[Gnso-epdp-team] Notes and action items - EPDP Phase 2A Meeting #13 - 1 April 2021

Caitlin Tubergen caitlin.tubergen at icann.org
Thu Apr 1 23:13:57 UTC 2021

Dear EPDP Team,

Please find below the notes and action items<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> from today’s EPDP Team meeting.

The next EPDP Legal Committee will be Tuesday, 6 April at 14:00 UTC, and the next plenary meeting will be Thursday, 8 April at 14:00 UTC.

Best regards,

Berry, Marika, and Caitlin

EPDP Phase 2A - Meeting #13
Proposed Agenda
Thursday 1 April 2021 at 14.00 UTC

1.                            Roll Call & SOI Updates (5 minutes)

2.                            Welcome & Chair updates (Chair) (5 minutes)

     *   Review of March 2021 Project Package (Berry)
           *   During Phase 1, the Council was eager to receive updates on the status of the EPDP Team’s work.
           *   PDP 3.0 introduced a more rigorous approach to project plans in an effort to increase the accountability for all involved in these projects, including staff, leadership, and members.
           *   Please note the second page of the project package, which is the “situation report”. This is an extract of the project the Council considers in its meeting materials, and it is updated twice per month. The situation report highlights what the team is working on, what it will work on next, and what was completed in the prior period.
           *   With respect to status and health of the project, it is currently denoted as “on target”. The feasibility of unique contacts question is slightly downgraded/behind schedule since the Team is awaiting guidance from its external counsel before considering the question further.
           *   There are statistics regarding participation and attendance. The left-hand column shows the plenary and meeting attendance.
           *   This package will be delivered to the GNSO Council shortly.

3.                            Legal vs. natural (40 minutes)

  1.  Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);
  2.  What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.

Guidance development

a.       Review updated write up of guidance proposal

  *   See updated draft write up developed by leadership & staff support team (https://docs.google.com/document/d/11AYCPVEKjF--Obp-okojggWv1Z4R2PBjvZFOGu4blTM/edit#heading=h.gjdgxs)

           *   Within this document, several EPDP Team members have raised the question of definitions with respect to disclosure and publication. Leadership recommends using the language from the Phase 1 IRT draft policy for consistency.

  *   Reactions by EPDP Team:
     *   Does the updated version address input provided to date?

