From eleeza.agopian at icann.org Wed Oct 13 13:58:39 2021 From: eleeza.agopian at icann.org (Eleeza Agopian) Date: Wed, 13 Oct 2021 13:58:39 +0000 Subject: [ODP-SSAD] [Ext] ODP Design In-Reply-To: References: Message-ID: <9A72028B-A8F8-43F5-80B6-D1166577B342@icann.org> Dear Mr. Muthusamy, Thank you for your email. The Request for Information on identity verification methods you referenced below closed in July. An overview of the responses we received was provided in a webinar conducted on 24 September 2021. A recording of that webinar is available here. We are also planning another community conversation on this project during ICANN72. You can find information on the 28 Octoberr 2021 session here. If you have any feedback or input you?d like to share with the SSAD ODP team, you can submit it to odp-ssad at icann.org. Please note that all emails sent to this address are publicly archived here. You can find more information on the SSAD ODP on this page. Thank you, Eleeza From: Sivasubramanian Muthusamy Date: Sunday, October 10, 2021 at 12:43 PM To: Eleeza Agopian , "ssad at icann.org" Cc: Sivasubramanian Muthusamy <6.Internet at gmail.com> Subject: [Ext] ODP Design This concerns ICANN' call for information on identity verification methods as published at page https://www.icann.org/en/blogs/details/icann-to-open-request-for-information-on-identity-verification-methods-10-6-2021-en I wish to present a broad, abstract design outline for SSAD, with a commercial component in design and implementation, somewhat expanded in scope considering recent DNS issues related to identity. Kindly advise us on the timeline for this project. -- Sivasubramanian M Nameshop India. -------------- next part -------------- An HTML attachment was scrubbed... URL: From shiva at nameshop.in Sun Oct 10 19:45:54 2021 From: shiva at nameshop.in (Sivasubramanian Muthusamy) Date: Mon, 11 Oct 2021 01:15:54 +0530 Subject: [ODP-SSAD] Sent again with recipient addresses corrected: ODP Design In-Reply-To: References: Message-ID: Dear Eleeza Agopian, This concerns ICANN' call for information on identity verification methods as published at page https://www.icann.org/en/blogs/details/icann-to-open-request-for-information-on-identity-verification-methods-10-6-2021-en I wish to present a broad, abstract design outline for SSAD, with a commercial component in design and implementation, somewhat expanded in scope considering recent DNS issues related to identity. Kindly advise us on the timeline for this project. -- Sivasubramanian M Nameshop India. -------------- next part -------------- An HTML attachment was scrubbed... URL: From 6.internet at gmail.com Wed Oct 13 16:29:00 2021 From: 6.internet at gmail.com (sivasubramanian muthusamy) Date: Wed, 13 Oct 2021 21:59:00 +0530 Subject: [ODP-SSAD] [Ext] ODP Design In-Reply-To: <9A72028B-A8F8-43F5-80B6-D1166577B342@icann.org> References: <9A72028B-A8F8-43F5-80B6-D1166577B342@icann.org> Message-ID: Thank you for your reply with the links and session information. I will follow the information and also attend the community conversation. My earlier message to you was copied to odp-ssad at icann.org but I received an error message indicating that this is a list to which I am not subscribed to. Please see the attached screenshot. Sivasubramanian M On Wed, Oct 13, 2021 at 7:28 PM Eleeza Agopian wrote: > Dear Mr. Muthusamy, > > > > Thank you for your email. The Request for Information > > on identity verification methods you referenced below closed in July. An > overview of the responses we received was provided in a webinar conducted > on 24 September 2021. A recording of that webinar is available here > . > > > > > We are also planning another community conversation on this project during > ICANN72. You can find information on the 28 Octoberr 2021 session here > . > > > > > If you have any feedback or input you?d like to share with the SSAD ODP > team, you can submit it to odp-ssad at icann.org. Please note that all > emails sent to this address are publicly archived here > . You can find more information > on the SSAD ODP on this page . > > > > Thank you, > > Eleeza > > > > *From: *Sivasubramanian Muthusamy > *Date: *Sunday, October 10, 2021 at 12:43 PM > *To: *Eleeza Agopian , "ssad at icann.org" < > ssad at icann.org> > *Cc: *Sivasubramanian Muthusamy <6.Internet at gmail.com> > *Subject: *[Ext] ODP Design > > > > This concerns ICANN' call for information on identity verification methods > as published at page > https://www.icann.org/en/blogs/details/icann-to-open-request-for-information-on-identity-verification-methods-10-6-2021-en > > > > I wish to present a broad, abstract design outline for SSAD, with a > commercial component in design and implementation, somewhat expanded in > scope considering