[IRT.RegDataPolicy] Rec19 IRT comments closing - DPA ICANN org & CP

Anderson, Marc mcanderson at verisign.com
Thu Oct 31 18:23:36 UTC 2019


Dennis, IPT and IRT teams,



I have some closing comments on Rec #19.  Early on there was an attempt to bundle the phase 1 recommendations dealing with data processing agreements.  I think since there has been agreement that the data processing agreements between contracted parties (ICANN, Registries and Registrars) should be separate from those dealing with third parties (such as escrow or EBERO providers).  Rec #19 is specific to contracted parties and I suggest the policy language stay the same.  The current text referencing third parties should be removed from this recommendation and covered in a separate section.



I’m not sure that Rec #19 requires consensus policy language at all.  It recommends that contracted parties enter into required data protection agreements as appropriate.  That can be accomplished without consensus policy language.  If, however, language to this effect is going to be included, the current language goes far beyond what is in Rec #19.  Privacy law is evolving and varies across jurisdictions.  There is a danger in being too explicit in what is required in these data processing agreements as contracted parties will need some flexibility in implementing and maintaining them over time.  This was a factor in why Rec #19 states that due consideration should be given to the related analysis done by the EPDP team, rather than including that analysis directly in the recommendation.  We realized flexibility would be needed.



If it is decided that some language is needed for #19 in the policy, I suggest something much more streamlined.  For example building on the existing language and Rec #19:



Policy:

As part of processing gTLD registration data, ICANN Org, gTLD registries and accredited registrars must enter into and maintain in effect data processing terms and conditions concerning personal data in gTLD registration data as appropriate. The data processing terms and conditions will be provided in contractual language (in the form of an annex to the applicable contract between ICANN and the contracted party  specifications or addendum, for example).



Implementation notes:

In drafting these data protection agreements, ICANN Org, gTLD registries and accredited registrars shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne, to the extent appropriate, by the parties that are involved in the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.



Best,

Marc





From: IRT.RegDataPolicy <irt.regdatapolicy-bounces at icann.org> On Behalf Of Dennis Chang
Sent: Monday, October 28, 2019 3:52 PM
To: irt.regdatapolicy at icann.org
Subject: [EXTERNAL] [IRT.RegDataPolicy] Rec19 IRT comments closing - DPA ICANN org & CP



Call to close IRT comment for Recommendation #19 Analysis regarding DPA between ICANN and Contracted Parties

62

IRT review closing Recommendation #19 Analysis - DPA ICANN org & CP<https://docs.google.com/document/d/1kJFdfch4WI-bE8zXW1EM8ioVOAg7BlPOimJkqYJrR_w/edit>

20191101



--

Kind Regards,

Dennis S. Chang

GDD Programs Director

Phone: +1 213 293 7889

Skype: dennisSchang

www.icann.org<http://www.icann.org> One World – One Internet
