Dear Janis,

 

As we continue to develop Org’s assessment for the SSAD ODP, we came to additional questions/assumptions that we would like GNSO Council’s confirmation and/or clarifications.

Contractual Compliance

In the SSAD, there are two areas that implicate ICANN Contractual Compliance intervention:

1. Alert mechanisms/complaints regarding Contracted Party behavior (Recs 5.3, 5.4)

The recommendation states the “alert mechanism is not an appeal mechanism – to contest disclosure or non-disclosure affected parties are expected to use available dispute resolution mechanisms such as courts or Data Protection Authorities…”

 

As a result, Compliance’s role is limited to investigating complaints related to procedural failures by the contracted party.

 

2. Contracted Party SLA requirements (Rec 10)

 

Similar to existing processes, complaints or investigations related to contracted party requirements for SSAD may be received and processed through public-facing complaint forms that feed into the Naming Services portal (NSp) and result in individual cases. 

 

If needed, develop automation of complaints related to violations as those may be triggered from internal reporting.

 

Question 1: Does the proposed approach regarding development of potential complaint forms or automated notifications (where possible) fulfill the intentions of the recommendations?

Automation of Disclosure Request Processing

Per recommendation 9.4, only the following categories are considered to meet the criteria for automated processing of data disclosure:

• Requests from Law Enforcement in local or otherwise applicable jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2) processing is to be carried out under a GDPR, Article 2 exemption;
• The investigation of an infringement of the data protection legislation allegedly committed by ICANN/Contracted Parties affecting the registrant;
• Request for city field only, to evaluate whether to pursue a claim or for statistical purposes;
• No personal data on registration record that has been previously disclosed by the Contracted Party.

 

Question 2: We note the first bullet specifically references the GDPR. Our understanding is the above categories were included in the legal guidance provided to the EPDP Team, and the legal guidance specifically referenced the GDPR. Our assumption is the EPDP Team considered this guidance in developing this recommendation but did not intend to exclude privacy laws outside the GDPR. In other words, though this first use case only references the specific scenario in which a law enforcement requestor has a legal basis for processing under GDPR 6(1)e (or whose processing is explicitly exempted from GDPR’s restrictions on data processing), other law enforcement authorities who are outside the EU might also qualify for automated disclosure if they have a comparable legitimate interest in processing such data under their own local law. Can you please confirm if this assumption is correct (or if, conversely, the intention was only for EU law enforcement requests to have the potential for automation under this use case)? 

 

We would very much appreciate your help in relaying these questions to the GNSO Council. If you have any questions, please do not hesitate to contact us.

 

Regards,