[Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC

Ayden Férdeline icann at ferdeline.com
Mon Sep 23 20:40:06 UTC 2019


Greg,

I believe the existing legal advice, contained in Bird & Bird's legal memo of 10 September 2019 (question 3), supports the need for natural persons to have a right to object to data processing activities.

On page 10 of the memo Bird & Bird advised, "The initial and annual notice and opt-out process suggested by the EPDP would not be sufficient: an individual would be given general notice that an automated process may be used, but would not know that a decision has actually been taken on this basis and, unless an individual was aware of this, he or she would not be in a position to take advantage of the safeguards required by the GDPR."

They also advised (same page):

"... safeguards require the controller to notify the data subject as soon as possible that a decision has been taken, at which point the data subject has up to one month to require the controller to reconsider the decision, with significant operational implications for any urgent requests."

I still need to consult with NCSG colleagues regarding the language that I proposed, but I believe any building block k language that does not ensure there are mechanisms in place that allow registrants to exercise their rights under the GDPR would be unacceptable to us.

Thanks,

Ayden

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 23 September 2019 18:10, Greg Aaron <greg at illumintel.com> wrote:

> Ayden’s proposal has major flaws, and IMHO is a non-starter.
>
> One: it does not propose a deadline for the registry/registrar to provide any substantive response, i.e. the data or a denial.  Instead, it seems to allow contracted parties to not provide a substantive response for sixteen days, and maybe more.  That sets a very long response floor and expectation for the entire gTLD world.  The effective result will be: no flow of data.
>
> Two: as we discussed in Los Angeles, we are trying to automate what can be automated, including automated decision-making where it is possible.  For anything that is automated, an ACK letter is not necessary -- instead the data (or a 6(1)f denial) should just come back in reply.  That would leverage RDAP, which is a goal of ours.  See also the TSG paper.
>
> Three: a written ACK is appropriate for requests that are made offline, outside the system.  Even then, an acknowledgement of receipt can be issued automatically and immediately by the contracting party (with a tracking number).  That’s SOP for any system that requires the tracking of submissions, and most registrars already do it with customer service tickets.
>
> Four: the proposal assumes that data subjects must be informed every time a request for their data comes in, and that data subjects have the right to decline the processing. The GDPR does not require either of those. Instead, GDPR requires that the data subject be made aware before of the processing that may happen, and who generally the recipients may be. Appropriately, the Temp Spec already covers this – it requires registrars to notify their registrants of the specific purposes for which their data will be processed, and potential recipients, so case-based notification is not required. (Temp Spec, Section 7.) If the policy needs to be more specific and tell registrants that they are subject to GDPR Article 6 disclosures, then we should make that happen. Unfortunately Ayden’s proposal builds in a way for data subjects to hide their criminal activity and cover their tracks. That is not necessary under the law, and it is contrary to the GDPR’s intent. SSAC provided the legal-sub team with draft questions about these topics in the last submission round, and hopefully those will go to Bird & Bird soon.
>
> All best,
>
> --Greg
>
> From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Ayden Férdeline
> Sent: Sunday, September 22, 2019 7:06 PM
> To: Alex Deacon <alex at colevalleyconsulting.com>
> Cc: gnso-epdp-team at icann.org
> Subject: Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC
>
> Hi Alex,
>
> I envision this being some form of written communication (most likely an email) that lets the SSAD requestor know that their request has been successfully received and is being processed. I also imagine it containing a copy of their request.
>
> Thanks,
>
> Ayden
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Sunday, 22 September 2019 22:45, Alex Deacon <alex at colevalleyconsulting.com> wrote:
>
>> Ayden,
>>
>> Can you describe what form this "Receipt Acknowledgement Letter" would take?
>>
>> Alex
>>
>> ___________
>>
>> Alex Deacon
>>
>> Cole Valley Consulting
>>
>> alex at colevalleyconsulting.com
>>
>> +1.415.488.6009
>>
>> On Sat, Sep 21, 2019 at 11:41 AM Ayden Férdeline <icann at ferdeline.com> wrote:
>>
>>> Hi,
>>>
>>> Regarding building block k, I have alternate language that I would like to table for consideration please.
>>>
>>> The language circulated in the below email is:
>>>
>>> Building Block k) (Receipt of acknowledgement)
>>>
>>> The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible.
>>>
>>> The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below.
>>>
>>> Proposed new language (changes in red):
>>>
>>> Building Block k) (Acknowledgement of request)
>>>
>>> The EPDP Team recommends that upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed.
>>>
>>> Kind regards,
>>>
>>> Ayden Férdeline
>>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>
>>> On Saturday, 21 September 2019 02:19, Marika Konings <marika.konings at icann.org> wrote:
>>>
>>>> Dear EPDP Team,
>>>>
>>>> Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review.
>>>>
>>>> Best regards,
>>>>
>>>> Caitlin, Berry and Marika
>>>>
>>>> ===========
>>>>
>>>> EPDP Phase 2 - Meeting #20
>>>>
>>>> Proposed Agenda
>>>>
>>>> Tuesday, 24 September 2019 at 14.00 UTC
>>>>
>>>> 1. Roll Call & SOI Updates (5 minutes)
>>>>
>>>> 2. Confirmation of agenda (Chair)
>>>>
>>>> 3. Welcome and housekeeping issues (Chair) (5 minutes)
>>>>
>>>>    a) Reminder - the EPDP Team members to populate the contents of the lawful basis table by Wednesday 25 September (see https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT--9aD2lHZI/edit)
>>>>
>>>>    b) Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting
>>>>
>>>> 4. Acceptable Use Policy (Building block d & h) – first reading (30 minutes).
>>>>
>>>>    a) Initial discussion
>>>>
>>>>    b) Feedback from EPDP Team
>>>>
>>>>    c) Confirm next steps
>>>>
>>>> 5. Receipt of acknowledgement (building block k) – first reading (30 minutes)
>>>>
>>>>    a) Initial discussion
>>>>
>>>>    b) Feedback from EPDP Team
>>>>
>>>>    c) Confirm next steps
>>>>
>>>> 6. Who should be responsible for disclosure decision (15 minutes)
>>>>
>>>>    a) Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQuniv8/edit)
>>>>
>>>>    b) Consider team input and approach forward
>>>>
>>>>    c) Confirm next steps
>>>>
>>>> 7. Wrap and confirm next EPDP Team meeting (5 minutes):
>>>>
>>>>    a) Thursday 26 September 2019 at 14.00 UTC
>>>>
>>>>    b) Confirm action items
>>>>
>>>>    c) Confirm questions for ICANN Org, if any
>>>>
>>>> Marika Konings
>>>>
>>>> Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
>>>>
>>>> Email: marika.konings at icann.org
>>>>
>>>> Follow the GNSO via Twitter @ICANN_GNSO
>>>>
>>>> Find out more about the GNSO by taking our [interactive courses](http://learn.icann.org/courses/gnso) and visiting the [GNSO Newcomer pages](http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers).
>>>