[Gnso-epdp-team] Homework assignments, notes and action items - EPDP Team Meeting #15

policy at bacinblack.com policy at bacinblack.com
Thu Apr 15 18:07:16 UTC 2021


Dear EPDP Team,

 

Please find below the notes and action items <https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0>  of today’s meeting. In order to ensure that there is no confusion, here are the instructions for the homework assignments:

1.	Complete review of Bird & Bird advice by comparing it to the latest version of the legal/natural guidance write up. 

Please review the remaining 4 questions (#6-9) in the comparison document (see https://docs.google.com/document/d/1jzKGLeTlJFf8-HB70NmAS_fZJvZgJiwO/edit) and provide your group’s responses to these questions. In addition, if your review of the Bird & Bird advice has resulted in additional questions the group should consider in the context of the guidance write up, please add those. The Staff Support Team will use your responses to the questions as well as those discussed on the call to update the write up accordingly to ensure it is consistent with the Bird & Bird advice that has been provided. Your group’s input is expected by Monday 19 April COB at the latest. Please do NOT use this google doc to opine on the write up or to raise any other issues that you think the write up should address.

2.	Review the latest version of the guidance write-up and respond to outstanding questions

Please review the latest version of the legal/natural guidance write-up (see https://docs.google.com/document/d/1whCpXHm3UPmJ-IDSbliveSkwxL679x2U/edit#heading=h.gjdgxs) and provide your group’s response to the questions that were identified by the staff support team as a result of the last round of input (also listed below questions #1-4). If you have further comments or suggestions, please add these to the document in the form of comments, preferably including specific text you would like the EPDP Team to consider. The Staff Support Team will use your responses to produce a next iteration of the legal/natural guidance write up. Your group’s input is expected by Monday 19 April COB at the latest. 

3.	Provide your group’s thoughts on the question of whether updates should be made to the phase 1 recommendation on this topic.

Please review and respond to the questions in this document https://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit with your group’s position. As outlined during the call, this will facilitate the leadership team’s assessment of where the group is at and a possible path to a response to this specific question. Your group’s input is expected by Wednesday 21 April COB at the latest. Please be prepared to provide a summary overview of your position during the next EPDP Team meeting.

 

We would like to again express our appreciation for all the dialogue that has taken place on the list, but please make sure to also translate your input into specific suggestions for the documents listed above.

 

Best regards,

 

Caitlin, Marika and Berry

 

====================

 

EPDP Phase 2A - Meeting #15

Proposed Agenda

Thursday 15 April 2021 at 14.00 UTC

 

1. Roll Call & SOI Updates (5 minutes)

 

2. Welcome & Chair updates (Chair) (5 minutes)

 

*	Appreciate all the dialogue on the mailing list – really important and encouraging that this discussion is happening. Important now to bring this back to the latest version of the write-up – many/most of the comments on the mailing list seem to be consistent with the latest version of the write-up. If not, it will be important for team members to point this out and focus on how it can be made consistent.

 

*	Update from the legal committee (Becky)

*	Responses have been received to 3 of the 4 questions. One question (q #3) is still pending but expected shortly. Based on the responses received to questions #1 and #2, the staff support team pulled together a comparison chart to compare the B & B advice to the latest version of the write up. Final call of the legal committee is expected to take place to review response to q#3. 
*	Placeholder meeting will be scheduled for the legal committee for next Tuesday. If response to q3 is not received in a timely manner the call will be cancelled. 

Comments from team: 

*	Any of the parties who are named in the registration data must be informed and knowledgeable about that they have been named and what the responsibilities are in relation to this naming. Doesn’t that make consent moot and take away registrar responsibility as the registrant is already supposed to have dealt with this? 
*	This is an ideal but not a reality of what is going on. Employees for companies may name other employees or officers without their knowledge or do not update when employees leave the company. A registrar cannot rely on this consent given to the registrant – it must confirm itself that consent is present. 
*	Bird & Bird memo pointed out the importance of having a complaint mechanism so that if issues occur, these can be flagged and corrected by the registrar. 
*	Contracted parties are liable for any mistakes – not only about the money, but also reputational damage to consider. 
*	Bird & Bird memo does point to ways in which risk can be reduced for Contracted Parties, noting that liability is reduced by taking reasonable steps to remove personal data from registration data associated with a legal person.

