[Gnso-epdp-team] IPC's Comments on the Legal Memo's

Alex Deacon alex at colevalleyconsulting.com
Thu May 16 04:50:53 UTC 2019 

Hi,

Here are the IPC's questions on the legal memos.





As a general question about the legal memos: are these to be considered
legal advice to the EPDP team? Are they legal advice to ICANN Org? Is there
an attorney/client relationship between Bird and Bird and ICANN Org? As our
work may impact the legal posture and liabilities of ICANN Org, we should
be clear that counsel has a fiduciary duty to the EPDP team and not to
ICANN Org, which could present a conflict of interest. This approach was
effective for the CCWG-Accountability group, and should be employed here.



* 6(1)(b)*


1. Has Bird and Bird considered that ICANN fulfills its contract with
registrants by coordinating a *secure, stable, resilient* DNS, which all of
ICANN’s advisory committees have clearly stated requires registration data
processing? To fulfill its end of the contractual framework that flows
through to registrants, it is necessary for ICANN to enable registration
data processing.



2. This legal memo addresses part of WP217. Has Bird and Bird considered
the allegory presented in WP217, “For example, the establishment of a
company-wide internal employee contact database containing the name,
business address, telephone number and email address of all employees, to
enable employees reach their colleagues, may in certain situations be
considered as necessary for the performance of a contract under Article
7(b)…” How does the 6(1)(b) basis apply in this context? What corollaries
can be drawn to registration data?



3. How does the Guidelines 2/2019 on the processing of personal data under
Article 6(1)(b) GDPR in the context of the provision of online services to
data subjects (
https://edpb.europa.eu/our-work-tools/public-consultations/2019/guidelines-22019-processing-personal-data-under-article-61b_en)
impact this advice?



*Natural vs. Legal and Technical Contact Memos*


1. Did Bird and Bird consider the obligations already present under
Sections 3.7.7 of the Registrar Accreditation Agreement, and under the
WHOIS Accuracy Program Specification (
https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#whois-accuracy)?
They are relevant, but are not cited. Considering these provisions, how
does this change the advice provided?


2. Accuracy of Personal Data: What is the definition of Accuracy and whom
determines the level of importance?

3. Risk of Liability: How is this defined? What are the perimeters of risk
associated with inaccuracy registrant data?

4. Is sending a confirmation associated with registrant data considered a
trigger to decrease the risk of liability?

*Accuracy*

1. It would be helpful to receive additional guidance would be helpful as
it pertains to “serious consequences” referenced in paragraph 8?

2.  Please identify the “relevant parties” referenced in paragraph 21?


*Thick WHOIS Memo*


1. In Paragraph 1.1 Bird and Bird claims that registrars and registries are
data controllers – why? It seems that ICANN, in its contracts and policies,
determines the purposes for which and means by which data is processed (
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en).
Registries and registrars do not become controllers by virtue of
participation in the policy development process; this logic would result in
non-contracted participants in the policy development process also being
data controllers, which would be an absurd result. In what other sense are
registrars and registries data controllers?



2. In Paragraph 3.1, considering Thick WHOIS consensus policy has
determined that thin WHOIS is insufficient to protect registrants, and
Thick WHOIS was determined to be necessary for the performance of the
contract, why does Bird and Bird disagree? As we note above, registering a
domain name in the ICANN-coordinated DNS comes with expectations about the
security, stability, and resilience of the service provided.



3. Why does Bird and Bird not consider the benefits of Thick WHOIS policy
to domain name registrants in Paragraph 3.7 or in 3.11-12?
https://gnso.icann.org/en/group-activities/active/thick-whois


Alex

On behalf of the IPC.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190515/60e370cd/attachment.html>

More information about the Gnso-epdp-team mailing list