[gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 3 October

Ayden Férdeline icann at ferdeline.com
Wed Oct 4 18:13:06 UTC 2017


I agree with your assessment here, Jonathan, that ICANN is a data controller.

Best wishes, Ayden

> -------- Original Message --------
> Subject: Re: [gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 3 October
> Local Time: 4 October 2017 6:13 PM
> UTC Time: 4 October 2017 17:13
> From: jonathan.matkowsky at riskiq.net
> To: Marika Konings <marika.konings at icann.org>, gnso-rds-pdp-wg at icann.org <gnso-rds-pdp-wg at icann.org>, lisa at corecom.com <lisa at corecom.com>
>
> I’ve given more thought to this and it seems now obvious to me that ICANN is in fact a data Controller since alone or jointly with others, it is determining the purposes and means of the processing of the personal data.
>
> Jonathan Matkowsky
>
> On Wed, Oct 4, 2017 at 9:54 AM jonathan matkowsky <jonathan.matkowsky at riskiq.net> wrote:
>
>> Marika, there needs to be a “data flow” diagram with an analysis of the data from the time it’s provided by the registrant until it makes its way into the Whois, and the role that each registrar plays as controller vs processor, and ICANN as a co-controller versus processor. All the different obligations under the GDPR flow from these categories and they trigger different types of obligations. And that is unfortunately missing.
>>
>> On Tue, Oct 3, 2017 at 5:29 PM Marika Konings <marika.konings at icann.org> wrote:
>>
>>> Jonathan, I am not sure what you are referring to with ‘an analysis of ICANN as a data controller versus processor vs. co-controller’. I am not aware that anyone in particular is working on such an analysis but I am happy to stand corrected. I do note that the WSGR memorandum addresses the issue of controller in a number of its responses such as those to question 1 and question 17.
>>>
>>> As Chuck indicated on the call, if/when responses are received to the limited number of follow up questions, these will be shared with the WG.
>>>
>>> Best regards,
>>>
>>> Marika
>>>
>>> From: <gnso-rds-pdp-wg-bounces at icann.org> on behalf of jonathan matkowsky <jonathan.matkowsky at riskiq.net>
>>> Date: Tuesday, October 3, 2017 at 15:04
>>> To: "gnso-rds-pdp-wg at icann.org" <gnso-rds-pdp-wg at icann.org>, Lisa Phifer <lisa at corecom.com>
>>> Subject: Re: [gnso-rds-pdp-wg] IMPORTANT: Notes from RDS PDP WG Meeting - 3 October
>>>
>>> Hi Lisa,
>>>
>>> —When will we get an analysis of ICANN as a data controller versus processor vs co-controller? How can we draw conclusions from the memo without this info?
>>>
>>> —What are the follow-up questions already posed to the law firm?
>>>
>>> Thanks
>>>
>>> Jonathan
>>>
>>> On Tue, Oct 3, 2017 at 3:33 PM Lisa Phifer <lisa at corecom.com> wrote:
>>>
>>>> Dear all,
>>>>
>>>> Below please find notes from today’s RDS PDP WG meeting.
>>>>
>>>> To recap Action Items from today’s call:
>>>>
>>>> ·        Action Item: Staff to incorporate WG agreement in working draft.
>>>>
>>>> ·        Action Item: WG leadership team to consider input received during today's meeting and consider how to move forward as today's meeting did not achieve the goal of moving forward on these questions.
>>>>
>>>> Best regards,
>>>> Lisa
>>>>
>>>> Action Items and Notes from RDS PDP WG Call – 3 October 2017
>>>
>>>> These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki here: https://community.icann.org/x/bWfwAw
>>>
>>>> 1. Roll Call/SOI Updates
>>>>
>>>> ·        No SOI updates identified
>>>>
>>>> 2. Apply results from last week’s poll to working document
>>>
>>>> ·        https://community.icann.org/download/attachments/66086765/AnnotatedResults-Poll-from-26SeptCall.pdf
>>>
>>>> ·        22 members participated in poll
>>>>
>>>> ·        77% still don't think Original Registration Date should be a new data element
>>>>
>>>> ·        Record in working document as tentative agreement
>>>>
>>>> WG Agreement: There is no requirement for the Original Registration Date as proposed by the EWG Final Report
>>>>
>>>> Action Item: Staff to incorporate WG agreement in working draft.
