[Gnso-epdp-team] [Ext] Re: For Final Review - Initial Report - deadline Wednesday 21 November at 18.00 UTC

Trang Nguyen trang.nguyen at icann.org
Tue Nov 27 00:41:28 UTC 2018


Hello Thomas.

Thanks for your note and for your continuing collaboration on this issue. Your knowledge and experience with these issues is very valuable to all of us, and we appreciate this dialogue.

The Temporary Specification identifies the existence of multiple controllers as part of the domain registration system. As we’ve discussed, it does not specify whether the controllers are joint or independent. ICANN org previously indicated that the controllers are independent and not joint (see Section 7.2.11.3 of the Cookbook<https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf>), which is based on our understanding of the definition of independent versus joint controllers (see the ICANN Org Feedback<https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000895.html> on Roles and Responsibilities Memo).

In EPDP discussions, a view has been expressed that the parties are all joint controllers. ICANN org has said that position would be a significant change from the Temporary Specification and would require further review and discussion. Deciding whether or not the parties should act as joint controllers could have far reaching consequences, such as in relation to liability. To help the team move to finalizing its recommendation on this issue we believe it would be helpful to attempt to identify the specific facts and the precise application of the GDPR to these facts. If it’s true that the parties are all joint controllers then we should be able to describe exactly when and how the parties came together and continue to come together on a regular basis to jointly agree on all the relevant purposes and also all the variety of very specific means of processing. We’ve agreed to continue discussing this together further now that the initial report is published. Thanks for that.

We agree with your note below, which pointed out that if the controllers are independent there still must be a mechanism to ensure an appropriate legal basis for any transfers of personal data of an EEA resident to another party that is not subject to the GDPR. This is addressed by section 6.3.2 of the Temporary Specification, which permits registry operators wherever necessary, and without further ICANN org approval, to amend their registry-registrar agreements to incorporate data processing terms and conditions, including the EU Model Clauses to govern international data transfers. ICANN org and the contracted parties already collaborated on and published “ICANN Temporary Specification Model Registry-Registrar Agreement Amendment Terms<https://www.icann.org/en/system/files/files/rra-amendment-terms-temp-spec-02jul18-en.pdf>” which are posted on the Temporary Specification web page<https://www.icann.org/resources/pages/gtld-registration-data-specs-en>.

As a result, it at least appears to us that all of the formalities you mentioned are addressed under the framework of the Temporary Specification, but please let us know if and how you disagree.

The current proposal in the initial report is to create a new policy binding on all registries, registrars, and ICANN org, requiring negotiations on a brand new separate “agreement” (not “arrangement”). Implementation of this policy recommendation would require approximately 1000+ simultaneous negotiations. Unlike the EU-approved Model Clauses for international data transfers there is no such agreed or even approved standard form for a joint controller agreement available at this point in time, and no such standard form is expected to become available any time soon.

The community might collaborate on a template that could be used as a starting point for each of those negotiations, but each separate registry would then be free to make its own unique demands of ICANN org and its associated registrars. If this is the path that is decided upon, then numerous implementation questions would remain, as illustrated below.

For example, there would inevitably be disagreements between the parties on how to divide and allocate the various obligations under GDPR from a data subject perspective and the associated responsibilities and risks. We believe that it would be very difficult to achieve a consistent framework across all gTLDs, since each of the 1000+ negotiations would be a blank slate, subject to the demands of individual registries and registrars. ICANN org would be required to treat all registries and registrars fairly, so presumably each registry would want to hold out for or renegotiate to get the best possible “deal” in its JCA. This scenario could also lead to legal uncertainty in the community and could therefore have a counterproductive effect.

Presumably some registries might disagree that they even need a joint controller agreement at all. For example, how would we explain to a dot-brand TLD (outside or even inside of Europe) why they need a JCA?

Some registries might also propose terms for their JCA that the registrars or ICANN org (or both) would find to be unfair or otherwise objectionable. What if a registry were to demand in its proposed JCA that the registrars and ICANN org must indemnify the registry even for the registry’s own intentional misconduct in handling personal data?

If the parties failed to reach agreement, would ICANN org,  the registrars, and the registry all be in violation of the proposed new policy? You said that such a “failure to agree” would be a violation of the policy and that it would be up to ICANN org’s contractual compliance team to enforce, so presumably at some point the parties could end up in arbitration to determine which parties were right and wrong in their negotiating positions?

These are just a few examples of questions we have identified. There are likely many more that will arise if this path is pursued. Contrary to what has been said, we are not trying to spread “fear, uncertainty, and doubt” in raising these implementation-related questions. Rather, we are trying to fulfill our roles as ICANN org liaisons. The EPDP charter states: “The ICANN Org GDD and Legal Liaisons are expected to provide timely input on issues that may require ICANN Org input such as implementation-related queries.”

Thanks again for your continued openness to discussing this. We look forward to taking this conversation up again this week.

Dan and Trang
ICANN org liaisons

From: Thomas Rickert <epdp at gdpr.ninja>
Date: Wednesday, November 21, 2018 at 7:21 AM
To: Trang Nguyen <trang.nguyen at icann.org>
Cc: Thomas Rickert <epdp at gdpr.ninja>, Marika Konings <marika.konings at icann.org>, "gnso-epdp-team at icann.org" <Gnso-epdp-team at icann.org>
Subject: [Ext] Re: [Gnso-epdp-team] For Final Review - Initial Report - deadline Wednesday 21 November at 18.00 UTC

Hi Trang,
Thanks so much for the additional comments. As you suggest, I think these should not stop us from releasing the report.

