[council] Seeking guidance for EPDP - Follow up from Council Meeting and Next Steps

Marie Pattullo marie.pattullo at aim.be
Fri Mar 13 17:15:57 UTC 2020


Dear Keith, dear all

The BC is grateful for the ongoing correspondence between the Board and the GNSO Council about WHOIS data accuracy, proving the importance of this issue.

The BC firmly believes that the EPDP team should continue its policy work on accuracy in Phase 2;  indeed “Accuracy and WHOIS Accuracy Reporting System” is specifically referenced on page 7 of the Phase 2 Initial Report as a Priority 2 Topic. The BC does not believe that anyone would countenance the amount of effort and resources that have so far been expended for both the Temporary Specification and the EPDP being wasted on management of an inaccurate database.

We note that:

·         As stated by the European Commission representative (Georgios Tselentis) on the EPDP call yesterday, the accuracy issue is a critical component of determining compliance under the GDPR of the entire policy and the SSAD. This view was shared by the ALAC and other GAC representatives on that call.
·         Accuracy was included in the Temp Spec in multiple places. The EPDP was chartered to review the Temp Spec and make appropriate changes to comply with the GDPR.
·         The Phase 1 Final Report – as approved by the GNSO Council - addressed accuracy in Recommendation 6, and a footnote stated that:
The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System.

Since the EPDP was expecting to do this work in Phase 2, and stated so in the Phase 1 Final Report, changing course now would go against the agreements they reached in Phase 1, that were adopted by the GNSO Council when it approved the Phase 1 recommendations.

Further:
·         Bird & Bird submitted legal advice related to the accuracy requirements under GDPR. The legal advice given to ICANN by Bird & Bird<https://community.icann.org/pages/viewpage.action?pageId=105386422> includes:
                A.    Ensuring the accuracy of personal data provided by the data subject
1.       At least under some circumstances, there is a positive obligation on the controller to ensure that the data is accurate. However, the existence of such a positive obligation is contextual – it depends on the significance of the consequences for data subjects of processing inaccurate data and the effort that would be required to verify accuracy.
2.       As explained in the ICO guidance, "The more important it is that the personal data is accurate, the greater the effort you should put into ensuring its accuracy. So if you are using the data to make decisions that may significantly affect the individual concerned or others, you need to put more effort into ensuring accuracy".
3.       The GDPR is not prescriptive in mandating the types of measures a party must put in place to meet this burden. The ICO guidance explains that "[w]hat is a ‘reasonable step’ will depend on the circumstances and, in particular, the nature of the personal data and what you will use it for". As a general rule, the ICO guidance says it is usually reasonable to assume information given by the data subject is accurate, "unless inaccurate information could have serious consequences, or if common sense suggests there may be a mistake".
4.       A controller "may have to get independent confirmation" where the impact is particularly significant. For example, where an employer engages employees needing essential qualifications to be able to fulfil the job description, it would be reasonable to independently verify an applicant's credentials. By contrast, where an individual completes a lifestyle survey, which will be used for research and direct marketing, with information about interests, there is no obligation on the organisation to verify the accuracy of the information.

·         The EPDP has a subcommittee on legal issues that is currently proposing follow-up questions to Bird & Bird related to clarifying this legal analysis. This will guide the EPDP in developing any further policy recommendations related to accuracy.

Finally, we shouldn’t be using an artificial deadline to stop work on a matter that is so important to several stakeholders.  If funding is an issue, the GNSO Council can ask for additional resources, and can grant the EPDP sufficient time to properly conclude its work. The Council can also ask the EPDP to create a sub-team to review this topic quickly, to enable this topic to be included in its Final Report.

While we appreciate the work involved in rectifying historic inaccuracies in WHOIS data, the BC believes that at a minimum, accuracy could be revisited and if need be rectified on renewal and that a clearer standard could be employed for new registrations. Again, we refer to the Initial Phase 2 Report: on page 20, under “implementation guidance”, it lays down examples of additional information that an Accreditation Authority or Identity Provider could require from an applicant for accreditation, such as business registration numbers. Why can the same logic not be applied to new registrants?

As ever, the BC thanks you for your consideration and stands ready to discuss this with you further.

Best to all,

Marie


From: council <council-bounces at gnso.icann.org> On Behalf Of Drazek, Keith via council
Sent: Thursday, March 12, 2020 11:34 PM
To: council at gnso.icann.org
Cc: gnso-secs at icann.org
Subject: Re: [council] Seeking guidance for EPDP - Follow up from Council Meeting and Next Steps

Hi all,

As a follow-up to Rafik’s 6 March email (below) and our brief discussion during yesterday’s Council meeting, I’d like to share my current thinking and propose a path forward. If anyone has views to share, please do so now; the EPDP Phase 2 Team needs our guidance in short order. I’ve done some additional homework since yesterday’s call, so I hope I’ve captured everything here accurately.