>>>>
>>>> 3. General questions about WSGR memo
>>>
>>>> ·        https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf
>>>
>>>> ·        Leadership in consultation with legal advisors within WG have been working to extract principles from WSGR memo and also answers previously supplied by senior EU privacy experts, to be applied to our work going forward
>>>>
>>>> ·        How was the law firm selected? Several candidates with expertise identified by staff and augmented with suggestions from legal advisors within WG. Using that input, candidates were evaluated and chosen based on experience, reputation, etc. Selection was ultimately made by leadership team not advisory group, with group's input on two finalists.
>>>>
>>>> ·        Do we intend to go back to the law firm to ask for more typical legal advice - that is, tell them what we propose doing, and ask for advice on legal risks associated with proposal? Yes, we can seek legal advice in the future, from this firm or another firm, at appropriate points in our work - that will incur additional cost to seek answers to new questions.
>>>>
>>>> ·        Were discussions with law firm recorded, or can a transcript be provided? The leadership team and legal advisors reviewed a confidential draft for the purpose of identifying any items requiring clarification, enabling finalization of the memo.
>>>>
>>>> ·        The law firm explicitly asked that draft not be shared and be treated as confidential; they prefer to share only final work product. In some cases, they asked for clarification of the questions that were asked by WG. We can share questions that were asked, but those questions focused on clarification and not questioning views or opinions expressed by WSGR.
>>>>
>>>> ·        How much did the advisory team feedback impact the ultimate questions? Not at all. The questions were developed by the WG prior to ICANN58 meeting, and then presented to full WG for review/edit/approval. Those questions were then published and asked of senior EU privacy experts in CPH. We intentionally gave WSGR the same questions (exactly) as were given to experts at CPH.
>>>>
>>>> ·        Now it's time to take inputs received from two sources and use it to address work outlined in our charter...
>>>>
>>>> 4. Introduce methodology to be used to apply memo to our work
>>>>
>>>> ·        Charter questions: Users/Purposes, Gated Access, Data Accuracy, Data Elements, and Privacy - fundamental questions to be addressed in Phase 1
>>>>
>>>> ·        We have already examined all but Accuracy to some degree, mostly for MPDS
>>>>
>>>> ·        What we're going to do today is to start with Charter question on Privacy and look at how inputs from senior EU privacy experts AND WSGR help us answer or move forward in addressing that question/sub-questions
>>>>
>>>> 5. Starting with charter question on Privacy for deliberation
>>>>
>>>>     a. Introduce DP/Privacy principles related to the charter question on Privacy
>>>
>>>> ·        https://community.icann.org/download/attachments/66086765/Handout-RDS-WG-Call-3Oct2017.pdf
>>>
>>>> ·        Copied extracted principles in handout, mapped to the charter question on privacy and associated sub-questions, to facilitate reference during deliberation on those questions
>>>>
>>>> ·        Note that at end of handout there appears the one WG agreement thus far under the Privacy charter question, which was limited to MPDS: 14. [For MPDS] Existing gTLD RDS policies do NOT sufficiently address compliance with applicable data protection, privacy, and free speech laws about purpose
>>>>
>>>> ·        Review of principles mapped to this charter question/sub question:
>>>>
>>>> ·        5.1 Do existing gTLD registration directory services policies sufficiently address compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
>>>>
>>>> b. Starting with Privacy sub-question 5.1, discuss impact on WG agreements
>>>>
>>>> ·        We are not restricted to EU focus of this input; the input does provide guidance with respect to that jurisdiction. Our task is to provide requirements for RDS that take into consideration all jurisdictions.
>>>>
>>>> ·        “Within each jurisdiction” = within ALL jurisdictions of the world
>>>>
>>>> ·        Re: 3.e. The GDPR applies to all personal data, comments that GDPR does NOT apply to all personal data
>>>>
>>>> ·        Answer could be "yes" if taking into account procedure for dealing with conflicts with local law
>>>>
>>>> ·        Conflating two different issues: policy and implementation. Reading RAA it matches up with GDPR, but the way it's been implemented does not (e.g., purpose, consent). Need to ask whether policies address compliance or whether implementation of those policies does or does not
>>>>
>>>> ·        Comment: The policy as it is written is tightly bound to the extreme limitations of whois-the-protocol, which is part of the problem
>>>>
>>>> ·        For example, from RAA: 3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating: 3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended; 3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator); 3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and 3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them. 3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4.
>>>>
>>>> ·        Is data escrow within the RDS's scope?
>>>>
>>>> ·        Do questions not line up with existing policy, producing answers that are not useful? This is why people are concerned about questions - if you ask the wrong question, you don't get helpful answers
>>>>
>>>> ·        Maybe the question should be "Do the existing implementations of gTLD policy sufficiently address compliance...?"
