<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"open sans";
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Helvetica Neue";
panose-1:2 0 5 3 0 0 0 2 0 4;}
@font-face
{font-family:"Times New Roman \(Body CS\)";
panose-1:2 2 6 3 5 4 5 2 3 4;}
@font-face
{font-family:"Helvetica Neue Light";
panose-1:2 0 4 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space
{mso-style-name:gmail-m_2261970767951819155gmail-m_7699306115020964352apple-converted-space;}
p.gmail-m2261970767951819155gmail-m7699306115020964352msobodytext, li.gmail-m2261970767951819155gmail-m7699306115020964352msobodytext, div.gmail-m2261970767951819155gmail-m7699306115020964352msobodytext
{mso-style-name:gmail-m_2261970767951819155gmail-m_7699306115020964352msobodytext;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Helvetica Neue";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:463501168;
mso-list-template-ids:-975373470;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1525247796;
mso-list-type:hybrid;
mso-list-template-ids:1665983208 262051016 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman \(Body CS\)";}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue"">I don’t understand why this topic continues to come up in our discussions.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2"><span style="font-size:12.0pt;font-family:"Helvetica Neue"">Reasonable Proactive steps to ensure RDS accuracy are provided by the annual reminder messages to Registrants to review/update
their data, under the WHOIS Data Reminder Policy<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2"><span style="font-size:12.0pt;font-family:"Helvetica Neue"">Reasonable, Proactive steps to ensure RDS accuracy include the Validation requirements (Sec. 1a-1e) and Verification of
email and/or telephone (Sec. 1f) under the WHOIS Accuracy Program Specification<o:p></o:p></span></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo2"><span style="font-size:12.0pt;font-family:"Helvetica Neue"">Carefully consider any challenges to Accuracy: Registrars are obligated to re-validate and re-verify data that has changed
(Sec. 2) or has been reported as inaccurate (Sec. 4) of the WHOIS Accuracy Program Specification.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><br>
Summary – <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue"">Regardless of whether we’re talking about Registrants or 3<sup>rd</sup> parties, existing contract language and Consensus Policies already satisfy the Accuracy requirements under
GDPR. So long as our report does not modify these other policies, I don’t think any additional recommendations are necessary in this ePDP. We have so much other work in front of us, we should welcome this one area that is already complete.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><br>
Thx.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue"">J.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue Light"">-------------<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-family:"Helvetica Neue Light";color:#00B050">James Bladel<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-family:"Helvetica Neue Light"">GoDaddy</span><span style="font-size:12.0pt;font-family:"Helvetica Neue Light""><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Helvetica Neue""><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Amr Elsadr <aelsadr@icannpolicy.ninja><br>
<b>Reply-To: </b>Amr Elsadr <aelsadr@icannpolicy.ninja><br>
<b>Date: </b>Thursday, December 13, 2018 at 07:16<br>
<b>To: </b>Alan Woods <alan@donuts.email><br>
<b>Cc: </b>GNSO EPDP <gnso-epdp-team@icann.org><br>
<b>Subject: </b>Re: [Gnso-epdp-team] Additional Information - Accuracy<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">Hi, <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Very much agree with all 3 of the notes by Alan below. In terms of the EPDP’s limited scope, I don’t see what we might be attempting to achieve by pursuing the topic of accuracy. Even if the practicalities involved (such as potential reasonable
steps to be taken to correct or delete inaccurate data) might require further deliberation, either now or during the January F2F meeting, what is the overall objective we are aiming for that isn’t already addressed by existing policies, such as the WHOIS Accuracy
Program Specification? And considering Alan’s (in my view) accurate description of the scope of this EPDP being to either confirm or amend the provisions of the Temporary Specification, how would this objective fit within this scope?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I don’t see any mention of accuracy in the Temporary Specification, except for one in which it is included in a quote from the bylaws in section 4.3, and another in Appendix C, where Article 5 of the GDPR is basically repeated, and which
Alan has addressed in Note 1 below. Furthermore, I don’t see a review of WHOIS accuracy mentioned anywhere at all in the EPDP Team’s Charter. Unlike the topic of the access model, I don’t even understand how accuracy fits within the mandate of the next phase
of the EPDP.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In terms of a substantive look at the existing WHOIS Accuracy Program Specification, I would be happy to review this specification at some point in the future (in another PDP). It does include a few “reasonable” scenarios in which data
accuracy might need to be enhanced, either by validation or verification of this data. However, the very tight deadline of 15 days in which this is required to be done - with failure to do so resulting in the RNH being penalized by suspension of a domain
name involved - does not seem reasonable to me at all. GDPR addresses accuracy as a right of the data subject, not as an obligation that would result in the data subject being held accountable. So again…, this seems to me to be completely out of scope of what
