[Gnso-epdp-team] Rational regarding Appendix C removal and onward referral

Alan Woods alan at donuts.email
Tue Sep 4 12:36:31 UTC 2018

Thank you Kavouss for your comments.

To clarify, our recommendations are twofold:

1) Removal of Appendix C

2) EPDP recommendation that ICANN must engage with the Contracted Parties
to put in place the legally required instruments (such as Art 26 or 28, as
appropriate) without further delay that would enshrine the GDPR concepts
found in Appendix C.

2A) the EPDP should also further recommend that such a review of contracts
(for the purposes of data processing arrangements), must extend to those
other service providers, which are equally essential to the DNS ecosystem,
including, but not necessarily limited to  EBERO providers, Data Escrow
agents and the RPM agents.

The purpose of our recommendation is based on the reasoning that Appendix C
is a last minute insertion/acknowledgement of the GDPR required data
agreements, (Art 28 and Art 26 which require written agreements between the
Processors and Controllers - or the Joint Controllers). We submit that this
appendix is not trying to define policy, but instead is restating what is
essentially a checklist of GDPR provisions which are to be included in any
such processing agreements (we try to highlight this in the appendix to our

 We also reference the stated intention of the ICANN Board themselves. In
their Advisory document (17th May 2018), 4.2.1 specifically notes the
future necessity to incorporate the Data Processing Requirements into the
RA and RRA  [although not specifically referring to, Appendix C, we must
noted that Appendix C is titled "Data Processing Requirements"] . In the
interests of time, we, as an expedited PDP should seek to avoid
unnecessarily expending our time on the review of an appendix that merely
restates legislation, and especially where it was intended, by the board,
to be later developed as a contractual matter, and thus outside the scope
of our EPDP.

I agree we must be very clear on the task of the EPDP. Our mission is set
the policy for Data Processing, which will essentially be the community
"ground rules" for handling registrant data in the DNS sphere. We are still
very much tasked with fully assessing many vital matters such as legal
basis, purpose, necessity etc. all of which are key to the concepts of
disclosure, access and transfer, some of which you have noted. So in full
agreement with you, upon removing Appendix C, we must remain focused on the
matters which are vital to the success of the output of the EPDP.

I look forward to discussing later today.

Kind regards

Alan Woods

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20180904/3acfc893/attachment.html>

More information about the Gnso-epdp-team mailing list