[Gnso-epdp-team] legal advice and budget

Trang Nguyen trang.nguyen at icann.org
Mon Jun 17 21:20:11 UTC 2019

Dear Thomas, EPDP Team colleagues,
Thank you for your email, Thomas. We agree that both ICANN org and contracted parties must be compliant with GDPR, which is the focus of the EPDP. Your point about synergies is also a good one, which is why we are following the EPDP Team’s suggestion from Phase 1 to use Bird & Bird both to advise ICANN org and to answer questions from the EPDP Team.
With regard to your comment about record of processing activities, the EPDP Team previously asked for ICANN Compliance’s record of processing. In a 20 November 2018 response, ICANN org provided an ICANN Compliance summary of processing activities. That response can be viewed here: <<https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000944.html>>
Implementation of EPDP Phase 1 recommendations will require additional documentation of registration data processing activities, including activities by ICANN org, registry operators, registrars, and other third-parties. That work is underway and will be shared with the community and EPDP Team when ready.
With regard to Data Protection Impact Assessment, as previously mentioned in a response to the EPDP Team on 17 November 2018, ICANN org has not previously done a DPIA. The response stated: “In general, a DPIA is designed to (a) describe the processing and purpose of processing of personal data, including where applicable the legitimate interest pursued by the controller, (b) assess the processing necessity and proportionality, and (c) help manage the risks to the rights and freedoms of data subjects resulting from the processing. The elements of a DPIA are more fully described in Article 35(7) of the GDPR.  Under Article 35(1), a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.
“ICANN org considered conducting a DPIA since early in the discussion of GDPR and gTLD registration data. One of the issues is when to do a DPIA that is most timely and useful--should the DPIA be conducted on the original requirements in the registry and registrar agreements, on the Temporary Specification which is temporary, or on the new requirements being discussed in the EPDP? We continue to evaluate whether that assessment should be performed and, if so, when.” A link to this response can be viewed here: <<https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000909.html>>
We wish you and the EPDP Team safe travels to Marrakech.
Dan and Trang
ICANN Org Liaisons

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> on behalf of Thomas Rickert <epdp at gdpr.ninja>
Date: Saturday, June 15, 2019 at 1:02 PM
To: Marika Konings <marika.konings at icann.org>
Cc: "gnso-epdp-team at icann.org" <gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] legal advice and budget

Hi all,
I know this thread has not been responded to in a while, but I wanted to offer a thought that I hope will not be received as negative.

A lot of the work that our group is doing cannot only be characterized as the community’s policy work, but it is in fact ICANN’s (org) compliance.

Looking at the cost of becoming compliant, the easiest way to save money is to use synergies. We have asked in the past whether ICANN has written a record of processing activities, carried out DPIAs, asked for legal advice on related aspects etc. To my knowledge, we have not been provided with any such documentation.

To be clear, it would be extremely helpful for our group to be able to review existing documents. Even though if our group might hold different views on certain questions, any existing work products would expedite our work. Maybe there are documents in the making, in which case we could build our workplan around potential delivery dates to be able to benefit from such work products. If there is actually no documentation already, it would be good to get clarity around that, too, and we could try to work so that duplicate efforts of the org and our group can be avoided, i.e. so that the org can benefit best from the legal advice we are seeking.

Either way, when looking at where the money shall come from, I think it would be fair not to consider expenditures as the community’s policy making only, but as part of ICANN’s overall compliance activities.

I hope this helps.


Am 23.05.2019 um 23:42 schrieb Marika Konings <marika.konings at icann.org<mailto:marika.konings at icann.org>>:

Please note that the Board in its recent letter noted that “In anticipation of the EPDP Team’s additional needs, the Board has already earmarked additional resources. Release of these resources is contingent on the approval of a detailed work plan and resources identified by the GNSO Council”. As such, the EPDP Team should focus on identifying which legal questions are essential in addressing phase 2 issues based on which a better assessment can be made whether or not additional resources are needed. Of course, there may be additional needs that arise in the course of the deliberations and as noted, the process for obtaining such additional resources is to request those via the GNSO Council.
Best regards,
Caitlin, Berry and Marika
From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> on behalf of Greg Aaron <greg at illumintel.com<mailto:greg at illumintel.com>>
Date: Thursday, May 23, 2019 at 15:34
To: 'Matt Serlin' <matt at brandsight.com<mailto:matt at brandsight.com>>, 'Volker Greimann' <vgreimann at key-systems.net<mailto:vgreimann at key-systems.net>>, "gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>" <gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>>
Subject: Re: [Gnso-epdp-team] legal advice and budget

Start thinking about the contingency now, please, Janis.  When we hear Marika say the first round of questions will almost exhaust the budget, that’s a warning sign the budget’s possibly too small to begin with.  As Matt says, guidance is critical.  Failure to plan now should not prevent us from doing our jobs in the months ahead.  And heaven knows what additional twists we may face.