we need to get done over the next couple of months.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Unless we first have a clear understanding and agreement on how this is relevant to our current work, and what we would like to achieve by pursuing it, I don’t see how it is constructive to spend more of the little time we have left on
this issue.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Amr<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Dec 11, 2018, at 2:02 PM, Alan Woods <<a href="mailto:alan@donuts.email">alan@donuts.email</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Thank you Margie for this comprehensive review. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I have 3 notes. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><b>1) Regarding the ICO statement: </b><i>"So if you are using the data to make decisions that may significantly affect the individual concerned <b>or others</b>, you need to put more effort into ensuring accuracy."</i> To be clear the
'you' here is relating to the controller's use of the data and whether that use, by the controller, in the processing of inaccurate data, has a
<b><u>significant</u></b> impact on the rights of the data subject, or 'others'. The USE of this data by the controller is the registration of a domain or the application of our T&Cs; this is not referring to the use by a 3rd party (be that the registrant or
indeed from your POV, Facebook). So from the Controller's POV, all registration data is tested and the registrant is indeed required to confirm that data (WHOIS Accuracy Specifications). This seems very reasonable, given the data collected and the use to which
it is put. Are you expecting the controller to second guess, not 1 but 2 (collection and confirmation process) approvals of the data subject, when the objective is to ensure that the registrant is contactable, in the event of query on the domain. Furthermore,
there is a secondary system of accuracy testing, insofar as where WHOIS data is found to be inaccurate, a complaints process does exist, and let's not forget that the consequence for the registrant for not updating their data, is the suspension of their domain.
(Which, as Stephanie Perrin has rightly reminded us, is a pretty severe and hefty consequence for the data subject on a very tight turnaround) <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"<b><i>Other" interests</i></b> : Beyond this, the impact of inaccurate registration data in the USE by the controller, i.e. the registration of the domain, to your interests as an 'other', if I may surmise, only goes so far as to your
ability to seek redress for matter you perceive to be IP infringement in the domain name itself. Continued inaccuracy of the registrant data (if any remains) does not however affect the availability of the RPMs which do not require the registration data to
be accurate, as under the temp spec, even doe claims are now valid. In addition should you choose to go the court route, obtaining service, substituted or otherwise, should be a simple matter for any lawyer. I fail to see the how the 'use', therefore is objectively
prejudicing you, or how more watertight accuracy would make any substantial difference on the avenues already available. I must say it seems pretty unnecessary, and likely unreasonable, given the use to which the data is put! <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">So my point is I fail to see how the use of the data, by the controller, is substantially prejudicing the interests for which the BCs stand. Accuracy in this context, and the safeguards inbuilt are objectively reasonable given the nature
of the data and the avenues of redress present. As such, this is accuracy sufficient to meet the requirements of the GDPR. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><b>2) SCOPE</b> I am also struggling to see how this is in scope of the ePDP team. Our task, again, is to decide whether the provisions of the temp spec are capable of being confirmed as consensus policy, with or without modification, as
is necessary, to ensure compliance with Data Protection law. Our job is not to rewrite the WHOIS accuracy specification, but to apply the expectations of the GDPR (and other legislation as may be applicable). As written, the temp spec's approach to accuracy
vis á vis the use of the data in the registration process, is reasonable in the circumstances, and prejudice caused by inaccuracy present is mitigated by the availability of redress mechanisms that are not actually dependent on the accuracy of the data, surely
this is objectively a sufficient level of accuracy for that purpose. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">3) <b>Viable Alternative?</b> Although I don't believe an alternative is necessary, nor do I believe this task is in scope for the ePDP, you have also have not provided us with a workable or viable alternative . Perhaps you could provide
us with such a viable option as to how you think accuracy may be improved in the registration of a domain, in a manner that is proportional to the objective of the use (i.e the registration). Perhaps then we may be in a position to make a recommendation to
the GNSO for future policy development?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Kind regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Alan <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:0in 5.25pt 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">
<a href="http://donuts.domains/" target="_blank"><span style="text-decoration:none"><span style="color:blue"><img border="0" width="75" height="75" style="width:.7812in;height:.7812in" id="_x0000_i1029" src="https://storage.googleapis.com/signaturesatori/customer-C02zzlf7k/images/-54f9d8ac97e7f575bf497d10ac1f1aafafddf8afceab5f269d49034f01b3217b.png" alt="Donuts Inc."></span></span></a><o:p></o:p></p>
</td>
<td style="padding:0in 5.25pt 0in 0in">
<div>
<p class="MsoNormal" style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;line-height:12.75pt">
<b><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333">Alan Woods</span></b><b><span style="font-size:10.5pt;font-family:"tahoma",sans-serif"><o:p></o:p></span></b></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">
<span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#333333">Senior Compliance & Policy Manager, Donuts Inc.</span>
<o:p></o:p></p>
<div class="MsoNormal" align="center" style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in;text-align:center">
<hr size="0" width="100%" align="center">
</div>
<p class="MsoNormal" style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">
<span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#333333">The Victorians, </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:7.5pt;margin-right:0in;margin-bottom:7.5pt;margin-left:0in">
<span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#333333">15-18 Earlsfort Terrace<br>
Dublin 2, County Dublin</span><span style="font-size:9.0pt;font-family:"open sans",serif;color:#D6D6D6"><br>
</span><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#333333">Ireland</span><br>
<br>
<a href="https://www.facebook.com/donutstlds" target="_blank"><span style="text-decoration:none"><span style="color:blue"><img border="0" id="_x0000_i1027" src="http://storage.googleapis.com/signaturesatori/icons/facebook.png" alt="http://storage.googleapis.com/signaturesatori/icons/facebook.png"></span></span></a> <a href="https://twitter.com/DonutsInc" target="_blank"><span style="text-decoration:none"><span style="color:blue"><img border="0" id="_x0000_i1026" src="http://storage.googleapis.com/signaturesatori/icons/twitter.png" alt="http://storage.googleapis.com/signaturesatori/icons/twitter.png"></span></span></a> <a href="https://www.linkedin.com/company/donuts-inc" target="_blank"><span style="text-decoration:none"><span style="font-size:10.5pt;color:blue"><img border="0" id="_x0000_i1025" src="http://storage.googleapis.com/signaturesatori/icons/linkedin.png" alt="http://storage.googleapis.com/signaturesatori/icons/linkedin.png"></span></span></a><o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Cambria",serif">Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of
this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Sat, Dec 8, 2018 at 12:49 AM Margie Milam <<a href="mailto:margiemilam@fb.com" target="_blank">margiemilam@fb.com</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi-<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
I was asked to provide further background for the accuracy discussion after yesterday’s EPDP call. Here is some information to frame our further analysis:<br>
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<b><u>SCOPE</u></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
This EPDP was chartered “to determine if the Temporary Specification...should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law.” In order to fully comply with GDPR,
data -- the very subject of this EPDP -- is required to be accurate. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
According to Article 5.1(d) of the GDPR, personal data shall be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed,
are erased or rectified without delay." Article 39 also has similar language. Within the GDPR, this is the second of three principles about data standards, along with data minimization and storage limitation that needs to be addressed. While we have had
much discussion about data minimization and storage limitations, what’s clearly missing to finalize our deliberations and output about data standards is our discussion about data accuracy requirements. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
The ico. (Information Commissioner’s Office in the UK) points out in<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ico.org.uk_for-2Dorganisations_guide-2Dto-2Dthe-2Dgeneral-2Ddata-2Dprotection-2Dregulation-2Dgdpr_principles_accuracy_-23steps&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=h0lLMkeUF_rn5GMhlS2z3vK51MHCcjEetUszEZTvxyg&s=RhTeIrHiyk5mS4H700KfDrYVVkEJElZPkbQjxDs2DOs&e=" target="_blank"><span style="color:#954F72">its
writings on “Principle (d): Accuracy”</span></a><span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span>that one of the new features of GDPR as compared to the principles under its predecessor is that there is now a
“clearer<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><b>proactive
</b>obligation to take reasonable steps to delete or correct inaccurate personal data.” The ICO notes that while “[t]here are clear links here to the right to rectification, which gives individuals the right to have inaccurate personal data corrected” … “[i]n
order to ensure that your records are not inaccurate or misleading in [the case of personal data someone else provides], you must:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
…<o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
take reasonable steps in the circumstances to ensure the accuracy of the information; and
<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
carefully consider any challenges to the accuracy of the information.”<o:p></o:p></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
The ico. goes on to say that “The more important it is that the personal data is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the data to make decisions that may significantly affect the individual concerned
<b>or others</b>, you need to put more effort into ensuring accuracy. This may mean you have to get independent confirmation that the data is accurate.” We can all agree that the accuracy of domain name ownership is paramount to collection of WHOIS/Registered
Name Holder data in the first instance. In addition, since this data will be used by others (with a lawful interest), ensuring that it is accurate for them is relevant.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
This isn’t a new concept for discussion, as you may recall that the European Commission’s technical <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_en_system_files_files_gdpr-2Dcomments-2Deuropean-2Dcommission-2Dunion-2Dicann-2Dproposed-2Dcompliance-2Dmodels-2D07feb18-2Den.pdf&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=h0lLMkeUF_rn5GMhlS2z3vK51MHCcjEetUszEZTvxyg&s=YxaHZrnJlPuW_9bhzSZjJ7TOa-8_9ht63KuwYlhHWxA&e=" target="_blank"><span style="color:#954F72">input
