[Gnso-epdp-team] Notes and action items - EPDP Phase 2A Meeting #09 - 4 March 2021
caitlin.tubergen at icann.org
Thu Mar 4 19:54:43 UTC 2021
Dear EPDP Team,
Please find below the notes and action items from today’s meeting.
As a reminder, the next plenary meeting will be Thursday, 11 March at 14:00 UTC.
Berry, Marika, and Caitlin
Please remember to check for action items using the team’s Workplan and Action Items sheet: https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0.
EPDP Phase 2A - Meeting #09
Thursday 4 March 2021 at 14.00 UTC
1. Roll Call & SOI Updates (5 minutes)
2. Welcome & Chair updates (Chair) (5 minutes)
* Upcoming update to GNSO Council on status of progress (24 March 2021)
* Keith has an obligation to report back to the GNSO Council on the status of the group’s progress. Three weeks from now, Keith has to provide a report to the Council. The work over the next few weeks is critical – to demonstrate to the Council that progress is being made, and that there is a path to consensus.
* Reminder to please do homework – it’s critical for the group’s progress. It’s imperative that the team picks up the pace.
* Thoughts from Philippe (GNSO Council liaison): in capacity as liaison to Council, reiterate Keith’s previous points. Council meeting is scheduled for 24 March. A case will need to be made to Council by this time.
* EPDP feedback: concerned that legal advice will still be outstanding when an update needs to be made.
* If legal questions are agreed to and submitted, this would help the case, but this has not happened yet. Need to demonstrate to the Council that the group is on track to deliver an Initial Report by.
* Suggest that the team plow ahead with the work and incorporate the legal advice into the evolution of the SSAD
* Keith has an obligation to deliver an update to the Council that the group is on track to deliver an Initial Report by May. Council will be looking at this with a critical eye as the manager of the PDP process. Submitting legal questions and demonstrating progress by this group will be critical.
* Hope Council will look at if the group is making progress to develop a policy, rather than on track for a specific and arbitrary date
* PDP 3.0 guidelines – any group has to commit to a plan following a cursory review of its charter. B/c the group started slower than anticipated, leadership made a decision to commit to delivery of an Initial Report by the end of May. This is an analysis based on the amount of work in front of us.
* ICANN org response to EPDP Team questions (see https://community.icann.org/x/I4GBCQ):
· Status of implementation rec 6/13
· ICANN org liability in the context of distinguishing between legal / natural persons
· Please note ICANN org has provided responses to the two questions over the list; they are now posted on the wiki.
3. Legal vs. natural (75 minutes)
1. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);
2. What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.
a. Update from Legal Committee in relation to questions referred to legal committee on legal / natural (Becky)
* Team made significant progress during the two repurposed calls
* Legal Team has discussed all questions on both topics
* Bulk of legal v. natural questions are out for final sign-off by Friday
* The remaining legal v. natural questions will hopefully be completed over email.
* Aim is to finish up the work on Tuesday – call is extended to 90 minutes. If everyone does their homework, reviews all questions, and works online – should be in a position to finish on Tuesday. Again, this requires everyone to do their homework.
b. Follow up questions to Jamboard brainstorming – Proposal 1a
* Review responses to leadership follow up questions to input provided on JamBoard (see https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit)
* EPDP Team to discuss and confirm updates to be made to proposal 1a
* Does the flowchart assist?
* BC: yes, but if steps are combined in the user experience, there would need to be a wireframe webpage in order to determine if this saves a step in the user experience
* BC: agree that the concern was addressed in previous recommendations but in terms of how to design a webpage, have to mention it for completeness
* If Rrs or Rys are differentiating today or might in the future, what are the possibilities for doing this that could become best practices or recommendations for the group to consider?
* Is this trip necessary? Yes, if you are going to differentiate, but that is not accepted by many in this group. As you can see by the diagram, it is very complicated. This doesn’t appear to have any benefit on the public and private interest. If we agree with the original recommendation that it’s a choice, delving into the specific process for which they do so is a waste of this group’s time.
* Charter notes what types of practices could be developed for CPs that want to differentiate or may be required to differentiate in certain jx
* Best practices is not the deliverable here – it is just one step on the journey
* Several team members are trying to engage in one-on-one conversations with stakeholder representatives to get a more realistic perspective of what the real-world business consequences of differentiation are. We are open to listening and figuring out your concerns – want to make sure your customer relationships are preserved. Aware that reseller model is different than a retail registrar. There could be a path forward here and want to work together to create this path.
* Urge that we move away from flowcharts and try to arrive at a result that shows what to do and why to do it
* As it relates to the charter for this group, we are to review best practices. Do the Phase 1 recs that are consensus policy need to be adjusted? This does not presuppose that consensus will be achieved. Once we get through the best practices – based on this, should the recommendation change?
* Caution that a one-size-fits-all model actually only fits one. Suggest starting with the GDPR principles and how to achieve each of those principles if you want to differentiate. Current consensus policy, which is flexible and allows the registrar to choose, is appropriate. Guidance does not mean the policy should be changed.
* Tried to address some of these expressed concerns in the proposal. One concern raised was to consider the nature of personal data, not just legal v. natural data. Another concern was some models (like reseller) cannot take steps before registration, so tried to make this flexible.