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> On Behalf Of Matt Serlin
Sent: Thursday, May 23, 2019 12:36 PM
To: Volker Greimann <vgreimann at key-systems.net<mailto:vgreimann at key-systems.net>>; gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>
Subject: Re: [Gnso-epdp-team] legal advice and budget

I agree with Volker…it’s hard to ask for more budget when we don’t actually know what we are going to be spending with the yet and we haven’t exactly formulated what additional interaction we may have with B&B as we move forward.

Having said that, if the group determines we do need additional legal guidance and input, I’d like to think we will be able to get additional funds should that be needed at some point down the road. Legal guidance will be absolutely critical here and I’d hate to see budget issues get in the way of a high quality outcome. I just don’t think we’re there yet.


From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> on behalf of Volker Greimann <vgreimann at key-systems.net<mailto:vgreimann at key-systems.net>>
Date: Thursday, May 23, 2019 at 9:58 AM
To: "gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>" <gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>>
Subject: Re: [Gnso-epdp-team] legal advice and budget

Before we start looking at a bigger pot to spend, lets first see if we can cull needless questions and make better use of the funds we do have.
Am 23.05.2019 um 17:51 schrieb Greg Aaron:
Janis, if more budget may be needed for legal advice, can you start the process of acquiring it?

Marika noted in chat today: “Do also note that there is a limited budget available - passing all these questions on may take up most of that budget which might prevent follow up on any further questions the group may have.”

This PDP is fundamentally about legal issues, and having access to legal advice is essential.  This is a place where ICANN should be spending resources.  Please see SAC104, where SSAC raised this issue to the Council last December:

“2.2 Legal Advice v The EPDP has been largely about legal issues, but the EPDP team has not [always] had access to neutral, expert, outside legal advice. [Bird & Bird was not retained until late into Phase 1.] This is a notable omission given the consequences and regulatory complexity of the work. The SSAC urges the GNSO Council to re-examine this as further policy-making takes place in 2019 and beyond. This subject is a worthy place to spend ICANN budget given the priority and nature of the work, and a place to apply all the professional tools at ICANN’s disposal, in order to carry out ICANN’s responsibility to ensure the stable and secure operation of the Internet's unique identifier systems.

… neutral legal advice would provide substantial benefit by fostering common understandings, consensus, and confidence in the
deliberations and work product. In particular, it may help policy-makers understand the options available to them, given that bodies such as the European Data Protection Board and the national data commissioners are not in a position to answer many questions or evaluate policy proposals.”
https://www.icann.org/en/system/files/files/sac-104-en.pdf [icann.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_en_system_files_files_sac-2D104-2Den.pdf&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=nKhM_m03vpyV3Os2PAdt6DzksxIrdnz3fYJtWfN8rLE&s=yao6GIyYgLMZPMq9yOUcxjh3_7Q940GwigNs1ZAiP3w&e=>


Gnso-epdp-team mailing list

Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>

Volker A. Greimann
General Counsel and Policy Manager

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net [key-systems.net]<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.key-2Dsystems.net_&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=nKhM_m03vpyV3Os2PAdt6DzksxIrdnz3fYJtWfN8rLE&s=l1cwMgcNpb-jY7z-_V_ktjI0sUWFKsEZBYOP10L45Fc&e=>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Alexander Siffrin

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.
Gnso-epdp-team mailing list
Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy [icann.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=nKhM_m03vpyV3Os2PAdt6DzksxIrdnz3fYJtWfN8rLE&s=hqgUNCX6Z_V6uRbC2TABAYvpkLZC_m240ZIm8E64s1Q&e=>) and the website Terms of Service (https://www.icann.org/privacy/tos [icann.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=nKhM_m03vpyV3Os2PAdt6DzksxIrdnz3fYJtWfN8rLE&s=6fgPASnaglQ2YGic1dKWdilgRcptiufZ8wio7biQvzI&e=>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190617/5e90ca9b/attachment-0001.html>

More information about the Gnso-epdp-team mailing list