on ICANN's proposed GDPR-compliant WHOIS models</span></a> underscored the GDPR's "Accuracy" principle and made clear that “reasonable steps should be taken to ensure the accuracy of any personal data obtained” for WHOIS databases and that ICANN should be
sure to incorporate this requirement in whatever model it adopts.<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
The ico.<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ico.org.uk_for-2Dorganisations_guide-2Dto-2Dthe-2Dgeneral-2Ddata-2Dprotection-2Dregulation-2Dgdpr_accountability-2Dand-2Dgovernance_&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=h0lLMkeUF_rn5GMhlS2z3vK51MHCcjEetUszEZTvxyg&s=UWaASFRkG2npkSZLHMfzDbjdajEbgoyFxk7wLtqAmbc&e=" target="_blank"><span style="color:#954F72">points
out that</span></a><span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span>“[o]ne of the biggest changes introduced by the GDPR is around accountability – a new data protection principle that says organisations are responsible
for, and must be able to demonstrate, compliance with the other principles ... [y]ou now need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect people’s rights.” With the main thrust of the EPDP being
to ensure that the WHOIS policies ICANN and the contracted parties adopt comply with the principles of the GDPR, these accountability principles shouldn’t be taken lightly. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
Consistent with these commitments and the GDPR, accuracy is an issue fully within scope of the EPDP so that ICANN and contracted parties proactively address how they will ensure the accuracy of data in the first place, not just how they rectify inaccurate data
brought to their attention after collection -- we simply see no way around the EPDP affirmatively addressing the GDPR’s accuracy principle in our deliberations and output. Especially since accuracy is addressed in the Temp Spec itself (see 4.1), which states
ICANN is responsible for “Maintenance of and access to<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><b>accurate</b><span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span>and
up-to-date information concerning registered names and name servers”.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-family:"Times New Roman",serif"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><u>OUTPUT/COMPLIANCE</u></b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
Dbata accuracy needs to be addressed both proactively as well as retroactively. As the<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__ico.org.uk_for-2Dorganisations_guide-2Dto-2Dthe-2Dgeneral-2Ddata-2Dprotection-2Dregulation-2Dgdpr_accountability-2Dand-2Dgovernance_&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=h0lLMkeUF_rn5GMhlS2z3vK51MHCcjEetUszEZTvxyg&s=UWaASFRkG2npkSZLHMfzDbjdajEbgoyFxk7wLtqAmbc&e=" target="_blank"><span style="color:#954F72">ico.
states</span></a><span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span>“Accountability is not a box-ticking exercise. Being <b>responsible</b> for compliance with the GDPR means that you need to be proactive and organised
about your approach to data protection, while <b>demonstrating</b> your compliance means that you must be able to evidence the steps you take to comply.” The ico. goes onto say that “Documenting this information is a great way to take stock of what you do
with personal data. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with<span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span><b>other aspects of the GDPR
such as making sure that the information you hold about people is accurate</b><span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span>and secure.” (emphasis added)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
To that end, the WHOIS policy developed by the EPDP needs to incorporate steps for contracted parties to be in compliance with the GDPR – accuracy being one facet of compliance. The WHOIS Accuracy Reporting System Reports showed that the accuracy levels are
unacceptably low.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;font-variant-caps:normal;text-align:start;word-spacing:0px">
We see the policy discussion on accuracy focused in three areas:<o:p></o:p></p>
<p class="gmail-m2261970767951819155gmail-m7699306115020964352msobodytext" style="margin-bottom:12.0pt">
<b>Collection</b>: At intake, we should consider whether the current forms of validation are sufficient. In this regard, it may be useful to include in the ccTLD survey a request to see what validation is done by the EU based ccTLDs.<o:p></o:p></p>
<p class="gmail-m2261970767951819155gmail-m7699306115020964352msobodytext" style="margin-bottom:12.0pt">
<b>Maintenance</b>: Once data is collected, Article 5 of the GDPR says that data must be “kept up to date”, which seemingly requires some sort of process that could be developed.
<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>Rectification:</b><span class="gmail-m2261970767951819155gmail-m7699306115020964352apple-converted-space"> </span>Article 5 of the GDPR says that ICANN and the contracted parties
must “ensure that personal data that are inaccurate … are erased or rectified without delay” and so, a uniform method to report and rectify inaccurate data could be considered. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Because there are so many facets to this conversation, perhaps the best way to address this is to talk about this in Toronto, at our F2F.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">All the best,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Margie<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Gnso-epdp-team mailing list<br>
<a href="mailto:Gnso-epdp-team@icann.org" target="_blank">Gnso-epdp-team@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>