[Gnso-epdp-team] Slicing and dicing

Thomas Rickert epdp at gdpr.ninja
Wed Aug 29 21:20:39 UTC 2018

A few points below that I committed to send to the list. 

Data matrix

During our last call, we have discussed a proposed methodology to slice and dice the work and document what data elements can be processed for what purpose based on what legal basis with what rationale. I have attached an attempt to capture that. This only covers the framework for capturing the collection of data by the registrar and the transfer from registrar to registry. The table would need to be extended to cover the additional processing activities, but at this stage it shall serve only to illustrate an approach where we could all feed our ideas into one document with a level of granularity that prevents us from conflating issues. 


Also, when we discussed 4.4.8. I proposed we also discuss the purpose in concrete terms. Milton asked me to give an example. 

4.4.8 reads: Supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection only.

Many in the group think this is too broad.

So let’s take IP protection.

If the purpose included the publication of all data of potential cybersquatters, including their payment data to allow for investigators to do their work efficiently, I think we would all agree that that would go too far. Yet, one could think that such action was covered by the purpose of 4.4.8..

On the other hand, if in the case of a UDRP proceeding, the data of the registrant shall be disclosed to the dispute resolution provider, we would probably (not to say hopefully) all agree that this would be fine. 

So my plea is that when we are talking about all those issues that could fall under 4.4.8. - let’s come up with concrete suggestions as to what the parties involved are supposed to do. We should all put some thought into that. What shall be done in the area of consumer protection e.g.? Are we talking about collection of additional data elements? Disclosing them to third parties? Retaiing them for a longer period? In other work, what could or should consumer protection entail in the gTLD world? Same for the other aspects in 4.4.8.


Mark asked during the last call to send a link to the eco Playbook. Here it is:
eco GDPR Domain Industry Playbook <https://www.eco.de/wp-content/uploads/2018/02/eco-domain-industry-playbook-v1.0-en.pdf>

We have gone through a lot of the exercises that this group will need to go through, so I encourage you to take a look at it. Maybe we can reuse parts of it to expedite our work.

Don’t get me wrong - I am not trying to sell you the approach in the Playbook, but I think it can be a good basis to argue over certain questions. Finally, I happen to be one of the authors. The good sentences have likely been written by others.
The things you might not like surely come from me.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180829/014d39c2/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Data Elements Matrix.xlsx
Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Size: 18157 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180829/014d39c2/DataElementsMatrix-0001.xlsx>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180829/014d39c2/attachment-0003.html>

More information about the Gnso-epdp-team mailing list