[Gnso-epdp-team] Response to 10 May letter re. collaboration with EPDP Team

Mueller, Milton L milton at gatech.edu
Fri May 17 04:54:59 UTC 2019

OK, this is an interesting letter.
Thanks to Janis for clearly conveying to Goran the team’s preferences and getting this largely positive response.
Let me just comment on a few parts below:

> I invite all the members of the EPDP Team to work with ICANN org on
> the topics under consideration if this is the Team’s preference.

We will certainly work with ICANN org. Org is represented on the EPDP team through its staff and the board liaisons. We cannot avoid working with ICANN Org. My view is that we do not need an invitation to do so, we need to execute under the existing structures.

> With respect to the expected scope of work, I reiterate the work that
> ICANN org has been supporting in relation to a UAM based on the model
> proposed by the TSG has as its objective to determine whether this
> would diminish the legal liability of contracted parties, who would provide
> access to non-public registration data.

Because the contracted parties are well represented on the EPDP, I believe that the issue of how much legal liability they have, or will accept, is best determined by them, in negotiations with the other stakeholder groups, during the EPDP’s policy making process.

> As noted, further work needs to be undertaken to help inform the
> discussions with the European Commission and Data Protection Authorities,
> before an answer can be provided.

With this statement, ICANN Org seems to be setting itself up as an intermediary between the EPDP and the EC and the DPAs, or, worse, as an entity that is negotiating the policy with them. At best, this is utterly unnecessary. The EC is directly represented on the EPDP via its GAC representative, and the principles of data protection are well represented by the privacy experts in the NCSG and the legal representatives of the Registrars and Registries, whose businesses depend on proper compliance with GDPR (and other privacy laws). Many of them are based in Europe. At any rate, my understanding is that DPAs cannot participate in the policy making process, they can only tell us, ex post, whether what we have done is compliant or not. But _we_ have to do the work.

There is an even worse potential angle aside from the intermediary role. Goran’s statement above might be interpreted to mean that ICANN Org, by entering into “discussions” with the EC and the DPAs, is putting itself into the place of the EPDP team itself, and negotiating a policy on its own. Surely, Goran knows that is not how ICANN works.

> ICANN org would like to have clarity on whether the proposed model reduces
> exposure of contracted parties to liability related to disclosure of non-public
> registration data the soonest possible, hoping that this will help inform the
> EPDP Team’s deliberations.

This is not an unreasonable request; however, again, I would trust the contracted parties to look after their legal liabilities as part of the EPDP process. I do not understand why ICANN org is doing this. Perhaps the RySG and RrSG members on the EPDP team can tell us whether they have asked Goran to take care of their legal liabilities for them? That is a sincere question and it is directed to the CPH, not to ICANN Org.

> I remain at the EPDP’s disposal to channel to the Data Protection
> Authorities any questions that would help the Team with their
> ongoing or future work.

I take this offer as one made in good will, but do we need this channel? This is a real question, not a rhetorical one. Can the EPDP not send questions to DPAs or legal experts itself?
