[council] Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations

Flip Petillion fpetillion at petillion.law
Tue Jul 30 13:14:36 UTC 2019


Rubens,

I share the feeling that it is uncommon to have a substantive discussion within the Council. However, that is exactly what the Bylaws mandate us to do within the atypical framework of expedited PDPs. Doesn’t the proposed one pager attached to the draft letter also address substance?

As to your second comment, I think we owe it to the community to provide the Board with recommendations and reasoning that is legally sound. If certain aspects of privacy have been previously overlooked, now seems the time to correct them.

Best regards,

Flip

Flip Petillion
fpetillion at petillion.law
+32484652653
www.petillion.law

[signature_1118330005]<http://www.petillion.law/>

  Attorneys – Advocaten - Avocats




From: Rubens Kuhl <rubensk at nic.br>
Date: Tuesday, 30 July 2019 at 13:22
To: Flip Petillion <fpetillion at petillion.law>
Cc: Ayden Férdeline <icann at ferdeline.com>, "council at gnso.icann.org" <council at gnso.icann.org>
Subject: Re: [council] Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations


Flip,

I find strange we are having a substantive discussion on the topic within the Council. I believe our approach to board denials of PDP recommendation should be to ask the PDP WG what clarifications or positions they have, and relay them to the board. IPC is represented in the PDP so the same content you posted here could be used there while formulating the response, whatever that response would look like.

And still on process grounds, it's clear that the board rationale for not approving part of Rec. 12 is different from the IPC rationale you relayed to the Council. But the rationale that needs to be answered to is the Board one, because they've made the decision to not fully approve rec. 12. So while it's interesting to know the overall IPC position on the matter, the topic at hand is the Board decision.


Rubens




On 30 Jul 2019, at 06:54, Flip Petillion <fpetillion at petillion.law<mailto:fpetillion at petillion.law>> wrote:

Hi Ayden,

Thank you for your questions and for the opportunity to clarify our position. I understand your questions address the substance of the recommendations and not the GNSO Council’s remit within the Board Approval Process.


  1.  Regarding your first question:

You are correct that the ‘Organisation’ field pertains to information of legal entities and thus should not be subject to GDPR principles (and thus should not be deleted or even redacted). However, this is not treated as such in the Final Report. To avoid that we enter into circular discussions, we started from the premise in the Final Report (and the draft rationale for rec. #12) that the GDPR could apply to the ‘Organisation’ field. Our point is that, in such a case, the practices of both disclosing AND deleting data are subject to GDPR according to article 4 (2). ,The deletion of previously provided data can likewise not occur without a solid purpose, legal basis and safeguards.


  1.  Regarding your second question:

(i) You are correct that the GDPR requires consent to be informed, affirmative and freely given. However, active opt-in consent is only required when relying on consent as a legal basis (art. 6.1.a). The Final Report and the guidance of the EU Authorities and DPAs have established that, depending on the purpose, the performance of the registration contract (art. 6.1.b) and legitimate interest (art. 6.1.f) are the valid legal bases. For the latter, an opt-out mechanism or redaction mechanism can be sufficient to shift the balance in favour of the interested party (cfr. Article 29 WP Guidance on Legitimate Interest) and active opt-in consent is not required.

(ii) If you were to rely on consent as a legal basis, normally (and ideally) consent is obtained at the time of collection of the personal data (i.e. the registration of the domain name). It is at this point in time that the data subject (registrant) is properly informed of the processing activities and is engaged in providing the necessary information related to the purpose and legal bases (i.e., performance of the registration agreement). Practice has shown that there are a lot of problems with obtaining consent after the fact (i.e., during the performance of the registration agreement). Quite often data subjects cannot be contacted, are confused about the nature of the opt-in communication, are simply not interested, etc. Accordingly, the requirement of an active opt-in consent on the basis of a ‘review request’ to existing registrants unnecessarily risks losing valid organisation information on a wide scale.

I hope this sufficiently answers your questions and clarifies the position of the IPC on this matter.

