[Gnso-epdp-team] FW: [Ext] Fwd: Additional language for roles and responsibilities
mcanderson at verisign.com
Mon Nov 19 18:28:15 UTC 2018
Thank you for the proposed additional language. I have a couple of follow-up questions for you.
In your first paragraph you talk about public and private versions of the JCA. I’m not familiar with this and generally understand that if ICANN enters into a JCA with registries and registrars it would be public. Can you elaborate on what you mean?
The second to last paragraph starts off saying it’s out of scope to prescribe the form of the JCA, but then goes on to recommend the form of the JCA. Your recommendations include leveraging the RRA for the JCA. As currently structured this wouldn’t work because ICANN isn’t party to the RRA. I think that paragraph can just be dropped altogether and leave the form to contracted parties.
Your last paragraph says that the JCA should include information that is legally required to be provided to the data subject to use the same language across TLDs as much as possible. Here I think the opposite is true. GDPR does not apply globally and what information is legally required to be provided varies across jurisdictions. Being too prescriptive here seems like it would lead to more variation being needed across TLDs. Curious what the Registrar take here is as they will be on the hook for the data subject disclosure.
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Marika Konings
Sent: Monday, November 19, 2018 7:40 AM
To: gnso-epdp-team at icann.org
Subject: [EXTERNAL] [Gnso-epdp-team] FW: [Ext] Fwd: Additional language for roles and responsibilities
Please see email from Thomas below which may not have made it to the list.
Caitlin, Berry and Marika
Begin forwarded message:
From: Thomas Rickert <thomas at rickert.net>
Subject: Additional language for roles and responsibilities
Date: 18 November 2018 at 21:59:10 CET
To: "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Cc: Thomas Rickert <thomas at rickert.net>
As discussed during our last call, please find below an additional paragraph to be inserted after line 1628, i.e. at the end of Recommendation #13.
The challenge was to keep the language concise, yet cover the most urgent operational questions that came up, while not stepping over the line and doing work outside the picket fence. You will decide whether these parameters were met in the language below, but I hope it will at least serve as a starting point for our discussions.
The EPDP Team understands that a joint controller situation between ICANN Org, Registries and Registrars requires work at a greater level of granularity than in this report. During the negotiations, the parties shall conduct a detailed review of the individual processing activities and the actions to be taken by the respective parties. A clear demarcation of the processing activities covered by the JCA versus those carried out by either party outside the scope of the JCA shall be documented and reflected both in the private as well as in the public version of the JCA.
The JCA shall ensure that the risks of data processing are shared adequately based on whose interests are concerned. Also, the JCA shall include indemnifications to ensure that no party shall ultimately be liable for another party’s wrongdoing.
The JCA shall recognize that parties are currently using third parties’ services or otherwise work with third parties, such as
- Data Escrow Agents
- Registry Service Providers
- Registrar as a Service Providers
- Dispute Resolution Providers
- the TMCH.
This may or may not include processing of personal data by those third parties. Where personal data is processed by third parties, the respective joint controller will need to ensure that the data processing is carried out in a way compliant with GDPR. However, conditional to GDPR compliance, nothing in the JCA shall prevent the respective joint controller from engaging third parties and entering into the required agreements without further authorizations from the other joint controllers.
The EPDP Team considers it out of scope of its work to prescribe in what form JCAs will be entered into, as long as a set of the minimum requirements as specified in the EPDP Team’s report, are met. It does appear advisable, though, to create one template, which can be amended to reflect situations that are not applicable industry-wide (such as eligibility requirements for registered name holders) and that JCAs are entered into per TLD between ICANN Org, the respective Registry Operator and registrars. A potential way to facilitate contracting would be to make the JCA part of the RRA, so there would be separate tri-partite agreements between ICANN Org, the Registry Operator and each registrar.
Standardized parts of the JCA should include the information that is legally required to be provided to the data subjects to allow for the use of the same language across all TLDs as much as possible.