Article 22 of the GDPR Should Not Preclude Contemplated Automation

This post was co-authored by Russell Pangborn and Brigid Mahoney of Seed IP Law Group.

There is an ongoing disagreement among various members and groups in the ICANN community regarding automation — namely, whether and to what extent automation can be used to disclose registrant data in response to legitimate data disclosure requests. A major contributing factor to the complications around automation has been confusion about how to interpret and apply Article 22 of the GDPR. In its opening paragraph, Article 22 dictates that: "The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

Indeed, the GNSO Expedited Policy Development Process Team on the Temporary Specification for gTLD Registration Data Phase 2 (EPDP) has been bogged down by this very question. Several prominent voices, such as those from the Registries Stakeholder Group and Registrar Stakeholder Group (RySG and RrSG, respectively) and legal feedback from Bird & Bird LLP, have advocated a "conservative" approach that assumes such automation would be regulated — and thus not permitted — by Article 22. But a newly published article by Mike Hintze, partner and privacy law specialist with the firm Hintze Law, opines that Article 22 does not apply to the automated processing contemplated for the System for Standardized Access/Disclosure (SSAD). Based on a comprehensive analysis of the language, policy, and provided explanations of the GDPR itself, this article concludes that "Article 22 should rarely if ever apply to automated decisions to disclose personal data to a third party."

First, the article breaks down the above-quoted language of Article 22 to demonstrate that it would not just be inappropriate, but flat-out incorrect, to apply Article 22 regulations to automated processing and disclosure of registrant data in response to legitimate disclosure requests. Specifically, the article highlights Article 22's certainty requirement — that the automatic disclosure "produces legal effects concerning him or her or similarly significantly affects him or her" (emphasis added). Note this language does not say "may produce," or "is likely to produce," suggesting there must be a degree of certainty that the automatic decision inherently will affect the data subject in a legal or similarly significant way. If such certainty were not inherent, how would the data producer be able to make such a determination in advance? As applied to the automation issue at hand, it is not certain that the disclosure of personal data will inherently result in a legal or similarly significant effect — the third party receiving the data may choose to do nothing with the information.

If the third party does, however, choose to take action against the data subject that has legal or similarly significant effect, the automatic disclosure is at best an indirect cause of such effect. While the GDPR does not explicitly address the direct vs. indirect causation question, Hintze notes that the GDPR's text and practical examples demonstrate direct causation scenarios only as those falling under Article 22. If the GDPR drafters wanted to include under Article 22 automated decisions that could have an indirect legal or similarly significant effect, the drafters could have included such language. To assume indirect, "butterfly effect" type causation was intended to be included by the drafters is to believe the drafters intentionally created an impossible-to-escape maze where all avenues lead back to Article 22 — any automated decision could indirectly result in a legal or similarly significant effect if one were to follow the chain of causation far enough.

Furthermore, the article quells potential concerns that automated decision-making for the disclosure of personal data would be left entirely unregulated if not under the purview of Article 22. To the contrary, the article points out, the GDPR contains other provisions that are more suitable for protecting data subjects' rights with respect to automated processing. For example, Article 6 requires a lawful basis for automated decision-making and for the processing involved in disclosing personal data to a third party. Advocates for automated responses to disclosure requests universally understand and support that there must be an underlying lawful basis, such as requests from law enforcement and requests from Uniform Domain Name Dispute Resolution Policy/Uniform Rapid Suspension System (UDRP/URS) providers for registrant verification in an active UDRP/URS proceeding. Additional examples that have been proposed as appropriate for automation include well-founded allegations of intellectual property infringement, phishing, fraud, and other similar matters of consumer protection, all of which comply with Article 6's requirement for a legal basis.

This article contributes an important, fresh, and well-grounded perspective to the discussion around automation and the GDPR. While Registries and Registrars may justify their position as ensuring they abide by the privacy rules set out by the GDPR, the well-reasoned analysis put forth by Hintze shows that there is no need to treat the automated processing contemplated for the SSAD as if it were regulated by Article 22. To do so is unnecessary and alarmist, and results in a misplaced and overbroad application of GDPR regulations to the detriment of the smooth functioning of the DNS system.

Free from the restrictions imposed by Article 22, it is important that the EPDP fully embraces and includes automation in its Final Report. Large-scale enforcement efforts by law enforcement, cybersecurity, and brand owners require automation to achieve meaningful results and improve online safety for end-users. Without access to automation, as currently stands, such enforcement efforts are routinely hampered by impractical and tedious reveal requests, which are all too often ignored, and thus require subsequent legal action such as filing a UDRP or lawsuit just to obtain registrant information. This convoluted process is inefficient, excessively time-consuming, and ultimately enables bad actors to continue carrying out DNS abuse in the absence of essential, effective tools for enforcement efforts. The health of the ICANN community and overall DNS system will thus benefit immensely from allowing automated processing and disclosure of registrant data in response to legitimate disclosure requests. As Hintze's article concludes, this can be done without fear of violating Article 22 of the GDPR as it does not apply to the automation contemplated by the EPDP.

By Russell Pangborn, Partner at Seed IP

Comments

Are you or Mr. Hintze indemnifying my registrar? By Jothan Frakes  –  Jun 22, 2020 5:20 pm PST

Russ, as you no doubt understand, RISK drove shut the data access, as the consequences amount to business-ending costs for many registrars.

If Hintze's finding were ultimately true, it seems a safe bet for his or your firm to offer indemnification to registrars that would take on the risk.

Are we THERE yet? That would be delightful.
