Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote:

I strongly second Vicky’s comments.  The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe.  Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time.  Moving to 1500 UTC would retain the pre-existing local start times, I  believe.

Steve Metalitz

*image001*

*Steven J. Metalitz *|***Partner, through his professional corporation*

T: 202.355.7902 |met@msk.com <mailto:met@msk.com>**

*Mitchell Silberberg & Knupp**LLP*|*www.msk.com <http://www.msk.com/>*

1818 N Street NW, 8th Floor, Washington, DC 20036

*_THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS._**THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:*gdd-gnso-ppsai-impl-bounces@icann.org [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Victoria Sheckler *Sent:* Tuesday, October 31, 2017 5:55 PM *To:* gdd-gnso-ppsai-impl@icann.org; Sara Bockey *Subject:* Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was.  So please let’s get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote:

Caitlin,

Thanks for the revised docs.  A few items at first glance that need to be revised, as I believe they have been discussion/raised before.  I will take a closer look and follow up with additional edits, but in the meantime…

1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA

1. The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. 2. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. 3. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA.

2. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent.

1. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service.  Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise.

3. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August.  The first sentence in its entirety should be removed.

1. The section should start with “Well founded…”

Additionally, the following sections need revision or at a minimum further discuss by the IRT

4. Edit Section 3.14 to remove the language re no automation. This is not feasible.  This language must be removed:

1. Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

5. Edit Section 3.15 – Labeling – to remove excessive language.

1. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto.  This language is duplicative and not necessary.  Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

*sara bockey*

*sr. policy manager | **Go**Daddy^™ *

*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*

*skype: sbockey*

/This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments./

*From: *<gdd-gnso-ppsai-impl-bounces@icann.org> <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> <mailto:caitlin.tubergen@icann.org> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> *Date: *Wednesday, October 25, 2017 at 4:44 AM *To: *"gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject: *[Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017.

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of *Tuesday,* *14 November* for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list.  Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program’s status to the community.  Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT’s discussion this morning, we received feedback to:

1. Edit the definition of *Working Group in Section 1.43*, to specify that the Provider Stakeholder Group, if formed, shall only appoint the /provider/ representatives of the Working Group, and the GNSO may appoint other members of the community.

**

2. Add back in the previously-deleted *Code of Conduct *language in *Section 3.5.1*.

**

**

3. Add back in the previously-deleted *review provision *in *Section 7 of the Customer Data Accuracy Program Specification*.

**

If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by *14 November 2017*.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

*Caitlin Tubergen*

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org <mailto:caitlin.tubergen@icann.org>

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Well said, Darcy. Agree 100%. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Darcy Southwell <darcy.southwell@endurance.com> Date: Tuesday, November 7, 2017 at 8:47 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of theo geurts <gtheo@xs4all.nl> Reply-To: <gdd-gnso-ppsai-impl@icann.org> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz [age001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

