[Gnso-epdp-team] Controllership Language for Initial Report

Alan Woods alan at donuts.email
Wed Nov 14 11:09:14 UTC 2018


I agree with Stephanie, and would further like to strongly caution us from
assuming that ICANN are a sole controller for 'ALL' processing here.

Should ICANN be considered sole controller for the whole kit and caboodle
here, then we are stating that the CPs have *zero* influence on the manner
in which we process data. In such an instance, it is up to ICANN to provide
us with documented instructions as to all aspects of the processing. I
think we should consider what such a statement means for ICANN and indeed
the substantial ramifications that such a statement would have for the the
Multistakeholder model itself here. In addition, I think we shall find that
the legal reality of the situation is never going support the finding of a
sole controllership (in all aspects). Pragmatically, any CP could confirm
that our requirements under the RA or RAA is simply nowhere near
'comprehensive' enough to qualify as 'documented instructions' for our
processing. Let alone the complications regarding aspects such as
Sub-processor arrangements, 'technical and organizational measures', and of
huge importance, the taking care of any and all data subject requests re
registration (which are the Controller's responsibility). The means of
processing the CPs implement are varying, but with united goals, but this
still suggests such processing means extend beyond the contracts, and we
need to be mindful of that in our assessment of the facts here.
Additionally ICANN cannot possibly implement and monitor, and enforce
compliance with their 'processing' instructions as would be required under
Art 28 in any meaningful manner.

I have always maintained that we do not, as an industry, fit nicely into
the clean controller/processor relationship and thus defining our exact
relationship must be the work of new thinking on our combined behalf.
Thankfully such an approach fits with the intention of the GDPR, and within
the  expanded appreciation of non-traditional processing situations, as is
supported by Art 26 of the GDPR. Hence why the Joint Controller path with a
detailed roles and responsibility carve up is the most pragmatic and likely
only viable path open to us.

Alan








[image: Donuts Inc.] <http://donuts.domains>
Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
------------------------------
The Victorians,
15-18 Earlsfort Terrace
Dublin 2, County Dublin
Ireland

<https://www.facebook.com/donutstlds>   <https://twitter.com/DonutsInc>
<https://www.linkedin.com/company/donuts-inc>

Please NOTE: This electronic message, including any attachments, may
include privileged, confidential and/or inside information owned by Donuts
Inc. . Any distribution or use of this communication by anyone other than
the intended recipient(s) is strictly prohibited and may be unlawful.  If
you are not the intended recipient, please notify the sender by replying to
this message and then delete it from your system. Thank you.


On Tue, Nov 13, 2018 at 4:44 PM Stephanie Perrin <
stephanie.perrin at mail.utoronto.ca> wrote:

> If you are talking about the IPC team agreeing, Brian, fine.  I don't
> think the EPDP has any consensus position on controllership at all, which
> is why I support delaying the release of the report until we can at least
> frame our questions.  ICANN as a body, including this PDP, needs to analyze
> the current situation and determine status.  Given the inattention to
> registrant rights and data protection law throughout the history of ICANN,
> not much is clear....the contracts have embedded policy that was not
> community-developed, ICANN has taken on sole responsibility for some
> functions that are normal business requirements (eg Escrow), so determining
> what the framework is is not so simple.  WE need to do that to figure out
> quite a few things under GDPR.
>
> Stephanei
> On 2018-11-13 11:03, King, Brian via Gnso-epdp-team wrote:
>
> Hi All,
>
>
>
> If I still have posting rights to the list, here is some language for your
> consideration as a first draft of the EPDP’s position on ICANN
> controllership for the Initial Report:
>
>
>
> The team agrees that ICANN is at least a controller for all purposes
> identified, and perhaps the sole controller for some or all purposes. The
> team eagerly awaits the receipt of the legal memorandum about ICANN’s
> controllership role that is currently being drafted. As the memorandum was
> not received prior to the publication deadline for the Initial Report, the
> team requests that this memorandum be produced as soon as possible to
> inform both public comment and the group’s views on controllership for the
> Final Report.
>
>
>
> I’ll defer to Alex and Diane on further IPC input from here.
>
>
>
> *Brian J. King*
>
> *Director of Internet Policy & Industry Affairs*
>
> *MarkMonitor */ *Part of Clarivate Analytics *
>
> Phone: +1 (443) 761-3726
>
> brian.king at markmonitor.com
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing listGnso-epdp-team at icann.orghttps://mm.icann.org/mailman/listinfo/gnso-epdp-team
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181114/b3d9fc1d/attachment-0001.html>


More information about the Gnso-epdp-team mailing list