3. Legal vs. natural (75 minutes)

i.	Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”); 
ii.	What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons. 

Guidance development

 

a.       Continue review of updated write up of guidance proposal 

*	See comparison table developed by Staff Support Team and reviewed by Legal Committee – see https://docs.google.com/document/d/1jzKGLeTlJFf8-HB70NmAS_fZJvZgJiwO/edit 
*	EPDP Team to deliberate on the questions identified in column 3: 

1)      Consider adding reference to information requirements in relation to consent? 

2)      Consider making more specific that the registrant (data subject) needs to have an easy means to correct mistakes?

3)      Consider adding a step that following Registrant confirmation that the registration does not include any personal data, the registrar should contact the provided contact details to confirm that no personal data is present.  

4)      Consider adding guidance that sufficient time must be provided for the Registrant (data subject) to respond to the verification request, but that there is no need to wait for an affirmative response, unless an email bounces (in which case the Registrar should not proceed with publication). 

5)      Consider adding that the Registrar should request the Registrant, if self-identified as legal person, to provide a company registration number.

6)      Consider making more specific that at this stage the Registrar should ask whether Registrant (data subject) consents to publication of personal data?

7)      Consider adding that, as an example, a Registrar could also use the company registration number to verify legal personhood. 

8)      Consider whether such a tool (to assess whether email addresses include an individual's name or appear to be generic) exists and/or is feasible?

9)      Consider reference to this guidance/opinion from B & B

 

*	Focusing on the questions identified that bridge the current version of the write up and the B & B advice received.
*	Other comments are definitely relevant but need to be considered in the context of the write up.
*	Note proposed principles shared by Milton with the list: 1. The legal/natural distinction is relevant and we need to find a way to make it in RDDS without compromising privacy rights. 2. Registrants should be able to self-designate as legal or natural, with no burden of authentication placed on registrars or registries. 3. To protect small home offices or NGOs who are technically Legal persons but whose registration data may include Personal data, we need an additional check in the process. 4. As long as they conform with the above 3 principles, registrars/ries (CPs) should be given maximum flexibility to choose the way to differentiate. 
*	Would be helpful to see if anyone disagrees with these principles. On 3, different approaches may be possible. Some have also noted that distinction should focus on personal vs. non-personal data. 
*	1) Consider adding reference to information requirements in relation to consent? Is already contemplated by RAA section – guidance should be clear. Making the point clearer on who is expected to consent and who the CP is entitled to rely on when it comes to consent may be helpful? Agree with the suggestion but may be more difficult to implement than it sounds? Write up is good at balancing GDPR of protecting personal data with facilitating the publication of non-personal data. Bird & Bird also outlines steps to minimize the risk to CPs if certain steps are followed. Need to be careful to not provide legal advice, consider pointing to the EDPB advice in relation to consent (https://st1.zoom.us/web_client/ehjzr5/html/externalLinkPage.html?ref=https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf) instead as that is authoritative information.  
*	2) Consider making more specific that the registrant (data subject) needs to have an easy means to correct mistakes? Support for this suggestion as this is one of the multi-layer safeguards that B & B has suggested. Noting that there are obviously challenges with information that has already been published and ‘undoing’ that. Should it be considered to quarantine before release that would allow for correction before information is published? See also q4. 
*	4) Consider adding guidance that sufficient time must be provided for the Registrant (data subject) to respond to the verification request, but that there is no need to wait for an affirmative response, unless an email bounces (in which case the Registrar should not proceed with publication). This seems to flip opt-out to opt-in – need to be mindful that silence is not the same as consent. B & B guidance is very specific that this is about when there is no personal information involved, so risk is low. Bouncing also may trigger accuracy considerations if the data subject is also the data source. 
*	3) Consider adding a step that following Registrant confirmation that the registration does not include any personal data, the registrar should contact the provided contact details to confirm that no personal data is present. Sounds like existing requirement in the RAA Whois specification (Verify: the email address of the Registered Name Holder (and, if different, the Account Holder) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or … (phone call)? Use the provided contact details to contact the entity. Makes sense to add this step as it provides an additional safeguard to avoid getting personal information published.  
*	5) Consider adding that the Registrar should request the Registrant, if self-identified as legal person, to provide a company registration number. Not all countries may have company registration numbers? Would there then be an expectation that a registrar would verify that information? Corporate identifiers may work well for large corporations, not so much for small business. 
*	Remaining questions to be addressed as homework. 

