[Gnso-epdp-team] Notes and action items - EPDP Phase 2 - Meeting #45 - 5 March 2020

Caitlin Tubergen caitlin.tubergen at icann.org
Thu Mar 5 20:32:53 UTC 2020

Dear EPDP Team:


Please find below the notes and action items from today’s EPDP meeting #45.


Thank you.


Best regards,


Marika, Berry, and Caitlin



Action Items

EPDP Support Staff to send the proposed draft answers to ICANN Org’s questions and assumptions re: the financial considerations for SSAD to the EPDP Team for its review. (Complete) 
EPDP Team to review the draft financial consideration answers. Becky, Amr, Volker, Franck, Marc A., and Mark Sv. to provide feedback on the draft answers by Wednesday, 11 March for the plenary Team’s review.
Re:  Feasibility of unique contacts, no EPDP Team members objected to the Legal Committee’s proposal. EPDP Support Staff to incorporate the draft recommendation into the draft Priority 2 addendum.
Re: City field redaction, Margie to propose, on-list, an automated use case for the disclosure of city field to share with the EPDP Team by Monday, 9 March. 
EPDP support staff to propose text based on today's city field redaction discussion for the EPDP Team’s review in advance of Tuesday, 10 March.
Re: Potential OCTO Purpose, EPDP Team to review ICANN org’s recent response and ICANN Org’s responses from Phase 1 re: the use of nonpublic registration data prior to effective date of GDPR. Following review of the questions and answers from Phase 1, EPDP Team members who believe an additional question/response from ICANN org is still necessary, to provide the draft question and rationale for the EPDP Team’s review by Monday, 9 March.

EPDP Phase 2 - Meeting #45

Proposed Agenda

Thursday, 5 March 2020 at 14.00 UTC


1.                            Roll Call & SOI Updates (5 minutes)


2.                            Confirmation of agenda (Chair)
Request to discuss the financial considerations recommendation if time allows

3.                            Welcome and housekeeping issues (Chair) (5 minutes)
ICANN67 Virtual Meeting – confirmation of schedule
4 meetings during ICANN67
Today’s meeting is also an additional meeting, as it was originally cancelled due to it being a travel day 
Legal committee update
Two documents were circulated to the plenary Team – feasibility of unique contacts and city field redaction
The LC went through the outstanding questions with significant modifications to tighten up the language
If the representative LC reached consensus, the questions will be sent directly to B&B. If not, the questions will go to the plenary for further discussion.
Financial Feasibility
The Team had conversations about the financial feasibility building block in November. The Team thought it would be useful to better understand the possible scale of the SSAD, and Janis asked for an estimate on how much the SSAD would cost.
In response to the request, ICANN org sent a detailed list of questions
Support Staff endeavored to provide a first cut of answers for the EPDP Team to review
Should this be further considered during the next meeting, or should a small group of volunteers work on this issue?
EPDP Response:
Prefer to form a small team as this is very involved and may not be a good use of plenary meeting time
There should be ICANN org representation on the small team
Disagree with small team – this should be a discussion on-list instead of in a small team. An on-list discussion would not take time away from plenary meetings. Agree that ICANN org should be a part of the discussion.
Volunteers to look at answers: Becky, Amr, Volker, Franck, Marc. Mark Sv. – will review the document and drive the work on-list, but the plenary team is also invited to provide feedback. Small team calls can be scheduled if absolutely necessary. 

4.       Feasibility of unique contacts (priority 2) (30 minutes)
EPDP Team to review Legal Committee proposal
Advice from Bird & Bird – whether there is a pseudonymized email or anonymized email, it would be considered personal data. 
Legal committee’s conclusion, based on the advice, was that the uniform masked email addresses results in the publication of personal data; therefore, wide publication of masked email addresses is not currently feasible under the GDPR as disclosure would, in certain circumstances, require meaningful human review, i.e., balancing test under GDPR Article 6(1)(f).
Does the EPDP Team agree with the Legal Committee’s recommendation?
EPDP Team Response:
This legal opinion is confusing b/c of the term masked – does this mean that part of the email is in clear text while part of it is masked? Why is the word masked the appropriate term here?
The use of the term masked in this paragraph is Becky’s. In either case, technically the emails would be pseudonymized personal data. Even if every character is not the same but would still enable you to contact the email, it is still considered personal data.
This is fundamentally different than directly contacting via a pseudonymized email vs a link to contact an intermediary.
The issue is not contactability; the issue is the fact that you can use the pseudonymized email to identify a particular individual
Confirm next steps
No EPDP Team objections to the recommendation of the Legal Committee – EPDP Support Staff to update the draft Priority 2 addendum accordingly

