[Accred-Model] Version 1.6 of the Accreditation and Access Model

Chris Pelling chris at netearth.net
Wed Jun 20 18:32:14 UTC 2018


Hi Michael,
Just to be clear in your citing page 80/82 etc, and the data subject rights to get remedy through the controller / processor - did I understand you correctly that this was your further suggestion to protect the bad party who has used / abused the data from the controller and to leave it in the controller's "lap" to get fined? Data abuser gets rapped knuckles and their creds suspended?
I just want to make sure I read your points correctly.



Sent by Chris on the move.
-------- Original message --------
From: Michael Palage <michael at palage.com>
Date: 20/06/2018  19:23  (GMT+01:00)
To: 'Stephanie Perrin' <stephanie.perrin at mail.utoronto.ca>, accred-model at icann.org
Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model

Stephanie,

I hear and fully respect your viewpoints and professional opinion, much like I do from my colleagues from the IPC/BC side. The point I am trying to make with the Philly Special is let's have an informed intelligent discussion regarding what an ADR like component could look like, much like we did back in 1999 with the UDRP. Back in 1999 it was heated. One of my more favorable ICANN moments was Kathy and Karl doing a tag team at the public mic in Santiago, Chile. However, Francis Guery from WIPO, Kathy and Karl from the non-commercial community, Rita Roden and Jonathan Cohen found a common ground. Was any one of these parties fully happy – NO. But that is what true ICANN consensus building is all about, no one walking away a total winner or total loser.

To be clear the proposed ADR is voluntary. A Data Subject can ignore it completely and rely solely on Articles 80 and/or 82 of the GDPR. However, what I want to do is to see if there is a lightweight ADR to handle the no-brainer violations, much like the UDRP was intended to handle cybersquatting low hanging fruit.

So I fully respect your professional opinion that there should be no waiver of rights and an increased fine amount. However, I would like to focus on those points of agreement (e.g. use of an ADR, remuneration for a Data Subject whose rights have been violated, etc.) as opposed to disagreement. While I appreciate your passion for the protection of Data Subject rights, I am trying to approach a consensus solution in a much more business pragmatic approach. Is there a framework that can handle the majority of low hanging fruit in which the voices of the Data Subject would be silenced? That is why I think the waiver and nominal fixed fee penalties provide a certain degree of predictability to businesses. Although the greatest predictability factor for businesses is to only access the data under one of the enumerated rights currently being discussed in the ICANN and IPC/BC proposals.

There is a recent relevant life experience that I would like to share. I previously purchased a VW Passat diesel thinking the high MPG would help save the environment. Well the management at VW seriously undercut that thought process. In the various class actions that were filed, I could have opted out and pursued a separate legal action against VW for the harm and their deception. Notwithstanding me being an attorney and having the resources to pursue a claim against VW, I made a time value of money decision and accepted the class action settlement package. Is there an edge case about the potential for a criminal gang gaining access and abusing personal data associated with domain name registrant data? Potentially yes, in which case I would be the first to admit that the Philly Special ADR is not the right tool in the tool box for that problem. This is why some trademark owners opt for an ACPA action in the Eastern District of Virginia instead of messing around with a UDRP proceeding.

The point I am trying to make is that the Philly Special ADR component is not a be-all, end-all for every privacy right violation involving domain name registration data. Just like the Philly Special did not win the Super Bowl for the Philadelphia Eagles, it merely gave them a 10 point half time lead. They still had to play an awesome second half to withstand Brady and the Patriots.

Thanks for the constructive feedback and your honesty on where your limits exist. Looking forward to seeing you and others in Panama.

Best regards,
Michael

From: Accred-Model <accred-model-bounces at icann.org> On Behalf Of Stephanie Perrin
Sent: Wednesday, June 20, 2018 12:15 PM
To: accred-model at icann.org
Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model

I think you just need to up your numbers a bit Michael...I might get more in small claims Court these days! (Don't go there, it is just a comparator).

cheers Stephanie

PS still pondering the whole issue of giving up rights...Doubt I would ever buy it. What happens if data subject finds out subsequently that their data has been sold to criminal gangs? (think Equifax, ChoicePoint cases here). Remember that I am not just talking about WHOIS data in a tiered access case....I am assuming that queries will also lead to direct contact with registrars to get financial data. We should not build two systems here...

