<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Please keep in mind that merely delegating the decision making
power to a third party like ICANN, be it by contract or policy
that we have to abide by does not make us less of a controller. If
that were possible everyone would delegate controllership to third
parties to avoid liability. <br>
</p>
<p>Let us try to move on from unproductive "what if" scenarios and
start working within the framework of the legal advice we
received, in which CPs _are_ seen as controllers. Anything else is
not productive, would take forwever to work out and find consensus
on and be a waste of our time, which is, as I am told, precious
enough. If we want to release another report in the timeline we
discussed, there is no time for complicated models and complete
reversals of how this industry works. <br>
</p>
<p>We have our advice to the questions asked by the IPC and BC, lets
now follow that advice and accept its conclusions and move on to
working with it. <br>
</p>
<p>Best,</p>
<p>Volker<br>
</p>
<div class="moz-cite-prefix">Am 20.09.2019 um 20:51 schrieb King,
Brian via Gnso-epdp-team:<br>
</div>
<blockquote type="cite"
cite="mid:BY5PR10MB4338067C1B9282EE36D470C29F880@BY5PR10MB4338.namprd10.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Helvetica Neue";}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Helvetica Neue Light";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Helvetica Neue";
color:windowtext;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:535317491;
mso-list-template-ids:-143259450;}
@list l1
{mso-list-id:1035042731;
mso-list-type:hybrid;
mso-list-template-ids:1798723012 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l1:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l2
{mso-list-id:1333802252;
mso-list-template-ids:1959061508;}
@list l3
{mso-list-id:1372536916;
mso-list-template-ids:372659024;}
@list l3:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4
{mso-list-id:1566914437;
mso-list-template-ids:1991142216;}
@list l4:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I would like to thank Sarah, Greg, and Mark
Sv for helping us organize these concepts and frame the
possible options. I support James’ request to staff, noting
that ICANN’s preferences, while not dispositive, are valuable
input for our work. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Good point, Ashley.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">James, I think we’re mostly on board, and
there is additional value to the CPs in the model you outline
if there is no right to deny the request. The Bird & Bird
memo notes that, “a CP's liability under the GDPR is
significantly affected by whether it is a "controller" or a
"processor", and that this determination hinges on three
factors:
<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo7">The degree
of actual control exercised by a party,<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo7">The image
given to data subjects, and<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo7">Reasonable
expectations of data subjects on the basis of this
visibility.
<o:p></o:p></li>
</ol>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We can (and should) drastically influence 2
and 3 with policy recommendations that require crystal-clear
notice to registrants about how registration data will be
processed. We identified this opportunity early on as the RAA
is insufficiently vague, and I think we’re probably unanimous
on this. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The remaining factor tending to increase CP
liability is the degree of actual control exercised, or “the
right to deny the request.” I understand that the ability to
deny requests appears attractive for risk mitigation, but I
implore CPs and the EPDP team to understand that this would
increase liability for CPs. <o:p>
</o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;color:black" lang="EN-GB">Brian
J. King
</span></b><span style="font-size:10.0pt;color:black"
lang="EN-GB"> <br>
Director of Internet Policy and Industry Affairs<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;color:black" lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;color:black" lang="EN-GB">T +1 443
761 3726</span><u><span
style="font-size:10.0pt;color:#0563C1"><a
href="http://www.markmonitor.com"
moz-do-not-send="true"><span style="color:#0563C1"
lang="EN-GB"><br>
</span><span style="color:#0563C1">markmonitor.com</span></a></span></u><span
style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;color:black" lang="EN-GB">MarkMonitor<br>
</span></b><span style="font-size:10.0pt;color:black"
lang="EN-GB">Protecting companies and consumers in a
digital world<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Gnso-epdp-team
<a class="moz-txt-link-rfc2396E" href="mailto:gnso-epdp-team-bounces@icann.org"><gnso-epdp-team-bounces@icann.org></a>
<b>On Behalf Of </b>James M. Bladel<br>
<b>Sent:</b> Friday, September 20, 2019 2:24 PM<br>
<b>To:</b> Heineman, Ashley <a class="moz-txt-link-rfc2396E" href="mailto:AHeineman@ntia.gov"><AHeineman@ntia.gov></a>;
Greg Aaron <a class="moz-txt-link-rfc2396E" href="mailto:greg@illumintel.com"><greg@illumintel.com></a>; 'Sarah Wyld'
<a class="moz-txt-link-rfc2396E" href="mailto:swyld@tucows.com"><swyld@tucows.com></a>; <a class="moz-txt-link-abbreviated" href="mailto:gnso-epdp-team@icann.org">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> Re: [Gnso-epdp-team] Questions regarding
disclosure risks<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue"">Greg – I think we’re assuming that there’s no
scenario where ICANN wants (or is able) to operate a replica
of all gTLD RDS. But we still need them to explicitly state
this, so we can work around it and move on.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue"">Ashely – Contracted Parties have had some
(informal) discussions about our preferred model, and I
think your description is closest to the mark. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue"">Some “entity” takes the request, checks it for
accuracy/validity, and then relays it to the appropriate
Contracted Party. The CP then responds
<b>to the entity</b>, either by providing the non-public
data or issuing a denial (with rationale). In this approach
the Contracted Party is only concerned with transactions to
the centralized entity, and retains the right to deny the
request if something doesn’t pass the smell test. CPs also
recognize that some degree of credential & request
verification “pre-screening” has already taken place.