Best regards,

Flip


Flip Petillion
fpetillion at petillion.law<mailto:fpetillion at petillion.law>
+32484652653
www.petillion.law<http://www.petillion.law/>

<image001.png><http://www.petillion.law/>

  Attorneys – Advocaten - Avocats




From: Ayden Férdeline <icann at ferdeline.com<mailto:icann at ferdeline.com>>
Reply to: Ayden Férdeline <icann at ferdeline.com<mailto:icann at ferdeline.com>>
Date: Tuesday, 30 July 2019 at 00:41
To: Flip Petillion <fpetillion at petillion.law<mailto:fpetillion at petillion.law>>
Cc: Maxim Alzoba <m.alzoba at gmail.com<mailto:m.alzoba at gmail.com>>, Darcy Southwell <darcy.southwell at endurance.com<mailto:darcy.southwell at endurance.com>>, "gnso-secs at icann.org<mailto:gnso-secs at icann.org>" <gnso-secs at icann.org<mailto:gnso-secs at icann.org>>, "council at gnso.icann.org<mailto:council at gnso.icann.org>" <council at gnso.icann.org<mailto:council at gnso.icann.org>>
Subject: Re: [council] Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations

Hi Flip,

Thanks for sharing this input from the IPC.

Sorry if this is a stupid question, but since data that does not pertain to natural persons is beyond the scope of the GDPR, I do not understand how you can make the claim that article 4 (2) of the GDPR does not allow for the organisation field to be deleted. Could you please clarify? Thanks.

I am also concerned that what you describe below - "Practice has shown that data subjects are generally reluctant to take active steps after their data has been collected to provide active opt-in consent (cfr. opt-in emails)" - sounds like a proposal for not obtaining consent that is valid under the GDPR, which I understand requires consent to be freely given.

Kind regards,

Ayden


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 29 July 2019 18:29, Flip Petillion <fpetillion at petillion.law<mailto:fpetillion at petillion.law>> wrote:

Dear Keith,
Dear All,

The IPC shares the Board’s concern that the option to delete the Organisation fields contents as a result of a refusal or failure to respond by the registrant upon a ‘review request’ by the registrar, risks resulting in a wide scale loss of crucial information about the registrant's identity.

While the IPC acknowledges that Recommendation #12 achieved consensus support in the EPDP Team’s Phase 1 Final Report, we agree with the Board that the “or delete the field contents” part of recommendation #12 2) b) is not in the best interests of the ICANN community or ICANN.

We therefore do not agree that the recommendation should be resubmitted as is, and also not together with the presented rationale in the draft letter to the Board.

Irrespective of the debate as to whether the organisation field may contain personal data or not, the issues considered in the current rationale and the concerns of the Board can both be met by redacting the organisation data in case of an opt-out (or lack of active opt-in) instead of deleting.
· The concept of ‘privacy by default/design’ in the GDPR does not automatically necessitate the implementation of an opt-in mechanism (especially considering the legitimate interests attached to the transparency of organisation information online);
· The deletion/erasure by a controller of previously provided personal data is also considered ‘processing’ (article 4 (2) GDPR), for which the controller must determine a purpose and proper legal basis. As a result, a registrar cannot simply delete important information provided by the registrant unless (i) the registrant has requested the erasure of the ‘Organisation’ field by exercising his right to erasure (this right must be actively exercised and cannot be inferred), (ii) the retention of the ‘Organisation’ field is no longer necessary for the purposes of processing the domain name registration data (Recommendation #15 implies that the retention period of the data elements would at the minimum be the ‘life of the registration’), or (iii) the registrar can justify the deletion on the basis of another valid legal basis (such as the consent of the registrant).

Practice has shown that data subjects are generally reluctant to take active steps after their data has been collected to provide active opt-in consent (cfr. opt-in emails). Together with the expected difficulties in contacting the registrants and verifying their (lack of) consent on a wide scale, the IPC believes (in accordance with the Board Statement) that this would pose a serious and unnecessary risk to lose important registrant information.

Procedurally, we fail to see the use of the checks and balances incorporated in the ‘Board Approval Process’ of Annex A-1 Section 6 of the Bylaws if it would be outside the GNSO Council’s remit to allow a modification to the Consensus Policy recommendation delivered by the EPDP Team. Section 6 of Annex A-1 of the Bylaws specifically provides:
“At the conclusion of the Council and Board discussions, the Council shall meet to affirm or modify its recommendation, and communicate that conclusion (the "Supplemental Recommendation") to the Board, including an explanation for the then-current recommendation.”

