[Gnso-epdp-team] Fwd: Responses to EPDP Questions
gtheo
gtheo at xs4all.nl
Tue Oct 9 08:06:58 UTC 2018
I agree Thomas,
Either a DPIA should have been carried out by ICANN ORG prior to the
25th of May, or ICANN ORG has documented why a DPIA is not required.
Seems both are missing and ICANN ORG cannot demonstrate compliance
regarding Art 35 of the GDPR?
Best,
Theo Geurts
Thomas Rickert wrote on 2018-10-09 08:29 AM:
> Hi Marika,
> thanks for sharing this.
>
> Not sure how others read the answers, but I think that the rationale
> for not doing a DPIA is not satisfactory. I do not see any reason why
> a DPIA cannot be carried out. It would be hugely beneficial to our
> group to inform the balancing of rights discussions we will need to
> have.
>
> I have two more follow-up questions we might want to ask, if the EPDP
> team agrees.
>
> 1. Has ICANN org commissioned any legal assessment or carried out
> legal assessments internally with respect to registration data? If so,
> can such documents please be shared with the EPDP team?
>
> 2. We understand that ICANN has not yet established a record of
> processing activities. ICANN is required to have such a document, see
> Art. 30 GDPR. For the work of our group, it would be very helpful to
> obtain the record of processing activities to the extent that
> registration data is concerned.
>
> Thanks and kind regards,
> Thomas
>
>
>
>> On 09.10.2018 at 05:17, Marika Konings
>> <marika.konings at icann.org> wrote:
>>
>> Dear All,
>>
>> Please find below additional responses from ICANN Org to a number of
>> outstanding questions. We’ll get these posted shortly on the related
>> wiki page.
>>
>> Best regards,
>>
>> Caitlin, Berry and Marika
>>
>>> —————————————
>>>
>>> The EPDP Team previously requested a summary of ICANN org’s contacts
>>> and engagements with the EPDP and DPAs. ICANN org provided a
>>> response, which is provided again below for reference:
>>>
>>> QUESTION: Can ICANN summarize in some searchable form the contacts
>>> and engagements with the EDPB and/or other DPAs in relation to the
>>> Temporary Specification for gTLD Registration Data?
>>>
>>> RESPONSE: ICANN org has been open and transparent with our
>>> engagements with the EDPB and DPAs. All of the formal written
>>> communications from EDPB and DPAs are published on ICANN
>>> correspondence. In addition, we’ve had informal verbal conversations
>>> with the EDPB and DPAs to educate, inform, and ask for guidance.
>>> Summaries of those informal conversations are published in blogs. To
>>> assist the EPDP Team in its work, ICANN org will provide the EPDP
>>> Team with a compiled list of correspondence received and blogs
>>> published thus far, including the topic of each correspondence/blog.
>>>
>>> As follow-up to the above response, attached is a summary of
>>> correspondence between ICANN org and the EPDP/DPAs, as well as
>>> announcements and blogs relating to ICANN org’s GDPR-related efforts.
>>> The document is marked as draft so that the EPDP Team can review and
>>> provide suggestions for re-organization or re-structuring of the
>>> content to best meet the EPDP Team’s needs.
>>>
>>> QUESTION: For which ICANN policies is admin/tech contact information
>>> currently a required data element and/or referenced in the policy?
>>>
>>> RESPONSE: Administrative and technical contact information is
>>> referenced in the following ICANN policies and procedures:
>>>
>>> - Registry Registration Data Directory Services Consistent Labeling and
>>>   Display Policy
>>>   <https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en>.
>>>   Output requirements for administrative and technical contact
>>>   information.
>>> - Thick WHOIS Transition Policy for .COM, .NET, .JOBS
>>>   <https://www.icann.org/resources/pages/thick-whois-transition-policy-2017-02-01-en>.
>>>   Guidance to registry operators for handling output of administrative
>>>   and technical contact information where no data exists in the SRS
>>>   during the period when registrars begin sending Thick WHOIS data to
>>>   registry operators for all new registrations.
>>> - Rules for Uniform Domain Name Dispute Resolution Policy
>>>   <https://www.icann.org/resources/pages/udrp-rules-2015-03-11-en>.
>>>   Notifications of complaints include administrative and technical
>>>   contacts information.
>>> - WHOIS Data Reminder Policy
>>>   <https://www.icann.org/en/resources/registrars/consensus-policies/wdrp>.
>>>   WDRP notices may be presented to the registrant either directly or
>>>   through the administrative contact.
>>> - Transfer Policy
>>>   <https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en>.
>>>   Administrative contact along with the registered name holder have the
>>>   authority to approve or deny a transfer request. Because of this
>>>   role, the administrative contact is referenced in parts of the
>>>   transfer process as well as in the Registrar Transfer Dispute
>>>   Resolution Policy.
>>> - Uniform Rapid Suspension System (URS) Rules
>>>   <http://newgtlds.icann.org/en/applicants/urs/rules-28jun13-en.pdf>.
>>>   Notifications of complaints include administrative and technical
>>>   contacts information.
>>>
>>> QUESTION: We have spent most of this meeting exploring the role of
>>> compliance at ICANN, in order to support a proposal that ICANN has an
>>> implicit contract with the registrant and that therefore 6 1 b
>>> applies as a grounds for processing. This would also facilitate
>>> ICANN operating a UAM on behalf of those who want the data. It might
>>> also explain Goran’s initiative in seeking some kind of recognition
>>> by EU authorities that ICANN has a kind of quasi-regulator status, as
>>> the authority vested with the responsibility to manage the DNS.
>>> Given that all of this is outside the current configuration of ICANN
>>> as data controller, which would be more clear had we done a DPIA and
>>> had we adequate data maps to work with….can we either get back to our
>>> Charter questions that we were mandated to address by the GNSO, or
>>> get a full explanation of what is going on and why we continue to be
>>> focused on the access question.
>>>
>>> RESPONSE: This request appears to be directed at the EPDP Team and
>>> not ICANN org as ICANN org does not dictate the direction of the EPDP
>>> Team’s discussion.
>>>
>>> QUESTION: Why hasn’t a Data Protection Impact Assessment been carried
>>> out to clarify data flows and ICANN’s relationship with the data
>>> subject in light of its acknowledged role as a joint controller and
>>> Article 35 of the GDPR?
>>>
>>> RESPONSE: This question was also asked during the Data
>>> Protection/Privacy Update Webinar hosted by ICANN org on 8 October
>>> 2018. John Jeffrey, ICANN’s General Counsel and Secretary provided
>>> the following response:
>>>
>>> “This is something that has been considered since the very beginning.
>>> One of the issues is when to do that in a way that is most timely and
>>> useful and how to do that. We continue to evolve the thinking of how
>>> the interpretation of GDPR applies to WHOIS. We have a number of
>>> questions which have been addressed directly to the DPAs and the EDPB
>>> and we’ve had an ongoing discussion with the EC about how to
>>> interpret the GDPR. We believe that those are a better format at this
>>> point than doing the assessment, but we continue to evaluate whether
>>> that assessment would be the right thing to do and when.”
>>>
>>> The presentation for the webinar is posted here
>>> <https://www.icann.org/en/system/files/files/presentation-data-protection-privacy-08oct18-en.pdf>,
>>> and the Adobe Connect recording is here
>>> <https://participate.icann.org/p29vt2uxodx/>. The question and
>>> response start at 0:27:00 in the Adobe Connect recording.
>>>
>> <DPA Advice Summary-DRAFT.xlsx>
>> _______________________________________________
>> Gnso-epdp-team mailing list
>> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
>> <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>