[Gnso-epdp-team] Notes and action items - EPDP Phase 2A Meeting #17 - 27 April 2021

Caitlin Tubergen caitlin.tubergen at icann.org
Tue Apr 27 17:01:31 UTC 2021 

Dear EPDP Team,

Please find below the notes and action items<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> from today’s EPDP Phase 2A meeting.

The next EPDP Phase 2A meeting will be on Thursday, 29 April at 14:00 UTC.

Best regards,

Berry, Marika, and Caitlin

--
EPDP Phase 2A - Meeting #17
Proposed Agenda
Tuesday 27 April 2021 at 14.00 UTC

1.                     Roll Call & SOI Updates (5 minutes)

2.                     Welcome & Chair updates (Chair) (5 minutes)
·         Next steps – reminder of proposed next steps as outlined here https://mm.icann.org/pipermail/gnso-epdp-team/2021-April/003861.html

3.                            Legal vs. natural (60 minutes)
                                 i.            Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);
                               ii.            What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.
Guidance development


  1.  Consider new issues flagged in latest version of the write up [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1a7MEle3_e-iXbaiZQV5wCD4Pv0414YjLtC2yxJEqbJc/edit__;!!PtGJab4!sIEI2-hpOjJsfBJsUET--oMlAp4Df7bVMCL0SBJJuK83xxRYTECKeFdlHmz_PsDCPt7-eOiV88E$>:
           *   The RrSG did not feel its guidance was included in the write-up, so the RrSG added its table into the write-up. This is substantively the same as what the team reviewed back in March.
           *   GAC reps did not find the write-up to incorporate the original write-up in sequencing and substance so this has also been added.
           *   Would be helpful for groups to be specific about which aspects of the proposals were not captured in the write-up
           *   There may have been a perception that the example scenarios from the registrars were to be included in the substantive guidance. That was not intended. The substantive guidance is the chart itself.
           *   Propose to use the table to review the write-up. If there is no input in the righthand side, that means there were no comments regarding the edits/suggestions.
           *   The chart is useful, but there was further conversation on this point since the chart was sent
           *   The chart was put together following the original deadline
2.      Any concern about moving “Distinguishing between legal and natural person data alone may not be dispositive, as the data provided by legal persons may include personal data that is protected under data protection law, such as GDPR” to the guidance section?

           *   Suggestion from the RrSG to move this section to the guidance section
           *   Recommend removing “may” and change to “is not” – add “is not decisive in relation to the publication of the data”
           *   Agree with Brian’s comment – rephrase legal and natural person type of data. Clarify this. Agree with Sarah’s comment that it would be useful to include this in the guidance.
           *   What is meant by guidance? There is guidance that Rrs provide to registrants and guidance attached to a policy. What is dispositive when it comes to CPs managing their risks is whether the registrant is able to confirm that they are an individual and that they consent or they can reliably and authoritatively declare that there is no personal data.
           *   What we’re looking for here is distinguishing b/w the registrant – the entity that owns the domain name. That alone may not be enough as the registration data could still include personal data.
           *   Rec. 17 says, “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”. Team is asked to consider if guidance on this is necessary. Team should be clear about what it is not dispositive for – whether the data can be published or not.
           *   Distinguishing b/w registrations of natural and legal persons may be the appropriate text
           *   When we are talking about a registration, we are talking about a registrant and possibly some other roles. Are we trying to encompass the idea that the registrant may be a legal person, but there may be other roles?
           *   Registrant data even for a legal person could include natural person data – that is the crux of the issue.
           *   Suggest reading the following EDPS opinion on NIS2 which provides important nuance: https://edps.europa.eu/data-protection/our-work/publications/opinions/edps-opinion-cybersecurity-strategy-and-nis-20_en
           *   Important to keep recital 49 of the GDPR in mind – “the protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.” This does not answer the question about the data set if there is info from others.
           *   Need to be careful to make these concepts clear for individuals who are NOT mired in these concepts like this WG – reminder of this letter: https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf “personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS”
           *   Do not believe Recital 14 and the letter from the EDPB are inconsistent. If there is data provided by a registrant that relates to other folks – in that case, attention must be paid. Have to figure out a way to make sure this info is not published in the absence of consent by the third parties.
           *   Do not agree with the above reading of the letter – this could be employees acting on behalf of the registrant if the registrant is a legal person.
           *   It may be helpful to break out this issue – Laureen, Melina, Sarah, Hadia, and Stephanie to agree on language. The Team can revisit this at a future meeting.
3.      See 1d – what approach should be taken when a Registrant makes substantive changes to registration data?

