[Gnso-epdp-team] Legal vs Natural and Redactions
alan at donuts.email
Wed Nov 14 18:11:51 UTC 2018
Thank you, Hadia and Alan, for your statements. As the Ry reps (supported by
the registrars) have already explained, we believe the mandatory policy is
unsuitable, noting our assessment as to the reasons grounding that position.
I believe it would be beneficial to the team, if the ALAC could similarly
provide us with your grounding reasoning as to why you believe such a
mandatory policy is appropriate, given the risks we have already noted to
both the Data Subject AND the CPs, both of whom will be impacted to the
greatest extent by such a recommendation.
To leadership Team:
I think at this point, given the relatively small time left remaining in
this process, that we need to set clear expectations for the provision of
any such SO/AC/SG/C ‘recommendations’. At a minimum we should be insisting
that SO/AC/SG/Cs who wish to make any recommendations must also provide
their assessment/reasoning for such a conclusion, capable of grounding any
such recommendation; more so specifically in cases such as this, where such
views are at complete odds with strongly stated concerns and reservations
of another SO/AC/SG/C already on record, of which they are reasonably aware
at the time of submission.
Using this recommendation as an example, and my apologies, this is not
aimed specifically at ALAC, but it is the example to hand. I’m fully sure
that Hadia and Alan have not come to this conclusion lightly.
That being said, if I may illustrate the point however by highlighting why
grounding reasons are so vital in this particular recommendation. In my
consideration of the proposal I would pose the following questions which
immediately spring to mind.
WHY is minimum mandatory policy considered suitable, given the concerns
raised? What factors were considered that seem to outweigh such concerns?
Given the representations on record as to the inability to implement a
mandatory policy, how is the recommendation made compatible with Art 25 of
Given that representations on record as to concerns regarding the
security of personal data, should a mandatory policy be implemented?
At the very least, any such recommendation must be accompanied by an
assessment under Art 32?
Art 32 (2) requires an assessment as to security and the preventive
methods against breaches be undertaken. The ePDP recommendation must
ultimately also include such an assessment, therefore for clarity, any
party who makes such a recommendation, should also provide a grounding
assessment as to such a recommendation.
Again this assessment must take into account matters such as risk of
breach, with due deference to the helpful headings as provided by Art 32
(1). It must also provide acceptable answers or at least provide reasons
for dismissing the concerns raised.
So given the strongly stated concerns the CPs have raised regarding the
likelihood of a higher risk of breach of data, were a mandatory policy to
be imposed, it is incumbent on those suggesting to disregard such a
concern, to provide their reasoning for such a decision.
I appreciate we all have viewpoints (strong ones) on this, but without
providing a reasoned supported argument for a certain recommendation to the
group, we cannot possibly fairly assess such a recommendation. I must
therefore urge and request leadership to be insistent going forward, that
any such recommendations made by any SO/AC/SG/C (Registries included of
course) MUST be accompanied by a full statement of the reasons grounding
the recommendation, including, as we are talking about data subject rights,
an assessment as to the impact the proposed policy recommendation may have
on the privacy rights of the individual, or indeed on the ability of the
CPs to implement.