Action item #1: EPDP Team to review remaining 4 questions in the comparison document and provide responses to those questions by Monday 19 April. In addition, EPDP Team to identify any further questions that the EPDP Team should consider as a result of the Bird & Bird advice to address any potential inconsistencies or additional safeguards. 

 

*	EPDP Team to deliberate on remaining questions in the updated write up (see https://docs.google.com/document/d/1whCpXHm3UPmJ-IDSbliveSkwxL679x2U/edit#heading=h.gjdgxs) 

1.	Example scenarios refer to “publish the data” with publish defined as “provide Registration Data in the publicly accessible Registration Data Directory Services” – Volker has suggested this should be discussed further by the EPDP Team. 
2.	Example scenario 1-d – Registrar Team has suggested this is too prescriptive and proposed that if any changes are made then the data is treated as natural-person data until the Registrant indicates otherwise via repetition of steps a-c. Others have suggested that Registrant should be requested when updates are made whether this results in changes to data type. EPDP Team to discuss how to proceed.
3.	Example scenario 3 – EPDP Team to discuss whether this scenario should be deleted. There were originally some concerns that there would be no registrant / data subject involvement in the determination of data type, but this has been clarified by indicating that the registrant must confirm the determination by the registrar. Is this concern sufficiently addressed or should this scenario be deleted?
4.	Use of third party services to verify determination of data type – sentence has been updated based on suggestions made. Does this sufficiently address the concerns? 
5.	Other? 

*	Confirm next steps

 

Action item #2: EPDP Team to review these questions in the latest version of the write up and provide input, preferably in the form of specific text to be considered by the EPDP Team by Monday 19 April.  

Consideration of question i. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”); 

b.       Review of questions developed by leadership team to determine positions of different groups – please be open minded and be constructive (see https://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit) 

c.       Homework assignment: all teams to provide responses to these questions by Tuesday 20 April at the latest. 

d.       EPDP Team input

e.       Confirm next steps

*	Important for all groups to ‘put their cards on the table’ to facilitate the deliberations on this specific question. 
*	Also important to recall relevant recommendations from phase 1 and phase 2 that may have an impact facilitating differentiation and/or could be built upon, for example, in the form of implementation guidance. 

Action item #3: EPDP Team to respond to questions outlined in the google doc in relation to the question of whether or not changes should be made to existing requirements by Wednesday 21 April and come prepared to the meeting on 22 April to provide a high level summary of the responses provided. 

 

4. Wrap and confirm next EPDP Team meeting (5 minutes):

a.	EPDP Team Meeting #16 Thursday 22 April at 14.00 UTC - note, placeholder plenary session is being scheduled to allow for a second weekly plenary meeting, if needed. 
b.	Confirm action items
c.	Confirm questions for ICANN Org, if any

*	Placeholder time has been identified for a second plenary session each week. Will not commence next week, but anticipate it will happen for the week after (27 April at 14.00 UTC). This does not replace the need for doing homework if progress is to be made. If there is no need for this additional plenary session it can always be cancelled. 

 

 

 

 

 

 

Berry Cobb

GNSO Policy Consultant

Principal | BAC in Black Consulting <http://bacinblack.com/> 

Mob: +1 (720) 839-5735