recent DNS issues related to identity. Kindly advise us > on the timeline for this project. > > > > -- > > Sivasubramanian M > > Nameshop > > India. > -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: odp ssad message.png Type: image/png Size: 59183 bytes Desc: not available URL: From eleeza.agopian at icann.org Wed Oct 13 16:42:09 2021 From: eleeza.agopian at icann.org (Eleeza Agopian) Date: Wed, 13 Oct 2021 16:42:09 +0000 Subject: [ODP-SSAD] [Ext] ODP Design In-Reply-To: References: <9A72028B-A8F8-43F5-80B6-D1166577B342@icann.org> Message-ID: Your message was received. We manually approve all emails that are sent to that address as it draws a large amount of spam. This list was not envisioned to be a platform for community discussion by allowing responses to email threads, which has resulted in the deactivation of the subscription feature. You should see your message posted to the archive now: https://mm.icann.org/pipermail/odp-ssad/2021-October/thread.html From: sivasubramanian muthusamy <6.internet at gmail.com> Date: Wednesday, October 13, 2021 at 9:29 AM To: Eleeza Agopian Cc: Sivasubramanian Muthusamy , "ssad at icann.org" , "ODP-SSAD at icann.org" Subject: Re: [Ext] ODP Design Thank you for your reply with the links and session information. I will follow the information and also attend the community conversation. My earlier message to you was copied to odp-ssad at icann.org but I received an error message indicating that this is a list to which I am not subscribed to. Please see the attached screenshot. Sivasubramanian M On Wed, Oct 13, 2021 at 7:28 PM Eleeza Agopian > wrote: Dear Mr. Muthusamy, Thank you for your email. The Request for Information on identity verification methods you referenced below closed in July. An overview of the responses we received was provided in a webinar conducted on 24 September 2021. A recording of that webinar is available here [icann.zoom.us]. We are also planning another community conversation on this project during ICANN72. You can find information on the 28 Octoberr 2021 session here [72.schedule.icann.org]. If you have any feedback or input you?d like to share with the SSAD ODP team, you can submit it to odp-ssad at icann.org. Please note that all emails sent to this address are publicly archived here. You can find more information on the SSAD ODP on this page. Thank you, Eleeza From: Sivasubramanian Muthusamy > Date: Sunday, October 10, 2021 at 12:43 PM To: Eleeza Agopian >, "ssad at icann.org" > Cc: Sivasubramanian Muthusamy <6.Internet at gmail.com> Subject: [Ext] ODP Design This concerns ICANN' call for information on identity verification methods as published at page https://www.icann.org/en/blogs/details/icann-to-open-request-for-information-on-identity-verification-methods-10-6-2021-en I wish to present a broad, abstract design outline for SSAD, with a commercial component in design and implementation, somewhat expanded in scope considering recent DNS issues related to identity. Kindly advise us on the timeline for this project. -- Sivasubramanian M Nameshop India. -------------- next part -------------- An HTML attachment was scrubbed... URL: From shiva at nameshop.in Wed Oct 13 16:55:53 2021 From: shiva at nameshop.in (Sivasubramanian Muthusamy) Date: Wed, 13 Oct 2021 22:25:53 +0530 Subject: [ODP-SSAD] [Ext] ODP Design In-Reply-To: References: <9A72028B-A8F8-43F5-80B6-D1166577B342@icann.org>

Message-ID: Thank you :) I saw the message in the archive. I will now follow the recording of the webinar and come back to you with questions if any. Sivasubramanian M On Wed, Oct 13, 2021 at 10:12 PM Eleeza Agopian wrote: > Your message was received. We manually approve all emails that are sent to > that address as it draws a large amount of spam. This list was not > envisioned to be a platform for community discussion by allowing responses > to email threads, which has resulted in the deactivation of the > subscription feature. > > > > You should see your message posted to the archive now: > https://mm.icann.org/pipermail/odp-ssad/2021-October/thread.html > > > > > > *From: *sivasubramanian muthusamy <6.internet at gmail.com> > *Date: *Wednesday, October 13, 2021 at 9:29 AM > *To: *Eleeza Agopian > *Cc: *Sivasubramanian Muthusamy , "ssad at icann.org" < > ssad at icann.org>, "ODP-SSAD at icann.org" > *Subject: *Re: [Ext] ODP Design > > > > Thank you for your reply with the links and session information. I will > follow the information and also attend the community conversation. My > earlier message to you was copied to odp-ssad at icann.org but I received an > error message indicating that this is a list to which I am not subscribed > to. Please see the attached screenshot. > > > > > > Sivasubramanian M > > > > > > > > On Wed, Oct 13, 2021 at 7:28 