The IPC therefore believes it is in the GNSO Council’s remit to consult with the Board and modify a Consensus Policy Recommendation if such modification alleviates concerns raised in the Board Statement and is in the best interest of the ICANN community and ICANN.

In accordance with the concern raised in the Board Statement, the IPC therefore believes that the “or delete the field contents” part (deletion option) of Recommendation #12 2) b) should be deleted.

Best regards,

Flip

Flip Petillion
fpetillion at petillion.law<mailto:fpetillion at petillion.law>
+32484652653
www.petillion.law<http://www.petillion.law/>

<image002.png><http://www.petillion.law/>

  Attorneys – Advocaten - Avocats




From: Flip Petillion <fpetillion at petillion.law<mailto:fpetillion at petillion.law>>
Date: Monday, 29 July 2019 at 21:41
To: Maxim Alzoba <m.alzoba at gmail.com<mailto:m.alzoba at gmail.com>>, Darcy Southwell <darcy.southwell at endurance.com<mailto:darcy.southwell at endurance.com>>
Cc: "gnso-secs at icann.org<mailto:gnso-secs at icann.org>" <gnso-secs at icann.org<mailto:gnso-secs at icann.org>>, "council at gnso.icann.org<mailto:council at gnso.icann.org>" <council at gnso.icann.org<mailto:council at gnso.icann.org>>
Subject: Re: [council] Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations

Dear Keith,
Dear All,

Due to the vacation period, we will be able to send in the IPC comments later today or tomorrow morning my time.
Sorry for the inconvenience.

Best regards,

Flip


Flip Petillion
fpetillion at petillion.law<mailto:fpetillion at petillion.law>
+32484652653
www.petillion.law<http://www.petillion.law/>

<image003.png><http://www.petillion.law/>

  Attorneys – Advocaten - Avocats




From: council <council-bounces at gnso.icann.org<mailto:council-bounces at gnso.icann.org>> on behalf of Maxim Alzoba <m.alzoba at gmail.com<mailto:m.alzoba at gmail.com>>
Date: Thursday, 25 July 2019 at 18:53
To: Darcy Southwell <darcy.southwell at endurance.com<mailto:darcy.southwell at endurance.com>>
Cc: "gnso-secs at icann.org<mailto:gnso-secs at icann.org>" <gnso-secs at icann.org<mailto:gnso-secs at icann.org>>, "council at gnso.icann.org<mailto:council at gnso.icann.org>" <council at gnso.icann.org<mailto:council at gnso.icann.org>>
Subject: Re: [council] Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations

 We support the current draft of the letter and comments of Darcy.

Also I'd like to underline , that the modification of the recommendations is for GNSO Council, not for the Board
 ,and that doing micro management of PDPs is not in the GNSO Council's role.


Maxim Alzoba

On Wed, Jul 24, 2019, 22:44 Darcy Southwell <darcy.southwell at endurance.com<mailto:darcy.southwell at endurance.com>> wrote:
Thanks you, Keith.

The Registrar Stakeholder Group (RrSG) agrees that it's outside the Council's remit to modify, or even suggest modification of, a consensus recommendation from a PDP working group and therefore objects to modifying Recommendation 12 to remove the deletion option.  The Council should seek to formalize the rationale provided to the Board in Marrakech and resubmit the consensus recommendation to the Board for approval.  Therefore, RrSG supports the Council's letter to the Board as written regarding Recommendation 12.

Regarding Recommendation 1, Purpose 2, the EPDP Team and Board have been quite clear that further legal analysis is necessary to ensure Purpose 2 is drafted consistent with applicable laws.  In its Final Report, the EPDP Team recommended Purpose 2 be further evaluated during phase 2 of the EPDP.  In its resolution, the Board clearly instructed ICANN Org to engage the DPAs to accomplish the necessary legal analysis to perform the work.  That legal analysis must be completed before the EPDP Team can even begin to consider how to revise Purpose 2.  Further, it is not typical for the Council to instruct a PDP as to when it works on such specific tasks.  It is up to the PDP Working Group, with its leadership and coordinating with ICANN staff, to prioritize its work.  So far, the EPDP Team has prioritized the work related to the System for Standardized Access to Non-Public Registration Data, consistent with its Charter, and with the concerns of many of the GNSO Councilors.  At this point, the RrSG sees no reason for the Council to intervene to reprioritize the Purpose 2 work ahead of the chartered work.