PPSAI colleagues, I offer the following comments and suggested edits regarding the Oct. 20 redline version of the PPAA. I may have a few other suggestions by tomorrow’s deadline, and will definitely have responses later to some of the other proposed edits that have been sent to the list. (And thanks to Theo and colleagues for their comprehensive review of the document!) First, I would reiterate the suggestions made in my Oct. 21 posting to the list, as follows: Subsection 3.5.3.15: strike “should” and insert “shall,” for consistency with parallel provisions throughout this section 3.5. Section 3.7, third line from the bottom: “employee” should be “employ.” Section 3.17.1: I suggest adding the words “as applicable” or “to the extent applicable” at the end of the section. Not every Disclosure or Publication request that Provider receives will fall under the IP or LEA disclosure frameworks. Section 5.7.3: the notice that the suspended Provider must send to customers should specify “that it is unable to offer or provide the Services for any new registrations” (adding the last 4 words). A suspended Provider can (and indeed must) provide the Services to its current customers. [Note that the phrasing “any additional registrations” might be more accurate here, and in the corresponding provision of 5.7.1 --- otherwise it might be possible for a suspended provider to being providing services for the first time to an existing registration whose registrant decides to engage a service.] Here are some additional suggestions: Section 1.43: strike “comprising the Working Group,” insert “representatives of the Service Providers.” This issue is noted on page 2 of the Discussion Items document. Section 3.5.3.3: since this has to do with p/p services and not with registration per se, the references to “initial registration and each renewal registration” should be changed to something like “each initial agreement to provide Services and each renewal or extension of such agreement.” I believe this is also responsive to Theo’s sticky note on the RrSG redline for this section. Section 3.8.1 (specifying what needs to be stated on request forms) should include a cross-reference to section 3.8.2 (requiring publication of links to request forms in some circumstances). Alternatively, perhaps the order of these two sections should be reversed. Section 3.8.5.5 needs some rephrasing. Reveal is not a defined term in the PPAA, and the provider does not itself Publish data in the RDS (the registrar or registry does that), but can cause it to be Published. This may a rare instance in which use of the passive voice may be preferable (“the circumstances under which the Customer’s identity or contact data will be published in the RDDS….”). Section 3.19: substitute “shall” for “should.” In fact the entire document should be reviewed to see where this change is needed. Section 5.3: this is another issue I raised in my Oct. 21 posting: “Section 5.3 does not give ICANN the right to substitute the new version of the agreement, it gives that right to the provider. Furthermore, 5.3 addresses the scenario in which the new agreement is swapped in during the term of the current agreement. The point I was trying to raise on the call (and I am sorry if this was not clear) is ensuring that all renewals of the agreement at the end of the term reflect the most recent version. As currently drafted, section 5.2 seems to give the provider the option of renewing under the terms of the old agreement (“under the terms and conditions of this agreement”), even if it has been superseded by a new form of agreement that is materially different. This could be fixed by adding a subsection 5.2.5 along the following lines: ‘5.2.5: this Agreement has been superseded by a revised form accreditation agreement for the provision of the Services (“Updated PPAA”) that is materially different from this Agreement, in which case the right of renewal provided by this section shall be under the terms and conditions of the Updated PPAA.’” Section 5.7.4: consider inserting at the end of the first sentence “or its invocation of section 5.5.7,” which is another path ICANN could take to deal with the situation of an uncured “endangerment” scenario. Section 7.4.1: shouldn’t the Working Group be the party to receive the notice re revision of the Agreement? This would be consistent with the rest of section 7.4. Glad to try to answer any questions about these. Steve Metalitz [image001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Metalitz, Steven Sent: Tuesday, November 07, 2017 11:42 AM To: 'Sara Bockey'; Darcy Southwell; gdd-gnso-ppsai-impl@icann.org Subject: RE: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with a lot of what Darcy says. Let me make sure my view is clearly stated. Most of the items Darcy identifies are completely appropriate for discussion in our team before the documents are finalized. These issues include: perceived discrepancies between the WG Final Report and the implementation documents; loose ends in the Law Enforcement disclosure framework; and clarifying the status of each of the four documents under review. I support addressing these points on our next call so that we can continue to make progress. And based on the postings made to our list over the last couple of weeks, I would certainly be comfortable with some relaxation of the deadline for proposing edits to the accreditation agreement – if necessary, to December 1. My concerns are focused primarily on the suggestion that we can’t move forward until we determine whether our recommendations are GDPR-compliant. To me that sounds like some on the IRT want to suspend work until ICANN’s separate work on GDPR is concluded. If that is not what is meant, then I would ask proponents of that view to clarify just how they think we should proceed at this point. I am also sad to see the IRTP-C issue brought up again. I thought we had reached agreement that the current suspension of ICANN enforcement of this aspect of that policy could be continued until an appropriate group is formed to address it; or put another way, that we could proceed to get our PPSAI implementation plan out for public comment without delaying it until the IRTP-C issue is resolved. That is my recollection, anyway, but if I am mistaken then please show me how. Finally I will repeat my question of whether our call time on 11/14 remains at 1400 UTC or whether it will be moved an hour later to preserve the usual start time in most Northern Hemisphere time zones. Steve [image001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Sara Bockey [mailto:sbockey@godaddy.com] Sent: Tuesday, November 07, 2017 11:07 AM To: Darcy Southwell; gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven Cc: Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Well said, Darcy. Agree 100%. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 8:47 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en<https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en> I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz [age001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017<https://community.icann.org/display/IRT/24+October+2017>. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

