<div dir="ltr">I agree with Stephanie, and would further like to strongly caution us from assuming that ICANN are a sole controller for 'ALL' processing here. <div><br></div><div>Should ICANN be considered sole controller for the whole kit and caboodle here, then we are stating that the CPs have <b><i><u>zero</u></i></b> influence on the manner in which we process data. In such an instance, it is up to ICANN to provide us with documented instructions as to all aspects of the processing. I think we should consider what such a statement means for ICANN and indeed the substantial ramifications that such a statement would have for the the Multistakeholder model itself here. In addition, I think we shall find that the legal reality of the situation is never going support the finding of a sole controllership (in all aspects). Pragmatically, any CP could confirm that our requirements under the RA or RAA is simply nowhere near 'comprehensive' enough to qualify as 'documented instructions' for our processing. Let alone the complications regarding aspects such as Sub-processor arrangements, 'technical and organizational measures', and of huge importance, the taking care of any and all data subject requests re registration (which are the Controller's responsibility). The means of processing the CPs implement are varying, but with united goals, but this still suggests such processing means extend beyond the contracts, and we need to be mindful of that in our assessment of the facts here. Additionally ICANN cannot possibly implement and monitor, and enforce compliance with their 'processing' instructions as would be required under Art 28 in any meaningful manner. </div><div><br></div><div>I have always maintained that we do not, as an industry, fit nicely into the clean controller/processor relationship and thus defining our exact relationship must be the work of new thinking on our combined behalf. Thankfully such an approach fits with the intention of the GDPR, and within the expanded appreciation of non-traditional processing situations, as is supported by Art 26 of the GDPR. Hence why the Joint Controller path with a detailed roles and responsibility carve up is the most pragmatic and likely only viable path open to us.</div><div><br></div><div>Alan</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><table style="padding:0px;margin:10px 0;border:none"><tbody><tr><td style="vertical-align:middle;padding:0px 7px 0px 0px"><a href="http://donuts.domains" rel="nofollow" target="_blank"><img alt="Donuts Inc." height="75" src="https://storage.googleapis.com/signaturesatori/customer-C02zzlf7k/images/-54f9d8ac97e7f575bf497d10ac1f1aafafddf8afceab5f269d49034f01b3217b.png" width="75"></a></td><td style="vertical-align:middle;padding:0px 7px 0px 0px;text-align:left">
<div style="font-family:'tahoma',sans-serif;font-size:14px;line-height:17px;font-weight:bold;color:black"><span style="font-size:12px"><span style="font-family:'arial','helvetica',sans-serif"><span style="color:rgb(51,51,51)">Alan Woods</span></span></span></div>
<div><span style="font-size:12px"><span style="font-family:'arial','helvetica',sans-serif"><span style="color:#333333">Senior Compliance & Policy Manager, Donuts Inc.</span></span></span>
<hr><span style="font-size:11px"><span style="font-family:'arial','helvetica',sans-serif"><span style="color:#333333">The Victorians, </span></span></span></div><div><font color="#333333" face="arial, helvetica, sans-serif"><span style="font-size:11px">15-18 Earlsfort Terrace<br style="background-color:rgb(34,34,34)">
Dublin 2, County Dublin</span></font><br style="color:rgb(214,214,214);font-family:'open sans';font-size:12px;background-color:rgb(34,34,34)"><font color="#333333" face="arial, helvetica, sans-serif"><span style="font-size:11px">
Ireland</span></font><br>
<span style="font-size:11px"><span style="font-family:'arial','helvetica',sans-serif"></span></span><br>
<span style="line-height:36px"><a href="https://www.facebook.com/donutstlds" rel="nofollow" target="_blank"><img src="http://storage.googleapis.com/signaturesatori/icons/facebook.png"></a> <a href="https://twitter.com/DonutsInc" rel="nofollow" target="_blank"><img src="http://storage.googleapis.com/signaturesatori/icons/twitter.png"></a> </span><a href="https://www.linkedin.com/company/donuts-inc" rel="nofollow" target="_blank"><span style="font-size:14px"><img src="http://storage.googleapis.com/signaturesatori/icons/linkedin.png"></span></a></div>
</td></tr></tbody></table><br>
</div><div><span style="font-size:12pt;font-family:Cambria,serif">Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . </span><span style="font-size:12pt;font-family:Cambria,serif">Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.</span><br></div></div></div></div></div></div></div></div></div></div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 13, 2018 at 4:44 PM Stephanie Perrin <<a href="mailto:stephanie.perrin@mail.utoronto.ca">stephanie.perrin@mail.utoronto.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p><font size="+1"><font face="Lucida Grande">If you are talking about the IPC team agreeing, Brian, fine. I don't think the EPDP has any consensus position on controllership at all, which is why I support delaying the release of the report until we can at
least frame our questions. ICANN as a body, including this PDP, needs to analyze the current situation and determine status. Given the inattention to registrant rights and data protection law throughout the history of ICANN, not much is clear....the contracts
have embedded policy that was not community-developed, ICANN has taken on sole responsibility for some functions that are normal business requirements (eg Escrow), so determining what the framework is is not so simple. WE need to do that to figure out quite
a few things under GDPR.</font></font></p>
<p><font size="+1"><font face="Lucida Grande">Stephanei</font></font><br>
</p>
<div class="m_-9215874221657485522moz-cite-prefix">On 2018-11-13 11:03, King, Brian via Gnso-epdp-team wrote:<br>
</div>
<blockquote type="cite">
<div class="m_-9215874221657485522WordSection1">
<p class="MsoNormal">Hi All,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">If I still have posting rights to the list, here is some language for your consideration as a first draft of the EPDP’s position on ICANN controllership for the Initial Report:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">The team agrees that ICANN is at least a controller for all purposes identified, and perhaps the sole controller for some or all purposes. The team eagerly awaits the receipt of the legal memorandum about ICANN’s controllership role that
is currently being drafted. As the memorandum was not received prior to the publication deadline for the Initial Report, the team requests that this memorandum be produced as soon as possible to inform both public comment and the group’s views on controllership
for the Final Report. <u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I’ll defer to Alex and Diane on further IPC input from here.
<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;color:#1f497d">Brian J. King</span></b><b><span style="font-size:10.0pt;color:#1f497d"><u></u><u></u></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;color:gray">Director of Internet Policy & Industry Affairs<u></u><u></u></span></b></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;color:#365f91">MarkMonitor </span>
</b><span style="font-size:10.0pt;color:#505050">/ </span><b><span style="font-size:10.0pt;color:#ff9100">Part of Clarivate Analytics
<u></u><u></u></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1f497d">Phone: +1 (443) 761-3726<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1f497d"><a href="mailto:brian.king@markmonitor.com" target="_blank"><span style="color:#0563c1">brian.king@markmonitor.com</span></a><u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<br>
<fieldset class="m_-9215874221657485522mimeAttachmentHeader"></fieldset>
<pre class="m_-9215874221657485522moz-quote-pre">_______________________________________________
Gnso-epdp-team mailing list
<a class="m_-9215874221657485522moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a>
<a class="m_-9215874221657485522moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a></pre>
</blockquote>
</div>
_______________________________________________<br>
Gnso-epdp-team mailing list<br>
<a href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a></blockquote></div>