[Gnso-epdp-legal] Question 1: | EPDP-Phase 2A - Legal Sub-team call | Tuesday, 02 February 2021 at 14:00 UTC
Crossman, Matthew
mmcross at amazon.com
Thu Feb 4 07:24:28 UTC 2021
Thanks all for the continued discussion. I think working to hash out some of these issues over email between meetings is the right approach to help us move faster.
The issue I’m still struggling with is how the answer to the proposed question moves our work forward. We already have legal advice (as Laureen noted) that suggests that implementing safeguards can mitigate the risk to Contracted Parties. It seems to me the key question is not a legal one, but instead whether those safeguards are feasible, practical, and implementable at scale. Unfortunately that is not something Bird & Bird can resolve for us.
I think a concrete example helps illustrate the point. Assume Bird & Bird says “yes, if you implement the proposed safeguards the level of risk is equal or lesser than the risk of obtaining consent.” I assume the argument would then be that since Contracted Parties have accepted the risk of obtaining consent they should be comfortable accepting the same risk for self-identification. Setting aside that I agree with Volker that notice and consent is an apples to oranges comparison, even with that best case scenario answer we would still be in the same place we are currently with needing to determine whether the safeguards that are necessary to mitigate that risk are in fact implementable.
If folks have further thoughts on the purpose of the question I’d appreciate hearing them.
Thanks,
Matt
From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org> On Behalf Of Volker Greimann
Sent: Wednesday, February 3, 2021 4:50 PM
To: Kapin, Laureen <LKAPIN at ftc.gov>
Cc: gnso-epdp-legal at icann.org
Subject: RE: [EXTERNAL] [Gnso-epdp-legal] Question 1: | EPDP-Phase 2A - Legal Sub-team call | Tuesday, 02 February 2021 at 14:00 UTC
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.
Thanks Laureen, I like how concise the rewrite is. My problem is twofold however:
1) It still relies on the problematic differentiation of legal vs natural which in my view does not confer an automatic benefit as the data designated as legal entity data may still contain in it protected personal information. We would be better served if we ensure the distinction is made between what type of data is actually used.
2) By comparing a voluntary disclosure decision by the registrant with a required differentiation, we are essentially comparing apples and oranges. One is consent-based, voluntary and free, and the other is forced. That in itself already leads to the obvious conclusion that both cannot easily be compared, hence my proposal to allow for a voluntary confirmation of "no personal data here" here as well.
My suggestion of shifting the disclosure to the SSAD serves two main purposes:
1) It prevents harvesting and collection of the data and thereby abuse that would evidently follow full disclosure in the RDS, thereby reducing legal risks.
2) It strengthens the purpose of the SSAD by ensuring it remains a tool for all RDS data sets.
3) It provides a potential path to more automation, thereby reducing response times (and increasing reliability) for requesters and reducing review times for CPs.
Best,
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net<http://www.key-systems.net/>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 3, 2021 at 8:25 PM Kapin, Laureen <LKAPIN at ftc.gov<mailto:LKAPIN at ftc.gov>> wrote:
Thanks to Volker and Hadia and weighing in –
This question aims at obtaining a comparative assessment of the legal risks associated with granting consent to publish personal information with publishing registrant data after engaging in a series of protective steps with the registrant to educate and verify the election to identify the data as non-personal. Volker’s proposal seems to introduce a separate policy issue for discussion rather than focusing the question more precisely.
Here’s my proposed rewrite:
Please compare the legal risks for contracted parties associated with providing a registrant the opportunity to consent to publication of their data with the requirement to identify itself as either an individual or organization (legal entity) assuming that the Registrar adopts the procedures outlined in Bird & Bird’s January 25, 2019 memo (i.e., notify/explain; confirm; verify; opportunity to correct).
On a related note, it would be useful to get data on the amounts of fines assessed (if any) under comparable circumstances (disclosure of personal data after reasonable steps taken to guide registrant in making an election that may result in disclosure).
On a separate note, I think Volker’s proposal for automated disclosure by the SSAD is creative and warrants further discussion. Because this mechanism would still shield information that is not protected by the GDPR, however, I would propose we also discuss a “quarantine” period to hold the data for a limited amount of time for verification prior to publication. This would reduce the risk of inadvertent disclosures of personal information.
