[Gnso-epdp-team] Notes and action items - EPDP Phase 2A Meeting #02 - 14 Jan 2021

Caitlin Tubergen caitlin.tubergen at icann.org
Thu Jan 14 18:10:22 UTC 2021


Dear EPDP Team,

Please find below the notes and a link to the action items from today’s meeting.

Our next meeting will be Thursday, 21 January at 1400 UTC.

Best regards,

Marika, Berry, and Caitlin

Action Items

❗️Please refer to the Google Sheet<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0> for Action Items. We will review the action items at the beginning of each call.❗️

Notes

EPDP Phase 2A - Meeting #02
Agenda
Thursday 14 January 2021 at 14.00 UTC

1. Roll Call & SOI Updates
2. Welcome & Chair updates (Chair)

  *   Thank you to everyone who contributed to the homework assignments.
a. Vice-Chair Selection & Council Liaison selection update
The charter foresees that “The EPDP Team, once formed, will select one or two Vice Chairs to assist the Chair. Should at any point a Vice-Chair need to step into the role of Chair, the same expectations with regards to fulfilling the role of chair as outlined in this charter will apply”.

  *   At this time, a GNSO Council liaison has not yet been appointed; however, expect to have news re: the liaison following the next Council meeting.
  *   Received an inquiry from Brian Beckham of WIPO to perform vice-chair duties for Phase 2A.
  *   In reading the charter, it could be interpreted that only EPDP members can serve as vice-chair. In the event the EPDP Team agrees on an appointment of Brian, it may need to be confirmed by the GNSO Council.
  *   Support Staff took a close look at the charter, and it notes once the EPDP Team has formed, the vice-chair is selected – the table in the charter shows a specific count, which includes the chair of the EPDP Team, but no separate count for the vice-chair. Accordingly, that may mean that the vice-chair is expected to come from the EPDP Team. As no volunteers have come forward from the EPDP Team, an appointment of a non-team member may need to be approved by the Council.

EPDP Team Feedback:

  *   No opposition provided. Next step will be to communicate to the Council.
  *   Generally speaking, the vice-chair should be a neutral party throughout.
3. Review of Homework Assignments

Feasibility of unique contacts (see compilation document attached)

a. Review clarifying questions and determine whether these are referred to:

Today’s plan is to run through the questions and allow those who put forward the question or concern to explain the contribution at a high-level and focus on how this should be addressed. For example, should the clarifying question be discussed and/or reviewed by:



     *   EPDP Team
     *   Legal committee (if to be referred to legal counsel)
     *   Other


b. Review proposals and consider
· Clarifying questions
· Definitions re: pseudonymization were added by Support Staff, and are pulled directly from the B&B memo (definitions in the legal questions were agreed to by the legal committee)
· How should questions about definitions be raised?

        *   This question could potentially be addressed by B&B or experts within the group who have an IT background. The Team may be missing information on how a unique string would work.
        *   Who decides whether pseudonymization is across all registrars or within one registration? This is a decision for the EPDP Team. These terms should be used as they are defined in GDPR.
        *   The point of the clarifying question was that certain people did not understand the definitions. The distinction b/w pseudonymization and anonymization is quite clear. Anonymization is unique for each registration, while pseudonymization is unique by registrant. ALAC raised a potentially interesting point about pseudonymization across registrars; that is a technical question for ICANN. These concepts are clear, and our job is to decide which (if any) is allowable.
        *   The Team should take a step back even before discussing these definitions – what are we trying to use these definitions to do? What problem are we trying to solve? This should be determined first.
        *   Agree that the approach to a solution would be better if we know what the problem is. It is not a huge effort for registrars to create a pseudonymized identifier for their customers; however, sharing that identifier with multiple registries and registrars and tracking it over time starts to look less and less like an anonymous or pseudonymous bit of data and looks more like a tracking cookie. Where the team should draw the line is what is allowable under the law, and what problem we are trying to solve.
        *   Processing personal data is not inherently illegal; it depends who is doing it and what they are doing it for. The question is what happens when a pseudonym is shared outside of a contracted party; it is not inherently unlawful.
        *   May need more homework for next meeting with purpose or intent or what we are trying to solve for.
        *   The Team is trying to work toward contactability. The web forms have character limits which are untenable, particularly for noting IP infringement issues. Some web forms do not have free form options. The webforms are unacceptable; we need something more workable.
        *   Correlation is very important for cybersecurity purposes. There are often times when one needs to identify additional domain names associated with a contact, particularly in cybersecurity-related issues like phishing attacks.
        *   The B&B memo concentrated on the effect on the data subject; it didn’t focus on other purposes where pseudonymization may be lawful.
        *   The Team already has a memo that notes that anonymized and pseudonymized data can be personal data. Circling back to that because some members do not want to accept the previous legal advice is not a good use of time. The legalities of whether a unique identifier can be published – that is a non-starter.
        *   What we are trying to do here is to make sure everyone is clear on the terminology and what solution we are working towards.
        *   The Team does not seem to agree what the memo said: in the hands of a contracted party, this data is personal. In the hands of a third party, the data might be personal data.
        *   Something that is pseudonymous for CPs could be anonymous for a third party. With respect to the B&B memo – the memo is not crystal clear in certain aspects. B&B touches on a DPIA.
        *   Distinction b/w anonymized and pseudonymized in GDPR is clear. However, the definitions in the memo are not clear. What is not really explained – for pseudonymization, could third parties somehow combine this information or have access to these strings and trace back to the individual?
        *   There is already a requirement for registrars to provide
        *   Action: Staff to put together a google doc where everyone can provide further input in advance of the next call.
        *   Laureen’s question re: data retention may be a question for the legal committee to further review.
        *   In one part of the legal memo, there is a reference to masking. Alan and Hadia asked what the relevance of introducing this concept is, when this was not put forward in the legal committee’s question.
        *   It may be helpful to put forward a short side paper on pseudonymization vs. anonymization.
        *   Who should address the question of masking?
        *   Answer: B&B via legal committee
        *   Caution against spending or wasting time with detailed explorations of how pseudonymization works in practice b/c pseudonymization is a form of personal identification.
        *   When we create a new pseudonymized email, that is a new data element for contracted parties to both create and process
        *   This is a tier 2 question – this is about how to implement rather than if we should implement in the first place
        *   Question for registrars re: changing anonymized email addresses over time
        *   There should be a proposal for disclosure of pseudonymized or anonymized emails
· Next steps for considering these proposals further

Legal vs. natural (see compilation document attached)
c. Review clarifying questions and determine whether these are referred to:

     *   EPDP Team
     *   Legal committee (if to be referred to legal counsel)
     *   ICANN org
     *   Other
d. Review proposals and consider
· Clarifying questions

     *   The first question is a legal question.
     *   Second question: there is already a review process as a part of the SSAD
     *   The NIS2 directive is a proposal and there is nothing in it that makes it mandatory to differentiate b/w legal and natural persons
     *   For questions to ICANN org: do any members of the Team wish to clarify their questions? If not, ICANN org will take these questions into account when providing an update on the study.
     *   Questions re: legal memos can be reviewed by the legal committee.
· Next steps for considering these proposals further

4. Wrap and confirm next EPDP Team meeting (5 minutes):
- Action: In parallel tracks, ask Brian Beckham for time or give an EOI for the group to review and consider. Concurrently, notify the Council and confirm this is OK.
- Action: EPDP Team to respond to Legal Committee appointment notice by Wednesday, 20 January.
a. Meeting #03 Thursday 21 January at 14.00 UTC.
b. Confirm action items
c. Confirm questions for ICANN Org, if any

