[gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 16 January 2018

Tue Jan 16 18:41:41 UTC 2018

Dear All,

Please find below the notes and action item from today’s next generation RDS PDP WG (see https://community.icann.org/x/RAByB for further details). Please note that the next meeting is scheduled for Wednesday, 24 January at 06:00 UTC.

Best regards,

Marika

Action Items and Notes from RDS PDP WG Call – 16 January 2018

These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.

1. Roll Call/SOI Updates

  *   Roll call will be taken from Adobe Connect
  *   Please mute your microphones when not speaking and state your name before speaking for transcription purposes.

2. Review poll results from 9 January call

  *   See survey results and handout distributed (https://community.icann.org/x/RAByB)
  *   Support for previously-forget agreement has fallen, with a full 33% now arguing that DN Cert IS a legitimate purpose.
  *   More WG members are of the view that Criminal Activity / DNS Abuse - Investigation is a legitimate purpose for collecting some data than those who believe that investigation is not a legitimate purpose.
  *   Based on review of these results and comments on the mailing list, leadership proposes to focus the discussion on what makes any purpose legitimate for processing registration data.

3. Deliberate on what makes any purpose legitimate for processing registration data?
    a. Review examples of criteria and legitimate purposes

  *   Possible criteria: does it support ICANN's mission; is it specific; is it explained in a way that registrants can understand; does it explain to registrants what their data will be used for; is it necessary for the fulfilment of a contract; other?
  *   What other criteria should be considered?
  *   See examples taken from the GDPR regulation and Hamilton memo which may help inform the WG's deliberation.
  *   Shouldn't WG make a difference between purpose for collection and purpose for processing?
  *   Definition of processing in the GDPR is "‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction"

    b. What makes purposes already agreed upon (Tech Issue Resolution, DN Management) legitimate?

  *   DN Management: Fall into the category of self-evident - doesn't make sense to have a domain name registration if you cannot keep track of it. Need to be able to manage the system.
  *   Tech Issue Resolution: if objective is to have industry to exchange value between two parties, sometimes things may happen, need to be able to deal with those kinds of issues.
  *   Doesn't make sense to do what we do without these two purposes. Other purposes may not have the same level of importance.
  *   The DNS is a distributed database and the Internet is a distributed system without anyone in control and without the necessity of pre-existing contractual relations between participants therefore, you need to be able to contact other operators.
  *   Inherent to the functionality - if you cannot manage domain names or resolve technical issues the DNS will not work.
  *   Scoping and perspective differences may be the underlying reason for the differences of opinions in the WG.
  *   ICANN is the data controller, the purpose has to relate to its mandate.
  *   Would a possible criterion to determine legitimacy be: Ensure that certain parts of the DNS work as they are supposed to? ICANN's role is tightly bound by its mission so important to factor that in and be precise. Supporting the DNS and its distributed nature is what makes these purposes legitimate - you cannot have this system without having this info available for these purposes. "Inherent to functionality"
  *   Data minimization and proportionality need to be factored in as it concerns the processing of personal data.
  *   Important detail is the distinction between what is mandatory vs. what is optional. Is this discussion about what is mandatory?

Possible criteria for legitimacy:

  *   Does it support ICANN's mission?
  *   Is it specific?
  *   Is it explained in a way that registrants can understand?
  *   Does it explain to registrants what their data will be used for?
  *   Is it necessary for the fulfilment of a contract?
  *   DNS is the Internet's primary naming system, and it needs a registration directory service to make the Internet's decentralized operation work. In particular, to make a system that does not require pre-existing contracts among everyone, everyone involved in the operation needs to be able to contact one another.  That's why 46 and 48 are legitimate purposes  for collection.

    c. Add to and refine list of possible criteria for what makes any purpose legitimate for processing registration data

  *   Important to consider whether something is required or whether it is optionally provided by registrants. Legitimate purpose for requiring data may have a higher bar than data that is optional to be provided by registrants.
  *   Let's worry about "requiring" later but focus for now on legitimate purposes for which data could be collected.
  *   If there is already agreement on data that needs to be collected (contact information), the only question should be whether access should be provided for other purposes that may not be considered inherent to functionality.
  *   Is there any data that is new for any of the other purposes under consideration that might warrant further consideration? If it is already collected, the focus should be on access.
  *   May need further clarity on if something is not legitimate purpose for requiring data can access still legitimately be provided?
  *   What is the ability to later on make changes to purposes identified should circumstances change?
  *   This is what the GDPR says: "The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations".
  *   The GDPR notes that "the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data" so wouldn't that include both purposes for collection and access (and as such there is no primary / secondary purpose)?
  *   It is impossible to make an exhaustive list of all the possible legitimate uses of collected data. Does it make any sense to simply say, X,Y,&Z are collected for the reasons Andrew lists, and then identify X & Y for public access in the public interest? This would at least give a generic reason to debate with regard to access to X & Y.
  *   Need to determine data required for inherent functionality, but there are also processing purposes that are essential for the operation - may not be a mandated collection reason, but as a processing reason (access).
  *   Is it sufficient to define different purpose for access than for collection?
  *   Would issue be solved by providing ability for registrants to voluntarily fill in as much information they want?
  *   Recital 50 and article 6.4 of the GDPR may provide some further guidance on whether there is compatibility with the purpose for collection. Maybe some of the purposes that have mixed support could benefit from further review on 'compatibility'. Consider whether a small drafting team could make progress in this regard (criteria for compatibility for a legitimate purpose for access with a legitimate purpose for compatibility). Volunteers: Stephanie, Nathalie, Steve M (lead). Small group to provide status update during next week's meeting.

    d. Formulate possible WG agreement(s) on criteria

  *   None yet.

4. Confirm action items and proposed decision points

Action item: small group of volunteers to provide status update on discussion on compatibility criteria ahead of next week's meeting.

5. Confirm next WG meeting: Wednesday, 24 January at 06:00 UTC

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages<http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20180116/9dcad182/attachment-0001.html>