Let’s be clear, there will be work involved in getting the compliance done and we should try to get contracts as standardized as possible and use existing mechanisms to get the contracts in place (hence my idea to use the RRA). Maybe it is just me, but I read those comments like we are suggesting something that is overly cumbersome to implement, which suggests that you might have a envisaged solution that requires less efforts. If so, please do share.

Just to illustrate this:

Where we have a joint controller situation, we need JCAs
Where we have controller-processor situations, we need DPAs
Where we have independent controller situations, we would at least need to cover (as for the other two scenarios) the non-EU transfers in writing

In sum, regardless what option we pursue, we will need to formalize the relationships.

If anyone has an idea of how to avoid formalities, please share. If there is no way to avoid formalities, let’s just accept that and try to find the most efficient way to get that done.

Best
Thomas


Am 21.11.2018 um 06:42 schrieb Trang Nguyen <trang.nguyen at icann.org<mailto:trang.nguyen at icann.org>>:

Dear EPDP Team,

Regarding recommendation #13, as we flagged today in the chat and previously provided in the ICANN feedbackdocument<https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000895.html>, there are implementation-related issues and concerns that we look forward to continuing to discuss with the Team. For example, the practicality as well as cost of negotiating, monitoring, supporting, and enforcing 1200+ different agreements with potentially different obligations. We’d also like to flag some additional suggestions and questions on recommendation #13. For easy viewing, we extracted recommendation #13 from the draft Initial report and provided the suggestions and questions in the comment fields. To be clear, we do not believe that these items should delay publication of the Initial Report. We look forward to continued discussion with the EPDP Team on this topic.

The one thing that we do want to flag for the EPDP Team’s consideration prior to the publication of the Initial Report is the inconsistency in how recommendation #13 is displayed in Section 2 and Section 4 of the Initial Report. Section 2 only contains 2 paragraphs while Section 4 contains these two paragraphs plus several paragraphs of additional text. Since the additional text does not appear in Section 2 of the report, we assume it is not part of the recommendation. If this assumption is correct, it would be helpful to make the separation of the additional text clearer in Section 4 of the report.

Dan and Trang
ICANN org liaisons


From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> on behalf of Marika Konings <marika.konings at icann.org<mailto:marika.konings at icann.org>>
Date: Tuesday, November 20, 2018 at 11:46 AM
To: "Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>" <Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>>
Subject: [Gnso-epdp-team] For Final Review - Initial Report - deadline Wednesday 21 November at 18.00 UTC

Dear EPDP Team,

We are pleased to share the proposed Initial Report for publication. Thank you again for attending and constructively contributing to the many hours of meetings over the past few days.


  *   Redline – https://drive.google.com/a/icann.org/file/d/171jOv42nahKFnPW1WhSE8ckr6K00i4RX/view?usp=sharing [drive.google.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__drive.google.com_a_icann.org_file_d_171jOv42nahKFnPW1WhSE8ckr6K00i4RX_view-3Fusp-3Dsharing&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=EsM_gBHmxSFPAzJp3M67DbigIhZDtEFi7WicX3tz3RQ&s=3J4Yh6TGbOOGChMPq_9L97rAO_AHWQaBNjw03jVhv-s&e=>
  *   Clean – https://drive.google.com/a/icann.org/file/d/1OyG6ExIGkemW902jHYF7V88Y8mu-kObk/view?usp=sharing [drive.google.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__drive.google.com_a_icann.org_file_d_1OyG6ExIGkemW902jHYF7V88Y8mu-2DkObk_view-3Fusp-3Dsharing&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=EsM_gBHmxSFPAzJp3M67DbigIhZDtEFi7WicX3tz3RQ&s=ASqrI8ZnjDf6jUM_k0_3nQgyvS2Gam5oREH-MqPMaew&e=>

Note that in the redline version, you will find highlighted in yellow the updates proposed by Thomas for the responsibilities section. He also spotted some inconsistencies in the related tables that have been updated accordingly (as well as the related data elements workbooks sections). Please also note that per Monday’s discussion, the summary has been split out into an Executive Summary and Overview of Preliminary Recommendations.

For your convenience, you will also find attached the clean Word version. However, should you spot any minor issues or show stoppers, please use the line number reference in the pdf version to facilitate locating the language. Minor issues (e.g. grammatical, readability) can be sent to staff off list.

Due to internal ICANN processing times and deadlines we require feedback by 1800 UTC, tomorrow, 21 November. If you need additional time (not more than two hours), you must notify us before the 1800 cut off.

Best regards,

Caitlin, Berry and Marika

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_gnso&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=Cg5uQf0yAfw-qlFZ0WNBfsLmmtBNUiH0SuI6Vg-gXBQ&e=> and visiting the GNSO Newcomer pages<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gnso.icann.org_files_gnso_presentations_policy-2Defforts.htm-23newcomers&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=tT-E2RoAucUb3pfL9zmlbRdq1sytaEf765KOEkBVCjk&e=>.

<EPDP Team Preliminary Rec #13.docx>_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-epdp-team

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20181127/8970c99c/attachment-0001.html>


More information about the Gnso-epdp-team mailing list