[Gnso-epdp-team] Report on Small team on roles & responsibilities in preparation for EPDP Team Meeting #25

Alan Woods alan at donuts.email
Tue Nov 13 11:33:56 UTC 2018

Thank you Thomas, and furthermore thank you for your very balanced approach
to the very surprising and frustrating events of last night's call.

I think you have hit the nail on the head here, and I echo your sentiments
in the last paragraph. I got the distinct impression (however far from the
truth that may be) that ICANN Org were holding their cards close to their
chest, and although having been at the table of the ePDP, appear to be open
to rejecting the work of the ePDP. These are discussions which should have
been had day 1, openly and transparently, and in fact this proves the
fundamental importance of the ePDP actually having substantive discussion
of the roles and responsibilities prior to the interim report publication.

To echo Thomas, and indeed Diane, who I also recall made the point very
well during the meeting, the hopes and wishes of the parties as to the
allocation of roles and responsibilities are irrelevant; such matters are
decided with reference alone to the legal reality and legal facts as to the
roles held in the processing situation. I would further note that a
statement made last night, (with the stated proviso that my audio dropped
and I rejoined just as this utterance occurred therefore I will need to
recheck the transcript for both context and accuracy), that ICANN Org is
not a controller as it does not itself perform actual processing of the
data; this concept of controllership is simply incorrect. I also heard this
statement in Abu Dhabi from ICANN and indeed from the same person, and I
also then raised my objection in an attempt to clarify. To hear it repeated
again, last night, was worrisome (to put it mildly).

I personally think, receipt of the memo, in its entirety, and not a mere
summary, as was promised in the dying moments of the meeting, is now hugely
necessary. I furthermore think at this point the question of independent
outside counsel for the eDPD is now, moreso than ever, a required step.

Kind regards,


[image: Donuts Inc.] <http://donuts.domains>
Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
The Victorians,
15-18 Earlsfort Terrace
Dublin 2, County Dublin

<https://www.facebook.com/donutstlds>   <https://twitter.com/DonutsInc>

Please NOTE: This electronic message, including any attachments, may
include privileged, confidential and/or inside information owned by Donuts
Inc. . Any distribution or use of this communication by anyone other than
the intended recipient(s) is strictly prohibited and may be unlawful.  If
you are not the intended recipient, please notify the sender by replying to
this message and then delete it from your system. Thank you.

On Tue, Nov 13, 2018 at 11:09 AM Thomas Rickert <epdp at gdpr.ninja> wrote:

