct terminology.
Legitimately, the EC is motivated by BOTH the need to comply with its own law AND its desire for convenient disclosure processes. There is no inherent tension between these two as long as the disclosure processes are consistent with data protection principles. That will be a difficult job, so let us work it out. All stakeholders and views are represented here; the EC can and does speak for itself. So we don’t need your attempt to push a tendentious interpretation of their views upon us.
Finally, when you say this: ….. that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited. No…you are so far off base that it is laughable. The EC’s position on Purpose 2 could not be clearer. It was directly challenged in their comments. Taking out selective snippets and trying to twist their words in ways that conform to the position you are pushing is not helping this process at all. It is also, as I said before, not an appropriate thing for a board member to be doing. Please stay in your lane, and let the multistakeholder process work.
Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy Internet Governance Project <https://internetgovernance.org/>
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
I don't think it is appropriate to just brush off such criticism Chris by saying that we are entitled to our opinion. Board is in danger of advocating for a certain position and we raised this during our NCSG Board meetings multiple times. CEO intended from the beginning to facilitate access to WHOIS personal information. It is quite clear from the communications. I invite you to act as a Board liaison and not a policymaker. If the Board thinks that disclosure should be done in a way it has envisioned, then what are we doing here? We can wrap up the show. Farzaneh On Fri, May 3, 2019 at 10:55 AM Chris Disspain <chris@disspain.uk> wrote:
Thanks Milton. You are, of course, entitled to your opinion.
Cheers,
CD
On 3 May 2019, at 17:52, Mueller, Milton L <milton@gatech.edu> wrote:
Chris, We appreciate your relaying of information about ICANN Corp’s interactions with the EDPB. We also appreciate your efforts to clarify certain positions.
With this last message, however, I think you are in danger of crossing the line into advocacy of a particular position, and this is inappropriate. Under the ICANN bylaws the community develops policy and the board reviews and approves community developed policies with an eye to the larger picture. As a board liaison to the EPDP, your job is to serve as an information channel between the team and the board and to advise the EPDP team about any issues and concerns the board has that the EPDP might not be taking into account. It is not to advocate for a particular position.
With regard to “UAM,” it is already established policy, as developed by phase 1 of the EPDP, that we are no longer talking about “*access*” models we are talking about *disclosure* models. See Recommendation 3 of the final report, which has been approved by the Council. So we’d appreciate it if you get up to speed and adopt the approved and correct terminology.
Legitimately, the EC is motivated by BOTH the need to comply with its own law AND its desire for convenient disclosure processes. There is no inherent tension between these two as long as the disclosure processes are consistent with data protection principles. That will be a difficult job, so let us work it out. All stakeholders and views are represented here; the EC can and does speak for itself. So we don’t need your attempt to push a tendentious interpretation of their views upon us.
Finally, when you say this: ….. that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited. No…you are so far off base that it is laughable. The EC’s position on Purpose 2 could not be clearer. It was directly challenged in their comments. Taking out selective snippets and trying to twist their words in ways that conform to the position you are pushing is not helping this process at all. It is also, as I said before, not an appropriate thing for a board member to be doing. Please stay in your lane, and let the multistakeholder process work.
Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy Internet Governance Project <https://internetgovernance.org/>
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Thanks for you feedback Farzaneh. Appreciated. I would refer you to the line in my note copied below.
In addition and speaking personally, I think:
Cheers, CD
On 3 May 2019, at 18:03, farzaneh badii <farzaneh.badii@gmail.com> wrote:
I don't think it is appropriate to just brush off such criticism Chris by saying that we are entitled to our opinion. Board is in danger of advocating for a certain position and we raised this during our NCSG Board meetings multiple times. CEO intended from the beginning to facilitate access to WHOIS personal information. It is quite clear from the communications.
I invite you to act as a Board liaison and not a policymaker. If the Board thinks that disclosure should be done in a way it has envisioned, then what are we doing here? We can wrap up the show.
Farzaneh
On Fri, May 3, 2019 at 10:55 AM Chris Disspain <chris@disspain.uk <mailto:chris@disspain.uk>> wrote: Thanks Milton. You are, of course, entitled to your opinion.
Cheers,
CD
On 3 May 2019, at 17:52, Mueller, Milton L <milton@gatech.edu <mailto:milton@gatech.edu>> wrote:
Chris, We appreciate your relaying of information about ICANN Corp’s interactions with the EDPB. We also appreciate your efforts to clarify certain positions.
With this last message, however, I think you are in danger of crossing the line into advocacy of a particular position, and this is inappropriate. Under the ICANN bylaws the community develops policy and the board reviews and approves community developed policies with an eye to the larger picture. As a board liaison to the EPDP, your job is to serve as an information channel between the team and the board and to advise the EPDP team about any issues and concerns the board has that the EPDP might not be taking into account. It is not to advocate for a particular position.