1.                 The issue of registrant data accuracy is an important topic that deserves full and thorough consideration, including its impact on GNSO policy, contracted party agreements, and other ICANN processes such as ARS. As such, it is not only a policy issue, and there are likely non-GDPR-specific factors that will need to be considered.

2.                 The EPDP Team Phase 1 Final Report Recommendation #4 said, “The EPDP Team recommends that requirements related to the accuracy of registration data under the current ICANN contracts and consensus policies shall not be affected by this policy.” The ICANN Board approved this recommendation without further guidance or comment.

3.                 There is not agreement within the EPDP on the meaning of “data accuracy” in the context of GDPR. There is disagreement over whether it is only from the perspective of the data subject or also third parties. There was a legal memo received during Phase 1 on the topic of data accuracy and a legal question was developed during Phase 2 to help clarify the meaning, but it has not been submitted.

4.                 The charter for the EPDP did not specify or identify the topic of data accuracy as within scope, but the EPDP Phase 1 final report included a reference to data accuracy in footnote #24. That footnote said: “The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System.” This footnote did not specify that such further consideration take place in Phase 2, but the issue was included in the Phase 2 work plan that was approved by the GNSO Council.

5.                 During Phase 1, the EPDP Team requested external legal counsel guidance on the topic of accuracy in the context of GDPR, and received the following summary answer: “In sum, because compliance with the Accuracy Principle is based on a reasonableness standard, ICANN and the relevant parties will be better placed to evaluate whether these procedures are sufficient. From our vantage point, as the procedures do require affirmative steps that will help confirm accuracy, unless there is reason to believe these are insufficient, we see no clear requirement to review them.”

6.                 There is not sufficient clarity at this time on how existing accuracy requirements have been impacted by GDPR. As such, in order to properly consider and scope further work on registrant data accuracy, more discussion is needed among interested/impacted parties, including ICANN Org.

7.                 The EPDP is scheduled to conclude its Phase 2 work in June with its deliberations on priority 2 items, of which accuracy is one, needing to complete by 24 March at the latest to be included in the Final Report. Furthermore, there is no FY21 budget assigned for its continuation beyond that time. Under these constraints (time, resources, complexity), our ability to reach a policy solution in a couple of months is highly unlikely if not impossible and could delay delivery of the Final Report on SSAD which has been identified by basically everyone as priority #1.

In light of the above, my recommended path forward for the Council and EPDP is as follows:

1.                   Council acknowledge the importance and complexity of the topic, but also the time and resource constraints noted above.
2.                   Council will discuss and consider possible next steps, including establishing a small group/scoping team to establish a framework to address the issue of registrant data accuracy across policy/contracts/procedures.
3.                   Council to acknowledge the possible impact of the data accuracy issue in the context of SSAD implementation and RDDS, and recognize the need to prioritize accordingly.
4.                   Encourage the EPDP team to submit the pending legal memo to help inform the work of any future scoping team.

I hope that strikes the right balance to ensure the work will be done, while giving the community space and time to approach the issue holistically and to carefully develop any needed policy recommendations.

I shared this with Rafik and Pam and we are in agreement.

We were asked to respond by Friday the 13th, but that doesn’t leave much time for feedback, so please respond by 11:59 UTC on Monday 16 March. This will allow us to deliver our reply to the EPDP Team prior to their Tuesday call.

Thanks,
Keith


From: council <council-bounces at gnso.icann.org> On Behalf Of Rafik Dammak
Sent: Friday, March 6, 2020 6:32 PM
To: Council GNSO <council at gnso.icann.org>
Subject: [EXTERNAL] [council] Seeking guidance for EPDP

Hi all,

I am sending a request from EPDP team chair asking guidance from GNSO council regarding WHOIS accuracy. There was disagreement within the EPDP team if the topic is within scope or not. So we would like to get from council guidance regarding its expectations on WHOIS accuracy issue in phase 2 and if the EPDP team is expected to deliberate on it or not asap, taking into account the GNSO council and ICANN org ongoing correspondence<https://www.icann.org/en/system/files/correspondence/marby-to-drazek-05dec19-en.pdf> on the matter.

The EPDP team chair asked that GNSO council provide guidance by Friday 13th March so that the EPDP team will have time to receive further guidance from the external legal counsel (if applicable). The time constraint can also be explained by the fact that the EPDP team is currently deliberating priority 2 topics during the initial report public comment period.

Best Regards,

Rafik
