From yuko.green at icann.org Fri Nov 12 18:23:32 2021
From: yuko.green at icann.org (Yuko Yokoyama)
Date: Fri, 12 Nov 2021 18:23:32 +0000
Subject: [ODP-SSAD] Request for verification/feedback on SSAD recommendations
Message-ID: <2AF94881-78F0-494C-9D3A-82630ACED211@icann.org>

Dear Janis,

We identified 2 additional questions/assumptions that we would like GNSO Council's confirmation and/or clarifications.

Question 1:

Recommendation 9.4 states: Per the legal guidance obtained (see Advice on use cases re automation in the context of disclosure of non-public registrant data - April 2020), the EPDP Team recommends that the following types of disclosure requests, for which legal permissibility has been indicated under GDPR for full automation (in-take as well as processing of disclosure decision) MUST be automated from the time of the launch of the SSAD:

Recommendation 9.4.4 states: No personal data on registration record that has been previously disclosed by the Contracted Party.

ICANN org understands this mandatory automated use case 4 to apply only when a contracted party has notified the central gateway operator that this use case applies for a specific domain name, as the central gateway operator would not know which domain names' registration data contain no personal data, or if the CPs have previously disclosed the data on the ground of use case 4. Can you please confirm this is the intent of the Policy Recommendation?

Question 2:

As you can see in our briefing from ICANN72 presentation concerning identity verification, ICANN org understands the EPDP recommendations to contemplate two different types of accredited SSAD users who may be associated with a legal person: (a) individuals who are affiliated with an org (e.g. an employee), and (b) individuals who represent an org (such as an outside counsel, brand management firm, etc).
For each of these types of individuals, we are expecting that the accreditation authority will first verify the individual's identity, and then the individual's association with the legal person. The individual's association with the legal person would be a "declaration" tied to the individual's accreditation, which takes into account that one individual could be associated with more than one legal entity who has individuals using the SSAD. This is the "signed assertion" concept referenced in the EPDP Team's Final Report.

One issue we will need to resolve during implementation is how to manage multiple individuals' associations with the same legal entity. Can you let us know if the approaches we've identified are aligned with the community expectations in this regard, if not, can you share any additional thinking regarding the community expectations?

The first approach we identified was that each individual's association with a legal entity will need to be individually verified (so that even if one person has demonstrated an association with an entity, the second, third, fourth, etc individuals will also need to do the same).

Alternatively, a second, alternative, approach would be that once one person is accredited and associated with a legal entity in the SSAD, additional individuals claiming association with the legal entity could be added (or verified) by the initial individual to gain accreditation and be associated with the entity. However, this approach may raise operational challenges, particularly in large, global entities that may have many individuals seeking SSAD accreditation. This also may not work in cases where the first individual accredited and associated with an organization is an organizational representative, since a representative may not be able to verify individuals within the org, or other individuals who represent the org.

We look forward to discussing this matter during our next call with you.

Regards,

Yuko Yokoyama
Program Director
Strategic Initiatives, Global Domains & Strategy
Internet Corporation for Assigned Names and Numbers (ICANN)
E-mail: yuko.green at icann.org
www.icann.org

From diana.middleton at icann.org Tue Nov 16 16:05:25 2021
From: diana.middleton at icann.org (Diana Middleton)
Date: Tue, 16 Nov 2021 16:05:25 +0000
Subject: [ODP-SSAD] 18 November Webinar - Deck Published
Message-ID:

Our fourth SSAD ODP Community Webinar on the business process and system designs of the SSAD will be this Thursday, 18 November 2021 from 16:00 to 17:30 UTC. You can still register here.

With the aim of maximizing community feedback, we have published the webinar presentation in advance here. This way, you can choose to submit questions in advance to odp-ssad at icann.org or alternatively ask them during the webinar. Our team will be happy to answer them.

We look forward to your participation.

From yuko.green at icann.org Tue Nov 30 16:43:02 2021
From: yuko.green at icann.org (Yuko Yokoyama)
Date: Tue, 30 Nov 2021 16:43:02 +0000
Subject: [ODP-SSAD] Response to the question asked during the Webinar #4
Message-ID:

Dear Mr. Palage,

As you recall, SSAD ODP team ran out of time to address your question that was asked at the end of the last SSAD ODP webinar (18 November 2021). As promised, here is our response to your question.

Your question:

The term "technically and commercially feasible" is currently used in the 2013 RRA. Is ICANN stating that the term in Recommendation in 9.1 is equivalent to the RRA term. Goran stated that it was up to Registrars to make that determination under 9.1, who makes that determination under the RAA? ICANN Compliance or the Registrar?

Our answer:

No. ICANN is not stating that the term "technically and commercially feasible"
in Recommendation 9.1 is equivalent to the term used in the Registrar Accreditation Agreement. The RAA's Transition Addendum, at Section 6, set out a process for determining technical and commercial feasibility of an across-field validation requirement in the RAA's WHOIS Accuracy Program Specification, at Section 1(e). The EPDP Team did not reference or incorporate that process into its SSAD recommendations.

This question was asked in follow-up to a question read aloud and answered during the webinar: "How does ICANN intend to resolve ambiguity and recommendation 9.1 around who gets to determine whether it is technically and commercially feasible and legally permissible to automate responses?" (see recording at approximately 1hr:21min).

During the webinar, Göran Marby responded that, under the General Data Protection Regulation (GDPR), the contracted parties would be responsible for deciding whether or not to disclose nonpublic registration data requested via the SSAD. When a contracted party's disclosure of registration data is subject to the GDPR, and that processing is performed pursuant to the GDPR's "legitimate interest" legal basis (e.g. requiring the application of the GDPR's Article 6(1)f's "balancing test"), the contracted party (not ICANN) is responsible for applying that test and determining whether or not it may disclose the data in compliance with the GDPR. Göran also said that "the policy making process cannot change that fundamental fact because it's one of the more important parts of the actual law."

I hope this answered your question, but if further clarification is needed, please do not hesitate to contact us at odp-ssad at icann.org. Please note, this email is also posted on our publicly archived email.

Regards,

Yuko Yokoyama
Program Director
Strategic Initiatives, Global Domains & Strategy
Internet Corporation for Assigned Names and Numbers (ICANN)