NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
Hi,

Apologies for not sending these in before the deadline, but attached is the NCSG Team feedback on the Batch 2 legal questions proposed by the Legal Committee to be sent to Bird & Bird.

Thanks.

Amr
Hi,

I also apologize for sending this in after the deadline. I didn't see any need to change any of the existing proposed questions. My concern is not about the questions already being readied for submission. Rather, I am concerned that we aren't asking about the implications and limits of semi-automated processing of disclosure requests.

By "semi-automated processing", I mean processing which is mostly automated but which contains triggers which pass requests off to a human. Examples might be "your credentials are valid but I have never received a request from you", "the nature or volume of requests has suddenly changed", "the data subject is a child", or "your credentials indicate that you are LEA from a jurisdiction of concern".

All of the models we have discussed can support semi-automated request processing.

- In the centralized model, the automation could happen at the central authorizer.
- In the hybrid model, each CP could utilize automated processing within their own systems.
- And we've had further suggestions for additional hybridization in the recent calls, where CPs pool resources to share an authorizer, or where a central authorizer automates a portion of the requests and hands off some subset of them back to the CP for processing.

-----Original Message-----
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Amr Elsadr
Sent: Monday, January 20, 2020 1:55 AM
To: Mark Svancarek via Gnso-epdp-team <gnso-epdp-team@icann.org>
Subject: [EXTERNAL] [Gnso-epdp-team] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
Hi Team,

I agree that understanding the legal implications and limits of "semi-automated" processing is important as we collaborate on how to automate the SSAD process to the greatest extent permitted. The good news from a resource and timing perspective is that we already have a memo from Bird & Bird on automation ([opinion here](https://community.icann.org/download/attachments/117604842/ICANN-EPDP%20-%20Question%203%20-%2010th%20September%202019%5B1%5D.pdf?version=1&modificationDate=1568143539000&api=v2), [summary of key points here](https://docs.google.com/document/d/1rV0Iwo6HCABfP8oaxPC_u_D-vvjud15b/edit) on pg. 98) that provides both the legal framework for assessing these questions and directly addresses the question of potential categories of requests for automation.

Although we can characterize the entire system as a "semi-automated" SSAD, the ultimate question we are asking is can we allow the SSAD to make a specific decision in a fully automated manner. Here is the basic framework that Bird & Bird provided to answer that question:

- GDPR does not permit decisions based solely on automated processing which produce legal or similarly significant effects on the data subject.
- In most instances, a decision to release information via the SSAD will not in itself have a legal effect on the data subject. For our purposes, the question is whether the decision has a "similarly significant" effect on the data subject.
- It may be possible to determine categories of requests where the decision to disclose data would not have a "similarly significant" effect. For example, the disclosure of administrative contact details for non-natural registrants in response to malware attacks or IP infringement would not have a "similarly significant" effect.
- In other situations, disclosure of registrant data about a natural person may be much more likely to have a "similarly significant" effect. Considerable care would need to be taken over such analysis.
- For decisions more likely to have a "similarly significant" effect, human review or oversight is necessary. Token human involvement does not suffice. For the human review element to count, the controller must ensure meaningful oversight by someone who has the authority and competence to change the decision.
- Processes not involving a decision about the registrant can also be automated without producing "similarly significant" effects, for example authentication of an accredited requestor.

I think the takeaway (at least based on the state of the law today) is that most decisions short of the ultimate decision whether or not to disclose data can be fully automated, but that most decisions involving disclosing registrant data of a natural person will require meaningful human review. To be clear, this shouldn't foreclose the possibility of a model that evolves towards further automation of disclosure decisions, or individual controllers automating their own decision-making processes based on their assessment of the risks.

Hopefully this is helpful as we continue these discussions.

Thanks,

Matt

-----Original Message-----
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Mark Svancarek (CELA) via Gnso-epdp-team
Sent: Tuesday, January 21, 2020 11:16 AM
To: Amr Elsadr <aelsadr@icannpolicy.ninja>; gnso-epdp-team@ICANN.org
Subject: Re: [Gnso-epdp-team] [EXTERNAL] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
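The two messages above describe, in prose, a triage design: authentication and routine requests are handled automatically, while certain triggers (a requester never seen before, a sudden change in request volume, a child data subject, an LEA requester from a jurisdiction of concern) and any disclosure of a natural person's data are handed to a human with authority to change the outcome. The following is an added illustration of that routing logic, written for this page and not code from the EPDP team, ICANN, Bird & Bird or any SSAD implementation. The requester categories, the `"XX"` jurisdiction entry, the spike thresholds and the request stream are all constructed placeholders; a real deployment would source them from policy rather than constants.

```python
"""Semi-automated disclosure-request triage with escalation to human review.

Constructed example; not code from the EPDP team, ICANN, or Bird & Bird.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed placeholder: the thread names "a jurisdiction of concern" but lists none.
JURISDICTIONS_OF_CONCERN: Set[str] = {"XX"}

# Volume trigger: today's count must exceed FACTOR x the requester's per-day baseline,
# and the baseline needs at least MIN_BASELINE_DAYS of history before it is trusted.
VOLUME_SPIKE_FACTOR = 3
MIN_BASELINE_DAYS = 3
BASELINE_WINDOW_DAYS = 7


@dataclass(frozen=True)
class Request:
    requester_id: str                  # accredited requester identity
    credentials_valid: bool            # result of the (automatable) authentication step
    requester_type: str                # constructed categories: "IP", "SECURITY", "LEA"
    requester_jurisdiction: str
    registrant_is_natural_person: bool
    data_subject_is_child: bool
    day: int                           # constructed day index used for volume tracking


@dataclass
class TriageState:
    seen_requesters: Set[str] = field(default_factory=set)
    # requester_id -> {day -> number of accepted requests that day}
    volume: Dict[str, Dict[int, int]] = field(default_factory=dict)


def volume_spike(req: Request, state: TriageState) -> bool:
    """True when this request pushes today's count well above the requester's usual rate."""
    history = state.volume.get(req.requester_id, {})
    past_days = sorted(d for d in history if d < req.day)
    if len(past_days) < MIN_BASELINE_DAYS:
        return False                   # not enough history to call anything a spike
    window = past_days[-BASELINE_WINDOW_DAYS:]
    baseline = sum(history[d] for d in window) / len(window)
    today = history.get(req.day, 0) + 1
    return today > VOLUME_SPIKE_FACTOR * max(baseline, 1.0)


def record(req: Request, state: TriageState) -> None:
    """Update requester history once a request has passed authentication."""
    state.seen_requesters.add(req.requester_id)
    per_day = state.volume.setdefault(req.requester_id, {})
    per_day[req.day] = per_day.get(req.day, 0) + 1


def triage(req: Request, state: TriageState) -> Tuple[str, List[str]]:
    """Route a request: 'REJECT', 'AUTO' (disclose without a human), or 'HUMAN'.

    'HUMAN' means the request is queued for a reviewer who has the authority and
    competence to change the outcome; the memo is explicit that token involvement
    does not count, so nothing downstream may auto-approve a HUMAN-routed request.
    """
    # Authentication is not a decision about the registrant, so it is fully automated.
    if not req.credentials_valid:
        return "REJECT", ["credentials invalid"]

    reasons: List[str] = []
    # Escalation triggers named in the thread.
    if req.requester_id not in state.seen_requesters:
        reasons.append("first request from this requester")
    if req.data_subject_is_child:
        reasons.append("data subject is a child")
    if req.requester_type == "LEA" and req.requester_jurisdiction in JURISDICTIONS_OF_CONCERN:
        reasons.append("LEA from jurisdiction of concern")
    if volume_spike(req, state):
        reasons.append("request volume changed suddenly")
    # Bird & Bird framing: disclosing a natural person's data is the case most likely
    # to have a "similarly significant" effect, so it needs meaningful human review.
    if req.registrant_is_natural_person:
        reasons.append("natural-person registrant data")

    record(req, state)
    return ("HUMAN" if reasons else "AUTO"), reasons


def run_demo() -> List[Tuple[str, List[str]]]:
    """Constructed request stream exercising each route; returns the triage decisions."""
    state = TriageState()
    base = dict(credentials_valid=True, requester_type="IP", requester_jurisdiction="AA",
                registrant_is_natural_person=False, data_subject_is_child=False)
    stream = [
        Request(requester_id="acc-001", day=1, **base),                                   # never seen -> HUMAN
        Request(requester_id="acc-001", day=2, **base),                                   # routine, legal entity -> AUTO
        Request(requester_id="acc-001", day=3, **{**base, "registrant_is_natural_person": True}),  # HUMAN
        Request(requester_id="lea-002", day=1, **{**base, "requester_type": "LEA",
                                                  "requester_jurisdiction": "XX"}),       # HUMAN
        Request(requester_id="acc-001", day=1, **{**base, "credentials_valid": False}),   # REJECT
    ] + [Request(requester_id="acc-001", day=4, **base) for _ in range(4)]                # 4th one spikes -> HUMAN
    return [triage(r, state) for r in stream]


if __name__ == "__main__":
    for route, why in run_demo():
        print(route, why)
```

The design point worth noticing is the ordering: authentication is resolved first and without any human, exactly the category the memo says can be automated, while every trigger and the natural-person test are accumulated rather than short-circuited, so the reviewer sees all the reasons a request was escalated instead of only the first one.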
Hi,

On Jan 23, 2020, at 2:05 AM, Crossman, Matthew <mmcross@amazon.com> wrote:

[SNIP]

> I think the takeaway (at least based on the state of the law today) is that most decisions short of the ultimate decision whether or not to disclose data can be fully automated, but that most decisions involving disclosing registrant data of a natural person will require meaningful human review.

Agree.

> To be clear, this shouldn't foreclose the possibility of a model that evolves towards further automation of disclosure decisions, or individual controllers automating their own decision-making processes based on their assessment of the risks.

I'm not sure what you mean by this. If you're suggesting that the EPDP Team recommends that the use of automated decisions to disclose registrant data to third parties be somehow envisioned in our recommendations, but not used until certain conditions are met, then I imagine we would need to flesh those conditions out in detail before coming up with the appropriate recommendations. I'm not saying that the possibility of scenarios like this in the future need to be prohibited, but I don't see how we can recommend something to this effect without addressing safeguards to registrants (not just Contracted Parties, even though the two are likely very interlinked). This might require that a DPIA be conducted, which is something we (as a team) have resisted doing so far.

Thanks.

Amr
We can revisit registrants' safeguards if needed. Registrants' rights and safety are core elements of this work.

Hadia

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Amr Elsadr
Sent: Thursday, January 23, 2020 3:37 PM
To: Crossman, Matthew
Cc: gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] [EXTERNAL] NCSG Feedback on EPDP Phase 2/Batch 2 Legal Questions for Bird & Bird
participants (4)

- Amr Elsadr
- Crossman, Matthew
- Hadia Abdelsalam Mokhtar EL miniawi
- Mark Svancarek (CELA)