PM Eleeza Agopian > wrote: > > Dear Mr. Muthusamy, > > > > Thank you for your email. The Request for Information > > on identity verification methods you referenced below closed in July. An > overview of the responses we received was provided in a webinar conducted > on 24 September 2021. A recording of that webinar is available here > [icann.zoom.us] > . > > > > > We are also planning another community conversation on this project during > ICANN72. You can find information on the 28 Octoberr 2021 session here > [72.schedule.icann.org] > . > > > > > If you have any feedback or input you?d like to share with the SSAD ODP > team, you can submit it to odp-ssad at icann.org. Please note that all > emails sent to this address are publicly archived here > . You can find more information > on the SSAD ODP on this page . > > > > Thank you, > > Eleeza > > > > *From: *Sivasubramanian Muthusamy > *Date: *Sunday, October 10, 2021 at 12:43 PM > *To: *Eleeza Agopian , "ssad at icann.org" < > ssad at icann.org> > *Cc: *Sivasubramanian Muthusamy <6.Internet at gmail.com> > *Subject: *[Ext] ODP Design > > > > This concerns ICANN' call for information on identity verification methods > as published at page > https://www.icann.org/en/blogs/details/icann-to-open-request-for-information-on-identity-verification-methods-10-6-2021-en > > > > I wish to present a broad, abstract design outline for SSAD, with a > commercial component in design and implementation, somewhat expanded in > scope considering recent DNS issues related to identity. Kindly advise us > on the timeline for this project. > > > > -- > > Sivasubramanian M > > Nameshop > > India. > > -- Sivasubramanian M Nameshop India. -------------- next part -------------- An HTML attachment was scrubbed... URL: From fabien.betremieux at icann.org Fri Oct 15 18:34:49 2021 From: fabien.betremieux at icann.org (Fabien Betremieux) Date: Fri, 15 Oct 2021 18:34:49 +0000 Subject: [ODP-SSAD] Request for Extension of SSAD ODP GAC Survey Message-ID: <75455823-DF72-4C1F-9F30-8FFFAFF0F906@icann.org> Dear SSAD ODP Team, The GAC wishes to request an extension of the deadline for the SSAD ODP GAC Survey, to after ICANN72. The GAC notes and welcomes the recent clarification from ICANN org that part of the questions should be considered optional. That said, providing input in regard to designations of accreditation authorities may still prove challenging in some countries given that they may require substantial consultations and coordination at the national level. The extended response period would be used by GAC representatives to further communicate on the survey and ease coordination with competent national bodies. As you may be aware, this matter is also one of the topics the GAC is set to discuss during the upcoming ICANN72 meeting. The GAC would also like to take the opportunity of this request to kindly suggest that future surveys not be launched over summer holidays, or if this is the case, that the response period be longer. Thank you for your consideration On behalf of the GAC Chair, The GAC Support Team. -------------- next part -------------- An HTML attachment was scrubbed... URL: From eleeza.agopian at icann.org Fri Oct 15 21:12:59 2021 From: eleeza.agopian at icann.org (Eleeza Agopian) Date: Fri, 15 Oct 2021 21:12:59 +0000 Subject: [ODP-SSAD] Request for Extension of SSAD ODP GAC Survey In-Reply-To: References: Message-ID: <1A8416D5-0D2D-4A05-BD81-9B82145C72DC@icann.org> Dear GAC Support Team, We have received your request for an extension on the survey for Governmental Advisory Committee (GAC) members with regard to the System for Standardized Access/Disclosure (SSAD) Operational Design Phase (ODP). In order to accommodate greater participation, the survey deadline has been extended to 31 October 2021. The survey is available here: https://www.surveymonkey.com/r/ssadodpgac. While there are several questions in the survey, you are welcome to answer only those for which you are able to provide replies. In particular, we urge GAC members to focus on the following two questions: 1. How should each country/territory or government-designated Accreditation Authority (AA) be designated to ICANN org or its designee? 