[gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 3 October

jonathan matkowsky jonathan.matkowsky at riskiq.net
Tue Oct 3 21:04:08 UTC 2017


Hi Lisa,

—When will we get an analysis of ICANN as a data controller versus
processor vs co-controller? How can we draw conclusions from the memo
without this info?

—What are the follow-up questions already posed to the law firm?

Thanks
Jonathan

On Tue, Oct 3, 2017 at 3:33 PM Lisa Phifer <lisa at corecom.com> wrote:

> *Dear all,*
>
> *Below please find notes from today’s RDS PDP WG meeting.*
>
> *To recap Action Items from today’s call:*
>
> ·        *Action Item:* Staff to incorporate WG agreement in working
> draft.
>
> ·        *Action Item:* WG leadership team to consider input received
> during today's meeting and consider how to move forward as today's meeting
> did not achieve the goal of moving forward on these questions.
>
> *Best regards,*
> *Lisa*
>
>
>
> *Action Items and Notes from RDS PDP WG Call – 3 October 2017*
>
> *These high-level notes are designed to help PDP WG members navigate
> through the content of the call and are not meant as a substitute for the
> transcript and/or recording. The MP3, transcript, and chat are provided
> separately and are posted on the wiki here: *
> https://community.icann.org/x/bWfwAw
>
> 1. Roll Call/SOI Updates
>
> ·        No SOI updates identified
>
> 2. Apply results from last week’s poll to working document
>
> ·
> https://community.icann.org/download/attachments/66086765/AnnotatedResults-Poll-from-26SeptCall.pdf
>
> ·        22 members participated in poll
>
> ·        77% still don't think Original Registration Date should be a new
> data element
>
> ·        Record in working document as tentative agreement
>
> *WG Agreement: *There is no requirement for the Original Registration
> Date as proposed by the EWG Final Report
>
> *Action Item:* Staff to incorporate WG agreement in working draft.
>
> 3. General questions about WSGR memo
>
> ·
> https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf
>
> ·        Leadership in consultation with legal advisors within WG have
> been working to extract principles from WSGR memo and also answers
> previously supplied by senior EU privacy experts, to be applied to our work
> going forward
>
> ·        How was the law firm selected? Several candidates with expertise
> identified by staff and augmented with suggestions from legal advisors
> within WG. Using that input, candidates were evaluated and chosen based on
> experience, reputation, etc. Selection was ultimately made by leadership
> team not advisory group, with group's input on two finalists.
>
> ·        Do we intend to go back to the law firm to ask for more typical
> legal advice - that is, tell them what we propose doing, and ask for advice
> on legal risks associated with proposal? Yes, we can seek legal advice in
> the future, from this firm or another firm, at appropriate points in our
> work - that will incur additional cost to seek answers to new questions.
>
> ·        Were discussions with law firm recorded, or can a transcript be
> provided? The leadership team and legal advisors reviewed a confidential
> draft for the purpose of identifying any items requiring clarification,
> enabling finalization of the memo.
>
> ·        The law firm explicitly asked that draft not be shared and be
> treated as confidential; they prefer to share only final work product. In
> some cases, they asked for clarification of the questions that were asked
> by WG. We can share questions that were asked, but those questions focused
> on clarification and not questioning views or opinions expressed by WSGR.
>
> ·        How much did the advisory team feedback impact the ultimate
> questions? Not at all. The questions were developed by the WG prior to
> ICANN58 meeting, and then presented to full WG for review/edit/approval.
> Those questions were then published and asked of senior EU privacy experts
> in CPH. We intentionally gave WSGR the same questions (exactly) as were
> given to experts at CPH.
>
> ·        Now it's time to take inputs received from two sources and use
> it to address work outlined in our charter...
>
> 4. Introduce methodology to be used to apply memo to our work
>
> ·        Charter questions: Users/Purposes, Gated Access, Data Accuracy,
> Data Elements, and Privacy - fundamental questions to be addressed in Phase
> 1
>
> ·        We have already examined all but Accuracy to some degree, mostly
> for MPDS
>
> ·        What we're going to do today is to start with Charter question
> on Privacy and look at how inputs from senior EU privacy experts AND WSGR
> help us answer or move forward in addressing that question/sub-questions
>
> 5. Starting with charter question on Privacy for deliberation
>
>     a. Introduce DP/Privacy principles related to the charter question on
> Privacy
>
> ·
> https://community.icann.org/download/attachments/66086765/Handout-RDS-WG-Call-3Oct2017.pdf
>
> ·        Copied extracted principles in handout, mapped to the charter
> question on privacy and associated sub-questions, to facilitate reference
> during deliberation on those questions
>
> ·        Note that at end of handout there appears the one WG agreement
> thus far under the Privacy charter question, which was limited to MPDS: 14.
> [For MPDS] Existing gTLD RDS policies do NOT sufficiently address
> compliance with applicable data protection, privacy, and free speech laws
> about purpose
>
> ·        Review of principles mapped to this charter question/sub
> question:
>
> ·        *5.1 Do existing gTLD registration directory services policies
> sufficiently address compliance with applicable data protection, privacy,
> and free speech laws within each jurisdiction?*
>
