[Gnso-epdp-team] Major issue in the Data Elements workbooks

Berry Cobb mail at berrycobb.com
Mon Oct 29 13:41:45 UTC 2018

Hi Milton,


Thank you for your questions.  Hopefully, this response will cure your


In short, staff understands this as an evolution of workbook template
structure and perhaps Question #1 within the latest version can be reworded.


You will recall that the first iteration of our workbooks only contained a
Purpose Statement with a series of nine questions to better understand the
purpose.  During the LA F2F, we started to deliberate the lawful basis
against the Purpose Statement only and by Wednesday morning of the F2F the
lawful basis small team started to define multiple Processing Activities for
each Purpose Statement.  This is where the group recognized the possibility
of a lawful basis for each defined Processing Activity and not just the
Purpose Statement itself.  As it turned out, a few of the questions within
that set of nine were an initial attempt at defining a processing activity,
but the first version of the workbook template fell short in that the Data
Elements section along the left side only referred to the processing
activity of Collection.  The old workbook format outgrew its usefulness in
that we also needed to identify/confirm the Data Elements for the other
three standard Processing Activities such as Transmission, Disclosure, and
Retention.  Hence the launch of the next generation workbook the EPDP has
been using for the last several weeks.


As you will now see, each Processing Activity (Collection, Transmission,
Disclosure, Retention) has its own lawful basis (either 6(1)(b) or 6(1)(f))
along with a brief rationale statement.  The intent here is that each
Processing Activity, its lawful basis, and its brief rationale are each
connected back to and reinforce the rationale for the Purpose Statement.


With the latest version of the workbook, the attempt to complete the
rationale for Question #1 of the Purpose Statement was to key off the part
of question "if the purpose was based on an ICANN contract."  Or, as in
Question #2 identifying the relevant ICANN bylaw that supports the
definition of the Purpose Statement and finally Question #3 about the
"picket fence" which is connected to both questions #1 & #2.


In transitioning to the next version of the workbook template, I wanted to
stay as true to the prior version as possible.  Therefore, Question
#1 did not change, even though the lawful basis determination in answering
the question of "is the processing necessary to achieve the purpose" shifted
to the Lawfulness of Processing Test section.


Would a modification of Question #1 address your concern to perhaps "Cite
the relevant section of the ICANN contracts that corresponds to the above
purpose, if any."?   In keeping with the nature of the drilling down
framework, we can even swap Question #1 with Question #2 so that we start at
the top with the identification of ICANN Bylaws and then second the
identification of ICANN contract provisions and third to the "picket fence".


Please advise if this may address the concerns you raise below.


Thank you.


Marika, Caitlin, and Berry.


Berry Cobb

GNSO Policy Consultant



From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of
Mueller, Milton L
Sent: Monday, October 29, 2018 06:23
Subject: [Gnso-epdp-team] Major issue in the Data Elements workbooks


I've gone through three workbooks now (Purposes A, B and C) and have noticed
a significant error in all three of them. Whoever did the last revision of
these documents has confused the question whether something is within
ICANN's mission with the question whether it is lawful under GDPR.


For example, in Purpose A, Purpose Rationale 1 asks, 

"1) If the purpose is based on an ICANN contract, is this lawful as tested
against GDPR and other laws?"


The answer provided has struck out all the appropriate language about 6.1.b
vs 6.1.f, and has inserted: "Yes, this purpose is lawful based on ICANN's
mission to coordinate the allocation and assignment of names in the root
zone of the Domain Name System." It goes on to cite the RAA. 


Something similar has happened with Purposes B and C.  Language about
lawfulness under GDPR has been replaced with language about ICANN's mission
or contracts. 


This is a mistake, and cannot stand. References to ICANN's mission and
contracts tell us nothing about whether something is "lawful as tested
against GDPR and other laws." 

Perhaps the staff and Kurt can clarify how this happened. 


NCSG members are preparing modified versions of the workbooks which correct
the error, but it might be easier if whoever made these modifications would
systematically reverse them. My problem is that I do not know what exact
language regarding purpose rationale was accepted before these changes were



Dr. Milton L. Mueller

Professor, School of Public Policy

Georgia Institute of Technology