           *   Under the proposed guidance, two thoughts come to mind. There is an enormous focus on legal vs. natural and permission to publish information, and a question re: how to determine if PII is associated with a legal person. Is there a determination that it is OK to make this information available for public access? The question underneath this is how to make this determination. Preference would be to compress and condense the proposed guidance into a simple form – have to make determination whether it is OK or not OK to make the data public. If you cannot get permission from the data subject or make a clear determination based on the data, the data should not be published. Item B provides “as soon as commercially reasonable” – how is this interpreted? It sounds like there is no current requirement to do this, but this is permitted. There will come a time at which ICANN or this group says the time has now come that this is required.
           *   Propose the above questions be put into writing by Steve so the group can further digest. The text quoted is from EPDP Phase 1 Recommendation 6 – this is currently being implemented by ICANN org in conjunction with an Implementation Review Team. This will be a requirement in the future.
           *   Previously asked for registrars to provide further information on how many registrars (if any) have implemented this – still awaiting an answer.
           *   Do not like the definition of publish as this is misleading but defining based on IRT definition is OK.
           *   NCSG had objected strongly to the third option where registrar infers person type. Do not understand step 3 – why isn’t this done at collection?
           *   The paragraph regarding guidance sounds like guidance – would it be better to move this paragraph to the proposed guidance section instead of after the scenarios?
           *   With respect to the definition of publication “to provide registration data in the publicly accessible Registration Data Directory Services”. Want to make sure there are two distinct things – making data publicly accessible (nonpersonal data) and disclosure via the SSAD
           *   To publish, in the context of this group, means publicly available information in the directory (WHOIS, RDAP) as distinct from disclosure which is either through SSAD or a direct request with the contracted party.
           *   Because of different business models that registrars that may employ, inference of person type could be OK – for example, corporate registrars could infer person type b/c of their business type
           *   Difference b/w Scenario 1 and Scenario 2 is the timing at which the data type is chosen by the registrant. This should be two forms of Scenario 1 – the other form would be that the registrant identifies the registrant type at registration and the determination over whether the data is personal could happen at a later time.
           *   With respect to noncommercial companies – legal v. natural is not an easy determinations to make – the determination as to legal personhood is difficult and could vary across a portfolio of domain names. Do not support the idea of making advice binding. The determination of if the guidance is acceptable would be a determination by the data protection commissioner, and co-controllers should err on the side of caution.
           *   The Team is not yet at the point of discussing binding policy recommendations.
           *   Support suggestion of including another flavor where a registrar collects the legal v. natural distinction first and then makes a subsequent determination of if there is personal data.
           *   Would like to have an idea of the registrars on this team of if Rec. 6 has been implemented or not.
           *   Cannot answer for all registrars – but have not yet implemented Rec. 6 b/c waiting for some sort of standard to emerge in the industry.
           *   If there is any update from the Phase 1 IRT that would inform this discussion, please feel free to update the group.
           *   It’s important to not let WHOIS die – the GDPR is an instrument that is not designed to prohibit publication of nonpersonal data. There are contracted parties who wish to make this distinction, but they do not have sufficient guidance. There is no risk to the two-step approach. It’s important to get further guidance from legal counsel to make EPDP Team members more comfortable.
           *   Focused on ensuring what used to be WHOIS is done in compliance with applicable regulation and law and also in the context of making registration data publicly accessible through requests under certain parameters
           *   WHOIS is not necessary for the purposes people have claimed as there are other ways to achieve these goals.
           *   The fact that registrars have requested guidance is not surprising – the question is what can the EPDP Team actually provide in terms of guidance. Some have stated unequivocally that there is no risk; this is simply not true. There is risk.
           *   Several stakeholder groups have been pressing for the data to be in the publicly accessible database. Automated requests in SSAD is short of what several stakeholder groups are asking for.
           *   The guidance document should have a disclaimer that this is not legal advice and people rely it at their own risks, however we should note some of the legal risks. In the guidance document, we should allow for both options – publication in RDDS and automated response in SSAD.
           *   One of the reasons to distinguish b/w legal and natural persons is that you do want to publish the data of corporate entities that is not personal. We have to be careful about making sure that individuals’ records are not published. There are good things about publishing the data of legal persons that are corporations offering services.
           *   The reason we’re having a discussion about definitions is because the definitions used in the document are not the same as the definitions displayed at the beginning of the call – suggest staff ensure that the correct definitions are incorporated into the next iteration of the document.
           *   There is some discussion around adding language that would allow registrars to publish data in the public RDDS. This is not necessary for this document because Phase 1 recommendations already envision this. There is language that requires redaction where GDPR is applicable on personal data and allows for but does not require geographic differentiation. This is already an option for registrars and do not need new policy or guidance for this. Should focus on the intent of this document, which is what guidance can we provide for registrars who are making a distinction b/w legal and natural persons that will enable them to help make this distinction if they would like to
           *   Concept of 1d – any substantive change to the data should reset the confirmation. Disagree – any change should be accompanied by a new confirmation of legal/natural and personal/nonpersonal instead of redacting without re-asking the questions.
           *   When data is collected, the status of that data is what is dispositive.
           *   Document keeps referring to contracted parties making the determination. This is registrars making the determination; registries do not make this determination.
           *   Suggest that Staff make a quick pass for publication vs. disclosure in SSAD

     *   Are there any “cannot live with” aspects remaining?
     *   What incentives, if any, could be considered to promote any guidance agreed to by the EPDP Team?
  *   Confirm next steps
-      EPDP Team to review the legal v. natural write-up and provide comments (in comment form only) by COB Friday, 2 April.
-      Support staff to incorporate feedback into next iteration and distribute updated version to EPDP Team by Tuesday, 6 April.

4.                            Wrap and confirm next EPDP Team meeting (5 minutes):

  1.  EPDP Team Meeting #14 Thursday 8 April at 14.00 UTC.
  2.  Confirm action items
  3.  Confirm questions for ICANN Org, if any

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20210401/3c87fe5a/attachment-0001.html>

More information about the Gnso-epdp-team mailing list