[Gnso-epdp-team] BC Comments on the Phase 2 Proposed Approach

Margie Milam margiemilam at fb.com
Wed May 15 20:11:29 UTC 2019


Dear All,

On behalf of the BC – here are our comments on the draft approach for Phase 2:

  *   Slide 1:
     *   Objective – is to produce a consensus policy that describes the policies for access to non-public registration data for third parties. As previously noted, this information may be personal or non-personal data.
     *   We believe “legal certainty” is not the appropriate standard;  while we agree it’s a goal to minimize risk on the contracted parties, the development of the system can proceed in parallel with the effort to minimize risk.  It is unlikely that “legal certainty” will ever be attained;  but through this process we can solicit and hopefully receive recognition that the system reduces the risk of providing access.
     *   We do not think the word “disclosure” should be used in lieu of “access”. The letters from the European Commission indicate “we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR).”

  *   Slide 3: The definitions are confusing and should not be adopted. It is clear from the quote above that the EC and the ICANN community think of “access” in the context of third party access – limiting the definition of “access” to only be applicable to the registrant or data subject is problematic. The reference to the cited ico.org.uk page<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/> is not relevant because that page refers to “subject access” which is a different concept than what is intended to be accessed through a UAM.
  *   Slide 4: - reference “Standardized Access of Non-Public Data” instead of “Standardized Disclosure of Non-Public Data”
  *   Work Stream 2 – is missing topics from the Phase 1 Final Report:
     *   Data Accuracy and the WHOIS Accuracy Reporting System:   See footnote 6 in the Final Report: The topic of accuracy as related to GDPR compliance is expected to be considered further as well as the WHOIS Accuracy Reporting System.
     *   Revisiting Purpose 2 in light of the GDPR concerns raised in the EC Letters
     *   Revisiting topics in legal memos delivered after the Final Report to see if they affect our analysis.  The recent correspondence from the EC may lead to updates to the Bird & Bird analysis, and thus, may impact some of the policy recommendations from Phase 1.
  *   Slide 5: It is unclear what is meant by “centralized or decentralized” model, so we should be more clear, since it could be referring to centralized/decentralized accreditations, request submissions, data access systems or data storage. In addition, we should add other topics – such as “risk mitigation”.
  *   Slide 6: The timeline for workstream should be shortened.  The timeline has a Final Report published more than 1 year away, which is much too long.  Under this proposed plan, the board approval would be towards the end of next year, and implementation would be years away.  Our timeline should reflect the “expedited” nature of this work and the importance to the Internet Ecosystem.

Mark and I look forward to discussing these issues on our next EPDP call.

All the best,

Margie and Mark