Hi all, In my last-minute reviewing of the PPAA, I’ve had a few additional thoughts: We need to revisit PPAA, Spec 2: Customer Data Accuracy. This entire Spec needs to be revisited and made clearer since the entire spec is dependent on whether or not the Service Provider is affiliated or non-affiliated. It’s very disjointed, it starts out Section 1, this is what you need to do, then in Section 3, it says you don’t need to do this if you are an affiliated Provider, and then in Section 4 it goes back to this is what you need to do and forgets about section 3. It seems to me that this entire section is dependent on if there is an Affiliated Registrar. This section got me thinking and IMHO, in addition to going thru every comment that has been submitted and sorting through those issues, I think we need to take a serious look at the approach of the PPAA. I think the document as it stands is not recognizing the Service Provider as an Affiliate of an ICANN accredited Registrar. I’m wondering if what we really need is 2 separate PPAAs – one for an Affiliated Service Provider and one for a Non-Affiliated Service Provider. For the Affiliated Service Provider, it should set out at the very beginning the affiliate relationship, and both parties would sign. The basic idea would be something like: Service Provider X, as an Affiliate of ICANN accredited Registrar A, enters into this PPAA to provide a privacy/proxy service. Registrar A, as a party to this agreement, agrees to uphold its obligations under the RAA and its related consensus policies. Should the relationship between Service Provider X and Registrar A cease, so shall this agreement, and Service Provider X will have ___ number of days to secure a new affiliate registrar and enter into a new Affiliated PPAA or complete the Non-Affiliated process and sign the Non-Affiliate PPAA. It needs work, I know, but just trying to illustrate the idea. I think this would allow the affiliated agreement to be considerably more light weight. The Non-Affiliate PPAA would be more in line with what we have now (and, granted, would need additional work). If the Affiliate Provider became unaffiliated, it would need to go thru an accreditation process to ensure it meet the requirements. So there would need to be 2 accreditation procedures, but again I’m thinking the Affiliated process would be relatively light weight based on the relationship of the provider to the accredited registrar. Also, we need to correct some of the language in the PPAA. Specifically, as I’ve stated numerous times before, I think staff’s use of “Customer” in place of RNH is problematic when the PPAA is an extension of/referenced in the RAA, particularly when considering the above line of thinking. The 2013 RAA defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. This is a service for the RNH, provided via an Affiliate Registrar, the use of “customer” is problematic. I’ll admit I’ve not thought thru all the issues and this is kind of loose, but it’s an idea that came to mind and something we might ought to consider so I’m putting a marker down to discuss the above in case it offers a better path forward. Happy to hear what others think. Sara sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Caitlin Tubergen <caitlin.tubergen@icann.org> Date: Thursday, November 30, 2017 at 5:05 PM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, Sara Bockey <sbockey@godaddy.com>, 'Darcy Southwell' <darcy.southwell@endurance.com> Cc: "Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Thank you, Steve, and thank you to the registrars who submitted comments. I will compile all of the comments, and we can begin going through the comments on Tuesday’s call. If any other IRT members have comments on the draft PPAA, please submit them by the deadline of Friday, 1 December. Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Metalitz, Steven" <met@msk.com> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Thursday, November 30, 2017 at 2:16 PM To: 'Sara Bockey' <sbockey@godaddy.com>, 'Darcy Southwell' <darcy.southwell@endurance.com>, "'gdd-gnso-ppsai-impl@icann.org'" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call PPSAI colleagues, I offer the following comments and suggested edits regarding the Oct. 20 redline version of the PPAA. I may have a few other suggestions by tomorrow’s deadline, and will definitely have responses later to some of the other proposed edits that have been sent to the list. (And thanks to Theo and colleagues for their comprehensive review of the document!) First, I would reiterate the suggestions made in my Oct. 21 posting to the list, as follows: Subsection 3.5.3.15: strike “should” and insert “shall,” for consistency with parallel provisions throughout this section 3.5. Section 3.7, third line from the bottom: “employee” should be “employ.” Section 3.17.1: I suggest adding the words “as applicable” or “to the extent applicable” at the end of the section. Not every Disclosure or Publication request that Provider receives will fall under the IP or LEA disclosure frameworks. Section 5.7.3: the notice that the suspended Provider must send to customers should specify “that it is unable to offer or provide the Services for any new registrations” (adding the last 4 words). A suspended Provider can (and indeed must) provide the Services to its current customers. [Note that the phrasing “any additional registrations” might be more accurate here, and in the corresponding provision of 5.7.1 --- otherwise it might be possible for a suspended provider to being providing services for the first