[Gnso-epdp-team] Fwd: Responses to EPDP Questions

gtheo gtheo at xs4all.nl
Tue Oct 9 08:06:58 UTC 2018

I agree Thomas,

Either a DPIA should have been carried out by ICANN ORG prior to the 
25th of May, or ICANN ORG has documented why a DPIA is not required. 
Seems both are missing and ICANN ORG cannot demonstrate compliance 
regarding Art 35 of the GDPR?


Theo Geurts

Thomas Rickert wrote on 2018-10-09 08:29 AM:
> Hi Marika,
> thanks for sharing this.
> Not sure how others read the answers, but I think that the rationale
> for not doing a DPIA is not satisfactory. I do not see any reason why
> a DPIA cannot be carried out. It would be hugely beneficial to our
> group to inform the balancing of rights discussions we will need to
> have.
> I have two more follow-up questions we might want to ask, if the EPDP
> team agrees.
> 1. Has ICANN org commissioned any legal assessment or carried out
> legal assessments internally with respect to registration data? If so,
> can such documents please be shared with the EPDP team?
> 2. We understand that ICANN has not yet established a record of
> processing activities. ICANN is required to have such a document, see
> Art. 30 GDPR. For the work of our group, it would be very helpful to
> obtain the record of processing activities to the extent that
> registration data is concerned.
> Thanks and kind regards,
> Thomas
>> On 09.10.2018 at 05:17, Marika Konings
>> <marika.konings at icann.org> wrote:
>> Dear All,
>> Please find below additional responses from ICANN Org to a number of 
>> outstanding questions. We’ll get these posted shortly on the related 
>> wiki page.
>> Best regards,
>> Caitlin, Berry and Marika
>>>  —————————————
>>> The EPDP Team previously requested a summary of ICANN org’s contacts 
>>> and engagements with the EPDP and DPAs. ICANN org provided a 
>>> response, which is provided again below for reference:
>>> QUESTION: Can ICANN summarize in some searchable form the contacts 
>>> and engagements with the EDPB and/or other DPAs in relation to the 
>>> Temporary Specification for gTLD Registration Data?
>>> RESPONSE: ICANN org has been open and transparent with our 
>>> engagements with the EDPB and DPAs. All of the formal written 
>>> communications from EDPB and DPAs are published on ICANN 
>>> correspondence. In addition, we’ve had informal verbal conversations 
>>> with the EDPB and DPAs to educate, inform, and ask for guidance. 
>>> Summaries of those informal conversations are published in blogs. To 
>>> assist the EPDP Team in its work, ICANN org will provide the EPDP 
>>> Team with a compiled list of correspondence received and blogs 
>>> published thus far, including the topic of each correspondence/blog.
>>> As follow-up to the above response, attached is a summary of 
>>> correspondence between ICANN org and the EPDP/DPAs, as well as 
>>> announcements and blogs relating to ICANN org’s GDPR-related efforts. 
>>> The document is marked as draft so that the EPDP Team can review and 
>>> provide suggestions for re-organization or re-structuring of the 
>>> content to best meet the EPDP Team’s needs.
>>> QUESTION: For which ICANN policies is admin/tech contact information 
>>> currently a required data element and/or referenced in the policy?
>>> RESPONSE: Administrative and technical contact information is 
>>> referenced in the following ICANN policies and procedures:
>>> Registry Registration Data Directory Services Consistent Labeling and 
>>> Display Policy 
>>> <https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en>. 
>>> Output requirements for administrative and technical contact 
>>> information.
>>> Thick WHOIS Transition Policy for .COM, .NET, .JOBS 
>>> <https://www.icann.org/resources/pages/thick-whois-transition-policy-2017-02-01-en>. 
>>> Guidance to registry operators for handling output of administrative 
>>> and technical contact information where no data exists in the SRS 
>>> during the period when registrars begin sending Thick WHOIS data to 
>>> registry operators for all new registrations.
>>> Rules for Uniform Domain Name Dispute Resolution Policy 
>>> <https://www.icann.org/resources/pages/udrp-rules-2015-03-11-en>. 
>>> Notifications of complaints include administrative and technical 
>>> contacts information.
>>> WHOIS Data Reminder Policy 
>>> <https://www.icann.org/en/resources/registrars/consensus-policies/wdrp>. 
>>> WDRP notices may be presented to the registrant either directly or 
>>> through the administrative contact.
>>> Transfer Policy 
>>> <https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en>. 
>>> Administrative contact along with the registered name holder have the 
>>> authority to approve or deny a transfer request. Because of this 
>>> role, the administrative contact is referenced in parts of the 
>>> transfer process as well as in the Registrar Transfer Dispute 
>>> Resolution Policy.
>>> Uniform Rapid Suspension System (URS) Rules 
>>> <http://newgtlds.icann.org/en/applicants/urs/rules-28jun13-en.pdf>. 
>>> Notifications of complaints include administrative and technical 
>>> contacts information.
>>> QUESTION: We have spent most of this meeting exploring the role of 
>>> compliance at ICANN, in order to support a proposal that ICANN has an 
>>> implicit contract with the registrant and that therefore 6 1 b 
>>> applies as a grounds for processing.  This would also facilitate 
>>> ICANN operating a UAM on behalf of those who want the data.  It might 
>>> also explain Goran’s initiative in seeking some kind of recognition 
>>> by EU authorities that ICANN has a kind of quasi-regulator status, as 
>>> the authority vested with the responsibility to manage the DNS.  
>>> Given that all of this is outside the current configuration of ICANN 
>>> as data controller, which would be more clear had we done a DPIA and 
>>> had we adequate data maps to work with….can we either get back to our 
>>> Charter questions that we were mandated to address by the GNSO, or 
>>> get a full explanation of what is going on and why we continue to be 
>>> focused on the access question.
>>> RESPONSE: This request appears to be directed at the EPDP Team and 
>>> not ICANN org as ICANN org does not dictate the direction of the EPDP 
>>> Team’s discussion.
>>> QUESTION: Why hasn’t a Data Protection Impact Assessment been carried 
>>> out to clarify data flows and ICANN’s relationship with the data 
>>> subject in light of its acknowledged role as a joint controller and 
>>> Article 35 of the GDPR?
>>> RESPONSE: This question was also asked during the Data 
>>> Protection/Privacy Update Webinar hosted by ICANN org on 8 October 
>>> 2018. John Jeffrey, ICANN’s General Counsel and Secretary provided 
>>> the following response:
>>> “This is something that has been considered since the very beginning. 
>>> One of the issues is when to do that in a way that is most timely and 
>>> useful and how to do that. We continue to evolve the thinking of how 
>>> the interpretation of GDPR applies to WHOIS. We have a number of 
>>> questions which have been addressed directly to the DPAs and the EDPB 
>>> and we have an ongoing discussion with the EC about how to 
>>> interpret the GDPR. We believe that those are a better format at this 
>>> point than doing the assessment, but we continue to evaluate whether 
>>> that assessment would be the right thing to do and when.”
>>> The presentation for the webinar is posted here 
>>> <https://www.icann.org/en/system/files/files/presentation-data-protection-privacy-08oct18-en.pdf>, 
>>> and the Adobe Connect recording is here 
>>> <https://participate.icann.org/p29vt2uxodx/>. The question and 
>>> response start at 0:27:00 in the Adobe Connect recording.
>> <DPA Advice Summary-DRAFT.xlsx>
>> _______________________________________________
>> Gnso-epdp-team mailing list
>> Gnso-epdp-team at icann.org
>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