> Hello Marika, all,
> yesterday, the call of the small roles & responsibilities team had its
> call.
> We thank JJ and Erika from ICANN Org for attending the call.
> I will only be able to attend the first 90 mins of the call and I do not
> know whether it is possible to squeeze in a report and discussion of the
> outcome of our call while I am in attendance. Therefore, I would like to
> give a brief update in writing.
> The plan for the meeting was to discuss
> - what roles GDPR offers and if these are sufficiently described in the
> language I offered for the report
> - discussion of Rationale for joint controller vs. other scenarios
> - options and limitations of policy work / charter limitations
> - strategy to implementation
> I hoped we could make sufficient progress during the call so that the
> small team could suggest a solid path forward to the EPDP plenary.
> JJ reported to us that ICANN Org has a 10 page memo in the making in which
> concerns and ICANN’s views on the roles are described.
> He said that we should not jump to the conclusion that a joint controller
> scenario is given before the roles and responsibilities for the individual
> processing activities are determined.
> In his view, it is like putting the cart before the horse if a joint
> controller scenario is adopted before all parties had a chance to assess
> the impact on their liabilities and that joint controllership might not
> adequately reflect the risks the respective parties might want to take.
> We then discussed that it is not really a question of what the parties
> want to choose to best suit their wishes, but a question of what the legal
> determination of the setup is. Several participants expressed their view
> that a joint controller scenario is likely present and therefore a joint
> controller agreement needs to be negotiated to reflect the roles and
> responsibilities and the required indemnifications etc. need to be put in
> place to associate the risks appropriately.
> There are two issues with this that the EPDP Team and - in particular -
> the leadership needs to decide.
> 1. The issue of legal assessment vs. policy work
> The question was brought up by Kurt and JJ in particular. They said -
> rightfully - that our group cannot really give legal advice. We have
> discussed the unfortunate situation that our policy group needs to do both
> compliance work as well as policy work in the EPDP plenary on multiple
> occasions before. We have a charter that requires us to speak to the
> responsibilities of the parties and this is just not possible without being
> transparent (in our report) about what concept we think is applicable. So I
> think the plenary needs to discuss and confirm that we will take position
> on this (which can be vetted during the public comment period).
> If the EPDP Team does not wish to take a position on this question, I
> think we need to go back to the GNSO Council to ask for a revision of the
> charter.
> 2. Timing
> We were not given any indication as to how quickly a memo would be shared
> with the EPDP Team. JJ said that their memo should inform and help our work
> but it should not stand in the way of our work.
> In my view (which was shared by several participants), the EPDP Team must
> know what ICANN org’s view on the matter is. The SGs and Cs need to be able
> to take into account the concerns and suggestions that ICANN Org might have
> to inform their own positioning. Also, I think we cannot detach our work
> from ICANN org’s position. It would be unfortunate - to say the least - if
> our group came up with a recommendation for the parties to negotiate a JCA
> just to find out that ICANN Org will refuse to implement that
> recommendation. Thus, clarity is required as soon as possible and a report
> should not be published before the memo has been shared, analyzed,
> discussed in the EPDP team and potential revisions to the initial report
> have been made.
> In closing, let me be honest with the entire team and express my
> frustration with the process.
> We have asked both Board liaisons as well as ICANN staff multiple times to
> share any legal memos / opinions there are to inform our discussions. Also,
> we have asked whether there would be concerns by ICANN Org with respect to
> entering into a joint controller agreement or data processing agreements in
> several meetings. We were not given any indication whatsoever that there
> could be problems. It is unfortunate to only learn about ICANN’s memo and
> that there are concerns a few days before the planned publication of our
> report.
> Kind regards,
> Thomas
> Am 12.11.2018 um 16:25 schrieb Marika Konings <marika.konings at icann.org>:
> Dear All,
> Please find below the proposed agenda for the next EPDP Team meeting which
> is scheduled for Tuesday 13 November at 14.00 UTC.
>    - In relation to agenda item #3, please find attached an updated
>    version of the proposed language for inclusion in the Initial Report in
>    which staff has aimed to capture some of the input that was received in
>    response to the Initial Report through the google doc, as well as input
>    received on the mailing list.
>    - In relation to agenda item #4, please find attached a table which
>    provides an overview of the changes proposed by EPDP Team members that
>    staff didn’t feel comfortable applying because e.g. either the proposed
>    change is not clear, the proposed change affects previously agreed
>    preliminary agreements / text, or is a substantive change that requires
>    further discussion / consideration by the full EPDP Team (see
>    https://docs.google.com/document/d/1SoNTnvvadNQ8nX_-OxN4mtsd-gfLNxT54GXSXyGQwEQ/edit?ts=5be6721f
>     for all comments received to date). In certain cases, staff has
>    proposed a path forward, but would appreciate EPDP Team/commenter feedback
>    before applying this change. Note that a number of comments were made in
>    relation to preliminary recommendations and/or text that is still under
>    consideration. It is the expectation that this input will be raised in the
>    context of those discussions.
> FYI, staff expects to share an updated version of the Initial Report later
> today so you can see how other input has been addressed (non-substantial
> issues) as well as how other aspects are coming together as a result of the
> EPDP Team work over the last couple of meetings.
> Best regards,
> Caitlin, Berry and Marika
> ======================
> *EPDP Meeting #25 Agenda*
> Tuesday, 13 November 2018
>    1. Roll Call & SOI Updates (5 minutes)
>    2. Welcome and Updates from EPDP Team Chair (5 minutes)
>    1. Initial Report finalization status, incl. items remaining to be
>       addressed and schedule for the week ahead
>       2. Confirm status and next steps in relation to natural vs. legal
>       and geographic status
>       3. Review of outstanding action items
>       4. Other updates, if applicable
>    1. Data Redaction (see attached)
> Objective of discussion:
>    1. Confirm language for inclusion in the Initial Report in relation to
>    data redaction as well as email communication
>    1. Review latest version of language for inclusion in relation to data
>       redaction
>       2. Consider charter questions:
> f2) Should standardized requirements on registrant contact mechanism be
> developed?
> f3) Under what circumstances should third parties be permitted to contact
> the registrant, and how should contact be facilitated in those
> circumstances?
> And related draft recommendation:
> In relation to facilitating email communication between third parties and
> the registrant, the EPDP Team recommends that [current requirements in the
> Temporary Specification that specify that a Registrar MUST provide an email
> address or a web form to facilitate email communication with the relevant
> contact, but MUST NOT identify the contact email address or the contact
> itself, remain in place. [[[Other to be decided]]].
>    1. Confirm next steps, if any
>    1. Commence review & discussion of comments / input received on
>    Initial Report
> Objective of discussion:
> (1) Review proposed changes / comments on the Initial Report that require
> EPDP Team consideration
> (2) Agree on if/how these proposed changes / comments are to be applied to
> the Initial Report
>    1. Commence review of proposed changes / comments on the Initial
>       Report (see list attached)
>       2. Confirm approach for addressing these
>       3. Confirm next steps, if any
>    1. Wrap and confirm next meeting to be scheduled for Wednesday 14
>    November / Thursday 15 November at 14.00 UTC (dependent on progress made).
>       1. Confirm action items
>       2. Confirm questions for ICANN Org, if any
> *Marika Konings*
> *Vice President, Policy Development Support – GNSO, Internet Corporation
> for Assigned Names and Numbers (ICANN) *
> *Email: marika.konings at icann.org <marika.konings at icann.org>  *
> *Follow the GNSO via Twitter @ICANN_GNSO*
> *Find out more about the GNSO by taking our interactive courses
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_gnso&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=Cg5uQf0yAfw-qlFZ0WNBfsLmmtBNUiH0SuI6Vg-gXBQ&e=> and
> visiting the GNSO Newcomer pages
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gnso.icann.org_files_gnso_presentations_policy-2Defforts.htm-23newcomers&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=tT-E2RoAucUb3pfL9zmlbRdq1sytaEf765KOEkBVCjk&e=>. *
> <Data Redaction - up 12 November 2018.docx><Initial Report changes for
> discussion - upd 12 November 2018.docx>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181113/3a1104c4/attachment-0001.html>

More information about the Gnso-epdp-team mailing list