[Gnso-epdp-team] For your review: updated recommendations 10, 11, 12

Thomas Rickert epdp at gdpr.ninja
Mon Feb 11 13:56:00 UTC 2019


All,
Sorry for swamping the list, but one thing we could also do to make things easier at the operational level: It is common practice to add a certain period to the retention period to implement deletion. We could therefore enhance the 1 year to 1,5 years clarifying that the additional time is needed to implement the deletion.

With that, we could also address the problem that was raised that TDRP claims could be filed on the very last day and not reach the CP in time.

Best,
Thomas

> Am 11.02.2019 um 14:28 schrieb Thomas Rickert <epdp at gdpr.ninja>:
> 
> Hi Marika, Berry and Caitlin,
> A few suggestions for amendments, which are hopefully considered friendly
> 
> Recommendation 15:
> Your addition in Point 1 reads: .     The EPDP Team recommends community members be invited to contribute to this data gathering exercise by providing input on other legitimate purposes for which different retention purposes may be applicable.  
>  
> Let’s please speak of retention PERIODS, not retention PURPOSES.
> 
> Your addition in point 2 reads: 
> This retention period does not restrict the ability of registries and registrars to retain data elements provided in Recommendations 4 -7 for other purposes specified in Recommendation 1 for shorter periods.
> I guess that the added language does not work. The way we designed this, the data can be used for TDRP for a year after deletion and ONLY for that purpose. If we want to keep the data accessible by staff of the registry or registrar for other purposes, we need to say for what purposes and for what period. That is not an impossible task, we would just need to do it. 
> 
> We could, for the sake of completeness, add : Also Registries and registrars might retain data for other periods and other purposes based on their business processes and applicable legal requirements.
> 
> Recommendation 18:
> 
> I would reinstate the words „requests for“ as the data disclosure procedure is triggered by a request of a requestor, so we are just describing the process.
> 
> Best,
> Thomas
> 
> 
>> Am 11.02.2019 um 02:13 schrieb Caitlin Tubergen <caitlin.tubergen at icann.org <mailto:caitlin.tubergen at icann.org>>:
>> 
>> Hi All,
>>  
>> In response to the feedback received on the data retention and reasonable access recommendations (updated recommendations 15 and 18, respectively), please find updated text for your review in advance of our next meeting, Monday, 11 February at 1400 UTC.
>>  
>> Thank you.
>>  
>> Best regards,
>>  
>> Marika, Berry, and Caitlin
>>  
>> From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org <mailto:gnso-epdp-team-bounces at icann.org>> on behalf of Thomas Rickert <epdp at gdpr.ninja <mailto:epdp at gdpr.ninja>>
>> Date: Sunday, February 10, 2019 at 12:56 PM
>> To: Kurt Pritz <kurt at kjpritz.com <mailto:kurt at kjpritz.com>>
>> Cc: "gnso-epdp-team at icann.org <mailto:gnso-epdp-team at icann.org>" <gnso-epdp-team at icann.org <mailto:gnso-epdp-team at icann.org>>
>> Subject: Re: [Gnso-epdp-team] For your review: updated recommendations 10, 11, 12
>>  
>> Hi Kurt, Ashley, all, 
>> thanks in particular to Kurt and Ashley for their analysis and suggestions. 
>>  
>> To be clear, It was not my intention to rule out LEA disclosures or establish hurdles for those. The opposite is true: We should not give the impression that contracted parties would only honor disclosure requests if the requirements in our recommendation 12 are met even if LEA requirements for requesting data would be lower. It would be inappropriate for us even to give the impression that we would ask LEAs to give more or other data than they are required to by law for their disclosure requests. 
>>  
>> Let me suggest language that I hope meets Ashley’s requirements while not going into too much details on the legal rationales that I have offered during our call.
>>  
>> "Whilst the EPDP Team is confident that the criteria enumerated in this recommendation work for data disclosure requests relating to civil claims, the EPDP Team did not yet have an opportunity work on policy for LEA disclosure requests. It may well be that LEA disclosure requests can be honored following the criteria in this recommendation, but there may be different criteria or processes that need to be followed depending on the jurisdiction of the requesting LEA, the alleged crimes involved and the location of the contracted party as a condition for the contracted party to be entitled to or be required to disclose data."
>>  
>> We could either put this into the text of the recommendation or make it a footnote, but I think that a disclaimer of some sort is warranted for the sake of transparency with respect to the status of our recommendation and our work.
>>  
>> I hope you find this helpful,
>> Thomas
>>  
>> 
>> 
>>> Am 08.02.2019 um 17:04 schrieb Kurt Pritz <kurt at kjpritz.com <mailto:kurt at kjpritz.com>>:
>>>  
>>> Thanks for this additional input on Recommendation 13.  Please forgive these observations and consider this recommendation for closing off this remaining issue. 
>>>  
>>> During our meeting Thomas was given the floor to explain his edits. During that, there was the usual chat going on: first some non-substantive commentary, then a different discussion. Partially through Thomas’ intervention, I shook myself out of watching the chat to listen to Thomas, who was making a careful, studied explanation of his addition. I kicked myself (figuratively) for missing part his explanation when, in a few months, any of us would probably give a lot to have Thomas available to answer questions such as these. It made we wonder how many of us were watching the chat instead of listening. 
>>>  
>>> Understanding Thomas point, I made the suggestion to the group that we retain it in some form (a more complete explanation of the issue) but move it down into the body of the recommendation as an item to be considered. At that point, my sense was that the team wanted to leave it first and foremost and I withdrew my suggestion to move it. 
>>>  
>>> Having said that, I understand Ashley’s comment that we don’t have a full handle on the effect of the GDPR sections Thomas cited on out recommendations. 
>>>  
>>> I recommend that we: 
>>> respectfully ask Thomas to augment the issue somewhat with a couple / few sentences. 
>>> move that issue to the annotation describing the recommendation with a notation that this issue be sorted out during the implementation discussion. 
>>>  
>>> Let me know what you think. 
>>>  
>>> Best regards,
>>>  
>>> Kurt
>>>  
>>> 
>>> 
>>>>  
>>>> 
>>>> At 07/02/2019 03:52 PM, Heineman, Ashley wrote:
>>>> 
>>>> 
>>>>> Thanks for this and hello colleagues,
>>>>>  
>>>>> After further reflection on today’s discussion of Recommendation 12 and the new text proposed by Thomas, I believe this language should be deleted.   Specifically –“ “These criteria are applicable to disclosure requests relating to civil claims. LEA requests will be handled according to applicable laws.”  
>>>>>  
>>>>> While I am extremely pleased with the state of the Recommendation overall, this new insertion has not been fully considered and I believe is misplaced.  
>>>>>  
>>>>> I understand and am sympathetic to Thomas’ concerns, but that being said, I believe those concerns are best addressed elsewhere. The singular intent of Recommendation 12 is to provide clarity around the process and expectations of reasonable lawful disclosure in terms of making requests.  The recommendation attempts to ensure that expectations are set for how to submit requests and in what fashion those requests will be handled once received.  The Recommendation does NOT assume that disclosure will be made and, further, it isn’t even contemplated how and on what basis a decision for disclosing (or not) will be made. Those issues are to be dealt with in Phase 2 and/or otherwise in a specific access discussion.
>>>>>  
>>>>> I’m thus concerned that by explicitly limiting this recommendation to civil requests will unfairly and unnecessarily remove the benefits of process clarity for LEA.   
>>>>>  
>>>>> In light of these concerns, I strongly recommend the deletion of this text.  Thomas’ legitimate concerns should then be taken up and addressed in our Phase 2 work.
>>>>>  
>>>>> Thanks!
>>>>>  
>>>>> Ashley
>>>>> 202 482 0298
>>>>>  
>>>>> From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org <mailto:gnso-epdp-team-bounces at icann.org>> On Behalf Of Caitlin Tubergen
>>>>> Sent: Thursday, February 7, 2019 3:26 PM
>>>>> To: gnso-epdp-team at icann.org <mailto:gnso-epdp-team at icann.org>
>>>>> Subject: [Gnso-epdp-team] For your review: updated recommendations 10, 11, 12
>>>>>  
>>>>> Dear EPDP Team:
>>>>>  
>>>>> Attached, please find the updated recommendations. The updates are the result of today’s EPDP Team discussion
>>>>>  
>>>>> As always, please feel free to flag any text that you believe does not represent what the Team agreed to.
>>>>>  
>>>>> Best regards,
>>>>>  
>>>>> Marika, Berry, and Caitlin
>>>>>  
>>>>>  
>>>>>  
>>>>> _______________________________________________
>>>>> Gnso-epdp-team mailing list
>>>>> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
>>>>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
>>>> _______________________________________________
>>>> Gnso-epdp-team mailing list
>>>> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
>>>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
>>>  
>>> _______________________________________________
>>> Gnso-epdp-team mailing list
>>> Gnso-epdp-team at icann.org <mailto:Gnso-epdp-team at icann.org>
>>> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>
>>  
>> <Updated Rec. 15 - data retention_10 Febv2.docx><Recommendation 18_10Feb.docx>
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190211/3c0aea72/attachment-0001.html>


More information about the Gnso-epdp-team mailing list