[Gnso-epdp-team] Notes and action items from today's EPDP Team meeting

Marika Konings marika.konings at icann.org
Tue Nov 6 16:45:35 UTC 2018


Dear All,

Please find below the notes and action items from today’s EPDP Team meeting.

Best regards,

Caitlin, Berry and Marika


EPDP Team Meeting #23
Tuesday, 6 November 2018
Notes and Action Items

High-level Notes/Actions:

Action item #1: EPDP Team to save the date for the next F2F meeting on January 16-18 2019 (Wednesday-Friday). Support team to send out save the date calendar invite for the F2F meeting

Action item #2: EPDP Team to review proposed language in relation to natural vs. legal person for inclusion in the Initial Report and come prepared to discuss this on Thursday's meeting.

Action item #3: Support team to draft proposed language for inclusion in the Initial Report reflecting today's discussion regarding provision for Technical contact.

Action item #4: Support team to mark language in relation to data retention as agreed in the Initial Report and harmonize data retention periods across data elements workbooks.

Action item #5: Thomas to translate slides into policy recommendations and edits to the tables for proposed inclusion in the Initial Report for EPDP Team consideration prior to Thursday’s meeting.

Questions for ICANN Org from the EPDP Team:
Is indemnification provided by ICANN through a joint controller agreement an option?
If EPDP agrees on policy that requires ICANN to indemnify, would the ICANN legal team and Board oppose it?

Notes & Action items
These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/2IpHBQ.

1. Roll Call & SOI Updates (5 minutes)

  *   Attendance will be taken from Adobe Connect
  *   Please remember to mute your microphones when not speaking, and state your name before speaking for transcription purposes.
  *   Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

2. Welcome and Updates from EPDP Team Chair (5 minutes)

a. Proposed approach for reviewing and finalizing the Initial Report

  *   See https://community.icann.org/x/5QDVBQ
  *   Important that people provide input as soon as possible - the timeline is determined by the end goal of having new policy recommendations in place by 25 May 2019. Any additional time needed will affect the time available for other phases of the work.

b. Update on F2F planning

Action item #1: EPDP Team to save the date for the next F2F meeting on January 16-18 2019 (Wednesday-Friday). Support team to send out save the date calendar invite for the F2F meeting

c. Proposed next steps in relation to small team #1 and #2 language for inclusion in the Initial Report
See email sent by Kurt which was followed by proposed language for inclusion in the Initial Report.

Action item #2: EPDP Team to review proposed language in relation to natural vs. legal person for inclusion in the Initial Report and come prepared to discuss this on Thursday's meeting.

d. Review of outstanding action items

  *   See https://community.icann.org/x/NwSNBQ

e. Other updates, if applicable

  *   Responsible parties for processing - need further info on what should be updated / discussed. To be added to agenda for Thursday's meeting. See also new agenda item 5.

3. Review of outstanding items for Initial Report and proposed approach

Objective of discussion:
1. Confirm list of outstanding items to be considered in relation to Initial Report and approach for addressing these

       a. Review outstanding issues punch list (to be circulated)
       b. Confirm approach for addressing these
       c. Confirm next steps, if any


  *   See email sent by Caitlin re. outstanding issues.
  *   Idea is to introduce certain topics via email followed by EPDP Team call, certain topics can hopefully be addressed via email, some items where volunteers are needed.
  *   Objective of the document and table is to track items that have been flagged as requiring further discussion and proposed approach.

4. Commence addressing outstanding items

a. Technical contact redaction – any concerns in relation to proposed language for inclusion in the Initial Report?


