GDPR and Its potential impact: Looking for practical solutions

Event report

The chair of the session, Ms Cheryl Langdon-Orr (Vice-chair, ALAC, ICANN) started the meeting by clarifying that the ICANN community needed awareness raising exercises to prepare for the impact of the new European General Data Protection Regulation (GDPR). She said that it was necessary to find a clear set of basic concepts and understanding of what it is that the community has to deal with concerning the implementation of the GDPR.

Ms Cathrin Bauer-Bulst (Deputy head of the unit for cybercrime and child sexual abuse, DG Migration and Home Affairs, European Commission) took the floor to suggest one such set of key basic concepts. Bauer-Bulst noted that the overall fundamental right to data protection as enshrined in legal instruments, in practice translates into specific rights for individuals. She mentioned the right to be informed, the right of access, the right to rectify inaccurate or incomplete information, the right to erase data which is no longer necessary or whose consent to process or store was withdrawn, the right to restrict the purpose of collection or processing, the right to data portability, and the right to object to specific types of processing. Another key concept, she mentioned, is the personal data itself, regarded as any information relating to an identified or identifiable person, information which together with other elements might reveal who someone is. Bauer-Bulst highlighted that, basically anything which is done with the data may amount to processing, and that three key actors were relevant to the GDPR, namely controllers, processors, and data subjects. Concerning the applicable principles, she pointed out lawful, fair, and transparent processing, balanced with the interests of data subjects, purpose limitation, and data minimisation. She ended by explaining that the governance structure comprised national authorities, courts, the Court of Justice of the European Union, the European Data Protection Board, and the European Data Protection Supervisor.

Ms Becky Burr (Chief Privacy Officer, Newstar) said that more than 60 data elements that her company (Newstar) collects as part of its privacy duties for contracted parties, are personal identifiable information (PII). She said that merely relying on consent is currently not considered enough as a lawful basis for processing personal data, and that legitimacy should also be taken into consideration, as well as a verification whether the data subject’s privacy interests are not being unduly outweighed, and even then, adequate safeguards must be in place. Burr mentioned proportionality as an element to test legitimate interests, which would include an investigation into who wants to use the data element, why, and for what. Only once these issues have been incorporated into the safeguards in place, will the GDPR allow the processing to take place.

Ms Theresa Swinehart (Senior Vice President, Multistakeholder Strategy And Strategic Initiatives, ICANN) started by stating that what ICANN as an organisation is dealing with in terms of the challenges of implementing the GDPR, is a situation which is unique. She said that considering the existence of a deadline, different approaches were necessary to tackle different issues. First, she said that it was essential to understand the implications of the GDPR to ICANN as an organisation, and that an internal task force is currently helping identify where the organisation stands. Concerning the engagement with contracted parties, there is a need to understand the current situation and the implications that the GDPR has on the relevant domain name registration elements that are required from registrars. Swinehart said that she wants to work with the community at events and other dialogue spaces, to help identify which elements are relevant and which steps are necessary under different circumstances, by different actors.