2. Who in your administration should be authorized to make such designations? This survey is critical in helping ICANN org fully assess the SSAD recommendations and answer the ICANN Board?s scoping questions. Any additional information or input the GAC deems relevant to the accreditation of governmental entities and requests for disclosure of nonpublic registration data by governmental entities, would also be appreciated. We thank you for your help in encouraging GAC participation. As always, feel free to contact us at ODP-SSAD at icann.org if there are any questions or concerns. Please note, the full text of your email, including your comment, name, and email address, will be published in the archive on ICANN org?s website here. Sincerely, Eleeza Agopian From: ODP-SSAD on behalf of Fabien Betremieux Date: Friday, October 15, 2021 at 11:34 AM To: "odp-ssad at icann.org" Cc: "gac at icann.org" Subject: [ODP-SSAD] Request for Extension of SSAD ODP GAC Survey Dear SSAD ODP Team, The GAC wishes to request an extension of the deadline for the SSAD ODP GAC Survey, to after ICANN72. The GAC notes and welcomes the recent clarification from ICANN org that part of the questions should be considered optional. That said, providing input in regard to designations of accreditation authorities may still prove challenging in some countries given that they may require substantial consultations and coordination at the national level. The extended response period would be used by GAC representatives to further communicate on the survey and ease coordination with competent national bodies. As you may be aware, this matter is also one of the topics the GAC is set to discuss during the upcoming ICANN72 meeting. The GAC would also like to take the opportunity of this request to kindly suggest that future surveys not be launched over summer holidays, or if this is the case, that the response period be longer. Thank you for your consideration On behalf of the GAC Chair, The GAC Support Team. -------------- next part -------------- An HTML attachment was scrubbed... URL: From yuko.green at icann.org Mon Oct 18 20:59:30 2021 From: yuko.green at icann.org (Yuko Yokoyama) Date: Mon, 18 Oct 2021 20:59:30 +0000 Subject: [ODP-SSAD] Request for verification/feedback on SSAD recommendations Message-ID: <0DF2A168-7C33-4038-A6E7-E357FD113EDF@icann.org> Dear Janis, As we continue to develop Org?s assessment for the SSAD ODP, we came to additional questions/assumptions that we would like GNSO Council?s confirmation and/or clarifications. Contractual Compliance In the SSAD, there are two areas that implicate ICANN Contractual Compliance intervention: 1. Alert mechanisms/complaints regarding Contracted Party behavior (Recs 5.3, 5.4) The recommendation states the ?alert mechanism is not an appeal mechanism ? to contest disclosure or non-disclosure affected parties are expected to use available dispute resolution mechanisms such as courts or Data Protection Authorities?? As a result, Compliance?s role is limited to investigating complaints related to procedural failures by the contracted party. 1. Contracted Party SLA requirements (Rec 10) Similar to existing processes, complaints or investigations related to contracted party requirements for SSAD may be received and processed through public-facing complaint forms that feed into the Naming Services portal (NSp) and result in individual cases. If needed, develop automation of complaints related to violations as those may be triggered from internal reporting. Question 1: Does the proposed approach regarding development of potential complaint forms or automated notifications (where possible) fulfill the intentions of the recommendations? Automation of Disclosure Request Processing Per recommendation 9.4, only the following categories are considered to meet the criteria for automated processing of data disclosure: * Requests from Law Enforcement in local or otherwise applicable jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2) processing is to be carried out under a GDPR, Article 2 exemption; * The investigation of an infringement of the data protection legislation allegedly committed by ICANN/Contracted Parties affecting the registrant; * Request for city field only, to evaluate whether to pursue a claim or for statistical purposes; * No personal data on registration record that has been previously disclosed by the Contracted Party. Question 2: We note the first bullet specifically references the GDPR. Our understanding is the above categories were included in the legal guidance provided to the EPDP Team, and the legal guidance specifically referenced the GDPR. Our assumption is the EPDP Team considered this guidance in developing this recommendation but did not intend to exclude privacy laws outside the GDPR. In other words, though this first use case only references the specific scenario in which a law enforcement requestor has a legal basis for processing under GDPR 6(1)e (or whose processing is explicitly exempted from GDPR?s restrictions on data processing), other law enforcement authorities who are outside the EU might also qualify for automated disclosure if they have a comparable legitimate interest in processing such data under their own local law. Can you please confirm if this assumption is correct (or if, conversely, the intention