time to an existing registration whose registrant decides to engage a service.] Here are some additional suggestions: Section 1.43: strike “comprising the Working Group,” insert “representatives of the Service Providers.” This issue is noted on page 2 of the Discussion Items document. Section 3.5.3.3: since this has to do with p/p services and not with registration per se, the references to “initial registration and each renewal registration” should be changed to something like “each initial agreement to provide Services and each renewal or extension of such agreement.” I believe this is also responsive to Theo’s sticky note on the RrSG redline for this section. Section 3.8.1 (specifying what needs to be stated on request forms) should include a cross-reference to section 3.8.2 (requiring publication of links to request forms in some circumstances). Alternatively, perhaps the order of these two sections should be reversed. Section 3.8.5.5 needs some rephrasing. Reveal is not a defined term in the PPAA, and the provider does not itself Publish data in the RDS (the registrar or registry does that), but can cause it to be Published. This may a rare instance in which use of the passive voice may be preferable (“the circumstances under which the Customer’s identity or contact data will be published in the RDDS….”). Section 3.19: substitute “shall” for “should.” In fact the entire document should be reviewed to see where this change is needed. Section 5.3: this is another issue I raised in my Oct. 21 posting: “Section 5.3 does not give ICANN the right to substitute the new version of the agreement, it gives that right to the provider. Furthermore, 5.3 addresses the scenario in which the new agreement is swapped in during the term of the current agreement. The point I was trying to raise on the call (and I am sorry if this was not clear) is ensuring that all renewals of the agreement at the end of the term reflect the most recent version. As currently drafted, section 5.2 seems to give the provider the option of renewing under the terms of the old agreement (“under the terms and conditions of this agreement”), even if it has been superseded by a new form of agreement that is materially different. This could be fixed by adding a subsection 5.2.5 along the following lines: ‘5.2.5: this Agreement has been superseded by a revised form accreditation agreement for the provision of the Services (“Updated PPAA”) that is materially different from this Agreement, in which case the right of renewal provided by this section shall be under the terms and conditions of the Updated PPAA.’” Section 5.7.4: consider inserting at the end of the first sentence “or its invocation of section 5.5.7,” which is another path ICANN could take to deal with the situation of an uncured “endangerment” scenario. Section 7.4.1: shouldn’t the Working Group be the party to receive the notice re revision of the Agreement? This would be consistent with the rest of section 7.4. Glad to try to answer any questions about these. Steve Metalitz [e001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Metalitz, Steven Sent: Tuesday, November 07, 2017 11:42 AM To: 'Sara Bockey'; Darcy Southwell; gdd-gnso-ppsai-impl@icann.org Subject: RE: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with a lot of what Darcy says. Let me make sure my view is clearly stated. Most of the items Darcy identifies are completely appropriate for discussion in our team before the documents are finalized. These issues include: perceived discrepancies between the WG Final Report and the implementation documents; loose ends in the Law Enforcement disclosure framework; and clarifying the status of each of the four documents under review. I support addressing these points on our next call so that we can continue to make progress. And based on the postings made to our list over the last couple of weeks, I would certainly be comfortable with some relaxation of the deadline for proposing edits to the accreditation agreement – if necessary, to December 1. My concerns are focused primarily on the suggestion that we can’t move forward until we determine whether our recommendations are GDPR-compliant. To me that sounds like some on the IRT want to suspend work until ICANN’s separate work on GDPR is concluded. If that is not what is meant, then I would ask proponents of that view to clarify just how they think we should proceed at this point. I am also sad to see the IRTP-C issue brought up again. I thought we had reached agreement that the current suspension of ICANN enforcement of this aspect of that policy could be continued until an appropriate group is formed to address it; or put another way, that we could proceed to get our PPSAI implementation plan out for public comment without delaying it until the IRTP-C issue is resolved. That is my recollection, anyway, but if I am mistaken then please show me how. Finally I will repeat my question of whether our call time on 11/14 remains at 1400 UTC or whether it will be moved an hour later to preserve the usual start time in most Northern Hemisphere time zones. Steve [e001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Sara Bockey [mailto:sbockey@godaddy.com] Sent: Tuesday, November 07, 2017 11:07 AM To: Darcy Southwell; gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven Cc: Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Well said, Darcy. Agree 100%. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 8:47 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz [01] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