* Should first look at why the Phase 1 recommendation needs to be changed.
* As we look towards the outcomes of this group – do we need to make adjustments to Phase 1 recommendations, and are there implications to Phase 2 recommendations? We approached this as a group – what could be possible – what are the potential best practices, but we will eventually have to move to how to clarify how existing policy should be changed (if at all).
* We are not being told – rather than look at ways it could be possible, now we are being told we need to look at if group members want to make it possible.
* There is still work to be done regarding whether adjustments to consensus policy are needed or required. At the end of this process, is there a path to consensus on changing Phase 1 recommendations?
* Perhaps steps 2 and 3 could be collapsed (l v. n and whether personal data) could be asked in the same sentence.
* Asking someone if they are a legal or natural person is very confusing to most people, particularly with language differences. If a registrar can come up with a safe way of doing this, then the existing consensus recommendation says they can do this. Flagging people is a problem.
* Confusing the registrant has already been covered; there are safeguards in place in the GAC proposal. To be clear, this is about adding a binary flag to categorize the registrant as either legal or natural and that comes with benefits for policy choices. This is just considered to be a useful distinction as part of a broader proposal.
* Work with UE designers and making sure that choices presented to users are clear is very important – regarding the flag, if the purpose of the flag is for how data should be handled, that is already a requirement.
* Flag or not, registrar should have a way of identifying if data should be published or not; how they do this should be up to them. Ultimately, we are looking at a registrant making a declaration – no personal data, therefore publication could be OK. It could be the same declaration for someone with PII who wants their info published. The differentiation of legal v. natural is unnecessary here. We do not need to ask the legal v. natural question. The ultimate question is – is there consent to publish this info.
* The benefit of formally defining a flag is that it is standardized and can go into escrow if we want it to. The question is – do we want a flag for legal v. natural, we want a standardized flag so that it’s usable is appropriate. How we set it and if we set is question for later, but having the flag would be helpful.
* Yes, we have a flag, but the legal committee has been discussing this consent issue. The CP is relying on an attestation that there is consent to publish. This is a difficult question – large companies represented here may be able to assure themselves in most cases but others may not have a clue.
* Consent relates to personal data. In the comments on the proposal, some argued that legal v. natural is difficult and there are language and educational barriers. However the bar is much higher for consent under GDPR. Consent should be the last resort b/c the bar to prove that you have valid consent is very high. If someone believes the language is not simple enough for legal v. natural, how can it be valid enough for someone to provide informed consent? The distinction b/w legal v. natural is a valuable distinction in many data protection regimes. Maybe a way to do this if CPs would want to propose ways they could differentiate.
* Confirm next steps
c. Review remaining proposals & input provided (starting with scenario #1)
* See https://jamboard.google.com/d/1H3CDUTITCfgcS85WMjlvyLV07cb7_V7ksFz8lVjExPg/viewer
* Berry circulated a thought experiment yesterday.
* This thought experiment tries to encapsulate a lot of what we spoke about in today’s meeting and before. What is important is that this is a thought experiment, nothing will happen tomorrow, but, a few years down the road, it may become a requirement to differentiate between legal and natural persons. This thought experiment asks the group to consider what would happen if this was a requirement. Let’s first approach this by what is already in the pipeline to be implemented.
* Rec. 6 – touched on this – basically about Rrs providing ability for RNH “consent” to have their info published. Some have already implemented this; others will wait for this requirement to be implemented. This is indirectly related to legal v. natural. How are CPs actually going to implement this and obtain consent? Example – domain investor may wish to have their info published – what would this look like?
* Rec. 12 – this is a Phase 1 rec about the Org field. The second half of the recommendation notes requirements for new registrations beginning on a date certain. On a date certain, registrars have to allow registrants to publish the org field. How does that impact the registration process – how will this be implemented?
* Rec. 17 – which is the ability for CPs to differentiate b/w legal and natural persons should they choose to. Are some CPs going to do this – what about brand protection models? If so, how are they going to go about doing this?
* Phase 2 – recognizing that only the Council has adopted the Phase 2 recommendations – liability risks. Footnote 39 – there is a requirement for a legal risk fund. Could this group build on this particular concept?
* There are a series of questions here and the group should have a frank discussion on all of these.
* So much of what we’re talking about ties back to Phase 1 and Phase 2
* Should not be making consensus policy based on a theoretical law. We are close to agreement that do we want to publish the data or not – and are we giving people a clear path to publishing, if they’d like to publish it.
* It seems clear that the NCSG wants to leave this as a consent-based discretion. This is not what we’re here to do – we are here to relitigate the legal v. natural distinction.
* Please try to keep this from becoming personal.
* We have a consensus policy – the question before us is do we need to adjust the consensus policy.
* The whole time the NCSG has been arguing, there has been law. The fundamental question to be asked here – are you consenting to the release of personal information here/can you consent to the release of personal information here.
* Consent relates to personal data. If there is a registrant providing personal and non-personal data, and they do not consent – do you also not publish the non-personal information? The distinction is inevitable and serves a purpose.
4. Wrap and confirm next EPDP Team meeting (5 minutes):
a. Meeting #10 Thursday 11 March at 14.00 UTC.
b. Confirm action items
c. Confirm questions for ICANN Org, if any