[Gnso-epdp-legal] Notes, action items from Legal Team Meeting #1

Caitlin Tubergen caitlin.tubergen at icann.org
Wed Dec 19 17:07:06 UTC 2018


Dear All,

Below, please find the notes and action items from today’s Legal Team meeting.

Thank you.

Best regards,

Marika, Berry, and Caitlin

EPDP – Legal Team: Meeting #1 

Wednesday, 19 December 2018

 

Action Items
·         Margie to draft conflict of interest language for this team to review by the end of the week.
·         Thomas to draft CCWG lessons learned, e.g., one law firm preferred, early intervention from Board liaisons preferred, for this team to review by the end of the week.
·         Berry to provide written update on the procurement process.
·         Caitlin to send initial question assignments to team members.
 

Notes

 

1.            Roll Call & SOI Updates (5 minutes)

2.            Confirm EPDP-Legal Team members:

•              EPDP Leadership - Kurt, Rafik

•              Board - Leon

•              BC - Margie

•              IPC - Diane

•              ISPCP - Thomas

•              NCSG - Tatiana

•              RySG - Kristina

•              RrSG - Emily

•              GAC - Laureen

•              ALAC – Hadia

•              SSAC - TBD

•              Staff - Dan, Caitlin

 

 

3.            Discuss Legal Team Process and Working Methods (Thomas and Leon to provide experiential lessons from their prior legal team work)

 
A major role of this team will be to properly define the questions.
Possible idea - divide into smaller groups. The small group would independently rewrite questions to legal counsel, and the large group would compare and contrast the proposed answers. If this is the approach, how frequently should the team meet?
 

a)    How are questions raised to this group; what is the trigger?
For CCWG WS2, when a legal question was raised in the larger group, if the group agreed it should go to the legal team, the legal team would look more closely. If the LC team thought the question needed to be reworded, it would refine the question.  Following refinement of the question, the question would be posed to ICANN Legal. If the team was not satisfied with the answer, the legal team would forward questions to the external advisor to the LC. Once the answer was received from legal counsel (internal or external), the LC would review the answers with the group. If clarifying questions were still needed, the same process would begin again.
The legal expenses were still sizable, but not as sizable as they would have been had the process not been in place.
Many legal questions came up during plenary discussions, but the LC would filter those questions, so outside counsel would only respond to questions vetted by the LC, not questions simply raised during plenary discussion.
 

b)            What is this group’s role (vis-à-vis the EPDP Team) regarding “reforming” the questions?

c)            Answering questions, when to use: 

1.            This group’s own expertise

2.            ICANN inside or outside counsel

3.            EPDP retained legal counsel

d)            What is this group’s responsibility for checking back with and reporting to the entire Team?

 

·         The CCWG LC would receive answers, review them and report to the larger group. Depending on the satisfaction of the answer received, the team would either continue its work or ask additional clarifying questions.

 

e)            Working methods: what can be done via email vs. when is a meeting required?

·         The work was done mainly through a mailing list, and the LC would meet every other week for a 60-minute teleconference. If an urgent item came up, the LC would hold an urgent meeting. 

 

f)             Scheduling: meeting frequency, ad hoc meetings, etc. 

·         While the default is a teleconference every other week, the LC was on stand-by for urgent matters.

 

g)        Working with provider: do we need an introductory letter? 

 

·         There should be some sort of letter where ICANN org would retain an external counsel, and the external counsel would act on behalf of EPDP Team, not ICANN org.

·         ICANN legal contracted with outside counsel so that the CCWG would be the beneficiary of the legal advice, and the attorney-client relationship was established b/w the legal counsel and the CCWG (rather than ICANN).

 

Additional comments:

 

·         The first feedback loop would be to go to ICANN legal or previous advice ICANN org has received. In this situation, there may not be advice we could use as all previous advice has been posted.  Perhaps the LC and ICANN should join forces when it comes to outside counsel to avoid conflicting legal opinions.

·         What we are looking for is legal coaching - are we using the right methodology? Perhaps an alternative route is to gather questions and have outside counsel give us coaching rather than prepare written answers to legal questions.

·         The members of this team should not be seen as legal advisors to this team.

·         It may be problematic for the EPDP Team to be the client receiving advice. Additionally, checking for previous advice may not be appropriate here. How will counsel be selected, and how will we explore the conflict issue?

·         Each question should be handled on a case-by-case basis in terms of what advice is previously available.

·         Do not understand the point of going to ICANN org to see if the question has already been answered. There should be a catalogue of previously-received advice. Asking ICANN org does not seem to advance the effort at all. Some previously-received advice may be covered under attorney-client privilege.

·         The RySG is sensitive to ICANN's expenditures, and legal expenditures for CCWG accountability are a sensitive point. What could this team do differently to come in under budget?