> b. Starting with Privacy sub-question 5.1, discuss impact on WG agreements
>
> ·        We are not restricted to EU focus of this input; the input does
> provide guidance with respect to that jurisdiction. Our task is to provide
> requirements for RDS that takes into consideration all jurisdictions.
>
> ·        “Within each jurisdiction” = within ALL jurisdictions of the
> world
>
> ·        Re: 3.e. The GDPR applies to all personal data, comments that
> GDPR does NOT apply to all personal data
>
> ·        Answer could be "yes" if taking into account procedure for
> dealing with conflicts with local law
>
> ·        Conflating two different issues: policy and implementation.
> Reading RAA it matches up with GDPR, but the way it's been implemented does
> not (e.g., purpose, consent). Need to ask whether policies address
> compliance or whether implementation of those policies does or does not
>
> ·        Comment: The policy as it is written is tightly bound to the
> extreme limitations of whois-the-protocol, which is part of the problem
>
> ·        For example, from RAA: *3.7.7.4 Registrar shall provide notice
> to each new or renewed Registered Name Holder stating: 3.7.7.4.1 The
> purposes for which any Personal Data collected from the applicant are
> intended; 3.7.7.4.2 The intended recipients or categories of recipients of
> the data (including the Registry Operator and others who will receive the
> data from Registry Operator); 3.7.7.4.3 Which data are obligatory and which
> data, if any, are voluntary; and 3.7.7.4.4 How the Registered Name Holder
> or data subject can access and, if necessary, rectify the data held about
> them. 3.7.7.5 The Registered Name Holder shall consent to the data
> processing referred to in Subsection 3.7.7.4.*
>
> ·        Is data escrow within the RDS's scope?
>
> ·        Do questions not line up with existing policy, producing answers
> that are not useful? This is why people are concerned about questions - if
> you ask the wrong question, you don't get helpful answers
>
> ·        Maybe the question should be "Do the existing implementations of
> gTLD policy sufficiently address compliance....?"
>
> ·        Comment: Current policies violate GDPR for EU citizens - example
> CL&D
>
> ·        Need to distinguish policies from implementation, which is
> informed by decisions about who the data controller is
>
> ·        Note that WSGR did not respond to the questions that are in this
> document - these are questions that the WG identified as sub-questions to
> help address the overarching charter questions. The principles that you see
> were derived from the memo as aiming to assist in responding to these
> questions.
>
> ·        Possible reframing of sub-question 5.1: *Do existing gTLD
> registration directory services policies and/or implementations PREVENT
> compliance with applicable data protection, privacy, and free speech laws
> within each jurisdiction?*
>
> ·        Would re-applying existing policy, using RDAP instead of WHOIS,
> shed any light on whether it's the policy or the implementation that
> prevents compliance with applicable laws?
>
> *Action Item:* WG leadership team to consider input received during
> today's meeting and consider how to move forward as today's meeting did not
> achieve the goal of moving forward on these questions.
>
> 6. Confirm action items and proposed decision points
>
> ·        *WG Agreement: *There is no requirement for the Original
> Registration Date as proposed by the EWG Final Report
>
> ·        *Action Item:* Staff to incorporate WG agreement in working
> draft.
>
> ·        *Action Item:* WG leadership team to consider input received
> during today's meeting and consider how to move forward as today's meeting
> did not achieve the goal of moving forward on these questions.
>
>  7. Confirm next WG meeting (Tuesday 10 October at 16.00 UTC)
>
>
>
> *Meeting Materials (all posted at https://community.icann.org/x/bWfwAw)*
>
> ·        *26 September Call poll (closed COB Saturday 30 September)*
>
> ·        *Link to participate*: https://www.surveymonkey.com/r/JM679DR
>
> ·        *PDF of Poll Questions*: Poll-from-26SeptemberCall.pdf
> <https://community.icann.org/download/attachments/66086762/Poll-from-26SeptemberCall.pdf?version=1&modificationDate=1506462198000&api=v2>
>
> ·        *SurveyMonkey Summary Poll Results: *
> SummaryResults-Poll-from-26SeptCall.pdf
> <https://community.icann.org/download/attachments/66086765/SummaryResults-Poll-from-26SeptCall.pdf?version=1&modificationDate=1506882150000&api=v2>
>
> ·        *SurveyMonkey Raw Data Poll Results: *
> RawDataResults-Poll-from-26SeptCall.zip
> <https://community.icann.org/download/attachments/66086765/RawDataResults-Poll-from-26SeptCall.zip?version=1&modificationDate=1506882171000&api=v2>
>  and XLS
> <https://community.icann.org/download/attachments/66086765/RawDataResults-Poll-from-26SeptCall.xlsx?version=1&modificationDate=1506882190000&api=v2>
>
> ·        *Annotated Survey Results: *
> AnnotatedResults-Poll-from-26SeptCall.pdf
> <https://community.icann.org/download/attachments/66086765/AnnotatedResults-Poll-from-26SeptCall.pdf?version=1&modificationDate=1506963736000&api=v2>
>
> ·        WSGR memorandum:
> https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf
>
> ·        Principles from DP Expert and WSGR - 29 Sept 2017.docx
> <https://community.icann.org/download/attachments/66086765/Principles%20from%20DP%20Expert%20and%20WSGR%20-%2029%20Sept%202017.docx?version=1&modificationDate=1506964656000&api=v2>
>
> ·        Handout-RDS-WG-Call-3Oct2017.pdf
> <https://community.icann.org/download/attachments/66086765/Handout-RDS-WG-Call-3Oct2017.pdf?version=1&modificationDate=1506979314000&api=v2>
>
>
>
>

-- 
Jonathan Matkowsky
