[Gnso-epdp-team] Notes and action items EPDP Team Meeting #42

Marika Konings marika.konings at icann.org
Tue Feb 5 18:27:30 UTC 2019


Dear EPDP Team,

Please find below the notes and action items of today’s EPDP Team meetings. You are encouraged to take particular note of the different action items. For your information, attached you will find the proposed updated timeline that was shared during the meeting.

Best regards,

Caitlin, Berry and Marika

===============


EPDP Team Meeting #42

Tuesday, 5 February 2019

Notes and Action Items


High-level Notes/Actions:


Action item #1: Extension of deadline for the EPDP Team to flag issues for further consideration following the review of the latest version of the Final Report: Tuesday 5 February COB.


Action item #2: CPs to share within max. 24-48 hours the proposed approach in relation to implementation bridge options


Action item #3: Leadership team to consider adding paragraph to Final Report in relation to the overarching requirements of GDPR compliance in relation to personal information and the definition of personal data as information that could lead to the discovery of personal data.


Action item #4: Kristina Rosette to provide suggested edits to the reasonable access recommendation to ensure consistency in terminology and provide necessary clarifications to facilitate implementation work


Action item #5: Staff to make note in the Final Report that ARS is considered covered as part of purpose 5 (ICANN Compliance) and related updates that have been made in the purpose 5 data elements workbooks.


Action item #6: EPDP Team to review additional ICANN Org questions and indicate as soon as possible on the email list and suggest if any of these need to be addressed in the Final Report.


Questions for ICANN Org from the EPDP Team: None


Notes & Action items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ .

Proposed Agenda:

1.  Roll Call & SOI Updates

  *   Attendance will be taken from Adobe Connect
  *   Remember to mute your microphones when not speaking and state your name before speaking for transcription purposes.
  *   Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.


2. Welcome and Updates from EPDP Team Chair (5 minutes)


a) Reminder: process for Final Report input & Consensus Call


  *   See https://community.icann.org/x/VZwWBg
  *   See email sent by Keith Drazek, GNSO Chair, concerning some limited flexibility in the timeline to make the report as complete as possible and provide some quiet time for people to review the final report.
  *   See updated timeline shared during the meeting which factors in the additional time that is available per the letter from Goran Marby. (see also attached)
  *   This provides for a 5-day quiet period to allow EPDP Team members to flag any issues that were overlooked, are inconsistent or in error and review consensus designations (note, this is not an opportunity to reopen previously closed issues or question previously reached agreements).
  *   Appreciate all the input provided on the mailing list. Hope to be able to close off some of these discussions on the mailing list, although some may require further consideration.
  *   Consensus call - purposes alone is not sufficient to look at for consensus as there are other recommendations that are linked to it. It does look like there is agreement on those other recommendations linked to purposes, so that may address some of the concerns. Note that this is an iterative process and as such, conditions can be attached to it, and there will be an opportunity at the end to see the whole package and flag any issues / concerns at that stage.
  *   Objective of additional meeting is to finalize outstanding issues.
  *   Reminder, please send any substantive issues that require further consideration to the mailing list. Any minor edits / updates should be added to the google doc: https://docs.google.com/document/d/1sVZ9odV0qK1Bk8a4bDwWe5RW_PBzOnYBhHW_GnLL8jw/edit?usp=sharing.


Action item #1: Extension of deadline for the EPDP Team to flag issues for further consideration following the review of the latest version of the Final Report: Tuesday 5 February COB.


b) Review of outstanding action items

c) Other updates, if applicable


3. Implementation Transition Period (30 minutes)


Per last week’s action item: “Registry and Registrar EPDP Team Members to review implementation bridge options with respective stakeholder groups and come forward with a proposal for the next EPDP Team meeting on Tuesday, 5 February”


a) CPs to present proposal

b) Discuss proposal

c) Confirmation of agreement reached or next steps to come to agreement


  *   Some additional conversations have taken place. Circle back to some of the proposals that have been flagged previously. What would be enforced by compliance at the moment of the expiration of the Temporary Specification. Still have not achieved 100% sign off from CPs - hope to present something back to the group shortly. Will need some time for the group to be able to consider this proposal before the quiet period starts.
  *   Letter from Goran - two extra weeks are conditional on Final Report including policy recommendations on the bridging mechanism.


Action item #2: CPs to share within max. 24-48 hours the proposed approach in relation to implementation bridge options


4. Data Elements Workbooks Small Team Update


a) Update on status of work

b) Questions / clarifications

c) Expected next steps


  *   See latest version here: https://community.icann.org/display/EOTSFGRD/e.+Data+Elements+Workbooks
  *   DE small team is deep diving into the data elements workbooks to ensure that these are consistent with the EPDP Team recommendations and are accurate.
  *   Updates to the overall data matrix may also be necessary (see latest consolidated data elements table here: https://community.icann.org/download/attachments/96207076/Data%20Elements%20Matrix_v1.1.xlsx?version=1&modificationDate=1549334185442&api=v2 )
  *   Minimum data set is to be viewed per purpose.
  *   In the introduction section of Annex D, small team created definitions for each of the primary processing activities. You will also find a new legend that attempts to more precisely define Required vs. Optional, etc. as this specificity is needed to be precise.
  *   See also split between 1A and 1B, per the input that has been provided previously by RySG. Certain registries may not need certain data elements, while others do.
  *   Next small team is meeting later today. Aim is to conclude Purposes 4 - 6 plus some additional to-dos. Aim is to have finalized workbooks to the plenary by Thursday.
  *   To follow this work, please see relevant wiki page: https://community.icann.org/x/5AC8BQ. Note that call recordings and notes are also available and distributed to the EPDP Team.


5. Items flagged for further discussion


a) Privacy / Proxy registrations – see mailing list proposal and discussion


  *   Two variations of the recommendation have been shared on the mailing list
  *   P/P registration is not personal information, so should be published?
  *   Original intent of Temp Spec was pragmatic one - to avoid a situation whereby P/P information was behind the gate and that any reasonable access request would just result in the disclosure of P/P information which would mean another request would need to be made which would cause significant delays.
  *   Pseudonymized email could be considered personal information, but not any of the other information in relation to the P/P service.
  *   Need to be clear about the risk profile we are creating for registrar - pseudonymized data is not anonymous, still risk associated with it.
  *   Is this already settled by PPSAI? Not necessarily for this group to address.
  *   There are already reasonable disclosure procedures available to reveal this information.
  *   Is concern only about the email address? If so, should recommendation include MUST include the public WHOIS and return in response to query full WHOIS data, apart from the pseudonymized email for which it would be MAY?
  *   Need to be careful to not restrain market innovation and different ways in which businesses are running their businesses. How to at least get non-personal data shared? Require that the services identify themselves and provide a mechanism for legitimate and lawful requests for underlying data. 2013 RAA already requires this.
  *   Not asking for change in the nature of P/P services or registrant data, just the data associated with the P/P or an indication it is a P/P registration.
  *   May need to consider the difference between P/P services.
  *   Possible compromise language: Registrars must publish the non-personal data associated with P/P registration?
  *   Is email communication already addressed in recommendation #10? Is there some obligation on the registrar to provide conduit?
  *   Consider restricting it to affiliated p/p services.
  *   Proposed updated language (no objections noted): In the case of a domain name registration where an "affiliated" privacy/proxy service used (e.g. where data associated with a natural person is masked), Registrar (and Registry where applicable) MUST include in the public RDDS and return in response to any query full non-personal RDDS data of the privacy/proxy service, which MAY also include the existing privacy/proxy pseudonymized email. *include footnote with reference to definition of "affiliated" as per the RAA.


Action item #3: Leadership team to consider adding paragraph to Final Report in relation to the overarching requirements of GDPR compliance in relation to personal information and the definition of personal data as information that could lead to the discovery of personal data.


b) Reasonable access


  *   See latest version shared during the meeting which reflects original language plus edits suggested by Alex Deacon on the mailing list
  *   Wonder if this would work from an implementation perspective: "a timeline for processing and responding to the disclosure requests in alignment with the Art. 12 GDPR timeframe for providing information to the data subject."
  *   How does this link to purposes? Should a purpose need to be identified in the request? Consider adding a reference in second bullet under Reasonable Disclosure Requests to purposes.
  *   Art. 12.3: The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In CPs' experience, 30 days is an acceptable base timeframe. Sometimes we need longer in which case we would communicate with the requestor, which is also in line with the Art. 12 requirement.
  *   Also need to review intro paragraph – are these recommendations still in line with what the temp spec originally recommended?


Action item #4: Kristina Rosette to provide suggested edits to the reasonable access recommendation to ensure consistency in terminology and provide necessary clarifications to facilitate implementation work


c) Additional Purposes

  *   See latest version circulated by Ayden to the mailing list
  *   Aims to address the input received to date on this topic
  *   Cannot speculate on future uses and give a blanket permission – need to do proper analysis and ensure GDPR compliance
  *   Clarify in report that updates made to workbooks to clarify that ARS is dealt with in Compliance purpose
  *   Explanatory language aims to explain the context of the recommendation.
  *   See also proposed edit by the BC to add ‘threat response’ to the recommendation so that it would read: “The EPDP Team commits to considering in Phase 2 of its work whether additional purposes should be considered to facilitate research ADD: [ and threat response] carried out by ICANN’s Office of the Chief Technology Officer……” Threat response is different work – should it be made more general? Instead of referring to research, maybe refer to ‘facilitate the mission carried out by OCTO’? See https://www.icann.org/octo. Make change to refer to carrying out mission of OCTO (see https://www.icann.org/octo).
  *   This would be an ICANN purpose – ICANN needs to deal with this if it were to establish this purpose, as it is a controller.
  *   No objections noted to the language as modified by Ayden, with a reference to the OCTO mission (as noted above)


Action item #5: Staff to make note in the Final Report that ARS is considered covered as part of purpose 5 (ICANN Compliance) and related updates that have been made in the purpose 5 data elements workbooks.


6. ICANN Org Questions


Per last week’s action item, EPDP Team to review additional ICANN org questions and indicate on the email list if any of these need to be addressed in the Final Report

a) Consider topics flagged

b) Discuss proposed approach (‘what happens if these topics are not addressed / covered in the Final Report?’)

c) Confirmation of agreement reached or next steps to come to agreement


Action item #6: EPDP Team to review additional ICANN Org questions and indicate as soon as possible on the email list and suggest if any of these need to be addressed in the Final Report.


7. Wrap and confirm next meeting to be scheduled for Wednesday, 6 February 2019 at 14.00 UTC (5 minutes)


a) Confirm action items

b) Confirm questions for ICANN Org, if any


  *   Tomorrow's meeting may be shorter due to conflicts that some groups may have. This meeting is in addition to Thursday's meeting.
  *   Additional meeting scheduled for Monday 11 February, instead of Tuesday's meeting to allow any finetuning of the report before submission to the GNSO Council (deadline for submission of motions and documents for the Council meeting is Monday 11 February)


Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses <http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: EPDP Team Proposed Timeline - upd 4 February 2019.pdf
Type: application/pdf
Size: 76293 bytes
Desc: EPDP Team Proposed Timeline - upd 4 February 2019.pdf
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190205/f021a1c1/EPDPTeamProposedTimeline-upd4February2019-0001.pdf>

