[Gnso-epdp-team] REMINDER: For your review: purposes and user groups

King, Brian Brian.King at markmonitor.com
Wed Nov 27 20:51:34 UTC 2019 

Hi Caitlin,

Please see the IPC’s response below.


  1.  User groups:

  1.  Consider whether or not a set of user groups needs to be developed – is this already addressed through the accreditation recommendations?

IPC Response: We support addressing this through Building Block c), albeit with a couple changes needed, or more preferably through the Purposes Building Block. In Building Block c), section l), “Copyright” should be “Intellectual property” and “exclusive” should be removed. We should also be clear that ICANN Org is represented explicitly in the list. We are puzzled by the RrSG suggestion to remove section n) as Article 15 gives the data subject “the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data” (emphasis added). We are aware that the data is likely available to the RNH in their registrar portal at most registrars, but we’re unaware of any contractual requirement for registrars to make the data available there, so it should be guaranteed in the SSAD.



  1.  If this is considered addressed as a result of the accreditation recommendations, consider the following text:

“The EPDP Team expects that the question of user groups will be addressed through the accreditation policy; specifically, all requestors will need to be accredited, and accreditation will include identity verification, which may include user category/categories.”

IPC Response: This is probably fine if it includes specificity as described above and below. We need to replace “may” with “must” if we’re still referencing user categories. If we’re not, we could say “must include explicit purposes.”



  1.  Purposes:

  1.  Consider purpose 2 and the previous agreement: “The EPDP Team agreed to consider at a later stage in the process whether an ICANN purpose for disclosure is necessary and/or desirable”. Has a later stage arrived, or is further time needed? Is this a question to be raised as part of the public comment period on the Initial Report?

IPC Response: the time is now, and we have actually already agreed on this. As the IPC noted in the Purposes Building Block, the language from the Phase 1 final report language (updated to the present tense) reads, "The EPDP recognizes that ICANN has a responsibility to foster the openness, interoperability, resilience, security and/or stability of the DNS in accordance with its stated mission (citation required). It has a purpose to require actors in the ecosystem to respond to data disclosure requests that are related to the security, stability and resilience of the system." We should include this language as ICANN’s purpose, in addition to EPDP Phase 1 final report Purposes 1 and 3-7.



  1.  Consider also whether a set of pre-determined purposes needs to be developed that third-party requestors can provide. If this is not deemed necessary at this stage, consider the following text:

“As identified in building block a) criteria and content of requests, each request must include information about the legal rights of the requestor specific to the request and/or specific rationale and/or justification for the request, e.g. What is the basis or reason for the request; Why is it necessary for the requestor to ask for this data? The EPDP Team expects that over time, the entity responsible for receiving requests will be able to identify certain patterns that could result in the development of a preset list of rationales and/or justifications that a requestor can select from, while always maintaining the option for the requestor to provide this information in free form”.



IPC Response: Yes, this is necessary. Our work with use cases identified several of the clearest, uncontroversial third-party purposes and their legal bases, connected to the “user groups” in Building Block c). These could be combined to form the necessary set of pre-determined purposes, which can and should be revisited on some ongoing basis to which we should also add a review mechanism to reevaluate, add, or eliminate purposes as the DNS, law, and public policy evolve over time. This is more a legal requirement than a policy position – the GDPR requires data to be, “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. The SSAD risks not being legally compliant if the purposes for which the data is further processed (by third parties) is not “specified” and “explicit” when collected. The list that Staff condensed from the use cases (https://community.icann.org/display/EOTSFGRD/d.+Use+Cases) is a good list of third-party purposes: (i) criminal law enforcement, national or public security, (ii) non law enforcement investigations and civil claims (including intellectual property, UDRP, and URS) (iii) contacting registrants, (iv) consumer protection, abuse prevention, digital service provider (DSP) and network security, or (v) Registered name holder consent or contract.

Happy Thanksgiving!

Brian J. King
Director of Internet Policy and Industry Affairs

T +1 443 761 3726
markmonitor.com<http://www.markmonitor.com>

MarkMonitor
Protecting companies and consumers in a digital world

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Caitlin Tubergen
Sent: Wednesday, November 27, 2019 10:54 AM
To: gnso-epdp-team at icann.org
Subject: [Gnso-epdp-team] REMINDER: For your review: purposes and user groups

Thank you, Sarah and all CPH Members for the timely response.

If any other EPDP Members have any feedback on the below proposals regarding purposes and user groups, please respond by Thursday, 28 November.

Thank you.

Best regards,

Marika, Berry, and Caitlin


From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org<mailto:gnso-epdp-team-bounces at icann.org>> on behalf of Sarah Wyld <swyld at tucows.com<mailto:swyld at tucows.com>>
Organization: Tucows
Date: Tuesday, November 26, 2019 at 8:42 AM
To: "gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>" <gnso-epdp-team at icann.org<mailto:gnso-epdp-team at icann.org>>
Subject: Re: [Gnso-epdp-team] For your review: purposes and user groups


Sent on behalf of the CPH team:



Hello Team,

Thanks for laying out these suggested options for how to approach the Purposes and User Groups.

We note that this would not generally be our preferred approach for addressing open issues, but because we did significant work on these topics already in plenary, we think that we can agree with the proposal for how to conclude these questions.

For User Groups, the building block in combination with the Accreditation building block should be sufficient to identify users and group them appropriately; we can therefore support the suggested text in the second bullet point.

For Purposes, we agree that no further work is required, and again support the second bullet point in that section.

Yours Truly,

The CPH Team





--

Sarah Wyld

Domains Product Team

Tucows

+1.416 535 0123 Ext. 1392




On 11/21/2019 6:02 PM, Caitlin Tubergen wrote:
Dear EPDP Team:

Under the Team’s current review schedule, no time has been set aside to further discuss purposes and user groups. To that end, we wanted to test a proposed approach to these building blocks as outlined in the list of issues that was shared prior to ICANN66.

User groups:

  *   Consider whether or not a set of user groups needs to be developed – is this already addressed through the accreditation recommendations?
  *   If this is considered addressed as a result of the accreditation recommendations, consider the following text:
“The EPDP Team expects that the question of user groups will be addressed through the accreditation policy; specifically, all requestors will need to be accredited, and accreditation will include identity verification, which may include user category/categories.”

Purposes:

  *   Consider purpose 2 and the previous agreement: “The EPDP Team agreed to consider at a later stage in the process whether an ICANN purpose for disclosure is necessary and/or desirable”. Has a later stage arrived, or is further time needed? Is this a question to be raised as part of the public comment period on the Initial Report?
  *   Consider also whether a set of pre-determined purposes needs to be developed that third-party requestors can provide. If this is not deemed necessary at this stage, consider the following text:
“As identified in building block a) criteria and content of requests, each request must include information about the legal rights of the requestor specific to the request and/or specific rationale and/or justification for the request, e.g. What is the basis or reason for the request; Why is it necessary for the requestor to ask for this data? The EPDP Team expects that over time, the entity responsible for receiving requests will be able to identify certain patterns that could result in the development of a preset list of rationales and/or justifications that a requestor can select from, while always maintaining the option for the requestor to provide this information in free form”.

Based on your feedback, the leadership team will determine when to discuss this further or whether the proposed approach has sufficient support to be incorporated in the draft Initial Report.

Please provide feedback by Thursday, 28 November.

Best regards,

Marika, Berry, and Caitlin



_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team at icann.org<mailto:Gnso-epdp-team at icann.org>

https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20191127/a161bf38/attachment-0001.html>

More information about the Gnso-epdp-team mailing list