On 2018-06-20 12:03, Michael Palage wrote:

Brian,

Thanks for the constructive feedback, and I welcome your additional feedback in connection with my response below.

As I have noted previously, the final ADR component of the Philly Special has not yet been finalized, although I am working at it diligently. In fact I have a call with a former JAMS employee today to discuss some of her thoughts on my framework. My goal is to have a framework document (not specific policy and rules) out for discussion by the beginning of Panama.

As you accurately note, Privacy Shield DOES NOT provide for “damages.” However, Section 82, Paragraph 1 of the GDPR does provide that “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” Moreover Section 80 provides for a qualified third party to represent a Data Subject(s) and the right “to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.”

So what I am trying to do with the Philly Special ADR component is thread the needle with an ADR framework that provides “some” compensation to the Data Subject. I believe that the majority of the IPC/BC participants will likely support the proposition that the Data Subject get nothing per the Privacy Shield provision. However, the GDPR does provide for a private right of action and compensation and that cannot be ignored.

My current best thinking involves a hybrid approach where a Data Subject waives their rights under Section 80 and 82, if they elect for the ADR that has some type of remuneration for their harm. TO BE CLEAR, THE DATA SUBJECT WOULD NOT BE REQUIRED TO WAIVE THEIR RIGHT TO REPORT OR FILE A COMPLAINT WITH A DPA. OBVIOUSLY THAT WOULD BE A NON-STARTER FOR THE EDPB. In a recent discussion with a privacy lawyer, the thought process involved giving businesses some predictability as to the damages/fines they might face through an adverse ADR decision, while empowering a Data Subject to have a quicker process to have their claim resolved.

Now those last couple of paragraphs will probably result in my receiving universal objection from both the hardcore IPC/BC advocates on this list as well as from Stephanie and Kathy. However, I am wearing my standard issued ICANN Kevlar Body armor and flame resistant undergarments – so fire away. This is an unenviable middle ground I have often found myself in over the past 20 years.

Stephanie has made clear she thinks a Data Subject should be able to receive substantially much more than my proposed fine range. My response to Stephanie is if a Data Subject has been substantially harmed avoid my lightweight ADR and resort to the courts under Section 80 or 82. However, if the harm to the Data Subject is not truly onerous and the Data Subject does not have the financial resources to initiate a legal proceeding in a court of competent jurisdiction, the ADR and the nominal fine may be better than nothing.

To my BC/IPC colleagues, Section 80 and 82 of the GDPR are real, and they provide for a private cause of action with real damages. Should the ultimate winner in ICANN’s Universal Access Model (UAM) steel cage match NOT account for a mechanism that provides Data Subjects an administrative right to remedy the alleged violation, it is not a matter of “if” but “when” the Data Controllers and Data Processors associated with this UAM find themselves in court. That does not seem like the business predictability that most businesses strive to achieve.

Finally in response to John’s most recent email about the unworkability of the Philly Special model when someone refuses to pay the fine, thus resulting in future denied access. The Philly Special specifically provides for a financial instrument to be put in place to prevent this type of bad actor walking away from their wrong/debt. This provision was not only provided for in the Philly Special 2.0 policy document but it was also provided for in the proposed legal template that Users would have to sign prior to gaining access to the system.

Brian thanks again for the constructive engagement, and hopefully this email provides additional insight into how I am proposing to navigate the complex ADR minefield.

Best regards,
Michael

From: Accred-Model <accred-model-bounces at icann.org> On Behalf Of BECKHAM, Brian
Sent: Wednesday, June 20, 2018 7:55 AM
To: accred-model at icann.org
Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model

With respect to Michael’s request for feedback, and merely for information, the binding arbitration provided for under the Privacy Shield framework that Kathy has helpfully pointed out proposes the following:

https://www.privacyshield.gov/article?id=B-Available-Remedies

B. Available Remedies

Under this arbitration option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual’s data in question) necessary to remedy the violation of the Principles only with respect to the individual. These are the only powers of the arbitration panel with respect to remedies. In considering remedies, the arbitration panel is required to consider other remedies that already have been imposed by other mechanisms under the Privacy Shield. No damages, costs, fees, or other remedies are available. Each party bears its own attorney’s fees.

