[Gnso-epdp-team] Notes & Action Items - EPDP Phase 2 Meeting #57

policy at bacinblack.com policy at bacinblack.com
Thu May 14 19:01:28 UTC 2020

Dear EPDP Team:


Please find below the notes and action items from today’s meeting.


The next EPDP Team meeting will be Tuesday 19 May at 14.00 UTC, where we will continue to discuss Recommendation #7 Authorization Automated & Recommendation #16 Automation.



Best regards,


Marika, Berry, and Caitlin



Action Items:

1.	Homework for additional Tuesday meetings is due on Mondays at 18.00 UTC for Tuesday’s meeting items
2.	EPDP Team to further consider the path for automation in cases where it is confirmed that there is no legal risk. 
3.	EPDP Team to provide its input on data retention <https://docs.google.com/document/d/1k5w2BMWiPBzpj_HeghcaijX2F2SVd5JHjKgDKIGRrfw/edit?usp=sharing>  (if not done so yet), acceptable use policy <https://docs.google.com/document/d/1h2179UY3KNoA3eIC1sdVR8G-GN_brLAN3h89r9fOtjE/edit?usp=sharing> , query policy <https://docs.google.com/document/d/1IkLu_tfMCayjjeXZLpivgXL5G2dtCepv440YpVTADSw/edit?usp=sharing>  and terms of use <https://docs.google.com/document/d/1sBVjsUf3JNQclGMpMS4PXBaffarVF5galoWxpVjzRYg/edit?usp=sharing>  by Monday 18 May at 18.00 UTC



EPDP Phase 2 - Meeting #57

Proposed Agenda

Thursday 14 May 2020 at 14.00 UTC


1.	Roll Call & SOI Updates (5 minutes)


2.	Confirmation of agenda (Chair)


3.	Welcome and housekeeping issues (Chair) (10 minutes)

a.	Updated timeline, including review of input received on addendum

*	Still trying to meet the deadline that has been set by GNSO Council to finalize work on SSAD
*	See updated timeline circulated together with the agenda – understand that this is an ambitious timeline but call on all groups to put in last effort with the aim to finalize work
*	Understand there is concern in the team about intensity of work and that some issues may not be finalized on time. As you recall, the group early on separated out priority 1 and 2 items with the understanding that the priority 2 items were not deemed critical for operation of SSAD and could be addressed at a later stage. However, group is aiming to include as many priority 2 items as possible in the SSAD Final Report but it may not be possible to address all, either as a result of external dependencies or more time being needed for deliberations.
*	GNSO Chair Keith Drazek has joined for this agenda item to discuss possible ways forward, especially on priority 2 items that cannot be addressed in the SSAD Final Report:

*	Thanks to the EPDP Team for all the time and effort spent to date on these topics;
*	Crunch time in the next several weeks to get to a final report on SSAD;
*	Council understands that there are issues that may not be on the critical path but which are still important, like data accuracy, privacy / proxy implementation, legal vs. natural; 
*	Recognized the importance of recommendations in relation to the evolution of SSAD, consistent with existing processes and procedures while providing predictability;
*	Council has a meeting on 21 May and will discuss how to establish a process for dealing with issues that are not on a critical path for SSAD. Council will take these issues seriously and commits to providing a path for addressing these issues. Council has not had concrete discussions yet, but some have suggested a possible phase 3 or alternative approaches. Council hopes to provide EPDP Team with feedback shortly after those discussions. Council may need to look at each of the remaining items and see what is the best way to address those items. If there is a phase 3 that would require finding a new chair as Janis will depart at the end of June. 
*	EPDP Team should focus on the critical path, delivering a Final Report on SSAD, including a mechanism for the evolution of SSAD, but Council understands that it wants some clarity on how those issues are going to be dealt with that are not on the critical path. 

*	What other options are going to be considered than a phase 3? 
*	What is the urgency on getting SSAD done without also addressing the priority 2 items? Wasn’t the intention to have something as soon as possible – what has changed? Get a working system and then build upon that by addressing other issues. Some of the priority 2 topics may not be resolvable – no consensus possible which would just drag out things. 
*	Many of those caring deeply about priority 2 items are not represented on Council and do not have voting power. 
*	Priority 2 items are critical to the deployment of SSAD and as such cannot be dragged out. Will need a very good chair to handle those discussions. 
*	Consider creating two buckets of open issues: those where there is divergence and should not pursue (there is no point in prolonging this exercise until some parties get their will) and the second bucket of issues that just need more time. I am not sure whether those are actually for phase 3 or just regular PDPs


