[Gnso-epdp-team] Geographic Basis - Recommendation for inclusion in the Final Report

[Kurt Pritz]

Hi Everyone:

With the ongoing goal of progressing issues via email, the leadership and support  teams have considered the review of public comment made during the recent plenary conference call and suggests the following language to capture the agreement in principle that was developed on making Geographic Distinctions.

Based on that discussion the recommendation below is proposed for EPDP Team consideration.


Team Discussion

The Initial Report did not contain a Recommendation for the handling of personal data based on geographical considerations. Instead, the Initial Report asked three questions so that the community input could provide a guide for the EPDP Teams deliberations leading to the Final Report. Those questions were:

h)         Applicability of Data Processing Requirements

	h1)     Should Registry Operators and Registrars (“Contracted Parties”) be permitted or required to differentiate between registrants on a geographic basis?

	h2)     Is there a legal basis for Contracted Parties to differentiate between registrants on a geographic basis?


The EPDP Team considered the public comment and developed the following thoughts in its deliberations in addressing the charter questions:

The EPDP Team discussed this extensively (as documented in the Initial Report) as well as in the context of the review on the public comments received on the Initial Report. In relation to part of charter question h1, the EPDP Team agrees that contracted parties should be (and are) permitted to differentiate between registrants on a geographic basis;
However, the EPDP Team members have divergent views on whether differentiation on a geographic basis should be required.
Recognizing that ICANN is a Data Controller in many scenarios and that ICANN may be considered “established” in Europe (within the meaning of the GDPR), the EPDP Team discussed whether those factors would have an effect upon the discussion and determining GDPR-compliant outcomes. It became clear that legal guidance in relation to the applicability of GDPR in the context of ICANN having an ‘establishment’ in Europe could further inform requirements.
The EPDP Team also discussed the possibility of developing a set of rules for guiding the making of geographical distinctions in an GDPR-compliant manner (akin to the EWG hypothesized “rules engine”). The Team agreed that creating this set of rules was a complex task (just as it would be for individual registrars) and agreed such development could not occur within the remit of this Phase I EPDP. Such a development would also be dependent on the response to the aforementioned legal guidance.

EPDP Team Recommendation (a new recommendation as there was none in the Initial Report)

The EPDP Team recommends that the existing requirements of §§ 2.1 and 3 of the  Temporary Specification remain in place, i.e., contracted parties should (and are) permitted to differentiate between registrants on a geographic basis, but are not obligated to do so.

Based on the legal guidance that is provided on this topic:
The EPDP Team may reconsider this recommendation in phase 2 of its work, an
Consider the feasibility conditions and methodology for the development of a rule set for making decisions on geographic distinctions.



Action

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. If there are additional questions for ICANN Compliance that would serve to inform the deliberations on this recommendation, please share these also.

Deadline: Tuesday, 29 January, additional email discussion might follow depending on responses.



Best regards,

Kurt

 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190125/4cedbd7d/attachment-0001.html>