[council] Community member liability for participation in PDPs

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Sat May 5 14:51:58 UTC 2018

Ayden has summarized my worries rather well.  I have no doubt that a 
suit against myself for not protecting the individuals' rights would 
ultimately fail, but if (as has been whispered lately) various parties 
are going to try suing for what they term over-compliance, for "making 
WHOIS go dark", then those of us who are volunteers acting in good faith 
could be sued and not be seen to be acting in ICANN's best interest.  
Then all bets are off.  What we need is an explicit recognition, that 
those who are working diligently in a multi-stakeholder fashion, will be 
protected in the event of liability.  Staff are protected, Board members 
are protected, but those of us who are volunteers are not explicitly 
protected, in my view.  I have, for instance, been saying that ICANN is 
a data controller for the past five years.  Some parties in ICANN might 
not believe that this position is in ICANN's best interest, but it is a 
sound interpretation of the law and recognizing that fact appears in my 
view and in the view of privacy scholars I could muster, (and risk 
managers, for that matter) a very responsible position to take.  Noting 
how tempers are fraying lately, I think this question regarding this 
particular language "provided that the indemnified person's acts were 
done in good faith and in a manner that the indemnified person 
reasonably believed to be in ICANN's best interests and not criminal" is 
a valid concern.  This is of course of particular concern for those of 
us in civil society who embrace unpopular views, and are not being paid 
or backed by a company whose interests we are advancing at ICANN.