Best,
Darcy

On Fri, Jul 19, 2019 at 12:30 AM Drazek, Keith via council <council at gnso.icann.org<mailto:council at gnso.icann.org>> wrote:
Hi Marie,

Thanks for your initial feedback here, and for the discussion during yesterday’s Council call.

On your second point below, related to the Board’s treatment of Recommendation 12, I believe it is outside the Council’s remit to suggest, or even allow, a modification to the Consensus Policy recommendation delivered to us by the EPDP Team, and subsequently delivered by Council to the Board. In my view, it is the role of Council to now hold the Board accountable for its decision to not accept Rec 12 in full, and to call for the Board to accept it following the clarification they requested.

I welcome further discussion on these items following discussion with our respective SGs and Cs, but that’s my current view.

Best,
Keith

From: Marie Pattullo <marie.pattullo at aim.be<mailto:marie.pattullo at aim.be>>
Sent: Thursday, July 18, 2019 10:53 PM
To: Drazek, Keith <kdrazek at verisign.com<mailto:kdrazek at verisign.com>>
Cc: gnso-secs at icann.org<mailto:gnso-secs at icann.org>; council at gnso.icann.org<mailto:council at gnso.icann.org>
Subject: [EXTERNAL] RE: Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations

Hi Keith,

Thanks for sharing the draft. I’m afraid I haven’t been able to discuss this much with our members yet (sorry) but on an initial reading, the BC does have some concerns.

On your first point, on rec 1, while the first sentence is great, we have problems with the second. As you know from the comments we attached to Janis’ letter, we really need to give the EPDP Team a clear instruction to reword this and replace the placeholder language; I understand that it’s not on the Team’s roadmap right now. We really think that at a minimum, Council needs to tell the Team to do that and get it back ASAP for Board action. We all agree that the EPDP should deal with this, so we really do need a purpose 2 (for 3rd party access) for the Board to adopt.

As for your 2nd para, on rec 12, we don’t agree that it should just be resubmitted as is. As you know, the BC really does think that as far as the ORG field goes, Rec 12 should be amended to remove the deletion option. There could always be an option of to allow the contracted parties to update any inaccuracies in the ORG field, as appropriate, if they need that.

Looking forward to the discussion!

Thanks

Marie


From: council <council-bounces at gnso.icann.org<mailto:council-bounces at gnso.icann.org>> On Behalf Of Drazek, Keith via council
Sent: Wednesday, July 17, 2019 11:49 AM
To: council at gnso.icann.org<mailto:council at gnso.icann.org>
Cc: gnso-secs at icann.org<mailto:gnso-secs at icann.org>
Subject: [council] Draft GNSO Council Letter to ICANN Board on EPDP Phase 1 Recommendations

Hi all,

In preparation for our Council meeting this week, please review the attached draft letter to the ICANN Board concerning next steps on the two EPDP Phase 1 recommendations not accepted in full by the Board.

As you will recall, we had a good conversation with the ICANN Board during our working session lunch, and we committed to following up on the issue. The draft letter is self-explanatory, and our goal is to ensure a common understanding between Council and Board before we take our formal action to request Board reconsideration on Recommendation 12. We want to avoid an ongoing back-and-forth on the issue, so our hope is this letter will pave the way to a clear resolution.

Please review before our Council meeting.

Thanks to Rafik and Pam for leading this work while I was on PTO.

Best,
Keith
_______________________________________________
council mailing list
council at gnso.icann.org<mailto:council at gnso.icann.org>
https://mm.icann.org/mailman/listinfo/council

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________
council mailing list
council at gnso.icann.org<mailto:council at gnso.icann.org>
https://mm.icann.org/mailman/listinfo/council

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________
council mailing list
council at gnso.icann.org<mailto:council at gnso.icann.org>
https://mm.icann.org/mailman/listinfo/council

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/council/attachments/20190730/b92896ae/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 7393 bytes
Desc: image001.png
URL: <http://mm.icann.org/pipermail/council/attachments/20190730/b92896ae/image001-0001.png>


More information about the council mailing list