was only for EU law enforcement requests to have the potential for automation under this use case)? We would very much appreciate your help in relaying these questions to the GNSO Council. If you have any questions, please do not hesitate to contact us. Regards, Yuko Yokoyama Program Director Strategic Initiatives, Global Domains & Strategy Internet Corporation for Assigned Names and Numbers (ICANN) -------------- next part -------------- An HTML attachment was scrubbed... URL: From karklinsj at gmail.com Wed Oct 20 15:07:28 2021 From: karklinsj at gmail.com (Janis Karklins) Date: Wed, 20 Oct 2021 18:07:28 +0300 Subject: [ODP-SSAD] Request for verification/feedback on SSAD recommendations In-Reply-To: <0DF2A168-7C33-4038-A6E7-E357FD113EDF@icann.org> References: <0DF2A168-7C33-4038-A6E7-E357FD113EDF@icann.org> Message-ID: Hello Yuko, Looking forward to our conversation in less than an hour. I prepared answer to the second question, but would like to better understand the first one. I will formulate full response after our conversation. The answer to the Q2 is as follows: Your assumption is correct. Even EPDP was created to develop ICANN policy to accommodate the GDPR requirements, the EPDP Team took broader approach and attempted to formulate recommendations that would correspond to all existing and possible future privacy regulations in different parts of the world. Reference to specific provisions of GDPR in 9.4.1 is evident as it was existing regulation at the time of the formulation of the recommendation. JK On Mon, Oct 18, 2021 at 11:59 PM Yuko Yokoyama wrote: > Dear Janis, > > > > As we continue to develop Org?s assessment for the SSAD ODP, we came to > additional questions/assumptions that we would like GNSO Council?s > confirmation and/or clarifications. > > *Contractual Compliance* > > In the SSAD, there are two areas that implicate ICANN Contractual > Compliance intervention: > > 1. Alert mechanisms/complaints regarding Contracted Party behavior > (Recs 5.3, 5.4) > > The recommendation states the ?alert mechanism is not an appeal mechanism > ? to contest disclosure or non-disclosure affected parties are expected to > use available dispute resolution mechanisms such as courts or Data > Protection Authorities?? > > > > As a result, Compliance?s role is limited to investigating complaints > related to procedural failures by the contracted party. > > > > 1. Contracted Party SLA requirements (Rec 10) > > > > Similar to existing processes, complaints or investigations related to > contracted party requirements for SSAD may be received and processed > through public-facing complaint forms that feed into the Naming Services > portal (NSp) and result in individual cases. > > > > If needed, develop automation of complaints related to violations as those > may be triggered from internal reporting. > > > > *Question 1: Does the proposed approach regarding development of potential > complaint forms or automated notifications (where possible) fulfill the > intentions of the recommendations?* > > *Automation of Disclosure Request Processing* > > Per recommendation 9.4, only the following categories are considered to > meet the criteria for automated processing of data disclosure: > > - Requests from Law Enforcement in local or otherwise applicable > jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2) > processing is to be carried out under a GDPR, Article 2 exemption; > - The investigation of an infringement of the data protection > legislation allegedly committed by ICANN/Contracted Parties affecting the > registrant; > - Request for city field only, to evaluate whether to pursue a claim > or for statistical purposes; > - No personal data on registration record that has been previously > disclosed by the Contracted Party. > > > > *Question 2: We note the first bullet specifically references the GDPR. > Our understanding is the above categories were included in the legal > guidance provided to the EPDP Team, and the legal guidance specifically > referenced the GDPR. Our assumption is the EPDP Team considered this > guidance in developing this recommendation but did not intend to exclude > privacy laws outside the GDPR. In other words, though this first use case > only references the specific scenario in which a law enforcement requestor > has a legal basis for processing under GDPR 6(1)e (or whose processing is > explicitly exempted from GDPR?s restrictions on data processing), other law > enforcement authorities who are outside the EU might also qualify for > automated disclosure if they have a comparable legitimate interest in > processing such data under their own local law. Can you please confirm if > this assumption is correct (or if, conversely, the intention was only for > EU law enforcement