Requestors have the benefit of a single point of contact
with a standardized request format for all TLDs/Registrars.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue"">The question in front of us Is whether or not
ICANN is willing & able to assume that role -- either
directly or by creating/delegating some other entity.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue"">J.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue Light"">-------------<o:p></o:p></span></p>
<p class="MsoNormal"><b><span
style="font-family:"Helvetica Neue
Light";color:#00B050">James Bladel<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-family:"Helvetica
Neue Light"">GoDaddy</span><span
style="font-size:12.0pt;font-family:"Helvetica Neue
Light""><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Helvetica
Neue""><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:12.0pt;color:black">From: </span></b><span
style="font-size:12.0pt;color:black">"Heineman, Ashley"
<<a href="mailto:AHeineman@ntia.gov"
moz-do-not-send="true">AHeineman@ntia.gov</a>><br>
<b>Date: </b>Friday, September 20, 2019 at 13:10<br>
<b>To: </b>"James M. Bladel" <<a
href="mailto:jbladel@godaddy.com" moz-do-not-send="true">jbladel@godaddy.com</a>>,
Greg Aaron <<a href="mailto:greg@illumintel.com"
moz-do-not-send="true">greg@illumintel.com</a>>,
'Sarah Wyld' <<a href="mailto:swyld@tucows.com"
moz-do-not-send="true">swyld@tucows.com</a>>, "<a
href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a>"
<<a href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a>><br>
<b>Subject: </b>Re: [Gnso-epdp-team] Questions regarding
disclosure risks<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div style="border:none;border-left:solid #A6A6A6
4.5pt;padding:0in 0in 0in 14.0pt">
<p class="MsoNormal" style="background:#EBEBEB"><span
style="font-size:9.0pt;font-family:"Tahoma",sans-serif;color:black">Notice:</span><span
style="color:black">
</span><span
style="font-size:9.0pt;font-family:"Tahoma",sans-serif;color:black">This
email is from an external sender.
</span><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:black">Hi all. Thanks for
this and a quick question on the questions. Does ICANN
*have to* establish a replica database in this
scenario? Can't the information just more or less pass
through ICANN? That would mean less data being
transferred and could also presumably less data
stored/retained. Right? Just thinking out loud in an
effort to identify other options so we don't
unintentionally box ourselves in. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:black">Thanks!<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:black">Ashley (GAC)<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="98%" size="2" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span
style="color:black"> Gnso-epdp-team <<a
href="mailto:gnso-epdp-team-bounces@icann.org"
moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
on behalf of James M. Bladel <<a
href="mailto:jbladel@godaddy.com"
moz-do-not-send="true">jbladel@godaddy.com</a>><br>
<b>Sent:</b> Friday, September 20, 2019 11:35 AM<br>
<b>To:</b> Greg Aaron <<a
href="mailto:greg@illumintel.com"
moz-do-not-send="true">greg@illumintel.com</a>>;
'Sarah Wyld' <<a href="mailto:swyld@tucows.com"
moz-do-not-send="true">swyld@tucows.com</a>>;
<a href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a>
<<a href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a>><br>
<b>Subject:</b> Re: [Gnso-epdp-team] Questions
regarding disclosure risks</span> <o:p>
</o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Greg et al -<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Sarahs’ Alt super powers expired
at midnight yesterday and her laptop has now turned
back in to a pumpkin. So I’ll respond to Greg and
pose a few questions to ICANN Staff.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Greg - In this case, Yes.
“Addressed” = making the disclosure decision, and
(if affirmative) providing the Requestor with the
requested non-public data. For clarity, “provided”
can mean that ICANN sends the data directly to the
Requestor, or somehow <b>causes</b> another
(contracted) party to transmit the data to the
Requestor.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Many EPDP members have expressed
a desire to work with ICANN directly, rather than
route requests to individual Contracted Parties.