Kind regards,
Laureen Kapin
Counsel for International Consumer Protection
Federal Trade Commission
(202) 326-3237
From: Gnso-epdp-legal <gnso-epdp-legal-bounces at icann.org<mailto:gnso-epdp-legal-bounces at icann.org>> On Behalf Of Volker Greimann
Sent: Wednesday, February 3, 2021 12:17 PM
To: Hadia El Miniawi <hadiaminiawi at yahoo.com<mailto:hadiaminiawi at yahoo.com>>
Cc: gnso-epdp-legal at icann.org<mailto:gnso-epdp-legal at icann.org>
Subject: Re: [Gnso-epdp-legal] Question 1: | EPDP-Phase 2A - Legal Sub-team call | Tuesday, 02 February 2021 at 14:00 UTC
Thank you Hadia, for kicking this off.
Here is my take on the question:
Recommendation number 6 of EPDP phase one report will require registrars to provide the opportunity for the registered name holder to provide consent to publish their contact information as well as their email addresses in the RDS of the sponsoring registrar by means of a yet-to-be-defined process.
Assuming the CPs were similarly required by ICANN policy to permit registered name holders to declare whether their registration data contains personal information or is strictly limited to non-personal information, along with implementing all the safeguards indicated in the Bird & Bird legal memo, such as providing a well-crafted notice in clear and plain language explaining the consequences of this declaration such as registration data declared as containing only non-personal information being subject to automated disclosure to requestors in the SSAD, requiring registered name holders to acknowledge the notice and the automated disclosure of their registration data in consequence of declaring their data as non-personal information, how then would the risk associated with the disclosure of the registration data in this case be different from the risk posed through the publication of the registration data based on the registrant’s consent?
Rationale:
We need to stop making the false differentiation between the legal nature of the registrant and start focussing on the nature of their information, hence the shift to personal vs non-personal information.
Further, by shifting the focus from all-out publication to automated disclosure in the SSAD, more safeguards are in place against abuse and data harvesting.
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH
T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net<http://www.key-systems.net/>
Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner
Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.
On Wed, Feb 3, 2021 at 10:33 AM Hadia El Miniawi <hadiaminiawi at yahoo.com<mailto:hadiaminiawi at yahoo.com>> wrote:
Hi All,
Based on Beck's suggestion yesterday to rephrase the first question please find herewith my first attempt
Recommendation number 6 of EPDP phase one report requires registrars to provide the opportunity for the registered name holder to provide consent to publish redacted contact information as well as the email addresses in the RDS of the sponsoring registrar. If the CPs require registered name holders to self-identify themselves as natural or legal persons, along with implementing all the safe guards indicated in the Bird & Bird legal memo, like providing a well-crafted note in clear and plain language explaining the consequences of self-identification and that the registration data of legal persons would be made public, requiring registrants to acknowledge the note and the publication of their registration data in consequence of self-identifying oneself as a legal person. How is the risk associated with the publication of the registration data in this case different from the risk posed through the publication of the registration data based on the registrant’s consent?
Best
Hadia
On Tuesday, February 2, 2021, 05:31:12 PM GMT+2, Terri Agnew <terri.agnew at icann.org<mailto:terri.agnew at icann.org>> wrote:
Dear all,
All recordings for the EPDP-Phase 2A - Legal Sub-team call held on Tuesday, 02 February 2021 at 14:00 UTC can be found on the agenda wiki page <https://community.icann.org/x/zwhACQ> (attendance included) and the GNSO Master Calendar<https://gnso.icann.org/en/group-activities/calendar>.
These include:
* Attendance (please let me know if your name has been left off the attendance list)
* Audio recording
* Zoom chat archive
* Zoom recording (including audio, visual, rough transcript)
* Transcript
As a reminder only members or alternates replacing members as primary can join the call.
For additional information, you may consult the mailing list archives <https://mm.icann.org/pipermail/gnso-epdp-legal/> and the main wiki page<https://community.icann.org/x/IYEpBQ>.
Thank you.
With kind regards,
Terri
_______________________________________________
Gnso-epdp-legal mailing list
Gnso-epdp-legal at icann.org<mailto:Gnso-epdp-legal at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-legal/attachments/20210204/28efa89c/attachment-0001.html>
More information about the Gnso-epdp-legal
mailing list