Key aspects of updated timeline (see document circulated)

*	As proposed during the last meeting, additional meetings would be scheduled on 2 Tuesdays, namely 19 May and 26 May. 
*	The week of 2 June is EPDP Team homework week – there will be no plenary meetings scheduled, but groups are expected to organize themselves throughout that week to be able to review all updated recommendations to flag any cannot live with items by the end of that week. In addition, groups will be requested to review the discussion tables for the priority 2 items so that concerns can hopefully be resolved allowing for those topics for which concerns can be easily resolved to be included in the SSAD Final Report. 
*	During the week of 15 June additional meetings are likely to be scheduled – this is to a large extent dependent on the # of cannot live with items flagged. 
*	The week of 22 June would be a quiet week to allow groups to review the frozen Final Report and identify any minor edits and/or inconsistencies that should be addressed before the report is finalized and a consensus call is conducted. 
*	Groups are encouraged to do their homework and prepare accordingly.


Action item: Homework for additional Tuesday meetings is due on Mondays at 18.00 UTC for Tuesday’s meeting items


b.	ICANN Org’s cost estimate for SSAD Q & A session update

*	Q & A session was held on Tuesday – recording of that meeting is available and high level responses to questions have been circulated.
*	Cost estimate should be seen as a guiding point for policy development, it is not a price tag as it was developed on certain assumptions. Depending on final recommendations, this estimation could change. 
*	Up to EPDP Team to do the policy work and determine what financial aspects need to be covered in the recommendation – groups to review relevant discussion table and deliberate on any updates to those recommendations as needed. 

c.	Recommendation #6 – updated version posted for review

*	Not all discussion items were covered during last week’s meeting, but in an effort to move forward, the updated recommendation proposes a path forward for those remaining items for EPDP Team review. This updated recommendation has been posted for review (see https://community.icann.org/x/K4LsBw). It also includes a table which catalogues all the edits and where these were derived from. If there are any concerns or questions about changes applied, please flag accordingly.
*	Two wiki pages contain all of the relevant information for the deliberations:

*	Wiki page that contains all the public comment review tool and discussion tables (https://community.icann.org/x/BQZxBw)
*	Wiki page that contains all the updated recommendations for EPDP Team review (https://community.icann.org/x/K4LsBw) 

*	Request to update the EPDP Team as updated documents are posted – note that following the EPDP Team’s review of public comments, the staff support team will post the updated recommendation shortly thereafter.


4.       Recommendation #7 Authorization Automated & Recommendation #16 Automation

a.	Review ‘cannot live with’ items identified (see updated recommendations <https://docs.google.com/document/d/1dsaa_gO78F3hmVZ2P6_yjt716Z9nMyegl3Qj7za0N_o/edit> )

*	The Initial Report contained 2 recommendations that dealt with automation, namely rec #7 – authorization for automated disclosure requests and rec #16 – automation. 
*	The recommendations in the Initial Report referred to further investigation of a set of use cases for possible automation for which legal guidance was subsequently obtained. 
*	The legal committee reviewed this guidance and Becky provided the EPDP Team with an update during our meeting on 30 April following which the staff support team was tasked to take a stab at updating the recommendations in light of the legal guidance as well as the comments received in response to the public comment forum for EPDP Team review.
*	The rewrite combines the two recommendations and contains some reorganization – the EPDP Team may need to consider whether two separate recommendations are still the best approach or whether this should be one recommendation with sub-headings. 
*	When assigning these tasks to staff, leadership expects them to use their best judgement in updating the language in line with the EPDP Team’s expectations, input and deliberations to date, which highlights the importance of doing homework so that views of the different groups are known and documented. As always, these rewrites are shared back with the EPDP Team for review and input.
*	One last thing, please make sure to take into account the color coding of the recommendations. Language in green is language that is taken verbatim from the Initial Report – no reopening of language that has been previously agreed unless there is a good reason to do so. Similarly, please make sure that you have reviewed notes and recordings from meetings that you were not able to attend – the group does not halt its deliberations and decisions just because you weren’t there, you are always able to channel your concerns via your group or homework assignments in advance of the meeting. 


Cannot live with items:

Item #1: Changes from ‘should’ to ‘must’ in relation to automation.