​​Hi all, I agree with Sara's idea about separating the agreement (and process) for affiliated and non-affiliated providers. As I read (and re-read several times) parts of the draft agreement, I find that we are working to push affiliated and non-affiliated providers into the same agreement/process when they are not really the same. IMO separating the agreements/processes would alleviate the conflicts members of the IRT are trying to resolve when reading through as there are lines that try to emphasize what each provider type is obligated to follow. If in our discussions we agree how these parties are separate in their business models, it only makes sense that we work towards having 2 separate agreements tailored to accommodate. In addition, here are our additional concerns: 1.37 - "Service Provider" is defined here and should be used consistently throughout (i.e., don’t use “Provider” when “Service Provider” is the defined term). 3.2.3 - As Theo and Sara had already articulated in a previous comment, need specifics illustrated with regards to data and adding "subject to applicable" law. 3.5.3.1 - "Terminating a Registered name" should not be included and a viable option here. 3.5.3.17 - Should be removed. Service Providers will not have control to cancel a registered name. 3.7 - Change "at all times employee" to "dedicated" 3.16.7 - Language should be revised to follow Final Report. 3.17.2 - Language should be revised to follow Final Report: "*Before Service Provider decides whether or not to comply with a Disclosure or Publication request, Service Provider shall not mandate that a Requester first make a Relay request.*" 3.18.2 - Theo made comments here that I agree with. Staff, will you please identify which paragraphs of the policy does this operation relate to? I think at minimum we must remove "facilitate and" as Service Provider does not have control in respect to those registrar functions called out within. 7.4 - "Provider Stakeholder Group" needs to be defined here, but also recommend revising this paragraph to be more clear. Maybe we have this in brackets with a footnote that this is TBD until a stakeholder group is first created? Spec 2, 1.(ii) - Service Providers do not control transfers so this should be removed. Spec 2, 5. - Requests to Registrars to terminate or suspend (at least terminate) should be removed. Registrars not bound to this. Spec 3 - "P/P Customer" is defined in RAA along with "beneficial user." Why are we not using that defined term here? Spec 4 LEA Framework - Question to staff - Is this framework the most up to date with our comments from prior meetings? Based on comments below for this Spec, it seems there are still open-ended questions that were in discussions IRT had had (including with PSWG)? We need to identify how the GDPR will affect this framework when it comes to Disclosure (or Publication) for EU resident registrants and address those issues in the framework. Spec 4, 3.2.2 - Question to staff - How would Service Provider verify? Also if in section 2 of the spec (minimum standard set requirements); if provider does not receive all LEA Requestor details including their identity, they will respond back inquiring as such. This section seems redundant as a result. Spec 4, 4.1.2. and 4.2.1. - We can't continue to reference "High Priority" and use, as criteria was removed from 4.1.1. (an example regarding if all proposed edits were included). Spec 4, 4.2.2. - Change "Disclosure can be reasonably refused by Provider" to "Provider may reasonably refuse Disclosure" Spec 4, 4.2.2.2. - Change "national or international" to "applicable" law. Spec 4, 4.2.5. - What does "give due consideration" mean as this was only defined in the IP Framework in the Final Report? Spec 4, 4.3.3. – Is this a requirement of the Final Report? What was the discussion in prior meetings? This doesn’t seem to be needed. Spec 4, 6.3. - Does this exceed the provision in the Final Report? Something to review with PSWG? Spec 6 – We need to identify how the GDPR will affect this framework when it comes to Disclosure (or Publication) for EU resident registrants and address those issues in the framework. Regards, Eric On Fri, Dec 1, 2017 at 3:00 PM, theo geurts <gtheo@xs4all.nl> wrote:

I like the idea, Sara.

You have two parties here anyways, who operate very differently. Let's see if we can flesh this out some more. Or we could expand on this and get two different tracks with their own set of procedures and contractual obligations.

Theo

Ps I won't make the call on Dec 5, my apologies.

On 1-12-2017 19:08, Sara Bockey wrote:

Hi all,

In my last-minute reviewing of the PPAA, I’ve had a few additional thoughts:

We need to revisit PPAA, Spec 2: Customer Data Accuracy. This entire Spec needs to be revisited and made clearer since the entire spec is dependent on whether or not the Service Provider is affiliated or non-affiliated. It’s very disjointed, it starts out Section 1, this is what you need to do, then in Section 3, it says you don’t need to do this if you are an affiliated Provider, and then in Section 4 it goes back to this is what you need to do and forgets about section 3. It seems to me that this entire section is dependent on if there is an Affiliated Registrar.

This section got me thinking and IMHO, in addition to going thru every comment that has been submitted and sorting through those issues, I think we need to take a serious look at the approach of the PPAA. I think the document as it stands is not recognizing the Service Provider as an Affiliate of an ICANN accredited Registrar. I’m wondering if what we really need is 2 separate PPAAs – one for an Affiliated Service Provider and one for a Non-Affiliated Service Provider. For the Affiliated Service Provider, it should set out at the very beginning the affiliate relationship, and both parties would sign. The basic idea would be something like:

Service Provider X, as an Affiliate of ICANN accredited Registrar A, enters into this PPAA to provide a privacy/proxy service. Registrar A, as a party to this agreement, agrees to uphold its obligations under the RAA and its related consensus policies. Should the relationship between Service Provider X and Registrar A cease, so shall this agreement, and Service Provider X will have ___ number of days to secure a new affiliate registrar and enter into a new Affiliated PPAA or complete the Non-Affiliated process and sign the Non-Affiliate PPAA.

It needs work, I know, but just trying to illustrate the idea. I think this would allow the affiliated agreement to be considerably more light weight.

The Non-Affiliate PPAA would be more in line with what we have now (and, granted, would need additional work).

If the Affiliate Provider became unaffiliated, it would need to go thru an accreditation process to ensure it meet the requirements. So there would need to be 2 accreditation procedures, but again I’m thinking the Affiliated process would be relatively light weight based on the relationship of the provider to the accredited registrar.

Also, we need to correct some of the language in the PPAA. Specifically, as I’ve stated numerous times before, I think staff’s use of “Customer” in place of RNH is problematic when the PPAA is an extension of/referenced in the RAA, particularly when considering the above line of thinking.

The 2013 RAA defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name.

This is a service for the RNH, provided via an Affiliate Registrar, the use of “customer” is problematic.

I’ll admit I’ve not thought thru all the issues and this is kind of loose, but it’s an idea that came to mind and something we might ought to consider so I’m putting a marker down to discuss the above in case it offers a better path forward. Happy to hear what others think.

Sara

*sara bockey*

*sr. policy manager | **Go**Daddy™*

*sbockey@godaddy.com <sbockey@godaddy.com> 480-366-3616 <(480)%20366-3616>*

*skype: sbockey*

*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*

*From: *Caitlin Tubergen <caitlin.tubergen@icann.org> <caitlin.tubergen@icann.org> *Date: *Thursday, November 30, 2017 at 5:05 PM *To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org>, Sara Bockey <sbockey@godaddy.com> <sbockey@godaddy.com>, 'Darcy Southwell' <darcy.southwell@endurance.com> <darcy.southwell@endurance.com> *Cc: *"Roman, Peter (CRM)" <Peter.Roman@usdoj.gov> <Peter.Roman@usdoj.gov> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Thank you, Steve, and thank you to the registrars who submitted comments.