  *   Possible language to address this issue: In accordance with the EDPB’s guidance that GDPR does not apply to legal persons and personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS: If the Registered Name Holder elects to provide contact information for a technical contact that differs from the Registered Name Holder, the Registrar is required to obtain consent from the technical contact prior to publication. One suggested method of obtaining this consent is to include this consent in the WHOIS Accuracy Program Specification Section 1.f.i. verification email.
  *   Concerns expressed about relying on consent, especially if it is not provided by the data subject directly. If a RNH provides Tech contact data without consent, isn't the RNH responsible, not the registrar?
  *   Adding on to an existing system could be problematic - something that needs further consideration, but not within the context of the current deliberations.
  *   Previous agreement reached to continue to collect limited set of data elements (optional for RNH to provide) for technical contact, namely name, email and telephone. Concept of optional captured in data elements workbook C based on previous preliminary agreement: Optional data elements for    the Registered Name Holder (RNH) to provide, but required for the registrar to   offer as data elements the RNH may provide.
  *   How do contracted parties currently handle tech contact info collection? Some registrars have stopped collecting that data - see also EPAG court case. Some are still collecting but have noted this is a potential vulnerability.
  *   Should it also be optional for registrars to provide noting some of the issues? In that case a registrant can choose a registrar that provides this option if this is important for the registrant to provide.
  *   Consent is used by others such as .CAT and ccTLDs so it is not necessarily a path that cannot be pursued.
  *   Note that EDPB advice states: "registrants should be provided with the option of providing contact details for persons other than themselves if they wish to delegate these functions and facilitate direct communication with the persons concerned". In this context it is also noted that "it should be ensured that the individual concerned is informed". Consider asking a clarifying question to the EDPB concerning how this information process should take place and what, if any, additional obligations are there for the registrar, or whether this is purely a registrant responsibility.
  *   The registrant is responsible for breaching the other individual's privacy, if such is the case. However, the registrar is responsible for ensuring that consent was obtained.
  *   Individual registrars may voluntarily take on this risk and offer this option, if this is no longer a requirement.
  *   EDPB advice should alleviate some of the legal concerns - may require further clarification from EDPB.
  *   Document in the Initial Report the possible technical and legal challenges involved and outline the two different positions in relation to whether this should be required or optional for registrars to provide. Indicate that clarifying questions will be asked from the EDPB to further help inform deliberations in relation to this topic. Note that registrars may have legal liability for a RNH providing data about a third party, which is why they want the option.

Action item #3: Support team to draft proposed language for inclusion in the Initial Report reflecting today's discussion.

b. Data retention – any concerns in relation to proposed language for inclusion in the Initial Report?

  *   Good reasoning to set out data retention period based on all the work that went into the data elements workbooks to discuss retention.
  *   No opposition to include this in the Initial Report.
  *   Consider harmonizing the data retention period across all the data elements workbooks.

Action item #4: Support team to mark language in relation to data retention as agreed in the Initial Report and harmonize data retention periods across data elements workbooks.

c. Confirm next steps, if any

5. Responsibilities - data processing

See slides presented by Thomas Rickert

Starting point:

  *   We wanted to make a distinction between ICANN Purposes and other purposes
  *   Reason was to identify which the areas that ICANN should govern and enforce are
  *   We kept the language and called everything „ICANN purposes“ – that causes confusion
  *   We have removed the things that ICANN should not govern – good.
  *   We should make adjustments, though

Status Quo / legal background:

  *   Controller, Joint Controller and Processors are mentioned
  *   Let‘s look at the Art. 29 (WP 169) distinctions
  *   Let‘s discuss the micro vs the macro level
  *   Liability issues – two layers
  *   Data subjects claims – joint and several responsibility (indemnifications to balance)
  *   Authorities‘ sanctions (Authorities will go after the wrongdoer)
  *   Let‘s not be afraid of a joint controller scenario

Way forward

  *   Let‘s make everything part of a joint controller agreement
  *   Let‘s specify the roles and responsibilities in there
  *   Let‘s make indemnifications match the roles
  *   We can still have parties outsourcing work (EBERO and Escrow e.g.)
  *   Suggestion to change the language referring to "ICANN purposes" but describe that these are purposes that are governed by ICANN through consensus policies.
  *   Determine for whole document that parties are joint-controllers, and document in joint controller agreement for which areas which party is responsible (for example, for Ebero and escrow only one party would be responsible).
  *   Need to clarify the role of the different parties - important aspect of the Initial Report. Need a fair reflection of who asks for what and who does what. Those parties should take responsibility.
  *   Indemnification by ICANN - would ICANN be willing to do this? Would change risk

Question for ICANN Org: Is indemnification provided by ICANN through a joint controller agreement an option?

(proposed rewording: if EPDP agrees on policy that requires ICANN to indemnify, would the ICANN legal team and Board oppose it?)

Action item #5: Thomas to translate slides into language for proposed inclusion in the Initial Report for EPDP Team consideration prior to Thursday’s meeting.

5. Wrap and confirm next meeting to be scheduled for Thursday 8 November at 14.00 UTC.

a)      Confirm action items
b)     Confirm questions for ICANN Org, if an

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_gnso&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=Cg5uQf0yAfw-qlFZ0WNBfsLmmtBNUiH0SuI6Vg-gXBQ&e=> and visiting the GNSO Newcomer pages<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gnso.icann.org_files_gnso_presentations_policy-2Defforts.htm-23newcomers&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=tT-E2RoAucUb3pfL9zmlbRdq1sytaEf765KOEkBVCjk&e=>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181106/ca4a3cb3/attachment-0001.html>


More information about the Gnso-epdp-team mailing list