[Gnso-epdp-team] Report on Small team on roles & responsibilities in preparation for EPDP Team Meeting #25

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Tue Nov 13 18:36:19 UTC 2018

I agree with Alan.  Somehow, every time we go back to the EPDP as a whole, it seems we become less precise and the summary is that everything is hunky dory.  It is not.  Yesterday's small team call was extremely important; many thanks to Thomas for his excellent chairmanship of that call.  I appear to be in the minority in supporting a delay in the release of our report, but I think it is extremely important to at least sketch out the implications of this evident failure to agree on the basic premises of data controllership and accountability.

Stephanie Perrin

On 2018-11-13 06:33, Alan Woods wrote:
Thank you Thomas, and furthermore thank you for your very balanced approach to the very surprising and frustrating events of last night's call.

I think you have hit the nail on the head here, and I echo your sentiments in the last paragraph. I got the distinct impression (however far from the truth that may be) that ICANN Org were holding their cards close to their chest, and although having been at the table of the ePDP, appear to be open to rejecting the work of the ePDP. These are discussions which should have been had day 1, openly and transparently, and in fact this proves the fundamental importance of the ePDP actually having substantive discussion of the roles and responsibilities prior to the interim report publication.

To echo Thomas, and indeed Diane, who I also recall made the point very well during the meeting, the hopes and wishes of the parties as to the allocation of roles and responsibilities are irrelevant; such matters are decided with reference alone to the legal reality and legal facts as to the roles held in the processing situation. I would further note that a statement made last night, (with the stated proviso that my audio dropped and I rejoined just as this utterance occurred therefore I will need to recheck the transcript for both context and accuracy), that ICANN Org is not a controller as it does not itself perform actual processing of the data; this concept of controllership is simply incorrect. I also heard this statement in Abu Dhabi from ICANN and indeed from the same person, and I also then raised my objection in an attempt to clarify. To hear it repeated again, last night, was worrisome (to put it mildly).

I personally think receipt of the memo, in its entirety, and not a mere summary, as was promised in the dying moments of the meeting, is now hugely necessary. I furthermore think at this point the question of independent outside counsel for the ePDP is now, more so than ever, a required step.

Kind regards,


Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
The Victorians,
15-18 Earlsfort Terrace
Dublin 2, County Dublin


On Tue, Nov 13, 2018 at 11:09 AM Thomas Rickert <epdp at gdpr.ninja> wrote:
Hello Marika, all,
Yesterday, the small roles & responsibilities team had its call.

We thank JJ and Erika from ICANN Org for attending the call.

I will only be able to attend the first 90 mins of the call and I do not know whether it is possible to squeeze in a report and discussion of the outcome of our call while I am in attendance. Therefore, I would like to give a brief update in writing.

The plan for the meeting was to discuss

- what roles GDPR offers and if these are sufficiently described in the language I offered for the report
- discussion of Rationale for joint controller vs. other scenarios
- options and limitations of policy work / charter limitations
- strategy to implementation

I hoped we could make sufficient progress during the call so that the small team could suggest a solid path forward to the EPDP plenary.

JJ reported to us that ICANN Org has a 10 page memo in the making in which concerns and ICANN’s views on the roles are described.
He said that we should not jump to the conclusion that a joint controller scenario is given before the roles and responsibilities for the individual processing activities are determined.
In his view, it is like putting the cart before the horse if a joint controller scenario is adopted before all parties had a chance to assess the impact on their liabilities and that joint controllership might not adequately reflect the risks the respective parties might want to take.

We then discussed that it is not really a question of what the parties want to choose to best suit their wishes, but a question of what the legal determination of the setup is. Several participants expressed their view that a joint controller scenario is likely present and therefore a joint controller agreement needs to be negotiated to reflect the roles and responsibilities and the required indemnifications etc. need to be put in place to associate the risks appropriately.

There are two issues with this that the EPDP Team and - in particular - the leadership needs to decide.

1. The issue of legal assessment vs. policy work

The question was brought up by Kurt and JJ in particular. They said - rightfully - that our group cannot really give legal advice. We have discussed the unfortunate situation that our policy group needs to do both compliance work as well as policy work in the EPDP plenary on multiple occasions before. We have a charter that requires us to speak to the responsibilities of the parties and this is just not possible without being transparent (in our report) about what concept we think is applicable. So I think the plenary needs to discuss and confirm that we will take a position on this (which can be vetted during the public comment period).

If the EPDP Team does not wish to take a position on this question, I think we need to go back to the GNSO Council to ask for a revision of the charter.