           *   The recommendation may not be clear enough from the readers perspective. Suggestion to remove the last sentence from this section, or is there another way to address this concern from the Rr team?
           *   Anything that requires manual review – do this at the time of registration. The determination should not be made at the time of registration.
           *   Recommendation 9 is incomprehensible – would be concerned with removing an explanation of sorts
           *   Could consider upgrading the footnote if that is would help clarify
           *   This is flagged as a relevant Phase 2 recommendation, which is saying that certain types of disclosure requests should be subject to automated disclosure. Open to figuring out the best way to find useful context for this – left on its own, this is a cipher.
           *   When we talk about reviewing personal data, are we operating under the assumption that there is a clear and unambiguous way to determine if there is personal data present?
           *   There is no such definition in data protection law of legal data. We could decide to call them an individual or a legal person, but that doesn’t help with the determination of personal data. That is the distinction that is operative and legally significant here. Using the legal v. natural distinction is unhelpful here.
           *   9. Check in with Brian K regarding his comment
           *   10. Suggestion to add a relevant portion of legal advice
           *   Concern with adding excerpt from the memo because it is long and complex. It is not helpful to include only a piece of it – would prefer to refer to the entire text.
           *   Agreement to append the legal guidance to the write-up
           *   13. This is not factually incorrect, but it does not belong in this section. For the context of this point, we should just focus on differentiation and should not include this.
           *   Do not think we should refer to differentiation as a process – we should say we are allowing registrants to identify themselves as legal. If they declare themselves as such, it will be published. It is also relevant for CPs – if you say you are differentiating b/w legal and natural person registrants rather than allowing customers to tell us this.
           *   If we name at the time of registration as one possibility, we should also name others “or any other time when a CP interacts directly with a registrant, WDRP, renewal reminders, or WHOIS verifications.”
           *   Need to be mindful of different business models – does this include anything other than the 13-day window?
           *   WDRP notices may fall outside of this window
           *   Sooner rather than later is better


4.      Consider whether it would be helpful to add a timeline to scenario 2
5.      Consider whether scenario 3 should remain.
6.      Definition of “publish” (note, the write up currently includes the following definition “EPDP-p1-IRT: “Publication”, “Publish”, and “Published” means to provide Registration Data in the publicly accessible Registration Data Directory Services.”)
7.      Any other issues flagged by deadline (Monday 26 April at 18.00 UTC)
b.         Confirm next steps to finalize write up for inclusion in the Initial Report

4.                            Reminder of Homework assignments (5 minutes)

·         Thursday’s EPDP Team meeting will focus on the question of whether any changes are warranted to the EPDP Phase 1 recommendation (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”). Please come prepared to present your groups responses to the questions in the google doc (see https://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit__;!!PtGJab4!sIEI2-hpOjJsfBJsUET--oMlAp4Df7bVMCL0SBJJuK83xxRYTECKeFdlHmz_PsDCPt7-iJ8uXHE$>). Please try to focus your interventions on the specific questions that were asked and come prepared to put forward specific (ideally textual) suggestions for how the group can develop a response to the charter question.

·         By Friday 30 April<x-apple-data-detectors://5>, please put forward your group’s proposed response to the feasibility of unique contacts questions (i. Whether or not unique contacts to have a uniform anonymized email address is feasible, and if feasible, whether it should be a requirement. ii. If feasible, but not a requirement, what guidance, if any, can be provided to Contracted Parties who may want to implement uniform anonymized email addresses). Please note here that we have been given specific advice from B&B with a risk continuum, so we will work within that, and we will not entertain discussions seeking to obviate risk altogether. The staff support team has set up a google doc to provide your suggestions (see https://docs.google.com/document/d/1lqLOkF1jaA2NK1hmYtG4jiY4x7V432maFh1Xlv5UeBM/edit?usp=sharing [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1lqLOkF1jaA2NK1hmYtG4jiY4x7V432maFh1Xlv5UeBM/edit?usp=sharing__;!!PtGJab4!sIEI2-hpOjJsfBJsUET--oMlAp4Df7bVMCL0SBJJuK83xxRYTECKeFdlHmz_PsDCPt7-qokXRkU$>). Based on the input received, leadership with the support of the staff support team will aim to develop proposed draft language for inclusion in the Initial Report.

5.      Wrap and confirm next EPDP Team meeting (5 minutes):
a.       EPDP Team Meeting #18 Thursday 29 April at 14.00 UTC
b.       Confirm action items

  1.  EPDP Team to review the table<https://docs.google.com/document/d/1mHNvYWeyTGFhb--yDfWfTYNx_RVe1Bkl/edit> and provide further feedback by COB, Friday, 30 April. If you disagree with a comment or proposed addition, please provide a proposed update that factors in the concern identified. As always, please provide updates in comment form.
  2.  Small team comprised of Laureen, Melina, Sarah, Hadia and Stephanie (and others, if missed) to review items A & B in the write-up and propose an update, factoring in comments in 4-6<https://docs.google.com/document/d/1mHNvYWeyTGFhb--yDfWfTYNx_RVe1Bkl/edit> and those made during Meeting #17.
  3.  Small team comprised of Laureen and Sarah (and others, if desired) to provide a response to Laureen's proposal for Item 7 in the table<https://docs.google.com/document/d/1mHNvYWeyTGFhb--yDfWfTYNx_RVe1Bkl/edit>.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20210427/2ecc483c/attachment-0001.html>

More information about the Gnso-epdp-team mailing list