They would also prefer to have ICANN make the
disclosure determination, as opposed to leaving this
to the affected Contracted Party (please jump in if
I’m misunderstanding/mischaracterizing this point).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Therefore, the questions we (me,
Sarah, Registrars, ePDP) would like to refer to our
Staff Liaisons are:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Does ICANN have a clear
preference on whether or not it will:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1. Field these requests for
non-public data<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2. Maintain its own RDS replica
database<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3. Make a/the determination of
the validity of the request<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">4. Assume responsibility for this
decision, in any scenario where ICANN doesn’t hold
the data directly and must require a Contracted
Party to respond to the Requestor (even if the
Contracted Party disputes ICANN’s determination).<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We have been dancing around these
questions for a quite a while, and I now believe the
answers stand between us and progress on our work.
Either ICANN agrees to assume some/all of the role
of decision-maker (and accept responsibility for
making this decision), or we abandon the
“centralized” version of SSAD and instead focus our
efforts on developing a distributed model (which is
expressly opposed by some “requestor” stakeholders).
<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Either way, the is the fork in
the road, and we need a clear path forward. If there
are no further questions or objections, I recommend
that Marika/Staff refer this to our liaisons. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks—<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">J.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">_______________<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">James Bladel<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">GoDaddy<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr width="98%" size="2" align="center">
</div>
<div id="x_divRplyFwdMsg">
<p class="MsoNormal"><b>From:</b> Gnso-epdp-team <<a
href="mailto:gnso-epdp-team-bounces@icann.org"
moz-do-not-send="true">gnso-epdp-team-bounces@icann.org</a>>
on behalf of Greg Aaron <<a
href="mailto:greg@illumintel.com"
moz-do-not-send="true">greg@illumintel.com</a>><br>
<b>Sent:</b> Thursday, September 19, 2019 14:25<br>
<b>To:</b> 'Sarah Wyld'; <a
href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> Re: [Gnso-epdp-team] Questions
regarding disclosure risks <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div style="border:none;border-left:solid #A6A6A6
4.5pt;padding:0in 0in 0in 14.0pt">
<p class="MsoNormal" style="background:#EBEBEB"><span
style="font-size:9.0pt;font-family:"Tahoma",sans-serif;color:black">Notice:This
email is from an external sender.
</span><o:p></o:p></p>
</div>
<p> <o:p></o:p></p>
<div>
<div>
<p class="xmsonormal">When you say “addressed” what
do you mean -- that ICANN decides whether the data
should be disclosed in response to a query?<span
style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal"> <span style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal"> <span style="color:#000066"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal"><b>From:</b> Sarah Wyld
<<a href="mailto:swyld@tucows.com"
moz-do-not-send="true">swyld@tucows.com</a>><br>
<b>Sent:</b> Thursday, September 19, 2019
11:16 AM<br>
<b>To:</b> Greg Aaron <<a
href="mailto:greg@illumintel.com"
moz-do-not-send="true">greg@illumintel.com</a>>;
<a href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a><br>
<b>Subject:</b> Re: [Gnso-epdp-team] Questions
regarding disclosure risks<span
style="color:#000066"><o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal"><span style="color:#000066"> <o:p></o:p></span></p>
<p><span
style="font-size:10.0pt;font-family:"Verdana",sans-serif">Hi
Greg,<br>
<br>
"Responding party" here would mean that requests
are received and addressed by ICANN Org. This
email focused specifically on questions raised
by ICANN Org working in this capacity, I'm
interested to see what other scenarios you could
expect to occur here.</span><o:p></o:p></p>
<p><span
style="font-size:10.0pt;font-family:"Verdana",sans-serif">Thanks.</span><o:p></o:p></p>
<pre><span style="color:#000066">-- <o:p></o:p></span></pre>
<pre><span style="color:#000066">Sarah Wyld<o:p></o:p></span></pre>
<pre><span style="color:#000066">Domains Product Team<o:p></o:p></span></pre>
<pre><span style="color:#000066">Tucows<o:p></o:p></span></pre>
<pre><span style="color:#000066">+1.416 535 0123 Ext. 1392<o:p></o:p></span></pre>
<pre><span style="color:#000066"> <o:p></o:p></span></pre>
<pre><span style="color:#000066"> <o:p></o:p></span></pre>
<div>
<p class="xmsonormal"><span style="color:#000066">On
9/19/2019 10:12 AM, Greg Aaron wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="xmsonormal">Sarah, what do you mean by