I will compile all of the comments, and we can begin going through the comments on Tuesday’s call.

If any other IRT members have comments on the draft PPAA, please submit them by the deadline of *Friday, 1 December*.

Kind regards,

*Caitlin Tubergen*

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org

*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of "Metalitz, Steven" <met@msk.com> <met@msk.com> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> *Date: *Thursday, November 30, 2017 at 2:16 PM *To: *'Sara Bockey' <sbockey@godaddy.com> <sbockey@godaddy.com>, 'Darcy Southwell' <darcy.southwell@endurance.com> <darcy.southwell@endurance.com>, "'gdd-gnso-ppsai-impl@icann.org'" <'gdd-gnso-ppsai-impl@icann.org'> <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

PPSAI colleagues,

I offer the following comments and suggested edits regarding the Oct. 20 redline version of the PPAA. I may have a few other suggestions by tomorrow’s deadline, and will definitely have responses later to some of the other proposed edits that have been sent to the list. (And thanks to Theo and colleagues for their comprehensive review of the document!)

First, I would reiterate the suggestions made in my Oct. 21 posting to the list, as follows:

Subsection 3.5.3.15: strike “should” and insert “shall,” for consistency with parallel provisions throughout this section 3.5.

Section 3.7, third line from the bottom: “employee” should be “employ.”

Section 3.17.1: I suggest adding the words “as applicable” or “to the extent applicable” at the end of the section. Not every Disclosure or Publication request that Provider receives will fall under the IP or LEA disclosure frameworks.

Section 5.7.3: the notice that the suspended Provider must send to customers should specify “that it is unable to offer or provide the Services *for any new registrations”* (adding the last 4 words). A suspended Provider can (and indeed must) provide the Services to its current customers. [Note that the phrasing “any additional registrations” might be more accurate here, and in the corresponding provision of 5.7.1 --- otherwise it might be possible for a suspended provider to being providing services for the first time to an existing registration whose registrant decides to engage a service.]

Here are some additional suggestions:

Section 1.43: strike “comprising the Working Group,” insert “representatives of the Service Providers.” This issue is noted on page 2 of the Discussion Items document.

Section 3.5.3.3: since this has to do with p/p services and not with registration per se, the references to “initial registration and each renewal registration” should be changed to something like “each initial agreement to provide Services and each renewal or extension of such agreement.” I believe this is also responsive to Theo’s sticky note on the RrSG redline for this section.

Section 3.8.1 (specifying what needs to be stated on request forms) should include a cross-reference to section 3.8.2 (requiring publication of links to request forms in some circumstances). Alternatively, perhaps the order of these two sections should be reversed.

Section 3.8.5.5 needs some rephrasing. Reveal is not a defined term in the PPAA, and the provider does not itself Publish data in the RDS (the registrar or registry does that), but can cause it to be Published. This may a rare instance in which use of the passive voice may be preferable (“the circumstances under which the Customer’s identity or contact data will be published in the RDDS….”).

Section 3.19: substitute “shall” for “should.” In fact the entire document should be reviewed to see where this change is needed.

Section 5.3: this is another issue I raised in my Oct. 21 posting: “Section 5.3 does not give ICANN the right to substitute the new version of the agreement, it gives that right to the *provider. *Furthermore, 5.3 addresses the scenario in which the new agreement is swapped in during the term of the current agreement. The point I was trying to raise on the call (and I am sorry if this was not clear) is ensuring that all renewals of the agreement *at the end of the term* reflect the most recent version. As currently drafted, section 5.2 seems to give the provider the option of renewing under the terms of the old agreement (“under the terms and conditions of this agreement”), even if it has been superseded by a new form of agreement that is materially different. This could be fixed by adding a subsection 5.2.5 along the following lines: ‘5.2.5: this Agreement has been superseded by a revised form accreditation agreement for the provision of the Services (“Updated PPAA”) that is materially different from this Agreement, in which case the right of renewal provided by this section shall be under the terms and conditions of the Updated PPAA.’”

