[Gnso-epdp-team] Report on Small team on roles & responsibilities in preparation for EPDP Team Meeting #25
trang.nguyen at icann.org
Thu Nov 15 05:03:50 UTC 2018
There has been expression of surprise by some EPDP Team members regarding feedback that ICANN org is preparing on the roles and responsibilities memo<https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000781.html>. This reaction is a surprise to ICANN org because it was requested on the 6 November 2018 EPDP Team call<https://participate.icann.org/p1qdyha6o2k/> that ICANN org work with Thomas and a small group of EPDP Team members on this topic.
On the recent 6 November 2018 EPDP Team call<https://participate.icann.org/p1qdyha6o2k/>, Thomas first introduced the suggestion to align roles and responsibilities in the draft Initial Report. During the call, it was requested that ICANN org work with Thomas and a small group of EPDP Team members on this topic. A roles and responsibilities memo<https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000781.html> was circulated by Thomas to the EPDP Team mailing list on 7 November 2018 with a note that due to time constraint there was no opportunity to share the memo with anyone else in the EPDP Team or ICANN org for input prior to circulation. Because an opportunity to contribute to the initial draft of the memo was not possible due to time constraint, ICANN org liaisons immediately reviewed and began to work on feedback to this memo. Rather than redlining and providing comments directly on the memo, which would be difficult to read, ICANN org is preparing our feedback in a separate document for ease of viewing. On the 8 November 2018 EPDP Team call<https://community.icann.org/display/EOTSFGRD/2018-11-08+EPDP+Team+call+%2324?preview=/96210602/97846568/AC%20Chat%20%26%20Attendance%20EPDP%2008%20Nov%2018.pdf> when the memo was discussed, ICANN org liaisons reiterated our willingness to work with Thomas and other members of the EPDP Team on the roles and responsibilities. On the 12 November 2018 call with a small group of EPDP Team members regarding roles and responsibilities, John Jeffrey, ICANN org General Counsel, re-emphasized that ICANN org is in the process of preparing feedback to the memo Thomas circulated. We plan on circulating this response by tomorrow (15 November 2018). The feedback is intended to contribute to the Team’s efforts to analyze the appropriate application of the GDPR to the responsibilities of ICANN and the contracted parties.
It is unclear to us how feedback to the roles and responsibilities memo, which we are providing because an opportunity to contribute to the initial draft of the memo was not possible due to time constraint, is a surprise to some members of the EPDP Team. It is also unclear why continued discussion on this topic should delay the publication of the Initial Report since this is not the only topic where there is no consensus agreement within the EPDP Team (e.g., there is ongoing discussion on the legal versus natural person topic as well). Per the ICANN Bylaws and EPDP Charter, ICANN org liaisons cannot participate in consensus calls. Thus, ICANN org cannot be inserted into the EPDP process as a barrier to creating consensus because we have a view that might be different than those expressed by others in the EPDP Team. More specifically, we do not believe that the ongoing discussion on this topic should hold up the publication of the Initial Report.
There have also been some comments by some members of the EPDP Team that ICANN org’s feedback is coming at the last minute. ICANN org would like to remind the EPDP Team that the memo was only circulated on 7 November 2018. ICANN org would also like to remind the EPDP Team that based on the ICANN’s Bylaws<https://www.icann.org/resources/pages/governance/bylaws-en/#article1>, which state “ICANN's scope is to coordinate the development and implementation of policies” and the EPDP charter<https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-spec-gtld-rd-epdp-19jul18-en.pdf>, which defines ICANN staff liaison’s role as “to provide timely input on issues that may require ICANN Org input such as implementation-related queries,” we believe our role is to help the EPDP Team advance its discussion by flagging any implementation-related issues/concerns, and to provide responses to inquiries directed at ICANN org. To-date, the only questions that ICANN org liaisons have received from the EPDP Team that touch on the topic of joint controllership are the two from the 6 November 2018 EPDP Team meeting. The responses to these two questions are provided below. Regarding flagging implementation-related issues/concerns, ICANN org liaisons previously said at break-out sessions at the Los Angeles Face-to-Face that joint controllership is different than what's in the Temp Spec, silence does not mean agreement, and that review and discussion might be needed on this topic. On 4 October 2018, ICANN org liaisons sent an email<https://mm.icann.org/pipermail/gnso-epdp-team/2018-October/000502.html> to the EPDP mailing list stating that the purposes and roles and responsibilities in the Lawful Basis memo are different than what’s in the Temp Spec and that we are unable to convey an official ICANN position that differs from the Temporary Specification at this time. 