“responding party”? For example so your
scenarios assume that ICANN is acting in a
specific legal capacity?<span
style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal"> <span style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal">I ask because depending on
what you mean, there may be other scenarios.<span
style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal"> <span style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal">All best,<span
style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal">--Greg<span
style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal"> <span style="color:#000066"><o:p></o:p></span></p>
<p class="xmsonormal"> <span style="color:#000066"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="xmsonormal"><b>From:</b>
Gnso-epdp-team<span style="color:#000066"><a
href="mailto:gnso-epdp-team-bounces@icann.org" moz-do-not-send="true"><gnso-epdp-team-bounces@icann.org></a></span><b>On
Behalf Of
</b>Sarah Wyld<br>
<b>Sent:</b> Wednesday, September 18, 2019
3:18 PM<br>
<b>To:</b> <span style="color:#000066"><a
href="mailto:gnso-epdp-team@icann.org"
moz-do-not-send="true">gnso-epdp-team@icann.org</a></span><br>
<b>Subject:</b> [Gnso-epdp-team] Questions
regarding disclosure risks<span
style="color:#000066"><o:p></o:p></span></p>
</div>
</div>
<p class="xmsonormal"><span style="color:#000066"> <o:p></o:p></span></p>
<p>Hello all,<o:p></o:p></p>
<p>During the recent EPDP face-to-face meetings in
Los Angeles, several members of the working
group expressed a desire to position ICANN as
the responding party to requests for disclosure
of non-public registration data.<br>
<br>
In order to fulfill this request, one of two
things must be true. Either:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="xmsonormal"
style="color:#000066;margin-top:0in;margin-bottom:0in;margin-bottom:.0001pt;mso-list:l3
level1 lfo3">
ICANN Org maintains a current (<24 hours)
copy of the entire RDS database; or<o:p></o:p></li>
<li class="xmsonormal"
style="color:#000066;margin-top:0in;margin-bottom:0in;margin-bottom:.0001pt;mso-list:l3
level1 lfo3">
ICANN has some mechanism (contract clause) to
compel the Contracted Party to disclose the
data to ICANN or the requestor<o:p></o:p></li>
</ol>
<p>These potential scenarios raise the following
questions:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="xmsonormal"
style="color:#000066;margin-top:0in;margin-bottom:0in;margin-bottom:.0001pt;mso-list:l4
level1 lfo6">
In the first scenario, does ICANN accept the
legal risks and operational costs of
maintaining its own replica of all RDS data
for gTLDs? If not, how would those risks and
costs be addressed?<o:p></o:p></li>
<li class="xmsonormal"
style="color:#000066;margin-top:0in;margin-bottom:0in;margin-bottom:.0001pt;mso-list:l4
level1 lfo6">
In the second scenario, will ICANN “relay”
disclosed data between the requestor and the
Registry/Registrar?<o:p></o:p></li>
<li class="xmsonormal"
style="color:#000066;margin-top:0in;margin-bottom:0in;margin-bottom:.0001pt;mso-list:l4
level1 lfo6">
What should be done in situations where ICANN
instructs the Registry/Registrar to disclose
data (either to ICANN or the requestor), but
the contracted party has determined that the
request is not legitimate and refuses? Is this
matter referred to ICANN compliance?
<o:p></o:p></li>
</ol>
<p style="margin-bottom:12.0pt"><br>
Thank you, <o:p></o:p></p>
<pre><span style="color:#000066">-- <o:p></o:p></span></pre>
<pre><span style="color:#000066">Sarah Wyld<o:p></o:p></span></pre>
<pre><span style="color:#000066">Domains Product Team<o:p></o:p></span></pre>
<pre><span style="color:#000066">Tucows<o:p></o:p></span></pre>
<pre><span style="color:#000066">+1.416 535 0123 Ext. 1392<o:p></o:p></span></pre>
<pre><span style="color:#000066"> <o:p></o:p></span></pre>
<pre><span style="color:#000066"> <o:p></o:p></span></pre>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Gnso-epdp-team mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gnso-epdp-team@icann.org">Gnso-epdp-team@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/gnso-epdp-team">https://mm.icann.org/mailman/listinfo/gnso-epdp-team</a>
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/policy">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a class="moz-txt-link-freetext" href="https://www.icann.org/privacy/tos">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</pre>
</blockquote>
<div class="moz-signature">-- <br>
Volker A. Greimann<br>
General Counsel and Policy Manager<br>
<strong style="border-bottom: 3px solid #5C46B5">KEY-SYSTEMS GMBH</strong><br>
<br>
T: +49 6894 9396901<br>
M: +49 6894 9396851<br>
F: +49 6894 9396851<br>
W: <a class="moz-txt-link-abbreviated" href="http://www.key-systems.net">www.key-systems.net</a><br>
<br>
Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835<br>
CEO: Alexander Siffrin<br>
<br>
Part of the CentralNic Group PLC (LON: CNIC) a company registered
in England and Wales with company number 8576358.</div>
</body>
</html>