requests to have the potential for automation under this > use case)? * > > > > We would very much appreciate your help in relaying these questions to the > GNSO Council. If you have any questions, please do not hesitate to contact > us. > > > > Regards, > > > > Yuko Yokoyama > > Program Director > > Strategic Initiatives, Global Domains & Strategy > > Internet Corporation for Assigned Names and Numbers (ICANN) > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From yuko.green at icann.org Wed Oct 20 19:43:07 2021 From: yuko.green at icann.org (Yuko Yokoyama) Date: Wed, 20 Oct 2021 19:43:07 +0000 Subject: [ODP-SSAD] Request for verification/feedback on SSAD recommendations In-Reply-To: <0DF2A168-7C33-4038-A6E7-E357FD113EDF@icann.org> References: <0DF2A168-7C33-4038-A6E7-E357FD113EDF@icann.org> Message-ID: <817CAB99-09EC-4C2D-9561-1EA5C887C6E8@icann.org> Dear Janis, As discussed during today?s call, here is the additional context behind the question 1: The areas identified in the SSAD that interact with ICANN Contractual Compliance, like requestor/data subject procedural complaints and Contracted Party SLA issues, appear to integrate well within the existing processes that ICANN Contractual Compliance employs. For instance, the complaints from requestors and data subjects could come through external facing complaint forms that would be developed, and if needed, automated processes may be developed for processing issues such as those related to SLA violations. From there, the complaints can be processed per ICANN Contractual Compliance?s standard approach and processes. Question 1: Does the proposed approach regarding development of potential complaint forms or automated notifications (where possible) fulfill the intentions of the recommendations? Please let me know if we may provide any further clarifications. Regards, Yuko From: Yuko Green Date: Monday, October 18, 2021 at 1:59 PM To: Janis Karklins Cc: "odp-ssad at icann.org" Subject: Request for verification/feedback on SSAD recommendations Dear Janis, As we continue to develop Org?s assessment for the SSAD ODP, we came to additional questions/assumptions that we would like GNSO Council?s confirmation and/or clarifications. Contractual Compliance In the SSAD, there are two areas that implicate ICANN Contractual Compliance intervention: 1. Alert mechanisms/complaints regarding Contracted Party behavior (Recs 5.3, 5.4) The recommendation states the ?alert mechanism is not an appeal mechanism ? to contest disclosure or non-disclosure affected parties are expected to use available dispute resolution mechanisms such as courts or Data Protection Authorities?? As a result, Compliance?s role is limited to investigating complaints related to procedural failures by the contracted party. 1. Contracted Party SLA requirements (Rec 10) Similar to existing processes, complaints or investigations related to contracted party requirements for SSAD may be received and processed through public-facing complaint forms that feed into the Naming Services portal (NSp) and result in individual cases. If needed, develop automation of complaints related to violations as those may be triggered from internal reporting. Question 1: Does the proposed approach regarding development of potential complaint forms or automated notifications (where possible) fulfill the intentions of the recommendations? Automation of Disclosure Request Processing Per recommendation 9.4, only the following categories are considered to meet the criteria for automated processing of data disclosure: * Requests from Law Enforcement in local or otherwise applicable jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2) processing is to be carried out under a GDPR, Article 2 exemption; * The investigation of an infringement of the data protection legislation allegedly committed by ICANN/Contracted Parties affecting the registrant; * Request for city field only, to evaluate whether to pursue a claim or for statistical purposes; * No personal data on registration record that has been previously disclosed by the Contracted Party. Question 2: We note the first bullet specifically references the GDPR. Our understanding is the above categories were included in the legal guidance provided to the EPDP Team, and the legal guidance specifically referenced the GDPR. Our assumption is the EPDP Team considered this guidance in developing this recommendation but did not intend to exclude privacy laws outside the GDPR. In other words, though this first use case only references the specific scenario in which a law enforcement requestor has a legal basis for processing under GDPR 6(1)e (or whose processing is explicitly exempted from GDPR?s restrictions on data processing), other law enforcement authorities who are