>>>>
>>>> ·        Comment: Current policies violate GDPR for EU citizens - example CL&D
>>>>
>>>> ·        Need to distinguish policies from implementation, which is informed by decisions about who the data controller is
>>>>
>>>> ·        Note that WSGR did not respond to the questions that are in this document - these are questions that the WG identified as sub-questions to help address the overarching charter questions. The principles that you see were derived from the memo as aiming to assist in responding to these questions.
>>>>
>>>> ·        Possible reframing of sub-question 5.1: Do existing gTLD registration directory services policies and/or implementations PREVENT compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
>>>>
>>>> ·        Would re-applying existing policy, using RDAP instead of WHOIS, shed any light on whether it's the policy or the implementation that prevent compliance with applicable laws?
>>>>
>>>> Action Item: WG leadership team to consider input received during today's meeting and consider how to move forward as today's meeting did not achieve the goal of moving forward on these questions.
>>>>
>>>> 6. Confirm action items and proposed decision points
>>>>
>>>> ·        WG Agreement: There is no requirement for the Original Registration Date as proposed by the EWG Final Report
>>>>
>>>> ·        Action Item: Staff to incorporate WG agreement in working draft.
>>>>
>>>> ·        Action Item: WG leadership team to consider input received during today's meeting and consider how to move forward as today's meeting did not achieve the goal of moving forward on these questions.
>>>>
>>>>  7. Confirm next WG meeting (Tuesday 10 October at 16.00 UTC)
>>>
>>>> Meeting Materials (all posted at https://community.icann.org/x/bWfwAw)
>>>
>>>> ·        26 September Call poll (closed COB Saturday 30 September)
>>>
>>>> ·        Link to participate: https://www.surveymonkey.com/r/JM679DR
>>>>
>>>> ·        PDF of Poll Questions: [Poll-from-26SeptemberCall.pdf](https://community.icann.org/download/attachments/66086762/Poll-from-26SeptemberCall.pdf?version=1&modificationDate=1506462198000&api=v2)
>>>>
>>>> ·        SurveyMonkey Summary Poll Results: [SummaryResults-Poll-from-26SeptCall.pdf](https://community.icann.org/download/attachments/66086765/SummaryResults-Poll-from-26SeptCall.pdf?version=1&modificationDate=1506882150000&api=v2)
>>>>
>>>> ·        SurveyMonkey Raw Data Poll Results: [RawDataResults-Poll-from-26SeptCall.zip](https://community.icann.org/download/attachments/66086765/RawDataResults-Poll-from-26SeptCall.zip?version=1&modificationDate=1506882171000&api=v2) and [XLS](https://community.icann.org/download/attachments/66086765/RawDataResults-Poll-from-26SeptCall.xlsx?version=1&modificationDate=1506882190000&api=v2)
>>>>
>>>> ·        Annotated Survey Results: [AnnotatedResults-Poll-from-26SeptCall.pdf](https://community.icann.org/download/attachments/66086765/AnnotatedResults-Poll-from-26SeptCall.pdf?version=1&modificationDate=1506963736000&api=v2)
>>>>
>>>> ·        WSGR memorandum: https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf
>>>>
>>>> ·        [Principles from DP Expert and WSGR - 29 Sept 2017.docx](https://community.icann.org/download/attachments/66086765/Principles%20from%20DP%20Expert%20and%20WSGR%20-%2029%20Sept%202017.docx?version=1&modificationDate=1506964656000&api=v2)
>>>>
>>>> ·        [Handout-RDS-WG-Call-3Oct2017.pdf](https://community.icann.org/download/attachments/66086765/Handout-RDS-WG-Call-3Oct2017.pdf?version=1&modificationDate=1506979314000&api=v2)
>>>
>>>> _______________________________________________
>>>> gnso-rds-pdp-wg mailing list
>>>> gnso-rds-pdp-wg at icann.org
>>>> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>>>
>>>>
>>>
>>> --
>>>
>>> Jonathan Matkowsky
>>>
>>> *******************************************************************
>>> This message was sent from RiskIQ, and is intended only for the designated recipient(s). It may contain confidential or proprietary information and may be subject to confidentiality protections. If you are not a designated recipient, you may not review, copy or distribute this message. If you receive this in error, please notify the sender by reply e-mail and delete this message. Thank you.
>>>
>>> *******************************************************************
>>
>> --
>> Jonathan Matkowsky
>
> --
> Jonathan Matkowsky