Kind regards

Stephanie Perrin

On 2018-05-05 10:14, Ayden Férdeline wrote:
> Thanks, Marika-
> At first glance this extract from the Bylaws does appear relevant, 
> although the language around what could constitute "ICANN's best 
> interests" is very much open to interpretation.
> I have also observed a new FAQ 
> <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en> 
> on the website of the European Commission, which in response to the 
> question, "What should I do if I think that my personal data 
> protection rights haven’t been respected?" advises three options, one 
> of which is: "Take legal action against the company or organisation. 
> File an action directly in court against a company/organisation if you 
> believe that it has violated your data protection rights. This doesn’t 
> stop you lodging a complaint with the national DPA if you so wish."
> From what I remember - and I am going off of my memory here, as 
> the question that Stephanie asked in Abu Dhabi is absent from the 
> meeting transcripts that I reviewed - Stephanie thought we in the 
> community might not be protected under the GDPR from civil litigation 
> by a contracted party negatively impacted by a policy we recommend or 
> a data subject whose privacy rights are not respected. If we launch an 
> EPDP and rapidly develop something which ultimately does not adhere to 
> the letter of the GDPR (which is very plausible, given ICANN's 
> policies for 18 years now have not adhered to European data protection 
> law), could those in the community who participate in the EPDP be held 
> liable in some way? I would like a firm commitment from ICANN as to 
> what constitutes "ICANN's best interests" - I presume advocating for 
> compliance with the law would be seen as acting in good faith, but a 
> clarification would be appreciated...
> Thank you.
> Best wishes,
> Ayden Férdeline
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 30 April 2018 4:18 AM, Marika Konings <marika.konings at icann.org> wrote:
>> Ayden, the following provision of the ICANN Bylaws will hopefully 
>> address your concern:
>> ICANN shall, to the maximum extent permitted by the CCC, indemnify 
>> each of its agents against expenses, judgments, fines, settlements, 
>> and other amounts actually and reasonably incurred in connection with 
>> any proceeding arising by reason of the fact that any such person is 
>> or was an agent of ICANN, provided that the indemnified person's acts 
>> were done in good faith and in a manner that the indemnified person 
>> reasonably believed to be in ICANN's best interests and not criminal. 
>> For purposes of this _Article 20_, an "agent" of ICANN includes any 
>> person who is or was a Director, Officer, employee, or any other 
>> agent of ICANN (including a member of the EC, the EC Administration, 
>> any Supporting Organization, any Advisory Committee, the Nominating 
>> Committee, any other ICANN committee, or the Technical Liaison Group) 
>> acting within the scope of his or her responsibility; or is or was 
>> serving at the request of ICANN as a Director, Officer, employee, or 
>> agent of another corporation, partnership, joint venture, trust, or 
>> other enterprise. The Board may adopt a resolution authorizing the 
>> purchase and maintenance of insurance on behalf of any agent 
>> of ICANN against any liability asserted against or incurred by the 
>> agent in such capacity or arising out of the agent's status as such, 
>> whether or not ICANN would have the power to indemnify the agent 
>> against that liability under the provisions of this _Article 20_.
>> Best regards,
>> Marika
>> On 29 Apr 2018, at 07:44, Ayden Férdeline <icann at ferdeline.com 
>> <mailto:icann at ferdeline.com>> wrote:
>>> Thanks, Martín-
>>> However I would like to receive a similar confirmation from ICANN's 
>>> General Counsel that, in the event of civil litigation against ICANN 
>>> under, say, the GDPR, ICANN will defend community members and not 
>>> just directors and staff.
>>> I am not a lawyer; I'm not sure whether this is a reassurance we 
>>> should receive from ICANN org, or whether we should be obtaining 
>>> this from our own, independent counsel, but I think this is 
>>> something that we do need to receive advice on.
>>> If we are about to embark, potentially, on an Expedited PDP, where 
>>> the community will be under a tight time crunch to develop a policy 
>>> that could well result in legal action (from potentially a wide 
>>> range of unsatisfied stakeholders!), I think we in the community 
>>> need assurances that we are not absorbing any personal liability in 
>>> participating in the EPDP.
>>> Best wishes,
>>> Ayden
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On 28 April 2018 7:54 PM, Martin Pablo Silva Valent 
>>> <mpsilvavalent at gmail.com <mailto:mpsilvavalent at gmail.com>> wrote:
>>>> Ayden, at least from my perspective as lawyer, there is no reason 
>>>> to bealive there could be such liability, ever. Not in this PDP nor 
>>>> any others. We the policy making members are not to worry about that.
>>>> Cheers,
>>>> Martín Silva
>>>> On Sat, Apr 28, 2018, 11:40 AM Ayden Férdeline <icann at ferdeline.com 
>>>> <mailto:icann at ferdeline.com>> wrote:
>>>>     Dear all,
>>>>     As we enter into discussions around next steps re: RDS/GDPR and
>>>>     entertain the possibility of an Expedited PDP, I wanted to
>>>>     re-raise a question that Stephanie Perrin asked in Abu Dhabi,
>>>>     and to ask whether or not a response to it was received. And if
>>>>     the answer is we did not receive a response, I think it is
>>>>     important we obtain one urgently. If, in order to receive a
>>>>     response, we must put this question on Council letterhead and
>>>>     submit it as a formal piece of correspondence, I would like to
>>>>     suggest that we do so.
>>>>     In Abu Dhabi, Stephanie asked the CEO whether community members
>>>>     who participate in Policy Development Processes could be held
>>>>     liable in the event of civil litigation following on from the
>>>>     policies which we develop. She noted that board members, as
>>>>     directors, and employees, as agents of ICANN, have immunity,
>>>>     but wanted to know if ICANN was absorbing this liability too
>>>>     for the community members who participate in the activities of
>>>>     the multistakeholder community. She said we need protection too.
>>>>     I would like to be able to pull out a transcript and to quote
>>>>     Stephanie directly, however I have reviewed many of them today
>>>>     and cannot find her question in there. However, I do distinctly
>>>>     remember it being asked and a follow-up question coming from
>>>>     another member of the Council. Maybe I missed it in the
>>>>     transcripts; if so, I would appreciate if someone could please
>>>>     link to this transcript and provide the page number. Thanks!
>>>>     Best wishes,
>>>>     Ayden Férdeline
>>>>     _______________________________________________
>>>>     council mailing list
>>>>     council at gnso.icann.org <mailto:council at gnso.icann.org>
>>>>     https://mm.icann.org/mailman/listinfo/council
>>> _______________________________________________
>>> council mailing list
>>> council at gnso.icann.org <mailto:council at gnso.icann.org>
>>> https://mm.icann.org/mailman/listinfo/council
> _______________________________________________
> council mailing list
> council at gnso.icann.org
> https://mm.icann.org/mailman/listinfo/council
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/council/attachments/20180505/83b417c6/attachment-0001.html>

More information about the council mailing list