outside the EU might also qualify for automated disclosure if they have a comparable legitimate interest in processing such data under their own local law. Can you please confirm if this assumption is correct (or if, conversely, the intention was only for EU law enforcement requests to have the potential for automation under this use case)? We would very much appreciate your help in relaying these questions to the GNSO Council. If you have any questions, please do not hesitate to contact us. Regards, Yuko Yokoyama Program Director Strategic Initiatives, Global Domains & Strategy Internet Corporation for Assigned Names and Numbers (ICANN) -------------- next part -------------- An HTML attachment was scrubbed... URL: From karklinsj at gmail.com Thu Oct 21 14:36:33 2021 From: karklinsj at gmail.com (Janis Karklins) Date: Thu, 21 Oct 2021 17:36:33 +0300 Subject: [ODP-SSAD] Request for verification/feedback on SSAD recommendations In-Reply-To: <817CAB99-09EC-4C2D-9561-1EA5C887C6E8@icann.org> References: <0DF2A168-7C33-4038-A6E7-E357FD113EDF@icann.org> <817CAB99-09EC-4C2D-9561-1EA5C887C6E8@icann.org> Message-ID: Dear Yuko, Thank you for clarification of the question. Pls see below my answers to both of them: *Automation of Disclosure Request Processing* Per recommendation 9.4, only the following categories are considered to meet the criteria for automated processing of data disclosure: ? Requests from Law Enforcement in local or otherwise applicable jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2) processing is to be carried out under a GDPR, Article 2 exemption; ? The investigation of an infringement of the data protection legislation allegedly committed by ICANN/Contracted Parties affecting the registrant; ? Request for city field only, to evaluate whether to pursue a claim or for statistical purposes; ? No personal data on registration record that has been previously disclosed by the Contracted Party. *Question 2: We note the first bullet specifically references the GDPR. Our understanding is the above categories were included in the legal guidance provided to the EPDP Team, and the legal guidance specifically referenced the GDPR. Our assumption is the EPDP Team considered this guidance in developing this recommendation but did not intend to exclude privacy laws outside the GDPR. In other words, though this first use case only references the specific scenario in which a law enforcement requestor has a legal basis for processing under GDPR 6(1)e (or whose processing is explicitly exempted from GDPR?s restrictions on data processing), other law enforcement authorities who are outside the EU might also qualify for automated disclosure if they have a comparable legitimate interest in processing such data under their own local law. Can you please confirm if this assumption is correct (or if, conversely, the intention was only for EU law enforcement requests to have the potential for automation under this use case)? * The assumption is correct. Even EPDP was created to develop ICANN policy to accommodate the GDPR requirements, the EPDP Team took broader approach and attempted to formulate recommendations that would correspond not only to the GDPR, but also to all existing and possible future privacy regulations in different parts of the world. Reference to specific provisions of GDPR in 9.4.1 is evident as it was existing regulation at the time of the formulation of the recommendation. The areas identified in the SSAD that interact with ICANN Contractual Compliance, like requestor/data subject procedural complaints and Contracted Party SLA issues, appear to integrate well within the existing processes that ICANN Contractual Compliance employs. For instance, the complaints from requestors and *data subjects* could come through external facing complaint forms that would be developed, and if needed, automated processes may be developed for processing issues such as those related to SLA violations. From there, the complaints can be processed per ICANN Contractual Compliance?s standard approach and processes. *Question 1: Does the proposed approach regarding development of potential complaint forms or automated notifications (where possible) fulfill the intentions of the recommendations?