5.       City field redaction (priority 2) (30 minutes)
EPDP Team to review Legal Committee proposal
The Legal Committee reviewed the previous legal advice received in Phase 1 re: the permissibility of publishing the city field in public RDDS
B&B’s conclusion: in order to perform the balancing test, the EPDP Team would need to provide additional information about the benefits of universal publication of city field. 
B&B lays out how to conduct balancing test
EPDP Team response:
First time seeing a reference to a generic balancing test. If we do not have to look at the particulars of the data subject, that changes a lot of previous recommendations.
The scope of this memo is not a case-by-case balancing, but it is not a generic balancing test – it is a specific but very challenging balancing test and considering the rights of all individuals who would be affected by universal publication
In terms of automated disclosure for specific use cases, there are specific use cases where city field is relevant for specific legal claims. This memo was focused on the universal publication. The balancing test may not be as difficult with automatic disclosures, and this is a specific automated use case in the examples Mark Sv. provided
Interpreted the B&B advice differently – publication of this does not make any sense. This advice does not make a case for universal publication, but in some instances a requestor may ask for automated disclosure of the city field. Could the Team agree that we will not universally publish the city field in the general case and review it under automated use cases?
Easiest way to solve this – the CP should perform the balancing test – recommend that the city field may be disclosed in the public WHOIS but may be redacted based on the CP’s analysis – that way, we allow the publication of more for those who would like to publish
Either the CP should be able to decide for their own domains or all CPs should redact the city field
Phase 1 Rec. 11 states that city field MUST be redacted; proposal to change this to a MAY
Do not agree with making this a choice for contracted parties as the city field is part of the data subject’s address
This should be considered as part of the automated use cases
Action: Margie to formulate text to consider on disclosure of city field as an automated use case
Logical contradiction in MAY proposal: if the city field is redacted and someone requests it, the CP will be able to decide if they are putting themselves at a legal risk. No need for CPs to publish this data if they want to. If there is a legal privacy right, it should not be widely published.
Confirm next steps
Action: Margie to formulate text to consider on disclosure of city field as an automated use case


6.       Potential OCTO Purpose (if time allows)
Review ICANN org response
Received an email from ICANN org liaisons – sent to the EPDP Team on 26 Feb
ICANN org did not identify any additional uses for non-public registration data
In the email, there is a paragraph that references the public data and associated uses, like the BRDA, but these uses do not use non-public data
There is a letter from Goran to GNSO Council re: ARS, noting it cannot do this work without non-public data
There is a difference b/w what ICANN org is doing now vs. what it was doing before GDPR – such as where ICANN was accessing the entire WHOIS database, conducting testing of new registrars and registries 
ICANN org already answered this – GDPR changed the landscape and some things that used to be common are simply no longer possible, and WHOIS ARS is an example of that
If ICANN believes it has a purpose for the data in the future, there is nothing stopping this. ICANN is a controller and can create the purpose in the future. 
ARS is an audit, and that is allowed under the current purposes. Why ICANN has chosen not to do it is a separate issue
OCTO and Org are two distinct entities. ICANN has not identified any additional purposes outside of what is covered in Phase 1
Confirm next steps
EPDP Team to review previous responses from OCTO and revisit the question

7.                            Wrap and confirm next EPDP Team meeting (5 minutes):
Tuesday 10 March 2020 Virtual ICANN67 Cancun EPDP Team meeting (tentative 9:00 – 11:00 local time (14:00 – 16:00 UTC) - https://67.schedule.icann.org/meetings/1152557
Confirm action items
Confirm questions for ICANN Org, if any


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200305/038a13db/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20200305/038a13db/smime-0001.p7s>

More information about the Gnso-epdp-team mailing list