[Gnso-epdp-team] Proposed agenda - EPDP Phase 2A Meeting #20 - 6 May 2021

[Caitlin Tubergen]

Dear EPDP Team,

Please find below the proposed agenda for Thursday’s meeting.

Best regards,

Berry, Marika, and Caitlin
--

EPDP Phase 2A - Meeting #20
Proposed Agenda
Thursday 6 May 2021 at 14.00 UTC


1.                     Roll Call & SOI Updates (5 minutes)



2.                     Welcome & Chair updates (Chair) (5 minutes)



3.                            Legal vs. natural (60 minutes)

  1.  Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);
  2.  What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.
Bird & Bird Response to Question #3<https://community.icann.org/download/attachments/155191493/ICANN%20EDPB%202a%20-%20Memo%20re.%20NIS2%2C%20dotEU%20and%20RIPE-NCC%20-%2020210427.docx?version=1&modificationDate=1620089113000&api=v2>

     *   High level overview (Becky)
     *   EPDP Team to consider whether any aspects of the response warrant changes to the latest version of the write up or further consideration.
     *   Confirm next steps
Guidance write up

     *   Consider remaining outstanding questions:

Guidance #3 - As part of the implementation, Registrars should consider using a type of

Example scenarios (note, these scenarios are intended to be illustrations for how a Registrar could apply the guidance above. These scenarios are NOT to be considered guidance in and of itself).



1.                             EPDP Team to consider whether or not these scenarios should remain or whether they should be replaced by the RrSG table as suggested by ALAC. If there is agreement that scenarios should remain as examples, EPDP Team to consider whether scenario #3 (Registrar determines type based on data provided) should remain as some concerns have been expressed by NCSG in relation to the Registrar making an initial assessment about whether or not the registrant is a legal or a natural person. Note, updates were made to ensure that the Registrant is requested to confirm this assessment.


Scenario #2 - Data subject self-identification at time when registration is updated


a.    The Registrar collects Registration Data and provisionally redacts the data.
b.    The Registrar informs the Registrant (per guidance #3 above) and requests the Registrant (data subject) to designate legal or natural person type. The Registrar must also request the Registrant to confirm whether only non-personal data is provided for legal person type.[1]
c.     Registrant (data subject) indicates legal or natural person type and whether or not the registration contains personal information after registration is completed. For example, the Registrant may confirm person type at the time of initial data verification, in response to its receipt of the Whois data reminder email for existing registrations, or through a separate notice requesting self-identification.[2]
d.    If the data subject identifies as a legal person and confirms that the registration data does not include personal data, the Registrar should (i) contact the provided contact details to verify the Registrant claim[3] (ii) set the registration data set to automated disclosure in response to SSAD queries and (iii) publish the data.



2.                             The GAC has suggested that it might be helpful to add some timelines to this scenario. How could/should such a timeline look?

Registrars shall not be prohibited from voluntarily utilizing a third party to verify that a registrant has correctly identified its data[4], provided that such verification is compliant with applicable data protection regulations.


3.                             Proposed language changes from Volker were applied to make clear that third party verification is not disallowed, but neither specifically recommended. NCSG has noted its objection to this rewrite as it would make scenario 3 ten times worse. EPDP Team to consider concerns and determine if/how these can be addressed. Note, the Bird & Bird advice specifically talks about the option to verify information provided by the registrant.


4.                            Homework assignments reminder (5 minutes)

·         By Friday 7 May, EPDP Team to review proposed feasibility of unique contacts write up for Initial Report<https://docs.google.com/document/d/1uA_gEGmfyokKOP0Xft7q__RXVK1Ns_IXzSRoPKusm_E/edit?usp=sharing>. Please provide comments, suggestions and proposed edits in the form of comments.

·         By Friday 7 May, EPDP Team to review updated version<https://docs.google.com/document/d/1tbk4x7LDzqAazO2ABzjPPkR3gsPcPuBSrECQRpg0CdE/edit#heading=h.gjdgxs> of legal/natural guidance write up and indicate which aspects, if any, your group cannot live with for inclusion in the Initial Report.

·         By Friday 7 May, GAC and RrSG Team to review updated version<https://docs.google.com/document/d/1tbk4x7LDzqAazO2ABzjPPkR3gsPcPuBSrECQRpg0CdE/edit#heading=h.gjdgxs> of write up and to indicate to EPDP Team if GAC updated proposal and RrSG table, respectively, need to be included, where it would be included and what aspects it would cover that are currently not addressed in the write up. Please provide your response via the mailing list.



5.      Wrap and confirm next EPDP Team meeting (5 minutes):

  1.  EPDP Team Meeting #21 Tuesday 11 May at 14.00 UTC
  2.  Confirm action items

  1.  Confirm questions for ICANN Org, if any




________________________________
[1] Note that the confirmation that only non-personal data is provided could also happen at a later point in time. However, until the Registrant confirms that no personal data is present in the registration data, the Registrar does not set the registration data to automated disclosure.
[2] Note, the implementation of EPDP Phase 1, recommendation #12 (Organization Field) may facilitate the process of self-identification.
[3] Per the guidance<https://community.icann.org/download/attachments/155191493/ICANN%20-%20EPDP%20Phase%202a%20-%20Memo%20re.%20VSC%20and%20consent%20options%20-%2020210406.docx?version=1&modificationDate=1617804552000&api=v2> provided by Bird & Bird, “this verification method is advisable, and will help reduce risk. That risk reduction will be greatest if there is a reasonable grace period within which the objection can be lodged, before the data in question is published in the Registration Data” and “requiring an affirmative response to verification mailings seems over-cautious, unless and until studies show that the measures adopted are failing to keep very substantial amounts of personal data out of published Registration Data. However, if a verification email “bounces” (i.e. a Contracting Party knows it was not delivered), then it would be better if publication does not proceed”.
[4] Per the guidance<https://community.icann.org/download/attachments/155191493/ICANN%20-%20EPDP%20Phase%202a%20-%20Memo%20re.%20VSC%20and%20consent%20options%20-%2020210406.docx?version=1&modificationDate=1617804552000&api=v2> provided by Bird & Bird, “a company registration number may be another means of verifying legal personhood”.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20210504/b365df71/attachment-0001.html>