·         The CCWG had to rework advice because ICANN was receiving independent advice, so the CCWG had to do its work multiple times, which resulted in increased cost. This should be avoided here. Additionally, the CCWG had two firms, so ideally the same firm should be used by both our group and ICANN. We also need early feedback from the Board if there is anything emerging in the recommendations that will make it likely for the Board to use the global public interest card. An early warning system from the Board liaisons could be helpful. 

·         Points to make to ICANN: 1. conflict of interest and take that into account in its procurement; 2. avoid multiple law firms doing overlapping work; 3. early intervention from the board to avoid redoing work. 

·         Action: Margie to capture conflict of interest concern by the end of the week

·         Action: Thomas to capture lessons learned from CCWG and request to ICANN to consider these issues in this effort by the end of the week

·         Should the team ask ICANN if we should use independent counsel together?

·         One concern - this small group may come out with different interpretations of the law, so sending questions off to outside counsel may not be a valuable use of time. Could this group try to answer the questions ourselves to highlight the areas we agree and disagree?

·         It may be difficult to sort out who is the client here. 

·         Berry to provide update on procurement process.

·         Caitlin to assign questions among the LC members. Team members may choose to swap questions if preferred.

 

4. Form EPDP Questions starting from: 
Questions for EDPB in Initial Report
Draft Statement of Work
[see Appendix below]


5. Wrap and confirm next meeting to be scheduled for Wednesday 2 January 2019 at 14.00 UTC
Confirm action items
 

 

 

Appendix

 
EDPB Questions as Drafted in the EPDP Initial Report:
P. 33, The EPDP Team also took note of a related footnote which states, “[if contact details for persons other than the RNH are provided] it should be ensured that the individual concerned is informed”. The EPDP Team discussed whether this note implies that it is sufficient for the Registered Name Holder (RNH) to inform the individual it has designated as the technical contact, or whether the registrar may have the additional legal obligations to obtain consent. The EPDP Team agreed to request further clarification from the EDPB on this point. 

P. 53, (For the EDPB) If registrars allow registrants to self-identify at the time as a natural or legal person, who will be held liable if the registrant incorrectly self-identifies and personal information is publicly displayed? Apart from self-identification, and educational materials to inform the registrant, are there any other ways in which risk of liability could be mitigated by registrars? 

P. 57, As noted below, the EPDP Team disagreed about the application of Art. 6(1)b, namely, does the reference ‘to which the data subject is party’ limit the use of this lawful basis to only those entities that have a direct contractual relationship with the Registered Name Holder? Similarly, in relation to Art. 6(1)(b), questions arose regarding how to apply “necessary for the performance of a contract”; specifically, does this clause solely relate to the registration and activation of a domain, or, alternatively, could related activities such as fighting DNS abuse also be considered necessary for the performance of a contract? The EPDP Team plans to put these questions forward to the European Data Protection Board (EDPB) to obtain further clarity in order to help inform its deliberations.

 

 
EPDP Questions to Legal Counsel as drafted in the SOW, 6 Dec. 2018:
Question #1:

The GDPR's scope does not include the data of legal persons, only the personal data of natural persons, but under the Temporary Specification, within the current WHOIS service, does not distinguish between natural and legal persons.  The outstanding issue is that the EDPB and DPAs have indicated that even though legal persons are not protected under the GDPR, the data provided by legal persons in the form of contact details for technical of employees or third-party providers could include personal data.  Therefore, although certain stakeholders want to continue to access the data of legal persons without obstruction, there has been debate on this topic due to the lack of clarity if there is a risk of allowing access to data of legal persons since it could include natural person personal data, with the following specific points raised:

Advocating access to legal person data, stakeholder groups provide:
·         businesses could self-declare, with business registration numbers
·         legal persons could be asked to guarantee that they have obtained the consent (“informed”) of an employee or contracted party whose contact data is listed, counting on the agency relationship.
·         the domain name registration can include clear instructional text (education to registrant), making clear that supplying any email or contact details for a legal entity which may include personal data is to be provided after clear consent is granted by the person whose details are in issue.

Advocating against access to legal person data, stakeholder groups express the following concerns:
·         seeking consent must be clear and informed and can be withdrawn at any time and therefore the question is whether consent is practically supplied and maintained in this context
·         educating registrants as to what category they fall into is difficult and expensive
·         in some jurisdictions, notably the EU, certain groups (religious, political, gendered identity, etc.) are entitled to protection from persecution, which might occur if the registration data of their employees or contractors were released.

Based on the above questions and positions, please comment on the legal issues and liability risk which could result from a decision to ask registrars to make this distinction between legal and natural persons.

 

Question #2:

Can the information supplied by registrants in the fields within a domain name application be relied upon by registrars and registries when registrars and registries process personal data, particularly if a registrant signs an attestation at the end of the application which states that the above information supplied is true and accurate and to the best of the registrant’s knowledge? E.g., if a registrant checks a box and identifies itself as a legal person and lists the corporate entity or organization name, will a registrar or registry be liable if the registrant made a mistake or incorrectly identified itself?

 

 
