<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:347603972;
mso-list-template-ids:2069010894;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:625162310;
mso-list-template-ids:325109886;}
@list l1:level1
{mso-level-start-at:2;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:2047900677;
mso-list-template-ids:713557196;}
@list l2:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>Dear EPDP Legal Committee:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Please find below the homework from Margie/Brian and Laureen/Georgios. All: please review the below questions and provide any additional edits or concerns by <b><u>close of business today, Monday, 13 January 2020.</u></b> For ease of reference, we have also included the already-approved questions in an attachment to this message.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><ol style='margin-top:0in' start=1 type=1><li class=MsoNormal style='color:black;mso-list:l2 level1 lfo2'><span style='font-size:11.0pt'>Brian and Margie’s proposed updated on <b>Territorial Scope</b>, now including suggestions from Volker and Matt:<o:p></o:p></span></li></ol><p class=MsoNormal><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;color:black'>In light of the Right to Be Forgotten Case regarding the reach of GDPR, and the recent guidelines published by the <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__edpb.europa.eu_sites_edpb_files_files_file1_edpb-5Fguidelines-5F3-5F2018-5Fterritorial-5Fscope-5Fafter-5Fpublic-5Fconsultation-5Fen.pdf&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=VH1lTBbXRHuGBzmHv6MDdFMGJFp4rxC3HNks7yXp8Ag&s=Wm0q2xFIYFO65E1T_FPWz5HfiNnV_iNT5JBbHTsyVQM&e=" title="https://urldefense.proofpoint.com/v2/url?u=https-3A__edpb.europa.eu_sites_edpb_files_files_file1_edpb-5Fguidelines-5F3-5F2018-5Fterritorial-5Fscope-5Fafter-5Fpublic-5Fconsultation-5Fen.pdf&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6p"><span style='color:#954F72'>EDPB on Geographic Scope</span></a>,<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:11.0pt;color:black'>Does this ruling and the Guidelines affect:<o:p></o:p></span></p><p class=MsoNormal style='text-indent:.5in'><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:8.0pt;margin-left:.8in;text-indent:-.25in;line-height:11.55pt'><span style='font-size:11.0pt;color:black'>1.</span><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'> </span><span style='font-size:11.0pt;color:black'>The advice given in <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fcommunity.icann.org-252Fdownload-252Fattachments-252F102138857-252FICANN-252520-2D-252520Memo-252520on-252520Territorial-252520Scope-252520.docx-253Fversion-253D1-2526modificationDate-253D1552176561000-2526api-253Dv2-26data-3D02-257C01-257CMarksv-2540microsoft.com-257C0fc10369b86b4fb54cdb08d745d81ad8-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C1-257C637054666773951714-26sdata-3D85hB3n-252BgHO5zltdzTm5Pmd-252FUeu0T7OL-252F4bywkCcb7dg-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DOGmtg_3SI10Cogwk-ShFiw%26r%3DqQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA%26m%3DqgqaikAoSyJzElcg7C-u09feQBWajzhT1JT2LBv05jg%26s%3D8TCbK69KiXCKrPpNO-KL9rKcsRkCISjzvCof8uKQBRs%26e%3D&data=02%7C01%7CMarksv%40microsoft.com%7C2925832daae546b63e0408d745f74dba%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637054800792839937&sdata=exadgrNqqCKVQ%2FLTBKZXXJMnBkfDjA9SNSTaJuX%2FH4Q%3D&reserved=0" title="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fcommunity.icann.org-252Fdownload-252Fattachments-252F102138857-252FI"><span style='color:#954F72'>Phase 1 Regarding Territorial Scope</span></a>, in Sections 6.2- 6.9? <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:8.0pt;margin-left:.8in;text-indent:-.25in;line-height:11.55pt'><span style='font-size:11.0pt;color:black'>2.</span><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'> </span><span style='font-size:11.0pt;color:black'>The advice given in Q1-2 with respect to liability (Section 4 of the memo)?<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:8.0pt;margin-left:.8in;text-indent:-.25in;line-height:11.55pt'><span style='font-size:11.0pt;color:black'>3.</span><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'> </span><span style='font-size:11.0pt;color:black'>In light of this ECJ decision and the <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__edpb.europa.eu_sites_edpb_files_files_file1_edpb-5Fguidelines-5F3-5F2018-5Fterritorial-5Fscope-5Fafter-5Fpublic-5Fconsultation-5Fen.pdf&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=VH1lTBbXRHuGBzmHv6MDdFMGJFp4rxC3HNks7yXp8Ag&s=Wm0q2xFIYFO65E1T_FPWz5HfiNnV_iNT5JBbHTsyVQM&e="><span style='color:#954F72'>Geographic Scope Guidelines</span></a>, using the same assumptions identified for Q1 and Q2, would there be less risk to EEA-based contracted parties if:<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;margin-bottom:8.0pt;margin-left:1.05in;text-indent:-.25in;line-height:11.55pt'><span style='font-size:11.0pt;color:black'>A.</span><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'> </span><span style='font-size:11.0pt;color:black'>an SSAD operated by ICANN (as opposed to the EEA-based contracted party) based in ICANN’s Los Angeles Headquarters allowed automated disclosure responses for redacted data of registrants located outside of the EU where such data may or may not be processed by processors or additional controllers inside the EU or otherwise subject to the GDPR, for legitimate, for legitimate purposes (such as cybersecurity investigations and mitigation)<b> </b>and/or other fundamental rights such as intellectual property infringement investigations (See EU Charter of Fundamental Rights Article 17, Section 2 <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Feur-2Dlex.europa.eu-252Flegal-2Dcontent-252FEN-252FTXT-252F-253Furi-253DCELEX-253A12012P-252FTXT-26data-3D02-257C01-257CMarksv-2540microsoft.com-257C2925832daae546b63e0408d745f74dba-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C1-257C637054800792819948-26sdata-3DRxgqL9eYdRavnaFqIDjzDOT4GPHJRSsmQ1-252Favz10vKw-253D-26reserved-3D0&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=VLG2NlF9SKlO5Br01dwddo_lA4oncgv7PkSSSsw8ZV4&s=fPD2dxvOeBSKNBXQT0rUNkNPmaova0kNQcFCii_4G6Y&e=" title="https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Feur-2Dlex.europa.eu-252Flegal-2Dcontent-252FEN-252FTXT-252F-253Furi-253DCELEX-253A12012P-252FTXT-26data-3D02-257C01-257CMarksv-2540mic"><span style='color:#954F72'>https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT</span></a><o:p></o:p></span></p><ol style='margin-top:0in' start=2 type=1><li class=MsoNormal style='mso-list:l1 level1 lfo3'><span style='font-size:11.0pt;color:black'>Laureen and Georgios’ proposed updated <b>WHOIS Accuracy</b> questions: </span><span style='font-size:11.0pt'><o:p></o:p></span></li></ol><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt;color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Bird & Bird’s memo on the meaning of the GDPR’s Accuracy Principle concluded that this Principle “requires controllers to take ‘reasonable steps’ to ensure that personal data is accurate and up to date. Memo at ¶15.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>This memo also cited to the United Kingdom Information Commissioner Office’s guidance: <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>The more important it is that the personal data is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the data to make decisions that may significantly affect the individual concerned <b><i>or others</i></b>, you need to put more effort into ensuring accuracy. [emphasis added]. Memo at ¶7.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>Finally, the memo observed that:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>a. controllers collect registration data in part to ensure the security, stability and resiliency of the Domain Name System in accordance with ICANN’s mission through the enabling of lawful access for legitimate third-party interests [ICANN Purpose, Final Report EPDP at p. 21] and <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>b. the current Registrar Accreditation Agreement (RAA) requires registrars to take certain steps to ensure the accuracy of data provided by registered domain name holder (registrants),<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>In light of these conclusions and observations, in addition to the requirements set forth in the current RAA, <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>1) What additional reasonable steps should data controllers take to ensure the accuracy of the data submitted with regard to the purposes for which they are processed? <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>2) What additional reasonable steps should data controllers take to ensure the overall appropriate levels of data accuracy? In particular, would it be advisable for data controllers to implement the methods identified in Bird and Bird’s January 25, 2019 memo on liability related to a registrant's self-identification as a natural or non-natural person:<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>a. Confirmation emails seeking certification of the accuracy of the data submitted<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>b. Independent verification<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>c. Communicating consequences of submitting inaccurate data (under RAA, can suspend or cancel registration under certain circumstance)<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>in order to ensure the overall appropriate levels of data accuracy? <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>3) If statistics indicate that overall levels of data accuracy fall below a reasonable threshold (to be determined), would that demonstrate that the data controller’s methods to ensure data accuracy are not reasonable?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:.5in'><span style='font-size:11.0pt'>4) If the data controllers engage third parties to assist with processing personal data, how would that affect the risk of liability to the data controllers?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Times New Roman",serif;color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Marika, Berry, and Caitlin<o:p></o:p></span></p></div></body></html>