[TSG-Access-RD] Additional information about the concept of independent controllership

Wed Jan 23 03:01:33 UTC 2019

Hi all, 

As promised, here's some further input on the memo Scott shared and its connection to the TSG's work: 

As noted on Tuesday's call, I think it's important to remember that ICANN org's understanding is that whatever solution ICANN proposes for third-party access to redacted registration data is unlikely to eliminate liability for the contracted parties. ICANN org's goal is to explore ways to diminish that liability to the extent possible. To that end, the TSG is tasked with developing a technical solution that ICANN org may test against the law to determine if a unified access model is possible. 

The memo on independent controllership was drafted by ICANN org as part of the EPDP's discussion on processing activities. The EPDP has not yet tackled third-party access to gTLD registration data. They anticipate discussing that during Phase II. 

Finally, I would point to some language in the opening paragraph of the memo: "ICANN org continues to analyze the issue and this document does not present ICANN org’s or the ICANN Board’s final view of the matter; rather, based on analysis to-date, the document provides an alternative view for consideration by the EPDP Team to stimulate further discussion. The possible status of ICANN org and the contracted parties as joint controllers or independent controllers is not a matter of the preferences of the parties, but it is ultimately a question of law about whether Article 26 of the GDPR applies."

Please let me know of any further questions.

Thank you,
Eleeza

-----Original Message-----
From: TSG-Access-RD <tsg-access-rd-bounces at icann.org> On Behalf Of Benedict Addis
Sent: Tuesday, January 22, 2019 8:49 AM
To: Hollenbeck, Scott <shollenbeck at verisign.com>
Cc: tsg-access-rd at icann.org
Subject: Re: [TSG-Access-RD] Additional information about the concept of independent controllership

> On 18 Jan 2019, at 12:33, Hollenbeck, Scott via TSG-Access-RD <tsg-access-rd at icann.org> wrote:
> 
> Folks, someone just brought this to my attention:
> 
> https://mm.icann.org/pipermail/gnso-epdp-team/2019-January/001220.html
> 
> The document attached to the email describes processing alternatives concerning gTLD registration data. As it says, "This document outlines an alternative approach to joint controllership for identifying the roles and responsibilities of the participants processing gTLD registration data". During our meeting last Tuesday, Göran said (I'm paraphrasing here) that one of the goals of the Unified Access Model would be to have ICANN act as the sole data controller to relieve the contracted parties of that responsibility. Could someone from ICANN please clarify how whatever is being discussed with the EPDP team relates to the guidance we were given on Tuesday?
> 
> Scott
> 

I think Göran said that ICANN would be a controller, to lessen the risk on the CPH.

He didn’t specify whether sole or joint controller.

ICANN legal has a mild preference for the former, and the ePDP a mild preference for the latter.

What’s important is that both sides are open to negotiation!

B