[Gnso-epdp-team] Notes and action items from small team #1 meeting

Marika Konings marika.konings at icann.org
Wed Oct 3 14:50:12 UTC 2018


Dear All,

For your information, please find below the notes and action items of small team #1 which met earlier today to discuss:

h)     Applicability of Data Processing Requirements
h3) Should Contracted Parties be allowed or required to treat legal and natural persons differently, and what mechanism is needed to ensure reliable determination of status?
h4) Is there a legal basis for Contracted Parties to treat legal and natural persons differently?
h5) What are the risks associated with differentiation of registrant status as legal or natural persons across multiple jurisdictions? (See EDPB letter of 5 July 2018).

Best regards,

Caitlin, Berry and Marika


Small Team #1 Meeting
Wednesday, 4 October 2018
Notes and Action Items

High-level Notes/Actions:

Action item #1: Staff to put the possible draft recommendation up as a google doc and provide editing rights to the small team to further refine the language.

Action item #2: Small team to review and refine language by Friday 5 October COB. Following that take it back to the EPDP Team for input and consideration (early next week).

Notes & Action items
These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/2IpHBQ.

1. Roll Call & SOI Updates (5 minutes)

  *   Attendance will be taken from Adobe Connect - attendees: Alex Deacon (IPC), Ben Butler (SSAC), David Plumb (CBI), Gina Bartlett (CBI), James Bladel (RrSG), Marc Anderson (RySG), Margie Milam (BC), Laureen Kapin (GAC), Stephanie Perrin (NCSG)
  *   Please remember to mute your microphones when not speaking, and state your name before speaking for transcription purposes.
  *   Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

h)     Applicability of Data Processing Requirements
h3) Should Contracted Parties be allowed or required to treat legal and natural persons differently, and what mechanism is needed to ensure reliable determination of status?
h4) Is there a legal basis for Contracted Parties to treat legal and natural persons differently?
h5) What are the risks associated with differentiation of registrant status as legal or natural persons across multiple jurisdictions? (See EDPB letter of 5 July 2018).


  *   See background document that was shared.
  *   Initial input on charter questions:
  *   Margie/BC: GDPR does not apply to legal persons. Has a large impact on records that are redacted. It is reasonable to make distinction and can be done through self-designation - this is already done in a ccTLD context and some gTLDs (for example, .NYC has filed an RSEP to allow for this). Consider step in process flow for registration to allow for self-designation and explain what difference between legal / natural person is and its implications, as well as obtain consent for including any personal information. Legal persons are usually engaged in commercial activity so it also links to other areas such as consumer protection.
  *   James / RrSG: Agree with a number of Margie's points. Need to do a better job at distinguishing between legal / natural person. Field currently used is registrant organization, but this is overloaded and a bit of a mess. This EPDP could recommend contracted parties to distinguish between the two. Guidance from EDPB did note that even for registration for a legal person personal data could be provided, which makes it more complicated. Other privacy legislation, like e-privacy, does not distinguish between natural and legal person, so any recommendation made needs to be future proof. Should contracted parties be allowed: YES, should they be required: NO. Does not scale to require this.
  *   Marc/RySG: Agree with a number of the previous points. Jurisdictional challenges need to be considered. Need flexibility to deal with different requirements in different jurisdictions. The organization field could be used, but it has never been used to differentiate between natural and legal person. Have a huge existing base of existing registrations where it is not easy to say whether it concerns a natural or legal person - backfilling requirement would be problematic and not an easy lift.
  *   Alex / IPC: sounds like there is a path forward as many agree that there is a need to distinguish. May disagree on whether this should be required. Legal persons should be encouraged to not use personal information when providing contact information. Need to provide information about the purposes. Consent should be an avenue. GDPR also provides for ability to correct information.
  *   Laureen / GAC: Effort has been focused on GDPR and future proofing, but reality is that we can never anticipate the contours of future privacy laws. Need to focus on current landscape which does distinguish between natural and legal person and as such would have preference for requirement. But would be willing to explore how communication is going out to existing customers - is there a way to leverage and inform customer base about difference and how to update? As well as recommend not using personal information. Could have requirement for going forward, but have flexibility for retroactive application.