In the chat on the 6 November<https://community.icann.org/display/EOTSFGRD/2018-11-06+EPDP+Team+call+%2323?preview=/96210600/97846059/AC%20Chat%20%26%20Attendance%20EPDP%2006%20Nov%2018.pdf>, 8 November<https://community.icann.org/download/attachments/96210602/AC%20Chat%20%26%20Attendance%20EPDP%2008%20Nov%2018.pdf?version=1&modificationDate=1541693777000&api=v2>, and 13 November<https://community.icann.org/download/attachments/97846102/AC%20Chat%20%26%20Attendance%20EPDP%2013%20Nov%2018.pdf?version=1&modificationDate=1542124783000&api=v2> 2018 EPDP Team calls, ICANN org liaisons reiterated that joint controllership is different than what’s in the Temp Spec and would require further review.
ICANN org will continue to follow discussions and provide responses to any questions that the EPDP Team may have. We are also committed to continuing to work with the EPDP Team on the roles and responsibilities topic.
Dan and Trang
ICANN org liaisons
ICANN org’s responses to EPDP Team’s questions from the 6 November 2018 call
QUESTION: Is indemnification provided by ICANN through a joint controller agreement an option?
RESPONSE: Yes, indemnification through a joint controller agreement is one of the options if it is determined that ICANN and contracted parties are joint controllers. However, ICANN org has previously noted that the Temp Spec does not specify that ICANN org and the contracted parties are joint controllers.
The question of whether ICANN org and the contracted parties are joint controllers requires an analysis under Article 26 of the GDPR, which addresses the concept of joint controllers.
* If it is determined that ICANN org and the contracted parties are joint controllers, then there would need to be a joint controller arrangement as described in Article 26 of the GDPR;
* If there is a joint controller arrangement (or arrangements), it will have to be determined who the parties to the arrangement(s) would be. Would the arrangement take the form of an agreement? If so, would there be one agreement for all registrars, data escrow agents, etc, or would there be separate agreements for different entity types? Would a joint controller agreement bind entities that have no agreement with ICANN org when a joint controller agreement is negotiated but later become a registrar? Etc.
* It is customary to address indemnification in joint controller agreements as a mutual indemnification. It is necessary to fully understand the nature of processing activities, responsibilities and risks of non-compliance related to the joint controllership to adequately and fairly allocate the indemnification obligations. ICANN org is exploring ways to reduce contracted parties’ potential liability relating to access of non-public gTLD registration data, but this does not necessarily suggest that ICANN org would indemnify contracted parties in a joint controller agreement for all possible violations of GDPR, as this could be read to imply.
* As part of addressing indemnification in joint controller agreements, an assessment of the financial exposure to ICANN org as well as exploration of how such exposure could be financed (i.e., through increased funding) would have to be done.
These points and more will be addressed in ICANN org’s feedback to Thomas’s memo on roles and responsibilities, which we plan to circulate tomorrow, 15 November 2018.
QUESTION: If EPDP agrees on policy that requires ICANN to indemnify, would the ICANN legal team and Board oppose it?
RESPONSE: As noted above, indemnification through a joint controller agreement is one of the options if it is determined that ICANN and the contracted parties are joint controllers. This, however, does not necessarily suggest that it would be reasonable for ICANN org to indemnify contracted parties for all possible violations of GDPR. ICANN org can’t speak for the Board and, as noted above, there are several questions around joint controllership and joint controller agreements that would need to be answered before ICANN org could give a position on joint controllership and the associated allocation of liability and risk, including how financial exposure to ICANN could be financed (i.e., through increased funding).
These points and more will be addressed in ICANN org’s response to Thomas’s memo on roles and responsibilities, which we plan to circulate tomorrow, 15 November 2018.