* Indeed, it was intention ? to use the existing ICANN compliance mechanism in case the requestors or registries/registrars could file a compliance complaint in situations prescribed by the policy recommendations. It was never planned, though, that data subjects would be able to use ICANN's compliance mechanism. On Wed, Oct 20, 2021 at 10:43 PM Yuko Yokoyama wrote: > Dear Janis, > > > > As discussed during today?s call, here is the additional context behind > the question 1: > > > > The areas identified in the SSAD that interact with ICANN Contractual > Compliance, like requestor/data subject procedural complaints and > Contracted Party SLA issues, appear to integrate well within the existing > processes that ICANN Contractual Compliance employs. For instance, the > complaints from requestors and data subjects could come through external > facing complaint forms that would be developed, and if needed, automated > processes may be developed for processing issues such as those related to > SLA violations. From there, the complaints can be processed per ICANN > Contractual Compliance?s standard approach and processes. > > > > *Question 1: Does the proposed approach regarding development of potential > complaint forms or automated notifications (where possible) fulfill the > intentions of the recommendations?* > > > > Please let me know if we may provide any further clarifications. > > > > Regards, > > Yuko > > > > *From: *Yuko Green > *Date: *Monday, October 18, 2021 at 1:59 PM > *To: *Janis Karklins > *Cc: *"odp-ssad at icann.org" > *Subject: *Request for verification/feedback on SSAD recommendations > > > > Dear Janis, > > > > As we continue to develop Org?s assessment for the SSAD ODP, we came to > additional questions/assumptions that we would like GNSO Council?s > confirmation and/or clarifications. > > *Contractual Compliance* > > In the SSAD, there are two areas that implicate ICANN Contractual > Compliance intervention: > > 1. Alert mechanisms/complaints regarding Contracted Party behavior > (Recs 5.3, 5.4) > > The recommendation states the ?alert mechanism is not an appeal mechanism > ? to contest disclosure or non-disclosure affected parties are expected to > use available dispute resolution mechanisms such as courts or Data > Protection Authorities?? > > > > As a result, Compliance?s role is limited to investigating complaints > related to procedural failures by the contracted party. > > > > 1. Contracted Party SLA requirements (Rec 10) > > > > Similar to existing processes, complaints or investigations related to > contracted party requirements for SSAD may be received and processed > through public-facing complaint forms that feed into the Naming Services > portal (NSp) and result in individual cases. > > > > If needed, develop automation of complaints related to violations as those > may be triggered from internal reporting. > > > > *Question 1: Does the proposed approach regarding development of potential > complaint forms or automated notifications (where possible) fulfill the > intentions of the recommendations?* > > *Automation of Disclosure Request Processing* > > Per recommendation 9.4, only the following categories are considered to > meet the criteria for automated processing of data disclosure: > > - Requests from Law Enforcement in local or otherwise applicable > jurisdictions with either 1) a confirmed GDPR 6(1)e lawful basis or 2) > processing is to be carried out under a GDPR, Article 2 exemption; > - The investigation of an infringement of the data protection > legislation allegedly committed by ICANN/Contracted Parties affecting the > registrant; > - Request for city field only, to evaluate whether to pursue a claim > or for statistical purposes; > - No personal data on registration record that has been previously > disclosed by the Contracted Party. > > > > *Question 2: We note the first bullet specifically references the GDPR. > Our understanding is the above categories were included in the legal > guidance provided to the EPDP Team, and the legal guidance specifically > referenced the GDPR. Our assumption is the EPDP Team considered this > guidance in developing this recommendation but did not intend to exclude > privacy laws outside the GDPR. In other words, though this first use case > only references the specific scenario in which a law enforcement requestor > has a legal basis for processing under GDPR 6(1)e (or whose processing is > explicitly exempted from GDPR?s restrictions on data processing), other law > enforcement authorities who are outside the EU might also qualify for > automated disclosure if they have a comparable legitimate interest in > processing such data under their own local law. Can you please confirm if > this assumption is correct (or if, conversely, the intention was only for > EU law enforcement requests to have the potential for automation under this > use case)? * > > > > We would very much appreciate your help in relaying these questions to the > GNSO Council. If you have any questions, please do not hesitate to contact > us. > > > > Regards, > > > > Yuko Yokoyama > > Program Director > > Strategic Initiatives, Global Domains & Strategy > > Internet Corporation for Assigned Names and Numbers (ICANN) > > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: