[Gnso-epdp-team] Proposed Agenda EPDP Team meeting #5 - Thursday 6 June at

King, Brian Brian.King at markmonitor.com
Thu Jun 6 01:38:37 UTC 2019

Hi Marika,

Thank you to Caitlin, Berry, Marika for getting us started on defining SSAD user groups. This is important work for us in Phase 2. IPC’s general and specific comments follow:


In each section, we should change c) and d) from “requesting data” to “processing data.” While we understand that a demand or query must be made, we note that we covered “requesting data” in Recommendation 18 in Phase 1, and now we must develop the mechanism for processing data in the SSAD context.  GDPR requires that we go through this exercise to establish the purposes and bases for “processing data,” so that’s the more accurate term here.

Overriding Interests
In general, we caution against assuming that the privacy interests of the data subject will always override a particular user group’s interest; this is legally inaccurate. There is a broad spectrum of 6.1(f) interest weighing (https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf), including data protection safeguards we should build into the system. Building in these safeguards works to our advantage as we can change “the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden,” which will make standardized access as legally sound as possible.


To add to the list, we probably need a user group for ICANN. This will help show that we’re not conflating ICANN purposes with third party purposes. ICANN users could be listed together, or separately as OCTO, ARS or DAAR work specifically, Contractual Compliance, or established as several different user groups. What does the EPDP team think?

Registrants are an important user group, and must be included. We must ensure through policy that registrants are able to access the data that’s processed about them, in the system where it’s contractually obligated to be provided. This is key to exercising the registrant’s right to withdraw consent, right to rectification, erasure, etc., and a GDPR-compliant system requires data subject access. While many registrars make this information available in their customer portals, it’s not required that registrars do so, so we cannot assume it will be available to registrants in the registrar portal, especially with data minimization principles in play. We also should not presuppose a policy outcome that requires registrars to hold authoritative domain registration data. In fact, as suggested by the GAC, registrar liability may be lessened if the data were stored and accessed via a third-party portal. Registrars have been clear that registrar account credentials and data processed for a registrar’s business needs do not necessarily equal “WHOIS” data, which is separate and distinct from registrar purposes. Use cases for the registrant end user group include confirming registration data for releasing funds from escrow, verifying transfer completion, validating that renewal reminders and web form notices are going to the intended email address, and SSL Certificate provisioning.

End users
End users are an important user group, and must be included as a registration data user group. Lawful uses of registration data by end users can come in many forms, including establishing trustworthiness before the end user purchases a product, provides information on a web form, or clicks a suspicious link. “Consumer protection” is a fundamental right under the Charter of Fundamental Rights of the European Union (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT), and has been confirmed in the context of registration data access by the EC’s comments to the EPDP.

If the LEA distinction was intended to capture the difference between 6.1(e) and 6.1(f) processing, we note that the standard for 6.1(e) is not based on the LEA being European; rather, the processing must simply have a basis in Union or Member State law. A foreign LEA investigating a malicious botnet, for example, has a 6.1(e) basis because this form of cybercrime is illegal under Union or Member State law. Other bases (including but not limited to 6.1(c) and 6.1(d)) may also apply, according to the EC. LEA access should also not be limited to cybercrime or DNS abuse – LEAs use domain registration data to investigate all manner of crimes, not just those related to the DNS. To keep us focused, our goal here is to establish access that is standardized. LEAs with authority in a contracted party’s jurisdiction should already have legal means to subpoena any data needed, according to the differing standards present across the world’s various jurisdictions. The scope of our work vis-à-vis LEAs is to establish legal, standardized access to registration data notwithstanding local subpoena rules. So, we should have a single standard for LEAs, regardless of the jurisdiction of the contracted party or the LEA.

Intellectual Property
Intellectual property is a fundamental right under the Charter of Fundamental Rights of the European Union (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT). It is protected in It is not an “interest or position.” Accordingly:
a) should read, “Holders of intellectual property rights and their agents, attorneys, and rights enforcement representatives;”
b) should read, “Attestation in good faith that the user is the owner, agent, attorney, or rights enforcement representative of the intellectual property in question;”
c) should read, “•To investigate whether the registration or use of the domain name is violating intellectual property rights
•             In order to enable contact with parties using a domain name that is being investigated for violation of intellectual property rights
•             To enable identification of domain name Registrants to support trademark clearance (risk analysis) when establishing new brands
d) should read, “each of 6.1(a) through (f), depending on the facts of the investigation”
e) as a placeholder, should read, “various data elements may be necessary, depending on the facts of the investigation”

Thanks, all. Welcome robust discussion on this tomorrow.

Brian J. King
Director of Internet Policy & Industry Affairs
MarkMonitor / Part of Clarivate Analytics
Phone: +1 (443) 761-3726
brian.king at markmonitor.com<mailto:brian.king at markmonitor.com>

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Marika Konings
Sent: Tuesday, June 4, 2019 11:00 AM
To: gnso-epdp-team at icann.org
Subject: [Gnso-epdp-team] Proposed Agenda EPDP Team meeting #5 - Thursday 6 June at

Dear EPDP Team,

Please see below the proposed agenda for Thursday’s EPDP Team meeting. Due to unforeseen circumstances, Steve Crocker will not be able to attend so his presentation to the EPDP Team will be rescheduled for another time. Please review the attached document prior to the meeting in preparation for agenda item 6.

Best regards,

Caitlin, Berry and Marika

EPDP Phase 2 - Meeting #5
Proposed Agenda
Thursday, 6 June 2019 at 14.00 UTC

1.               Roll Call & SOI Updates (5 minutes)

2.               Confirmation of agenda (Chair)

3.               Welcome and housekeeping issues (Chair) (10 minutes)

  *   SG/C/SO/AC input requests have been sent – deadline for input 21 June
  *   Working definitions
  *   Legal advisory group

4.               Review of clarifying questions, concerns and/or background information submitted in relation to GNSO Council -Board consultation in relation to Board action on Phase 1 recommendations - see https://www.icann.org/resources/board-material/resolutions-2019-05-15-en#1.b<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_resources_board-2Dmaterial_resolutions-2D2019-2D05-2D15-2Den-231.b&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=JkWP8AleBkzMavmymC-XYGJEaFEHQ9g7ewIXREdD5aI&s=NORsjnXboZ8Uu-xzmRkQeeiv46xo3kZxB-ChgItCi6w&e=> (Chair) (15 minutes)

     *   Overview of clarifying questions, concerns and/or background information put forward
     *   Discuss which of these have support of EPDP Team to be submitted to GNSO Council
     *   Confirm next steps

5.               SSAD Priority 1 worksheet (15 minutes) (Marika)

     *   Overview of input received – see https://docs.google.com/document/d/1uoolznpxb0JxddFZA5n9ueRkB4tjDOQQCoMeQWpbiSc/edit?usp=sharing<https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_document_d_1uoolznpxb0JxddFZA5n9ueRkB4tjDOQQCoMeQWpbiSc_edit-3Fusp-3Dsharing&d=DwMGaQ&c=OGmtg_3SI10Cogwk-ShFiw&r=qQNCXqU_XE2XIdXbawYmk-YDflYH6pd8ffXlzxU37OA&m=JkWP8AleBkzMavmymC-XYGJEaFEHQ9g7ewIXREdD5aI&s=epnuSUMrQ_FhnUI_FgnaHil_h9_BDo9XnJQI9ve7Tro&e=>
     *   Further comments / questions
     *   Confirm next steps for finalization of priority 1 worksheet

6.               SSAD – Topic c Topic: Define user groups, criteria and purposes / lawful basis per user group (Marika) (60 minutes)

     *   Review template developed by staff support team (see attached)
     *   EPDP Team input
     *   Confirm next steps

7.               Any other business

     *   Priority 2 small team meetings update

Reminder - Call schedule remaining priority 2 worksheets:
·         Wednesday, 12 June - 20:00 – 21.30 UTC
City field redaction
Data Retention
·         Monday 17 June – 13:00 – 14:30 UTC
Potential OCTO Purpose
Feasibility of unique contacts to have a uniform anonymized email address
·         TBC (post ICANN65)
Accuracy and WHOIS ARS

8.               Wrap and confirm next meeting to be scheduled for Thursday, 13 June at 14.00 UTC (5 minutes)

     *   Confirm action items
     *   Confirm questions for ICANN Org, if any

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org<mailto:marika.konings at icann.org>

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_gnso&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=Cg5uQf0yAfw-qlFZ0WNBfsLmmtBNUiH0SuI6Vg-gXBQ&e=> and visiting the GNSO Newcomer pages<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gnso.icann.org_files_gnso_presentations_policy-2Defforts.htm-23newcomers&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=7_PQAir-9nJQ2uB2cWiTDDDo5Hfy5HL9rSTe65iXLVM&m=5DXgId95wrCsHi--pxTiJD7bMB9r-T5ytCn7od3CF2Q&s=tT-E2RoAucUb3pfL9zmlbRdq1sytaEf765KOEkBVCjk&e=>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190606/2515ad00/attachment-0001.html>

More information about the Gnso-epdp-team mailing list