Perhaps the types of equitable relief foreseen here are meant to speak to the difficulty in being “made whole”?

Kind regards,
Brian

From: Accred-Model [mailto:accred-model-bounces at icann.org] On Behalf Of Stephanie Perrin
Sent: Wednesday, June 20, 2018 1:13 AM
To: accred-model at icann.org
Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model

I think Mike has come up with a reasonable solution, although the numbers are low. If I have to replace my phone number because it is out there now, $250 does not cover my trouble. This is the fundamental problem with privacy loss, it is often impossible to be made whole.

Stephanie Perrin

On 2018-06-19 14:23, Michael Palage wrote:

John,

So I think it is fair to say that no matter what Kathy or I say you will not be happy with any meaningful Data Subject centric safeguard, so this will be my last response on the list.

So the "complex" problem we are seeking to solve is respecting the Fundamental Human Right to Privacy that Europeans have. Much like I respect my fellow Americans and their love of the Second Amendment, I have learned to respect Europeans' passion for their Right to Privacy.

Now the problem with ICANN and the IPC/BC solution is that there is no mechanism to make a Data Subject whole after their Personal Data has been improperly processed. All of the proposed safeguards are focused on limiting a third party from harming additional Data Subjects in the future. I just find that problematic.

When Kathy and I worked on the UDRP and Working Group B almost 20 years ago, we were on the opposite side of the issue. However, we recognized that any solution that ICANN proposed had to be modeled after well established international law, and respect the rights of both Complainant (Trademark Owner) and Respondent (Domain Registrant). What I tried to do in my proposal was model that seed of compromise that was so successful almost 20 years ago in connection with the UDRP.

As Kathy noted there are ADR components in the Privacy Shield that provide for the resolution of disputes. You are also correct that there are requirements that businesses pay for these services and there are no fees to Data Subjects, which creates the potential for abuse. That is why I have been looking to modify the JAMS ADR rules to perhaps find a middle ground that balances the respective rights of the Data Subject and Controller/Processor.

In speaking with a number of privacy attorneys, Data Subjects rarely get compensated for violations of their rights, although DPAs can impose substantial fines against the Controller/Processor. The sweet spot I was looking at in connection with the ADR mechanism was something URS "like". I think this group and ICANN have done a really good job delineating under what set of circumstances a request can be legally made. In fact I think it would be constructive if a User enumerated at the time of the search what basis they were acting upon. The URS "like" ADR process would make use of templates for the complaint and response forms and NO formal written opinion by the panel just a summary decision.

I am still surveying privacy professionals but I think a fine in the range of $250 to $500 for a violation of the terms of services would not be unreasonable. However, this is still at the spaghetti throwing stage.

The other important mechanism is the need to have a disincentive for people to abuse the system by filing abusive requests. There may be the need for some type of speed bump mechanism to mitigate against abusive filings. Still noodling on this safeguard but would appreciate any group feedback.

One of the hard lessons I have learned in ICANN is that it is easy to criticize but it is really hard to find a solution to both complex and simple problems.

Safe travels and I look forward to hopefully seeing you in Panama next week.

Best regards,
Michael

-----Original Message-----
From: Accred-Model <accred-model-bounces at icann.org> On Behalf Of John R. Levine
Sent: Tuesday, June 19, 2018 1:32 PM
To: Kathy Kleiman <kathy at kathykleiman.com>
Cc: accred-model at icann.org
Subject: Re: [Accred-Model] Version 1.6 of the Accreditation and Access Model

It's great when there is actually an easy solution.

At least for the many US companies, law firms, cybersecurity firms, and others (and this is a huge part of the group seeking access), they should "self-certify" to the EU-US Privacy Shield, via procedures set up by the US Department of Commerce and Federal Trade Commission.

Well, at least until the EU courts kill privacy shield like they did Safe Harbor.

Banks and non-profits such as CAUCE are not eligible for Privacy Shield (they're not regulated by the FTC or DOT.) For small organizations the PS rules are extremely complex and there's a mandatory annual payment to cover potential arbitration costs.

Can we back up and explain what problem this overcomplex "solution" is supposed to be solving here?

Regards,
John Levine, johnl at iecc.com, Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
Accred-Model mailing list
Accred-Model at icann.org
https://mm.icann.org/mailman/listinfo/accred-model