With regard to “UAM,” it is already established policy, as developed by phase 1 of the EPDP, that we are no longer talking about “access” models we are talking about disclosure models. See Recommendation 3 of the final report, which has been approved by the Council. So we’d appreciate it if you get up to speed and adopt the approved and correct terminology.
Legitimately, the EC is motivated by BOTH the need to comply with its own law AND its desire for convenient disclosure processes. There is no inherent tension between these two as long as the disclosure processes are consistent with data protection principles. That will be a difficult job, so let us work it out. All stakeholders and views are represented here; the EC can and does speak for itself. So we don’t need your attempt to push a tendentious interpretation of their views upon us.
Finally, when you say this: ….. that the EC’s view is that attempts to narrow ICANN’s purpose are counter-productive and the current wording needs to be revisited. No…you are so far off base that it is laughable. The EC’s position on Purpose 2 could not be clearer. It was directly challenged in their comments. Taking out selective snippets and trying to twist their words in ways that conform to the position you are pushing is not helping this process at all. It is also, as I said before, not an appropriate thing for a board member to be doing. Please stay in your lane, and let the multistakeholder process work.
Dr. Milton L Mueller Georgia Institute of Technology School of Public Policy Internet Governance Project <https://internetgovernance.org/>
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
Thanks Chris for forwarding these letters to the team. And thanks also to both ICANN org and the European Commission for this important input and very helpful clarification. The EC letter makes it very clear that the development of a unified access model is not only vital, urgent and a matter of priority, but also that such a model would be fully in line with EU data protection rules (i.e., the GDPR). Clearly we have a lot of work to do to attain this goal and our main focus should be to chart a path (work plan, schedule, etc.) to achieve it and then get to work. In response to these letters: First, the IPC agrees completely that "ICANN and the contracted parties may enable access to and disclose registration data upon request from a third party showing a legitimate interest, provided both the controller - ICANN and/or the contracted parties - and the third party have a legal basis for such processing (see below)." Second, we do not understand assertions that some are arguing for an "all-access" WHOIS model or that there exists a set of people who believe we can somehow return to unfettered WHOIS access. Spending time arguing against positions that do not exist in the ePDP is distracting and a waste of time. Lastly, while we appreciate Volker’s suggestion to create shortcuts to save time, we do not agree that issues related to access for LEA should be prioritized ahead of issues related to other third party legitimate interests. LEA have their own processes for getting standardized access to data, which are different from the private sector. IP and consumer protection do not, and LEA access methods will not be particularly relevant in addressing these issues. To expeditiously complete a standardized access model, we should focus on answering the questions as outlined in the charter - and build a framework to accommodate standardized access for all legitimate interests in compliance with the law. Regards, Alex ___________ *Alex Deacon* Cole Valley Consulting alex@colevalleyconsulting.com +1.415.488.6009 On Fri, May 3, 2019 at 4:11 AM Chris Disspain <chris@disspain.uk> wrote:
Hello All,
As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference.
A response has now been received from the Commission and I attach that for your information.
Cheers,
CD
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Hi Alex, I actually read the letter a bit differently. You are correct that it stresses the need for such a model, particulararly for law enforcement and government agencies, but it does not state that such a model is per se compliant with GDPR, but rather that care must be taken that the model is compliant. We cannot simply design any old model and call it compliant, the model we design must comply with the principles I referred to in my earlier mail to be compliant. I do not doubt we will be able to design such a compliant model though. And believe me, I have talked to many at ICANN meetings and other venues who still believe that access to the UAM will mean full access. While I don't know whether such beliefs or hopes are also held by members here (I sure hope not), it would be helpful if we can agree on that as a basis. Best, Volker Am 04.05.2019 um 22:55 schrieb Alex Deacon:
Thanks Chris for forwarding these letters to the team. And thanks also to both ICANN org and the European Commission for this important input and very helpful clarification.
The EC letter makes it very clear that the development of a unified access model is not only vital, urgent and a matter of priority, but also that such a model would be fully in line with EU data protection rules (i.e., the GDPR). Clearly we have a lot of work to do to attain this goal and our main focus should be to chart a path (work plan, schedule, etc.) to achieve it and then get to work.
In response to these letters:
First, the IPC agrees completely that "ICANN and the contracted parties may enable access to and disclose registration data upon request from a third party showing a legitimate interest, provided both the controller - ICANN and/or the contracted parties - and the third party have a legal basis for such processing (see below)."
Second, we do not understand assertions that some are arguing for an "all-access" WHOIS model or that there exists a set of people who believe we can somehow return to unfettered WHOIS access. Spending time arguing against positions that do not exist in the ePDP is distracting and a waste of time.