Additional comments:

  *   Changes to systems are inevitable - could discuss staging of implementation, for example, initially only requirement to new registrations and deal later on with existing registrations, for example through annual WHOIS notice. Explore how this could be done in a phased process.
  *   Regarding distinction between legal/natural using the "Registrant Org" field is not optimal. Could consider using it but it would be "a hack". As such would prefer something more specific here. Should have clear data fields that ask what type of registration this is (for individual / natural person, or business / legal entity). In the latter case, you could even ask for further information like what type of legal entity and in which legal jurisdiction.
  *   Agree that this needs to change, but devil will be in the details. Caution against interfaces, need to keep it general and allow for implementers to suit the circumstances.
  *   Annual WHOIS notices are result of existing policy. Is a challenge - to get anywhere above 10% participation.
  *   Everyone seems to agree that there should be a way to distinguish between legal and natural persons. May need to have some flexibility.
  *   What mechanisms might work? Having certain data fields? Annual WHOIS notices may be less successful? What other mechanisms could be recommended to be responsive to this? Should probably look at what recommended additional data fields in RDDS would need to be captured, for example, registrant type / status. Based on what type of registrant is identified, it would pivot to the type of information that is collected. For a legal entity, it would include title of person who would be the contact, opposed to the name.
  *   In ideal world, this would apply from a point in the future, and at the time of renewal convert old registrations to this new system.
  *   What policy recommendations do we want to make to the full EPDP Team to achieve the desired goal? Let's focus on what can be said.
  *   Possible policy recommendations: Further work to continue to consider this issue, there should be a follow on effort convening a group that would look at the operational issues with restructuring RDDS to distinguish between legal and natural person, collect this information reliably at registration and renewal, and how this could be enforced eventually by ICANN.
  *   Need to be aware of limitations of what can be done within this EPDP.
  *   Detail and timing of implementation is definitely another phase, but could define the policy requirements /goals now in the EPDP. Understand that implementation could take some time, but important to get a commitment on the policy recommendations to distinguish between legal and natural person.
  *   Is there agreement to have a requirement to distinguish between natural and legal person, provided that the implementation process is satisfactory?
  *   Should be high level recommendation in this EPDP that would kick off implementation work - it is desirable / necessary to make this distinction in WHOIS, need to look at the operational options and build an implementation plan to make this happen going forward as well as looking at it retroactively. Extended period of time may be needed to implement this in practice.
  *   Require registrars to ask the question, yes, require registries to put this in their systems, yes, require registrants to answer truthfully, and understand the difference - probably more complicated. Who would be accountable if registrant gets this wrong?
  *   Can agree in principle (desirable to differentiate), but implementation would require much more detail. Would be aspirational, not necessarily implementable.
  *   What would be high level language to puts a bit more
  *   There is rough consensus around the idea that capturing this distinction and making it available is necessary. Principle 2: Rys/Rrs/ICANN should make training/educational resources available to registrants that help registrants understand the distinction b/w a DN that is registered by a natural person and a legal person (since the majority of people do not understand). Third principle: look at what changes would be necessary in terms of the data fields that are defined and collected in WHOIS or successor RDS system and how they differ depending on how a Rt categorizes itself. Fourth - set future date whereby all registrants would be subject to this framework, and a future, future date where transfers and renewals would be subject to this framework.
  *   Could ask staff to start investigating how ccTLDs do this – no need to recreate the wheel if this is already successfully implemented, especially since many registrars also sell those names.
  *   Charter Question 4 - is there a legal basis for this distinction?
     *   Yes, based on GDPR.
     *   Yes, GDPR makes this distinction, though it is not a blanket distinction. Generally, there is utility in making this distinction.
     *   Yes within the GDPR, though this is complicated. Proposal: to get around this problem - corporations are large entities that want to provide data and have an identity theft problem - there should be an authentication required. Rights are protected in the GDPR in the charter for vulnerable groups (journalistic associations, etc.) - it's difficult to distinguish the categories of those groups.  It's easier to filter out the big corporations rather than try to distinguish the smaller entities.
  *   Important to remember the contentious debate b/w commercial and noncommercial websites - this was not about legal and natural persons.  This is related, but separate.
  *   Possible draft recommendation:
     *   EPDP Team recommends that:
     *   Distinction between legal and natural persons is necessary and useful.
     *   Contracted parties, in consultation with other interested parties, will recommend which data fields must be added to accomplish this distinction.
     *   Registries, registrars, ICANN should make (educational) resources available that help registrants understand the distinction between a domain name that is registered by a natural person vs. legal person / entity. (educational resources)
     *   Follow-on work to this EPDP will determine the timing of implementation phases.
     *   Consultation with ccTLDs will be helpful in implementation. That consultation should begin now.
  *   Good start. Take this back to the full group. More work to do.
  *   Does not capture the agreement that it would be a requirement for new registrants, but for legacy registrations it would be phased in. Timing between the two would need to be captured further.
  *   Add notes section so that additional comments can be made included.
  *   Small group to review and modify language by Sunday COB with the objective to circulate this early next week.

Action item #1: Staff to put the possible draft recommendation up as a google doc and provide editing rights to the small team to further refine the language.

Action item #2: Small team to review and refine language by Friday 5 October COB. Following that take it back to the EPDP Team for input and consideration.

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses <http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.