*	Question – legal advice confirmed that automation for the use cases identified is possible – why is there concern about changing this to MUST? Like any other rule, if there is a legal reason why a CP cannot comply, there are provisions for handling that? CPs would need to be able to explain on a case by case basis if they do not disclose the data, not necessarily an overall waiver.
*	Process for exemptions is problematic. Should sets expectations with CPs, changing to must takes away flexibility for CPs. Make it at the choice of the controller. 
*	Legal memo identified three use cases in which it would be legally permissible to automate. Question is whether these MAY or MUST be automated.  
*	Legally permissible is not the only factor, it should also include a risk analysis before it could be changed to a MUST. 
*	The requirement would only be for the use cases where legal advice has confirmed that there is no risk, for all other cases it will be at the choice of the CPs. Some groups agreed to the hybrid model on the notion that when legal permissibility would be demonstrated, there would be a requirement for automation. 
*	For the cases for which Bird & Bird has identified no risk, it should be MUST. Mechanism could similarly only recommend further use cases if authoritative legal advice is received. How would this be implemented?
*	Who will take on liability for these automated decisions? Just because it is possible doesn’t mean it is doable. 
*	Consider making it a best practice to automatically disclose – following best practice would be a requirement but if there is an issue, CPs would need to explain why it is not following the best practice. How would a best practice be enforceable? CP would need to explain very well why it does not follow the best practice. If it fails to do so, there can and should be a route for ICANN compliance to step in. 
*	CP happy to automate as much as they can, but being required to do so is problematic. 
*	What is remaining risk for these use cases? If those risks can be addressed, maybe that could provide a path to ‘MUST’? If there is legal certainty that there is no legal risk, can there be a MUST? 


Action item: EPDP Team to further consider the path for automation in cases where it is confirmed that there is no legal risk. 


Item #2

Staff support team to take a stab at better describing automation.


Item #3 

Staff support team to take a stab at reorganizing section c).


Item #4

Is this relevant here? It is relevant in context of SSAD, but not as much in the context of automation. Commercially feasible is in the eye of the beholder – should this be a more neutral process than currently proposed?

Some flagged that financial considerations may not be in scope as it is not in the charter. It was pointed out that the PDP manual does request a PDP Team to consider the budgetary impact of recommendations. As noted before, this is not about the price tag, but about better understanding possible budgetary implications and guidance that the group may want to provide in the form of policy proposals related to the financial sustainability. 

Consider reformulating after reviewing financial considerations comments – leave for now


Item #5

Use case overlooked – will be added in updated version.


Item #6 

Proposed wording change by GAC – agreement to make this change.


Item #7

Make clear that it concerns requests by LEA that do not require meaningful review and that have as a lawful basis 6(1)b that could be automated. Note that not all CP are okay with automating that. To be further considered.


b.	Confirm next steps


5.       Recommendations not considered by EPDP

a.	Review discussion items gleaned from input provided on recommendations not considered by EPDP <https://docs.google.com/document/d/1QGzM6bvdRPq77tLt2EmMBw7FE7kplwQROT2hY61ZzWc/edit> 
b.	Confirm next steps


Deferred to next meeting


6.       Recommendation #4 Third Party Justification 

a.	Review discussion items gleaned from input provided on recommendations not considered by EPDP <https://docs.google.com/document/d/1FLaBcU3Nl0vdRPO2-jmwLE2TcqdBNKLTiObOYdjcniw/edit> 
b.	Confirm next steps


Deferred to next meeting


7.       Recommendation #14 Data Retention

a.	Review discussion items gleaned from input provided on recommendations not considered by EPDP <https://docs.google.com/document/d/1k5w2BMWiPBzpj_HeghcaijX2F2SVd5JHjKgDKIGRrfw/edit> 
b.	Confirm next steps


Deferred to next meeting


8.	Wrap and confirm next EPDP Team meeting (5 minutes):

a.	Tuesday 19 May at 14.00 UTC. Topic to be addressed: Acceptable Use, Query Policy, Terms of use.
b.	Confirm action items

c.	Confirm questions for ICANN Org, if any


Action item: EPDP Team to provide its input on data retention <https://docs.google.com/document/d/1k5w2BMWiPBzpj_HeghcaijX2F2SVd5JHjKgDKIGRrfw/edit?usp=sharing>  (if not done so yet), acceptable use policy <https://docs.google.com/document/d/1h2179UY3KNoA3eIC1sdVR8G-GN_brLAN3h89r9fOtjE/edit?usp=sharing> , query policy <https://docs.google.com/document/d/1IkLu_tfMCayjjeXZLpivgXL5G2dtCepv440YpVTADSw/edit?usp=sharing>  and terms of use <https://docs.google.com/document/d/1sBVjsUf3JNQclGMpMS4PXBaffarVF5galoWxpVjzRYg/edit?usp=sharing>  by Monday 18 May at 18.00 UTC