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Alan Woods <alan at donuts.email>
Date: Tuesday, November 13, 2018 at 3:35 AM
To: Thomas Rickert <epdp at gdpr.ninja>
Cc: GNSO EPDP <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] Report on Small team on roles & responsibilities in preparation for EPDP Team Meeting #25
Thank you Thomas, and furthermore thank you for your very balanced approach to the very surprising and frustrating events of last night's call.
I think you have hit the nail on the head here, and I echo your sentiments in the last paragraph. I got the distinct impression (however far from the truth that may be) that ICANN Org were holding their cards close to their chest, and although having been at the table of the ePDP, appear to be open to rejecting the work of the ePDP. These are discussions which should have been had day 1, openly and transparently, and in fact this proves the fundamental importance of the ePDP actually having substantive discussion of the roles and responsibilities prior to the interim report publication.
To echo Thomas, and indeed Diane, who I also recall made the point very well during the meeting, the hopes and wishes of the parties as to the allocation of roles and responsibilities are irrelevant; such matters are decided with reference alone to the legal reality and legal facts as to the roles held in the processing situation. I would further note that a statement made last night, (with the stated proviso that my audio dropped and I rejoined just as this utterance occurred therefore I will need to recheck the transcript for both context and accuracy), that ICANN Org is not a controller as it does not itself perform actual processing of the data; this concept of controllership is simply incorrect. I also heard this statement in Abu Dhabi from ICANN and indeed from the same person, and I also then raised my objection in an attempt to clarify. To hear it repeated again, last night, was worrisome (to put it mildly).
I personally think receipt of the memo, in its entirety, and not a mere summary, as was promised in the dying moments of the meeting, is now hugely necessary. I furthermore think at this point the question of independent outside counsel for the ePDP is now, more so than ever, a required step.
Senior Compliance & Policy Manager, Donuts Inc.
15-18 Earlsfort Terrace
Dublin 2, County Dublin
On Tue, Nov 13, 2018 at 11:09 AM Thomas Rickert <epdp at gdpr.ninja> wrote:
Hello Marika, all,
Yesterday, the small roles & responsibilities team had its call.
We thank JJ and Erika from ICANN Org for attending the call.
I will only be able to attend the first 90 mins of the call and I do not know whether it is possible to squeeze in a report and discussion of the outcome of our call while I am in attendance. Therefore, I would like to give a brief update in writing.
The plan for the meeting was to discuss
- what roles GDPR offers and if these are sufficiently described in the language I offered for the report
- discussion of Rationale for joint controller vs. other scenarios
- options and limitations of policy work / charter limitations
- strategy to implementation
I hoped we could make sufficient progress during the call so that the small team could suggest a solid path forward to the EPDP plenary.
JJ reported to us that ICANN Org has a 10 page memo in the making in which concerns and ICANN’s views on the roles are described.
He said that we should not jump to the conclusion that a joint controller scenario is given before the roles and responsibilities for the individual processing activities are determined.
In his view, it is like putting the cart before the horse if a joint controller scenario is adopted before all parties had a chance to assess the impact on their liabilities and that joint controllership might not adequately reflect the risks the respective parties might want to take.
We then discussed that it is not really a question of what the parties want to choose to best suit their wishes, but a question of what the legal determination of the setup is. Several participants expressed their view that a joint controller scenario is likely present and therefore a joint controller agreement needs to be negotiated to reflect the roles and responsibilities and the required indemnifications etc. need to be put in place to associate the risks appropriately.
There are two issues with this that the EPDP Team and - in particular - the leadership needs to decide.
1. The issue of legal assessment vs. policy work
The question was brought up by Kurt and JJ in particular. They said - rightfully - that our group cannot really give legal advice. We have discussed the unfortunate situation that our policy group needs to do both compliance work as well as policy work in the EPDP plenary on multiple occasions before. We have a charter that requires us to speak to the responsibilities of the parties and this is just not possible without being transparent (in our report) about what concept we think is applicable. So I think the plenary needs to discuss and confirm that we will take position on this (which can be vetted during the public comment period).
If the EPDP Team does not wish to take a position on this question, I think we need to go back to the GNSO Council to ask for a revision of the charter.
We were not given any indication as to how quickly a memo would be shared with the EPDP Team. JJ said that their memo should inform and help our work but it should not stand in the way of our work.