Lastly, while we appreciate Volker’s suggestion to create shortcuts to save time, we do not agree that issues related to access for LEA should be prioritized ahead of issues related to other third party legitimate interests. LEA have their own processes for getting standardized access to data, which are different from the private sector. IP and consumer protection do not, and LEA access methods will not be particularly relevant in addressing these issues. To expeditiously complete a standardized access model, we should focus on answering the questions as outlined in the charter - and build a framework to accommodate standardized access for all legitimate interests in compliance with the law.
Regards, Alex
___________ *Alex Deacon* Cole Valley Consulting alex@colevalleyconsulting.com <mailto:alex@colevalleyconsulting.com> +1.415.488.6009
On Fri, May 3, 2019 at 4:11 AM Chris Disspain <chris@disspain.uk <mailto:chris@disspain.uk>> wrote:
Hello All,
As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference.
A response has now been received from the Commission and I attach that for your information.
Cheers,
CD
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Volker, thanks for clarifying. Like you, I am confident that we’ll be able to design a compliant model which is practical for the needs of both LEA and 3rd parties. /marksv From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann Sent: Monday, May 6, 2019 02:34 To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] European Commission comments on Phase 1 report - additional information Hi Alex, I actually read the letter a bit differently. You are correct that it stresses the need for such a model, particulararly for law enforcement and government agencies, but it does not state that such a model is per se compliant with GDPR, but rather that care must be taken that the model is compliant. We cannot simply design any old model and call it compliant, the model we design must comply with the principles I referred to in my earlier mail to be compliant. I do not doubt we will be able to design such a compliant model though. And believe me, I have talked to many at ICANN meetings and other venues who still believe that access to the UAM will mean full access. While I don't know whether such beliefs or hopes are also held by members here (I sure hope not), it would be helpful if we can agree on that as a basis. Best, Volker Am 04.05.2019 um 22:55 schrieb Alex Deacon: Thanks Chris for forwarding these letters to the team. And thanks also to both ICANN org and the European Commission for this important input and very helpful clarification. The EC letter makes it very clear that the development of a unified access model is not only vital, urgent and a matter of priority, but also that such a model would be fully in line with EU data protection rules (i.e., the GDPR). Clearly we have a lot of work to do to attain this goal and our main focus should be to chart a path (work plan, schedule, etc.) to achieve it and then get to work. In response to these letters: First, the IPC agrees completely that "ICANN and the contracted parties may enable access to and disclose registration data upon request from a third party showing a legitimate interest, provided both the controller - ICANN and/or the contracted parties - and the third party have a legal basis for such processing (see below)." Second, we do not understand assertions that some are arguing for an "all-access" WHOIS model or that there exists a set of people who believe we can somehow return to unfettered WHOIS access. Spending time arguing against positions that do not exist in the ePDP is distracting and a waste of time. Lastly, while we appreciate Volker’s suggestion to create shortcuts to save time, we do not agree that issues related to access for LEA should be prioritized ahead of issues related to other third party legitimate interests. LEA have their own processes for getting standardized access to data, which are different from the private sector. IP and consumer protection do not, and LEA access methods will not be particularly relevant in addressing these issues. To expeditiously complete a standardized access model, we should focus on answering the questions as outlined in the charter - and build a framework to accommodate standardized access for all legitimate interests in compliance with the law. Regards, Alex ___________ Alex Deacon Cole Valley Consulting alex@colevalleyconsulting.com<mailto:alex@colevalleyconsulting.com> +1.415.488.6009 On Fri, May 3, 2019 at 4:11 AM Chris Disspain <chris@disspain.uk<mailto:chris@disspain.uk>> wrote: Hello All, As you will know, on 26 April Göran Marby wrote to the European Commission seeking additional information regarding their comments of 17 April. That letter is attached for ease of reference. A response has now been received from the Commission and I attach that for your information. Cheers, CD _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=01%7C01%7Cmarksv%40microsoft.com%7C27145d0fe15743c7679b08d6d205fa7b%7C72f988bf86f141af91ab2d7cd011db47%7C1&sdata=QgzQ4ljrFKJp%2FC4Vml55i9KQvs3RD4ur%2FhzOgZ%2FxZDw%3D&reserved=0> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=01%7C01%7Cmarksv%40microsoft.com%7C27145d0fe15743c7679b08d6d205fa7b%7C72f988bf86f141af91ab2d7cd011db47%7C1&sdata=QgzQ4ljrFKJp%2FC4Vml55i9KQvs3RD4ur%2FhzOgZ%2FxZDw%3D&reserved=0> -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.key-sys...> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
participants (9)
-
Alex Deacon -
Ayden Férdeline -
Chris Disspain -
farzaneh badii -
James M. Bladel -
Mark Svancarek (CELA) -
Mueller, Milton L -
Stephanie Perrin -
Volker Greimann