[Gnso-epdp-team] [Ext] RE: Comments on Final Report & Additional Topics- Part 1

farzaneh badii farzaneh.badii at gmail.com
Wed Feb 6 20:25:23 UTC 2019 

As we said, a purpose for data processing should not be speculative. We
don't even know what personal information should be accessed in the future
and for what activity, how can we have a futuristic purpose.  I have also
clarified numerous time that ICANN in getting involved with Botnet
mitigations did not access personal information itself. It only coordinated
the mitigation effort and facilitated the registries and registrars work in
overcoming the attacks.

 I can't support this purpose if it turns into a laundry list of activities
that are supposed to be carried out by OCTO "in the future". I thought it
could be a compromise, a placeholder for the future discussions and only
limited to the true role of OCTO. But if the group wants to keep adding to
this purpose then I object to having it. At the time that the
necessity occurs for their activities to have access to personal data, then
I am sure some measure through policy etc can be taken to facilitate that.
We don't have a crystal ball. I am not sure a crystal ball approach is GDPR
compliant even.

Farzaneh


On Wed, Feb 6, 2019 at 8:20 AM Ayden Férdeline <icann at ferdeline.com> wrote:

> I am not comfortable with the change. We discussed this topic extensively
> on yesterday's call, and we reached an agreement on different language. We
> have many other topics to discuss, and I respectfully suggest that we need
> to move on.
>
> Ayden
>
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Wednesday, February 6, 2019 8:16 AM, Marika Konings <
> marika.konings at icann.org> wrote:
>
> Thanks, Hadia, but this appears to change the meaning of what was agreed
> during yesterday’s meeting (‘expression of need’)? Of course, if everyone
> is comfortable with this change, we can make it accordingly.
>
>
>
> Best regards,
>
>
>
> Caitlin, Berry and Marika
>
>
>
> *From: *Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> *Date: *Wednesday, February 6, 2019 at 07:04
> *To: *Marika Konings <marika.konings at icann.org>, Margie Milam <
> margiemilam at fb.com>, "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
> *Subject: *[Ext] RE: [Gnso-epdp-team] Comments on Final Report &
> Additional Topics- Part 1
>
>
>
> Thank you Marika, apologies for editing an old version. Please find below
> my edits in orange
>
>
>
> *The EPDP Team commits to considering in Phase 2 of its work whether
> additional purposes should be considered to facilitate ICANN’s Office of
> the Chief Technology Officer (OCTO) to carry out its mission (see
> https://www.icann.org/octo [icann.org]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_octo&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=8jO9a_m23mfKKNsKtbXLa6YCmiIgQc9YXUs1rPt8fsg&s=fO-WN_5SnhV8g_90YVeo7AtN-51CpOuzUg6iIpDMmC8&e=>).
> This consideration should be informed by legal guidance on if/how
> provisions in the GDPR concerning research apply to ICANN Org and **the
> relevance of research to ICANN's mission.*
>
>
>
>
>
> Again my edits are because I think that we should avoid referring to data
> or modes of operation the whole idea is yet to be explored.
>
>
>
>
>
> Hadia
>
>
>
>
>
> *From:* Marika Konings [mailto:marika.konings at icann.org]
> *Sent:* Wednesday, February 06, 2019 2:44 PM
> *To:* Hadia Abdelsalam Mokhtar EL miniawi; Margie Milam;
> gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] Comments on Final Report & Additional
> Topics- Part 1
>
>
>
> Hadia, all,
>
>
>
> Please note that per yesterday’s agreement, the recommendation has been
> updated as follows:
>
>
>
> *The EPDP Team commits to considering in Phase 2 of its work whether
> additional purposes should be considered to facilitate ICANN’s Office of
> the Chief Technology Officer (OCTO) to carry out its mission (see
> https://www.icann.org/octo [icann.org]
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_octo&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=8jO9a_m23mfKKNsKtbXLa6YCmiIgQc9YXUs1rPt8fsg&s=fO-WN_5SnhV8g_90YVeo7AtN-51CpOuzUg6iIpDMmC8&e=>).
> This consideration should be informed by legal guidance on if/how
> provisions in the GDPR concerning research apply to ICANN Org and the
> expression for the need of such pseudonymized data by ICANN. *
>
>
>
> Best regards,
>
>
>
> Caitlin, Berry and Marika
>
>
>
> *From: *Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of
> Hadia Abdelsalam Mokhtar EL miniawi <Hadia at tra.gov.eg>
> *Date: *Wednesday, February 6, 2019 at 06:38
> *To: *Margie Milam <margiemilam at fb.com>, "gnso-epdp-team at icann.org" <
> gnso-epdp-team at icann.org>
> *Subject: *Re: [Gnso-epdp-team] Comments on Final Report & Additional
> Topics- Part 1
>
>
>
> Hi all
>
>
>
> Thank you Margie for your edits I would suggest a minor edit to the
> research purpose to read (my edits are in orange)
>
>
>
> "The EPDP Team commits to  considering in Phase 2 of its work whether
> additional purposes should be considered to facilitate research ADD: [
> and threat response] carried out by ICANN’s Office of the Chief
> Technology Officer (OCTO). This consideration should be informed by legal
> guidance on if/how provisions in the GDPR concerning research apply to
> ICANN Org and the need for the research purpose by ICANN org in
> accordance with the mission of ICANN’s Office of the Chief Technology
> Officer."
>
>
>
> The reason for my edits is that we don't know yet the kind of data that
> would be required nor the means of implementation the whole purpose/idea is
> yet to be explored.
>
>
>
>
>
> Hadia
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] *On
> Behalf Of *Margie Milam
> *Sent:* Tuesday, February 05, 2019 4:03 AM
> *To:* gnso-epdp-team at icann.org
> *Subject:* [Gnso-epdp-team] Comments on Final Report & Additional Topics-
> Part 1
>
>
>
> Hi-
>
> Per Marika’s request, here are some language clarifications for your
> consideration, as well as additional topic submitted on behalf of the BC,
>  and developed in collaboration with the IPC.  New Text is in yellow
> highlight.
> * _________*
>
>
>
> *Rec 1*
>
> *Purpose 1(b):*   Subject to the Registry and Registry Terms Conditions
> and Policies, and ICANN Consensus Policies – please ADD: { and relevant
> registry agreements and registrar accreditation agreements]
>
>
>
> *Purpose 2:*  Footnote 6 needs to be moved to be linked to Purpose 2, not
> Rec 2.
>
>
>
> *Research purpose:*  The EPDP Team commits to  considering in Phase 2 of
> its work whether additional purposes should be considered to facilitate
> research ADD: [ and threat response] carried out by ICANN’s Office of the
> Chief Technology Officer (OCTO). This consideration should be informed by
> legal guidance on if/how provisions in the GDPR concerning research apply
> to ICANN Org and the expression 426for the need of such data by  ICANN
>
>
>
> *Footnote 7/8*  should not be a footnote but moved up to the body of the
> report.  These footnotes are substantive recommendations and commitments
> that should not be buried in a footnote.
>
>
>
> *Rec 7:*   Replace “ICANN Compliance”with ”ICANN Organization” to be
> consistent with other recommendations.
>
> Delete  the quote in  Footnote 12 on page 24, since this is inconsistent
> with Purpose 5.
>
>
>
> *Additional Topics:*
>
>
>
> *INFORMATION TO BE PROVIDED TO THE REGISTRANT:*
>
> Page 16- where there is the quote from the EDPB:
>
>  *It should therefore be made clear, as part of the registration process,
> that the registrant is free to (1) designate the same person as the
> registrant (or its representative) as the administrative or technical
> contact; or (2) provide contact information which does not directly
> identify the administrative or technical contact person concerned
> (e.g. admin at company.com <admin at company.com>). For the avoidance of doubt,
> the EDPB recommends explicitly clarifying this within future updates of the
> Temporary Specification*”.
>
>
>
> We believe it is important to follow the EDPB’s advice and propose
> including a recommendation regarding informed consent, in light of the
> legal advice received, as follows:
>
>
>
> The EPDP recommends that as part of the registration process, the
> Registrar shall offer the registered name holder the option to (1)
> designate the same person as the registrant or its representative as the
> technical contact; or (2) provide contact information which does not
> directly identify the technical contact person, but instead uses a generic
> or role-based email  (e.g.admin at company.com).
>
>
>
> *OPTIONAL TECH CONTACT DISCUSSION:*  We do not support making the Tech
> Contact optional  at the registrar level or registry level and believe that
> more discussion is needed.  For example, we have not discussed what happens
> to existing Tech contacts in the legacy registrations.  Shouldn’t there be
> a similar transitional process to what has been developed for the
> ORGANIZATION field?   In any event, this obligation must be requieeed for
> the registries since they should receive the tech contact data for those
> registrants who have provided consent.
>
>
>
> *RECOMMENTATION  REGARDING CONSENT* Page 19 – Line 549  please delete
>  “as soon as commercially reasonable”.  Instead, this recommendation should
> track the dates for implementation under the transition plan that James and
> the registrars proposed in Toronto.
>
>
>
> *Rec 4:* THICK WHOIS: we do not support the deletion of THICK WHOIS as a
> consensus policy, and believe that this goes beyond the scope of this EPDP.
>
>
>
> *Rec 8:*  GLOBAL REDACTION vs. OPTIONAL AT THE REGISTRAR---  We do not
> agree with global application of the REDACTION, and believe  that this
> recommendation goes well beyond the Temp Spec, which at a minimum allows
> the registrars/registries to CHOOSE a different application, especially
> because of differing legal regimes.  Our policy needs to be flexible enough
> to account for laws beyond GDRP, such as the possible US legislation
> related to WHOIS.  Similarly, we do not believe that the redaction should
> apply to legal persons.  We recall James suggesting that we could consider
> an approach similar to the approach taken for the ORGANIZATION Field, and
> thus we would like to further explore it in Phase 2.
>
>
>
> *Footnote 15* is a recommendation that should be moved into the body of
> the Final Report & not be buried in a footnote.   Also- it needs to exclude
> registrations with privacy/proxy services and those for which the
> registrant has provided consent.
>
>
>
> *PAGE 27*:  REDACTION OF CITY– we don’t agree with the redaction of CITY
> and are awaiting legal advice from Ruth on the issue. As a result, it is
> premature to make a recommendation that it be redacted now.  This should be
> a Phase 2 discussion
>
>
>
> *REC 9:*   Instead of a “via a process that can be determined by each
> registrar”   we should have concrete steps that can be enforced by ICANN.
> Could the registrars identify some reasonable steps for this process?
>
>
>
> ADD:  After the implementation phase-in period, the ORG FIELD will no
> longer be REDACTED by either the registry or registrar.
>
>
>
> We are still working through the remainder of the Final Report, and will
> follow up this email with additional comments.
>
>
>
> All the best,
>
> Margie
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Gnso-epdp-team mailing list
> Gnso-epdp-team at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190206/423462d6/attachment-0001.html>

More information about the Gnso-epdp-team mailing list