2. Timing

We were not given any indication as to how quickly a memo would be shared with the EPDP Team. JJ said that their memo should inform and help our work but it should not stand in the way of our work.

In my view (which was shared by several participants), the EPDP Team must know what ICANN org’s view on the matter is. The SGs and Cs need to be able to take into account the concerns and suggestions that ICANN Org might have to inform their own positioning. Also, I think we cannot detach our work from ICANN org’s position. It would be unfortunate - to say the least - if our group came up with a recommendation for the parties to negotiate a JCA just to find out that ICANN Org will refuse to implement that recommendation. Thus, clarity is required as soon as possible and a report should not be published before the memo has been shared, analyzed, discussed in the EPDP team and potential revisions to the initial report have been made.

In closing, let me be honest with the entire team and express my frustration with the process.
We have asked both Board liaisons as well as ICANN staff multiple times to share any legal memos / opinions there are to inform our discussions. Also, we have asked whether there would be concerns by ICANN Org with respect to entering into a joint controller agreement or data processing agreements in several meetings. We were not given any indication whatsoever that there could be problems. It is unfortunate to only learn about ICANN’s memo and that there are concerns a few days before the planned publication of our report.

Kind regards,

On 12.11.2018 at 16:25, Marika Konings <marika.konings at icann.org> wrote:

Dear All,

Please find below the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 13 November at 14.00 UTC.

  *   In relation to agenda item #3, please find attached an updated version of the proposed language for inclusion in the Initial Report in which staff has aimed to capture some of the input that was received in response to the Initial Report through the google doc, as well as input received on the mailing list.
  *   In relation to agenda item #4, please find attached a table which provides an overview of the changes proposed by EPDP Team members that staff didn’t feel comfortable applying because e.g. either the proposed change is not clear, the proposed change affects previously agreed preliminary agreements / text, or is a substantive change that requires further discussion / consideration by the full EPDP Team (see https://docs.google.com/document/d/1SoNTnvvadNQ8nX_-OxN4mtsd-gfLNxT54GXSXyGQwEQ/edit?ts=5be6721f for all comments received to date). In certain cases, staff has proposed a path forward, but would appreciate EPDP Team/commenter feedback before applying this change. Note that a number of comments were made in relation to preliminary recommendations and/or text that is still under consideration. It is the expectation that this input will be raised in the context of those discussions.

FYI, staff expects to share an updated version of the Initial Report later today so you can see how other input has been addressed (non-substantial issues) as well as how other aspects are coming together as a result of the EPDP Team work over the last couple of meetings.

Best regards,

Caitlin, Berry and Marika


EPDP Meeting #25 Agenda
Tuesday, 13 November 2018

  1.  Roll Call & SOI Updates (5 minutes)
  2.  Welcome and Updates from EPDP Team Chair (5 minutes)

     *   Initial Report finalization status, incl. items remaining to be addressed and schedule for the week ahead
     *   Confirm status and next steps in relation to natural vs. legal and geographic status
     *   Review of outstanding action items
     *   Other updates, if applicable

  3.  Data Redaction (see attached)

Objective of discussion:

  1.  Confirm language for inclusion in the Initial Report in relation to data redaction as well as email communication

     *   Review latest version of language for inclusion in relation to data redaction
     *   Consider charter questions:

f2) Should standardized requirements on registrant contact mechanism be developed?
f3) Under what circumstances should third parties be permitted to contact the registrant, and how should contact be facilitated in those circumstances?
And related draft recommendation:
In relation to facilitating email communication between third parties and the registrant, the EPDP Team recommends that [current requirements in the Temporary Specification that specify that a Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself, remain in place. [[[Other to be decided]]].

     *   Confirm next steps, if any

  4.  Commence review & discussion of comments / input received on Initial Report

Objective of discussion:
(1) Review proposed changes / comments on the Initial Report that require EPDP Team consideration
(2) Agree on if/how these proposed changes / comments are to be applied to the Initial Report

     *   Commence review of proposed changes / comments on the Initial Report (see list attached)
     *   Confirm approach for addressing these
     *   Confirm next steps, if any

  5.  Wrap and confirm next meeting to be scheduled for Wednesday 14 November / Thursday 15 November at 14.00 UTC (dependent on progress made).
     *   Confirm action items
     *   Confirm questions for ICANN Org, if any

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages<http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.

<Data Redaction - up 12 November 2018.docx><Initial Report changes for discussion - upd 12 November 2018.docx>
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org
