[Gnso-epdp-team] Notes, action items - Small Team Joint Controllership Meeting - 10 Dec 2018

Caitlin Tubergen caitlin.tubergen at icann.org
Tue Dec 11 02:34:59 UTC 2018

Dear All,


Please find below the notes from today’s small team call on responsible parties/joint controllership.


Thank you.

Best regards,


Marika, Berry, and Caitlin



Notes and Action Items

Small Team Meeting on Responsible Parties (Joint Controllership)

10 December 2018, 1400 UTC


Purpose of the Small Team: Conduct a bifurcated analysis: 

Does a joint controller relationship exist? If so, who are the respective parties? 
What are the implementation issues that spring from those determinations?
What potential alternatives exist?
The first section of the ICANN memo lays out definitions. One noted issue in the Initial Report is requiring ICANN to enter into JCA - a complication is there are over 1000 registry operators (as one example) - how does the Team envision handling this complexity - template, thousands of agreements, amendments to base agreements, etc.?
Irrespective of the responsible parties determination, there will be a lot of implementation work ahead. Instead of thinking of how difficult the implementation will be, the group should focus on GDPR compliance.
For example, the Irish DPA requires a written agreement for joint controllers. Please see: http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79
If the Team confirms joint controllership exists, will ICANN agree to that?
Is a written agreement strictly required, or is it an arrangement? What does an agreement mean in this context?
It is up to the community to agree on responsible parties; however, a court could ultimately decide the Team’s determination is incorrect.
The significant heavy lifting of developing contractual relationships will be done outside the EPDP. What does the EPDP need to provide in its policy recommendation?
Even if there were no formal requirements for a JCA, it is important to lay out the roles and responsibilities. It could be helpful to suggest guidance.
Does anyone object to the joint controllership determination?
The idea of including the JCA in the RRA needs to be further discussed as ICANN is not a party to the RRA but does approve amendments. 
First question - do we have a joint controllership? The ICANN org liaisons are not part of the formal consensus call. 
It may be problematic that registrars are not participating in this small team, despite the fact that this group may determine that registrars are joint controllers.
A JCA may be appropriate in some situations, but it may not be the appropriate solution across the board. The work we've done to date has been focused on ICANN purposes, not joint purposes. What's ultimately important is to enter into a GDPR-compliant arrangement, whether that's a JCA or something else. 
The small team cannot come to consensus on what is binding on the EPDP Team and community at large. If the sub-team cannot align itself, the sub-team can report divergence. However, if the small team comes to agreement, it would be helpful to report conclusions to the plenary. If the Initial Report is wrong in anyone's determination, what are the alternatives? What is needed to make an informed decision?
Question for ICANN org - if conclusions are taken back to the whole group, does that allay the concerns of an underrepresented small team?
The conversation is OK to continue, so long as the Team has an opportunity to weigh in. 
There are likely situations such as RDDS, where contracted parties are processors rather than joint controllers. The specifics would be noted in a JCA. Independent purposes do not need to be discussed in the EPDP.
The ICANN org cookbook notes that ICANN org is an independent controller. The Temp Spec classifies the parties as controllers, not joint controllers or independent controllers. The Team needs to focus on the policy recommendation.
JCAs could spell out liabilities so a brand registry in Asia with generic corporate data would not have the same liability as another entity. ICANN was presented with two legal opinions, noting joint controllership, yet ICANN decided it was not a joint controller.
The foundation has been presented in the Initial Report. We would define the responsible parties in the workbooks and update the language of the Temp Spec. Within the joint controller scenario, we would identify the party(ies) who is responsible for audit, disclosing data, etc. This could then be mirrored in a joint controller agreement.
Next step: pro forma amendment to the Temp Spec. The EPDP Team could then discuss.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181211/eab9ae1e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4621 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181211/eab9ae1e/smime-0001.p7s>

More information about the Gnso-epdp-team mailing list