In my view (which was shared by several participants), the EPDP Team must know what ICANN org’s view on the matter is. The SGs and Cs need to be able to take into account the concerns and suggestions that ICANN Org might have to inform their own positioning. Also, I think we cannot detach our work from ICANN org’s position. It would be unfortunate - to say the least - if our group came up with a recommendation for the parties to negotiate a JCA just to find out that ICANN Org will refuse to implement that recommendation. Thus, clarity is required as soon as possible and a report should not be published before the memo has been shared, analyzed, discussed in the EPDP team and potential revisions to the initial report have been made.
In closing, let me be honest with the entire team and express my frustration with the process.
We have asked both Board liaisons as well as ICANN staff multiple times to share any legal memos / opinions there are to inform our discussions. Also, we have asked whether there would be concerns by ICANN Org with respect to entering into a joint controller agreement or data processing agreements in several meetings. We were not given any indication whatsoever that there could be problems. It is unfortunate to only learn about ICANN’s memo and that there are concerns a few days before the planned publication of our report.
On 12.11.2018 at 16:25, Marika Konings <marika.konings at icann.org> wrote:
Please find below the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 13 November at 14.00 UTC.
* In relation to agenda item #3, please find attached an updated version of the proposed language for inclusion in the Initial Report in which staff has aimed to capture some of the input that was received in response to the Initial Report through the google doc, as well as input received on the mailing list.
* In relation to agenda item #4, please find attached a table which provides an overview of the changes proposed by EPDP Team members that staff didn’t feel comfortable applying because e.g. either the proposed change is not clear, the proposed change affects previously agreed preliminary agreements / text, or is a substantive change that requires further discussion / consideration by the full EPDP Team (see https://docs.google.com/document/d/1SoNTnvvadNQ8nX_-OxN4mtsd-gfLNxT54GXSXyGQwEQ/edit?ts=5be6721f for all comments received to date). In certain cases, staff has proposed a path forward, but would appreciate EPDP Team/commenter feedback before applying this change. Note that a number of comments were made in relation to preliminary recommendations and/or text that is still under consideration. It is the expectation that this input will be raised in the context of those discussions.
FYI, staff expects to share an updated version of the Initial Report later today so you can see how other input has been addressed (non-substantial issues) as well as how other aspects are coming together as a result of the EPDP Team work over the last couple of meetings.
Caitlin, Berry and Marika
EPDP Meeting #25 Agenda
Tuesday, 13 November 2018
1. Roll Call & SOI Updates (5 minutes)
2. Welcome and Updates from EPDP Team Chair (5 minutes)
* Initial Report finalization status, incl. items remaining to be addressed and schedule for the week ahead
* Confirm status and next steps in relation to natural vs. legal and geographic status
* Review of outstanding action items
* Other updates, if applicable
3. Data Redaction (see attached)
Objective of discussion:
1. Confirm language for inclusion in the Initial Report in relation to data redaction as well as email communication
* Review latest version of language for inclusion in relation to data redaction
* Consider charter questions:
f2) Should standardized requirements on registrant contact mechanism be developed?
f3) Under what circumstances should third parties be permitted to contact the registrant, and how should contact be facilitated in those circumstances?
And related draft recommendation:
In relation to facilitating email communication between third parties and the registrant, the EPDP Team recommends that [current requirements in the Temporary Specification that specify that a Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself, remain in place. [[[Other to be decided]]].
* Confirm next steps, if any
4. Commence review & discussion of comments / input received on Initial Report
Objective of discussion:
(1) Review proposed changes / comments on the Initial Report that require EPDP Team consideration
(2) Agree on if/how these proposed changes / comments are to be applied to the Initial Report
* Commence review of proposed changes / comments on the Initial Report (see list attached)
* Confirm approach for addressing these
* Confirm next steps, if any
5. Wrap and confirm next meeting to be scheduled for Wednesday 14 November / Thursday 15 November at 14.00 UTC (dependent on progress made).
* Confirm action items
* Confirm questions for ICANN Org, if any
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>
Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages<http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.
<Data Redaction - up 12 November 2018.docx><Initial Report changes for discussion - upd 12 November 2018.docx>
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>