[Gdd-gnso-ppsai-impl] Materials, Action Items From 30 Aug PP IRT Meeting

gtheo gtheo at xs4all.nl
Fri Aug 31 07:55:41 UTC 2018


Hi Amy,

Regarding the action item of the processing spec. As I and Volker 
mentioned, we need that to comply with applicable law, as mentioned 
on the call.
Personally, I have a very strong opinion about this.

The GDPR is a principle-based law and not a rule-based law. The GDPR 
mentions multiple times there must be an adequate level of protection, 
this is very broad, but this is with good reason. See art 32, 25 etc.

Something like the below is a no-go:
3.8.5. Using industry standard 256-bit AES encryption or suitable 
equivalent where necessary or appropriate;

The GDPR expects you to use 256-bit AES (but does not specify that), and 
if something comes along that is better and stronger you are supposed to 
use that if it becomes best practice.

The GDPR does not state or mention you need to do a "pentest", 
https://en.wikipedia.org/wiki/Penetration_test
But the ICO (British supervisory authority) ruled recently that the 
lack of a pentest was a reason to issue higher fines. This was due to 
the scale of the breach and the size of the company (very large 
company).

Does the above mean that every company has to do a "pentest" in Europe?
No, this all depends on the amount of processing, the size of the company, 
the data being processed and the means available. The GDPR will push 
companies to use the best of the best protection and security that is 
available, but within reason. But companies themselves need to determine 
what is adequate, and if they fail, they will get fined.

So if you could ask ICANN legal not to turn principle-based law into 
rule-based law, much obliged.

Theo




Amy Bivins wrote on 2018-08-30 08:24 PM:
> Dear Colleagues,
> 
> Thanks so much for your active participation on today's PP IRT call.
> The recording and associated materials are now available on the wiki:
> https://community.icann.org/display/IRT/30+August+2018
> 
> For those of you who could not attend, I encourage you to listen to
> the recording. We did not make it all the way through our list of
> discussion questions today, but hope to keep the discussion moving on
> the list between now and next week's call.
> 
> Our main topics of discussion today were:
> 
>   1.  An overview of the draft changes to the PPAA, which everyone is
> asked to review this week.
>      *   Action Item: I will consult with Legal regarding scope of
> remaining changes/work that are expected in re: the GDPR-related
> review (and timeline).
>      *   Action Item: IRT is asked to share any feedback with the list
> and bring any issues ready to discuss to the call next week.
> 
>   2.  How to manage PPAA provisions that are similar to or related to
> the Temporary Specification for gTLD Registration Data and/or the
> ePDP.
>      *   Action Item: I will consult with Legal regarding whether the
> proposed Specification 8 (or some version of it) must, in ICANN org's
> view, appear in this agreement, or whether some other solution to this
> issue could be developed.
>      *   Action Item: IRT members who have ideas for other approaches
> are asked to share these with the list.
> 
>   3.  A discussion of whether we are ready to proceed to public
> comment after discussion on the PPAA is complete. Ideally, we could
> finalize these discussions before ICANN63, but if issues need more
> time, we will take it.
>      *   IRT appeared to generally favor this course of action, but
> some IRT members raised questions about how the proposed requirements
> would operate under a gated access model.
>      *   IRT members would like to review how material in call for
> comments is presented. ICANN org agreed to provide that opportunity,
> provided that this will not unduly extend timeline.
>      *   Action Item: Answer on whether ICANN org views the inclusion
> of processing spec as a requirement may impact this decision (see
> Action Item (a) under 2 above).
>      *   Action Item: Any additional IRT feedback is requested on-list.
>      *   Action Item: Peter Roman, PSWG, will share proposal on-list
> re: treatment of data under gated access model, with goal of
> discussing whether this could be addressed in this IRT or some other
> forum.
> 
> If anyone else who was on the call would like to flag other issues for
> those who were not in attendance, please do. I'll return my action
> items as quickly as possible, and look forward to continued discussion
> this week.
> 
> Best,
> Amy
> 
> Amy E. Bivins
> Registrar Services and Engagement Senior Manager
> Registrar Services and Industry Relations
> Internet Corporation for Assigned Names and Numbers (ICANN)
> Direct: +1 (202) 249-7551
> Fax:  +1 (202) 789-0104
> Email: amy.bivins at icann.org
> www.icann.org
> 
> 
> _______________________________________________
> Gdd-gnso-ppsai-impl mailing list
> Gdd-gnso-ppsai-impl at icann.org
> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl