[Gnso-epdp-team] Fwd: Responses to EPDP Questions

gtheo gtheo at xs4all.nl
Tue Oct 9 10:57:37 UTC 2018


https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment

Theo


Alan Woods wrote on 2018-10-09 11:04 AM:
> Absolutely agree with Thomas on this,
> 
> The answer provided does not explain why a basic aspect of GDPR compliance
> has not been initiated, the result of which would be of immense help and
> support to the efforts of the EPDP. As noted at the last team meeting,
> ICANN are the subject matter experts here, they know their flows and
> expectations better than the EPDP team's combined acumen. We should be
> presented with the record of processing activities / data processing map,
> so that we can consider the reality of current, 'as is' processing
> situation so as to assess if the Temp Spec, in its current form is
> sufficient to confirm basic GDPR compliance.
> 
> Kind regards,
> 
> Alan
> 
> 
> 
> Alan Woods
> Senior Compliance & Policy Manager, Donuts Inc.
> ------------------------------
> The Victorians,
> 15-18 Earlsfort Terrace
> Dublin 2, County Dublin
> Ireland
> 
> On Tue, Oct 9, 2018 at 9:07 AM gtheo <gtheo at xs4all.nl> wrote:
> 
>> I agree Thomas,
>> 
>> Either a DPIA should have been carried out by ICANN ORG prior to the
>> 25th of May, or ICANN ORG has documented why a DPIA is not required.
>> Seems both are missing and ICANN ORG cannot demonstrate compliance
>> regarding Art 35 of the GDPR?
>> 
>> Best,
>> 
>> Theo Geurts
>> 
>> 
>> 
>> 
>> 
>> Thomas Rickert wrote on 2018-10-09 08:29 AM:
>> > Hi Marika,
>> > thanks for sharing this.
>> >
>> > Not sure how others read the answers, but I think that the rationale
>> > for not doing a DPIA is not satisfactory. I do not see any reason why
>> > a DPIA cannot be carried out. It would be hugely beneficial to our
>> > group to inform the balancing of rights discussions we will need to
>> > have.
>> >
>> > I have two more follow-up questions we might want to ask, if the EPDP
>> > team agrees.
>> >
>> > 1. Has ICANN org commissioned any legal assessment or carried out
>> > legal assessments internally with respect to registration data? If so,
>> > can such documents please be shared with the EPDP team?
>> >
>> > 2. We understand that ICANN has not yet established a record of
>> > processing activities. ICANN is required to have such a document, see
>> > Art. 30 GDPR. For the work of our group, it would be very helpful to
>> > obtain the record of processing activities to the extent that
>> > registration data is concerned.
>> >
>> > Thanks and kind regards,
>> > Thomas
>> >
>> >
>> >
>> >> On 09.10.2018 at 05:17, Marika Konings
>> >> <marika.konings at icann.org> wrote:
>> >>
>> >> Dear All,
>> >>
>> >> Please find below additional responses from ICANN Org to a number of
>> >> outstanding questions. We’ll get these posted shortly on the related
>> >> wiki page.
>> >>
>> >> Best regards,
>> >>
>> >> Caitlin, Berry and Marika
>> >>
>> >>>  —————————————
>> >>>
>> >>> The EPDP Team previously requested a summary of ICANN org’s contacts
>> >>> and engagements with the EPDP and DPAs. ICANN org provided a
>> >>> response, which is provided again below for reference:
>> >>>
>> >>> QUESTION: Can ICANN summarize in some searchable form the contacts
>> >>> and engagements with the EDPB and/or other DPAs in relation to the
>> >>> Temporary Specification for gTLD Registration Data?
>> >>>
>> >>> RESPONSE: ICANN org has been open and transparent with our
>> >>> engagements with the EDPB and DPAs. All of the formal written
>> >>> communications from EDPB and DPAs are published on ICANN
>> >>> correspondence. In addition, we’ve had informal verbal conversations
>> >>> with the EDPB and DPAs to educate, inform, and ask for guidance.
>> >>> Summaries of those informal conversations are published in blogs. To
>> >>> assist the EPDP Team in its work, ICANN org will provide the EPDP
>> >>> Team with a compiled list of correspondence received and blogs
>> >>> published thus far, including the topic of each correspondence/blog.
>> >>>
>> >>> As follow-up to the above response, attached is a summary of
>> >>> correspondence between ICANN org and the EPDP/DPAs, as well as
>> >>> announcements and blogs relating to ICANN org’s GDPR-related efforts.
>> >>> The document is marked as draft so that the EPDP Team can review and
>> >>> provide suggestions for re-organization or re-structuring of the
>> >>> content to best meet the EPDP Team’s needs.
>> >>>
>> >>> QUESTION: For which ICANN policies is admin/tech contact information
>> >>> currently a required data element and/or referenced in the policy?
>> >>>
>> >>> RESPONSE: Administrative and technical contact information is
>> >>> referenced in the following ICANN policies and procedures:
>> >>>
>> >>> Registry Registration Data Directory Services Consistent Labeling and
>> >>> Display Policy
>> >>> <https://www.icann.org/resources/pages/rdds-labeling-policy-2017-02-01-en>.
>> >>> Output requirements for administrative and technical contact
>> >>> information.
>> >>>
>> >>> Thick WHOIS Transition Policy for .COM, .NET, .JOBS
>> >>> <https://www.icann.org/resources/pages/thick-whois-transition-policy-2017-02-01-en>.
>> >>> Guidance to registry operators for handling output of administrative
>> >>> and technical contact information where no data exists in the SRS
>> >>> during the period when registrars begin sending Thick WHOIS data to
>> >>> registry operators for all new registrations.
>> >>>
>> >>> Rules for Uniform Domain Name Dispute Resolution Policy
>> >>> <https://www.icann.org/resources/pages/udrp-rules-2015-03-11-en>.
>> >>> Notifications of complaints include administrative and technical
>> >>> contacts information.
>> >>>
>> >>> WHOIS Data Reminder Policy
>> >>> <https://www.icann.org/en/resources/registrars/consensus-policies/wdrp>.
>> >>> WDRP notices may be presented to the registrant either directly or
>> >>> through the administrative contact.
>> >>>
>> >>> Transfer Policy
>> >>> <https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en>.
>> >>> Administrative contact along with the registered name holder have the
>> >>> authority to approve or deny a transfer request. Because of this
>> >>> role, the administrative contact is referenced in parts of the
>> >>> transfer process as well as in the Registrar Transfer Dispute
>> >>> Resolution Policy.
>> >>>
>> >>> Uniform Rapid Suspension System (URS) Rules
>> >>> <http://newgtlds.icann.org/en/applicants/urs/rules-28jun13-en.pdf>.
>> >>> Notifications of complaints include administrative and technical
>> >>> contacts information.
>> >>>
>> >>> QUESTION: We have spent most of this meeting exploring the role of
>> >>> compliance at ICANN, in order to support a proposal that ICANN has an
>> >>> implicit contract with the registrant and that therefore 6 1 b
>> >>> applies as a grounds for processing.  This would also facilitate
>> >>> ICANN operating a UAM on behalf of those who want the data.  It might
>> >>> also explain Goran’s initiative in seeking some kind of recognition
>> >>> by EU authorities that ICANN has a kind of quasi-regulator status, as
>> >>> the authority vested with the responsibility to manage the DNS.
>> >>> Given that all of this is outside the current configuration of ICANN
>> >>> as data controller, which would be more clear had we done a DPIA and
>> >>> had we adequate data maps to work with….can we either get back to our
>> >>> Charter questions that we were mandated to address by the GNSO, or
>> >>> get a full explanation of what is going on and why we continue to be
>> >>> focused on the access question.
>> >>>
>> >>> RESPONSE: This request appears to be directed at the EPDP Team and
>> >>> not ICANN org as ICANN org does not dictate the direction of the EPDP
>> >>> Team’s discussion.
>> >>>
>> >>> QUESTION: Why hasn’t a Data Protection Impact Assessment been carried
>> >>> out to clarify data flows and ICANN’s relationship with the data
>> >>> subject in light of its acknowledged role as a joint controller and
>> >>> Article 35 of the GDPR?
>> >>>
>> >>> RESPONSE: This question was also asked during the Data
>> >>> Protection/Privacy Update Webinar hosted by ICANN org on 8 October
>> >>> 2018. John Jeffrey, ICANN’s General Counsel and Secretary provided
>> >>> the following response:
>> >>>
>> >>> “This is something that has been considered since the very beginning.
>> >>> One of the issues is when to do that in a way that is most timely and
>> >>> useful and how to do that. We continue to evolve the thinking of how
>> >>> the interpretation of GDPR applies to WHOIS. We have a number of
>> >>> questions which have been addressed directly to the DPAs and the EDPB
>> >>> and we’ve have an ongoing discussion with the EC about how to
>> >>> interpret the GDPR. We believe that those are a better format at this
>> >>> point than doing the assessment, but we continue to evaluate whether
>> >>> that assessment would be the right thing to do and when.”
>> >>>
>> >>> The presentation for the webinar is posted here
>> >>> <https://www.icann.org/en/system/files/files/presentation-data-protection-privacy-08oct18-en.pdf>,
>> >>> and the Adobe Connect recording is here
>> >>> <https://participate.icann.org/p29vt2uxodx/>. The question and
>> >>> response start at 0:27:00 in the Adobe Connect recording.
>> >>>
>> >> <DPA Advice Summary-DRAFT.xlsx>
>> >> _______________________________________________
>> >> Gnso-epdp-team mailing list
>> >> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
>> >> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
>> >> <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>