20180110 ECO proposal - ICANN



Proposal for a model to address the General Data Protection Regulation (GDPR)

Introduction

Please find the "Executive Summary" of the data model in Part A of this document. Part B responds to the requirements for a proposal published by ICANN at https://www.icann.org/resources/pages/gdpr-proposed-models-guidelines-2017-12-08-en. For further detail on the model and explanations of its legal basis, we have attached the "ECO GDPR Playbook" and reference it within the proposal.

A. Executive Summary

Key findings – Collection and "internal" processing

The data model is based on three data risk levels (DRL). These are:

• DRL1 – Low risk – Performance of a contract (Art. 6 (1) lit. b) GDPR)

• DRL2 – Medium risk – Legitimate interest (Art. 6 (1) lit. f) GDPR). The data subject has the right to object, but a balancing of rights follows.

• DRL3 – High risk – Consent (Art. 6 (1) lit. a) GDPR). The data subject can withdraw consent at any time without any reason.


[Illustration 1] [Illustration 2] (figures not reproduced in this text)

Illustration 1 shows categories of data that are required to be processed today. Much of that data is not personal. Some of the registry/registrar data can be personal data, but we trust the companies can make sure this is processed in a compliant fashion. Registrants may be natural or legal persons. Therefore, the question arises as to whether enterprise data must be treated differently than data from private persons as registrants. The different treatment, however, bears significant risks because enterprise names may also contain personal references, and a self-identification of the registrant in this respect would not result in a reliable distribution of data inventory. In this respect, a differentiation between natural and legal persons should not be made.

Registrars: Illustration 2 shows the proposed set of data that constitutes registration data in the proposed model. Admin-C, Tech-C and Billing-C will no longer be needed. Registrant data can be collected by the registrar or their resellers in DRL1. No changes are recommended to be made to the other data elements. However, the data in the yellow box (data retention specification) shall no longer be collected based on an ICANN requirement, but according to laws applicable to the registrar or reseller.

Registries: To carry out and maintain the domain name registration, registries do not necessarily need the registrant data, but what must be discussed with DPAs is whether ICANN policy on Thick Registries can be used as a legal basis for data being stored with the registry. Apart from that, registries can specify additional requirements in the Registry Registrar Agreements according to which they can obtain data in case of nexus/eligibility requirements (DRL1) or based on legitimate interests such as security checks or reasons determined by the community in the course of the thick Whois policy development process (DRL2).

Can the Registrar add data elements?

• No involvement of Registry, ICANN, or Escrow Agents

• At their own risk


Responsibilities

For registration data, the registrar, the registry, and ICANN are joint controllers. For data escrow, ICANN is the data controller and the escrow agents are data processors. The EBERO is the data processor on behalf of ICANN, the data controller. In reseller situations, the reseller is the data processor on behalf of the registrar for registration data.

Key findings – Disclosure of Data

Public Whois is not sustainable in its current form. In order to allow for the consistent provision of information, information from different sources should be compiled by means of RDAP (delegated Whois). Furthermore, it needs to be clarified that, even at this point, registries and registrars may have more information than they provide via the Whois service. However, disclosure, according to this paper, would only go as far as revealing the registrant data fields as currently shown in the public Whois. This means that the data of a privacy or proxy service will be shown where the registrant uses such services when gated access is provided. Disclosure by privacy or proxy services would be based on the principles applied today and remain unaffected. There are instances in which data can be disclosed. These are:

• Disclosure to fulfill the contract (requests in conjunction with the preparation of URS and UDRP claims), Art. 6 (1) lit. b) GDPR;

• Disclosure necessary for compliance with a legal obligation to which the data controller is subject, Art. 6 (1) lit. c) GDPR (this provision serves as the legal basis for disclosure to European law enforcement agencies); and

• Disclosure based on a legitimate interest of private stakeholders, Art. 6 (1) lit. f) GDPR, see the following table:

| 3rd Party Group | 3rd Party Interest | Criteria for Disclosure | Data to Be Disclosed |
|---|---|---|---|
| (IPR) Attorneys, Rightholders and Trademark Agents | Legal action against (IP) law infringements | • proof of admission to the bar; • credible demonstration of law infringement related to a certain domain | DRL1 |
| Consumer Protection Associations | Legal action against consumer protection law infringements | • proof of entitlement to prosecution of consumer protection law infringements; • credible demonstration of consumer protection law infringement related to a certain domain | DRL1 |
| Certification Authorities | Verification of domain ownership | • proof of operation of certification services (or known certification authority); • proof of request for certification by registrant | DRL1 |

We should note that the limitations imposed by the GDPR will have a significant impact on companies and individuals working on safety and security issues. These limitations should be discussed with DPAs with the goal of finding solutions that allow for efficient work on IT and network security. The legal basis for disclosure to law enforcement agencies is limited to authorities acting on the grounds of EU law or national laws of EU member states.

It is proposed to establish a certification program for certain user groups (public and private) and give Certified Requestors access to Whois data (which can be privacy or proxy service data) based on pre-defined criteria and limitations (such as captcha, volume limits, etc.) and only to certain data sets. Limitations could be based e.g. on the country of the registrant.

It is further proposed that certification and handling of requests can be centralized in a Trusted Data Clearinghouse to avoid duplicate efforts, to remove the burden of organizational, procedural and financial efforts from the controllers and requesters, to ensure consistency of decision-making, and to make the system "customer friendly".

Illustration of the process: If a requestor types in a Whois query on a domain name, the Whois query will return data that comes from the registrar, including:

• Domain Name
• Registry Domain ID
• Registrar Whois Server
• Registrar URL
• Updated Date
• Creation Date
• Registry Expiry Date
• Registrar
• Registrar IANA ID
• Registrar Abuse Contact Email
• Registrar Abuse Contact Phone
• Domain Status
• Name Server
• DNSSEC
• Name Server IP Address
• Last Update of Whois Database

If a requestor is interested in further information about a registered domain, the requestor is provided with the following options:


• Certified user groups such as public authorities and third parties that can present legitimate interests can access DRL1 data via the Certified Requestor Program.

• For other general queries where disclosure cannot be justified under the GDPR, the requestor will be provided with an anonymized e-mail address or a web form from which messages can be sent to the registrant's e-mail address.

Outlook

Ideally, the contracted parties would agree on a joint data model with ICANN. The public sector also needs to be consulted and worked with, as the limited access to Whois data raises concerns. In particular, certification parameters for non-EU LEAs are an issue that should be further discussed.
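The three-tier process described above (registrar fields for any query, DRL1 registrant data for Certified Requestors within pre-defined limitations, an anonymized relay contact for everyone else) as an added Python example; this is not code from the ECO proposal, the Playbook or ICANN. The registrant field names, the evidence tokens, the relay URL under contact.example, the volume limit and the sample records are assumptions constructed for this example; the requestor groups and their criteria paraphrase the disclosure table on this page.

```python
"""Layered-access gate for registration data, following the three tiers in the
proposal: public registrar fields, DRL1 data for Certified Requestors, and an
anonymized contact channel otherwise. Records and identifiers are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Registrar-side fields returned to any query (list from the process illustration).
PUBLIC_FIELDS = {
    "Domain Name", "Registry Domain ID", "Registrar Whois Server", "Registrar URL",
    "Updated Date", "Creation Date", "Registry Expiry Date", "Registrar",
    "Registrar IANA ID", "Registrar Abuse Contact Email", "Registrar Abuse Contact Phone",
    "Domain Status", "Name Server", "DNSSEC", "Name Server IP Address",
    "Last Update of Whois Database",
}
# Registrant contact fields collected by the registrar in DRL1 (assumed field names).
DRL1_FIELDS = {"Registrant Name", "Registrant Organization", "Registrant Street",
               "Registrant City", "Registrant Country", "Registrant Email", "Registrant Phone"}
# Certified Requestor criteria: every listed evidence token must be presented.
# Groups paraphrase the disclosure table; the token strings are constructed.
CRITERIA = {
    "ip_attorney": {"bar_admission", "credible_infringement_demo"},
    "consumer_protection_assoc": {"prosecution_entitlement", "credible_infringement_demo"},
    "certification_authority": {"ca_operation_proof", "registrant_cert_request_proof"},
}

# Constructed sample records; "Data Retention Note" stands for retention data that
# is never disclosed, and PROXY_RECORD uses a privacy/proxy service.
SAMPLE_RECORD = {
    "Domain Name": "example-constructed.test", "Registrar": "Example Registrar (constructed)",
    "Registrar Abuse Contact Email": "abuse@registrar.example", "Domain Status": "ok",
    "Name Server": "ns1.example.test", "Registrant Name": "Jane Doe (constructed)",
    "Registrant Country": "DE", "Registrant Email": "jane@example.test",
    "Data Retention Note": "internal",
}
PROXY_RECORD = {
    "Domain Name": "proxied-constructed.test", "Registrar": "Example Registrar (constructed)",
    "Registrant Name": "Real Person (constructed)", "Registrant Country": "FR",
    "Registrant Email": "hidden@example.test",
    "Proxy Service Contact": {"Registrant Name": "Privacy Service Ltd (constructed)",
                              "Registrant Email": "relay-1234@privacyservice.example"},
}


@dataclass
class Requestor:
    requestor_id: str
    group: str
    evidence: set
    certified: bool = False  # certification issued by the (assumed) Trusted Data Clearinghouse


@dataclass
class Gate:
    volume_limit: int = 100                               # per-requestor query cap (constructed)
    blocked_countries: set = field(default_factory=set)   # country-of-registrant limitation
    _usage: Counter = field(default_factory=Counter)

    def public_view(self, record: dict) -> dict:
        """Tier 1: registrar data only; no registrant or retention field leaves here."""
        return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}

    def anonymized_contact(self, record: dict) -> dict:
        """Tier 3: a relay contact (assumed URL scheme) instead of the registrant's address."""
        view = self.public_view(record)
        view["Registrant Contact"] = "https://contact.example/relay/" + record["Domain Name"]
        return view

    def gated_view(self, record: dict, requestor: Requestor) -> dict:
        """Tier 2: DRL1 registrant data for a Certified Requestor meeting the criteria and
        staying within the limitations; any failed check falls back to tier 3."""
        required = CRITERIA.get(requestor.group)
        if not (requestor.certified and required and required <= requestor.evidence):
            return self.anonymized_contact(record)
        if record.get("Registrant Country") in self.blocked_countries:
            return self.anonymized_contact(record)
        if self._usage[requestor.requestor_id] >= self.volume_limit:
            return self.anonymized_contact(record)
        self._usage[requestor.requestor_id] += 1
        view = self.public_view(record)
        # Where a privacy/proxy service is used, the service's data is what gets shown.
        source = record.get("Proxy Service Contact") or {
            k: v for k, v in record.items() if k in DRL1_FIELDS}
        view.update(source)
        return view
```

Every denial path returns the same anonymized view as an uncertified query, so a requestor cannot tell from the response whether the refusal was due to missing certification, an exhausted volume limit or a country-based limitation; the gate counts a query against the limit only when DRL1 data is actually released.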


Implementation of the playbook model in a timely fashion poses an additional challenge to all parties involved. Technical implementation needs to be conducted, and registry requirements need to be defined both contractually as well as in EPP. Registrars might need to waive or shorten notice periods for changes of registry requirements. It would be advisable to define different classes of registry requirements and centrally define EPP and RRA standardized language.


B. Details of the Proposal

1. Analysis of how the model accommodates existing contractual obligations while reconciling them with the GDPR, including:

a) A description of the proposed change and how it differs from the current implementation;

The model is based on the basic principle of data minimization.

DRL1: Therefore, in DRL1 only the data required for the performance of the contract is collected and processed by the contracted parties. This differs highly from the current implementation. The registrar collects and processes fewer data elements than in the current situation, e.g. the data elements of Admin-C, Tech-C and Billing-C are not collected as they are not absolutely necessary for the performance of the contract. For details on the data collected by the registrar, please refer to Page 22 [Section II 1.a)] of the Playbook. In addition, the registrar transfers only a limited set of data elements to the respective registry to minimize the data processes; regularly this is only the domain name as potential personally identifiable information according to our data model. Any additional information collected by the registrar from the registrant is not needed by the registry to perform its part of the contractual performance. For details on the data elements transferred to the registries for their fulfillment of contractual obligations in DRL1 please refer to Page 28 [Section II 2.a)]. In case the registry has additional requirements (nexus or eligibility), such data can be required to be collected and transferred to the registry also for the performance of contractual obligations in DRL1, Page 41 [Section III.1].

DRL2: The registry may wish to receive additional data elements which are not directly required by the registry for the performance of the contract. Such requirements must be based on legitimate interest and therefore the registries must name legitimate purposes for the collection and/or transfer of such data by the registrar, Page 49 [Section VII]. The Playbook lists legitimate interests that could be claimed by the registry, such as mitigating abuse, security and stability and the need for a central management. However, the list of potential legitimate interests is not exhaustive.

DRL3: Even with regard to data minimization and the data model described above, there may be a specific interest for registries to obtain (and disclose) personal data in excess of the described data sets. This is possible according to our model based on consent by the data subject, Page 54 [Section VIII].

It should be noted that all of these possibilities of justification of data processing are equally valid. The classification in Data Risk Levels shall only emphasize the possible risk of different interpretation by the data subject or the authority. The data elements as described in DRL1 should be commonly accepted as necessary for the contracted parties to fulfill their contractual obligations. A higher risk is involved when justifying the process with legitimate interest; not only because of the data subject's right of objection but also because the term "legitimate interest" is very open to interpretation. Therefore, the goal of the model is to clearly outline a basis of data processes which are clearly compliant. Other processes can be compliant as well but might need some more argumentation. The model also provides examples of possible interests for additional processes, Page 49 [Section VII].

Disclosure: The model abandons public Whois and implements a model of layered access to data for different users such as Law Enforcement Authorities, IP Lawyers and others, Page 56 [Part C Section I]. Finally, the model suggests the implementation of a Trusted Clearinghouse, Page 75 [Part C Section V].

b) Identification of how the model impacts current ICANN contractual obligations and specification of the contract provision or policy that is impacted by the cited law;

According to the model proposed by us, only the data from DRL1 are mandatory for the registration of a domain and must therefore be transmitted by the registrars to the registries (see answer to question 1a). For the registries, it is possible to continue to obtain the registrant's data on the basis of legitimate interest (see Page 49 [Section VII]), so that a Thick-Whois model can also be maintained. However, only the data from DRL1 is required for the registration of a domain name, so that only this data should be enforced within the framework of the contractual obligations. So with regard to the registrant's data, only the domain name (which can be personal data), see Page 31 [Section II 2.a) aa)], is transferred from the registrar to the registry. In addition, registries may continue to request and receive data from registrants on the basis of legitimate interest. In this respect, the transfer of the registrant's data to the registries is then also carried out for the purposes of contractual obligations/policies of ICANN. ICANN should enforce only those contractual obligations for the parties concerned that correspond to the data from category DRL1.

The Playbook details the flow of data and the roles and responsibilities of the parties involved. Thus, all contractual obligations relating to the processing of registration data are affected. These are the collection of data for the various contacts, transmission of data to the registry, publication of data via public Whois, escrowing data, agreements with the EBERO, the publication of zone files, reporting and transmission duties to ICANN as well as ICANN consensus policies.

c) Identification of the applicable section(s) of the GDPR;

• Art. 2, 3: Material and territorial scope
• Art. 5: Principles relating to processing of personal data
• Art. 6: Lawfulness of processing
• Art. 7: Conditions for consent
• Art. 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
• Art. 13: Information to be provided where personal data are collected from the data subject
• Art. 14: Information to be provided where personal data have not been obtained from the data subject
• Art. 15: Right of access by the data subject
• Art. 16: Right to rectification
• Art. 17: Right to erasure ('right to be forgotten')
• Art. 18: Right to restriction of processing
• Art. 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
• Art. 20: Right to data portability
• Art. 21: Right to object
• Art. 22: Automated individual decision-making, including profiling
• Art. 24: Responsibility of the controller
• Art. 25: Data protection by design and by default
• Art. 26: Joint controllers
• Art. 27: Representatives of controllers or processors not established in the Union
• Art. 28: Processor
• Art. 30: Records of processing activities
• Art. 32: Security of processing
• Art. 33: Notification of a personal data breach to the supervisory authority
• Art. 34: Communication of a personal data breach to the data subject
• Art. 35: Data protection impact assessment
• Art. 37 et seq.: Data protection officer
• Art. 44 et seq.: Transfers of personal data to third countries or international organisations
• Art. 77: Right to lodge a complaint with a supervisory authority
• Art. 82: Right to compensation and liability
• Art. 83: General conditions for imposing administrative fines
• Art. 84: Sanctions

d) A description of how this change will comply with the applicable law.

The proposed model is driven by the basic principles of the GDPR, in particular the principles of data minimization and purpose limitation. The Playbook includes a legal assessment of the entire data model.

2. Changes to the collection, storage, display, transfer, and retention of data.

The Playbook explains in detail what data can be collected, stored, displayed and transferred. It also speaks to the question of data retention and ICANN's role in that regard.

3. Who will be impacted by the change and how (for example: registrants, users of WHOIS data, other contracted parties).

Registrants: The registrant is required to provide less data; in particular, the naming of Admin-C, Tech-C and Billing-C is no longer necessary as a default. The data is collected by the registrars or resellers. This data is no longer transferred automatically to the registry, but only if this is required either in the case of nexus/eligibility requirements (DRL1) or if the registry requests the data transfer on the basis of a legitimate interest (DRL2).

Users of WHOIS data: The model abandons public WHOIS and implements a model of layered access to data for different users such as Law Enforcement Authorities, IP Lawyers and others, Page 56 [Part C Section I], Page 3 and Question 5 of this proposal. Finally, the model suggests the implementation of a Trusted Clearinghouse, Page 75 [Part C Section V].

Registrar: The registrars collect less data; in particular, the data of Admin-C, Tech-C and Billing-C are no longer collected. Basically, there is no automatic transfer of the registrant's data from the registrar to the registry, see the answer above under "Registrants".

Registry: In order to carry out and maintain the registration of the domain name, the registries do not require any registrant data, so that only the domain name as potential personal data is transferred from the registrar to the registry. Apart from that, registries can specify additional requirements in the Registry Registrar Agreements, according to which they can obtain data in case of nexus/eligibility requirements (DRL1) or based on legitimate interests such as security checks (DRL2). In addition, no more public WHOIS will be provided.

ICANN: ICANN's role will be redefined and changed, particularly with respect to enforcing contractual obligations and formally establishing that ICANN is a joint controller/data controller. ICANN must also ensure that data is only transferred to EBEROs that are compliant with the GDPR.

EBERO: EBEROs must be GDPR compliant. They must adhere to the data flows according to the data model described in the Playbook.

Escrow Agents: Escrow agents must be GDPR compliant. They must adjust the format of data to be escrowed.

4. Interoperability between registry operators and registrars.

Interoperability between registry and registrar is given. All currently used data fields remain unchanged, but not all data fields will be populated. Some data fields will be populated with syntactically correct placeholder data. All handling of data that is not (potentially) personal data remains unchanged. Certain changes need to be made, particularly when it comes to transferring domain names, but the Playbook outlines how interoperability can be ensured if all parties operationalize the data model.

5. How users with a legitimate need for data will request and obtain data if it is no longer available in public WHOIS.

The model implements a model of layered access to data for different users such as Law Enforcement Authorities, IP Lawyers and others, Page 56 [Part C Section I] and Page 3 of this proposal. Finally, the model suggests the implementation of a Trusted Clearinghouse, Page 75 [Part C Section V]. There are instances in which data can be disclosed. These are:

• Disclosure to fulfill the contract (requests in conjunction with the preparation of URS and UDRP claims), Art. 6 (1) lit. b) GDPR;

• Disclosure necessary for compliance with a legal obligation to which the data controller is subject, Art. 6 (1) lit. c) GDPR (this provision serves as the legal basis for disclosure to European law enforcement agencies); and

• Disclosure based on a legitimate interest of private stakeholders, Art. 6 (1) lit. f) GDPR, see the following table:

| 3rd party group | 3rd party interest | Criteria for Disclosure | Data to be disclosed |
|---|---|---|---|
| (IPR) Attorneys, Rightholders and Trademark Agents | Legal action against (IP) law infringements | • proof of admission to the bar; • credible demonstration of law infringement related to a certain domain | DRL1 |
| Consumer Protection Associations | Legal action against consumer protection law infringements | • proof of entitlement to prosecution of consumer protection law infringements; • credible demonstration of consumer protection law infringement related to a certain domain | DRL1 |
| Certification Authorities | Verification of domain ownership | • proof of operation of certification services (or known certification authority); • proof of request for certification by registrant | DRL1 |

It is proposed to establish a certification program for certain user groups (public and private) and give Certified Requestors access to Whois data (which can be privacy or proxy service data) based on pre-defined criteria and limitations (such as captcha, volume limits, etc.) and only to certain data sets. Limitations could be based e.g. on the country of the registrant.

It is further proposed that certification and handling of requests can be centralized in a Trusted Data Clearinghouse to avoid duplicate efforts, to take the burden of organizational, procedural and financial efforts off the controllers and requesters, to ensure consistency of decision-making and to make the system "customer friendly".

6. Whether data handling will be uniform or if there will be variation based on things such as "natural person" vs. an organization, physical address of a point of contact, location of the registry operator or registrar, etc.

Data handling will be uniform, due to difficulties with differentiation between data.


Registrants may be natural or legal persons. Therefore, the question arises whether enterprise data must be treated differently than data from private persons as registrants. The different treatment, however, bears significant risks because enterprise names may also contain personal references, and a self-identification of the registrant in this respect would not result in a reliable distribution of data inventory. In this respect, a differentiation between natural and legal persons should not be made. However, input from DPAs should be sought on whether a distinction could be made based on a self-identification by the registrant. Should that be deemed an acceptable safeguard, differentiated treatment could be considered, Page 23 [Section II 1.a) aa)].

7. Whether this model has been reviewed by a data protection authority. If so, indicate which data protection authority, when, and any details of their response.

No.

8. High-level description of any changes to other agreements beyond the Registry Agreement and Registrar Accreditation Agreement (for example: Registry-Registrar Agreement, Data Escrow Agreement, Registration Agreement, Registrar Reseller Agreement, Privacy Policies, etc.).

As described in question 1(b), the model proposed here will fundamentally change the data available to the parties involved. In particular, registries will in principle only receive data from DRL1, so that this model will affect almost all of ICANN's contractual obligations, in particular the Registry-Registrar Agreement, Data Escrow Agreement, Registry Registration Data Directory Services Consistent Labeling and Display Policy, and Additional Whois Information Policy.

9. If applicable, how this differs from other models and whether you endorse any other model. If you endorse another model, please identify whether you endorse the entire model or specific sections.

N/A