Section 5.7.4: consider inserting at the end of the first sentence “or its invocation of section 5.5.7,” which is another path ICANN could take to deal with the situation of an uncured “endangerment” scenario.

Section 7.4.1: shouldn’t the Working Group be the party to receive the notice re revision of the Agreement? This would be consistent with the rest of section 7.4.

Glad to try to answer any questions about these.

Steve Metalitz

*[image: e001]*

*Steven J. Metalitz *| *Partner, through his professional corporation*

T: 202.355.7902 <(202)%20355-7902> | met@msk.com

*Mitchell Silberberg & Knupp* *LLP* | *www.msk.com* <http://www.msk.com/>

1818 N Street NW, 8th Floor, Washington, DC 20036

*THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS.** THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:* Metalitz, Steven *Sent:* Tuesday, November 07, 2017 11:42 AM *To:* 'Sara Bockey'; Darcy Southwell; gdd-gnso-ppsai-impl@icann.org *Subject:* RE: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with a lot of what Darcy says. Let me make sure my view is clearly stated.

Most of the items Darcy identifies are completely appropriate for discussion in our team before the documents are finalized. These issues include: perceived discrepancies between the WG Final Report and the implementation documents; loose ends in the Law Enforcement disclosure framework; and clarifying the status of each of the four documents under review. I support addressing these points on our next call so that we can continue to make progress. And based on the postings made to our list over the last couple of weeks, I would certainly be comfortable with some relaxation of the deadline for proposing edits to the accreditation agreement – if necessary, to December 1.

My concerns are focused primarily on the suggestion that we can’t move forward until we determine whether our recommendations are GDPR-compliant. To me that sounds like some on the IRT want to suspend work until ICANN’s separate work on GDPR is concluded. If that is not what is meant, then I would ask proponents of that view to clarify just how they think we should proceed at this point.

I am also sad to see the IRTP-C issue brought up again. I thought we had reached agreement that the current suspension of ICANN enforcement of this aspect of that policy could be continued until an appropriate group is formed to address it; or put another way, that we could proceed to get our PPSAI implementation plan out for public comment without delaying it until the IRTP-C issue is resolved. That is my recollection, anyway, but if I am mistaken then please show me how.

Finally I will repeat my question of whether our call time on 11/14 remains at 1400 UTC or whether it will be moved an hour later to preserve the usual start time in most Northern Hemisphere time zones.

Steve

*[image: e001]*

*Steven J. Metalitz *| *Partner, through his professional corporation*

T: 202.355.7902 <(202)%20355-7902> | met@msk.com

*Mitchell Silberberg & Knupp* *LLP* | *www.msk.com* <http://www.msk.com/>

1818 N Street NW, 8th Floor, Washington, DC 20036

*THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS.** THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:* Sara Bockey [mailto:sbockey@godaddy.com <sbockey@godaddy.com>] *Sent:* Tuesday, November 07, 2017 11:07 AM *To:* Darcy Southwell; gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven *Cc:* Sara Bockey *Subject:* Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Well said, Darcy. Agree 100%.

*sara bockey*

*sr. policy manager | **Go**Daddy™*

*sbockey@godaddy.com* <sbockey@godaddy.com>* 480-366-3616 <(480)%20366-3616>*

*skype: sbockey*

*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*

*From: *Darcy Southwell <darcy.southwell@endurance.com> *Date: *Tuesday, November 7, 2017 at 8:47 AM *To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date).

Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first.

Thanks,

Darcy

*From: *<gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of theo geurts < gtheo@xs4all.nl> *Reply-To: *<gdd-gnso-ppsai-impl@icann.org> *Date: *Monday, November 6, 2017 at 12:27 PM *To: *<gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, Vicky,

Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here.

My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation.

In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is.

I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws.

So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance -statement-2017-11-02-en

I think that scenario is unwanted for everyone on the IRT is it not?

Thanks,

Theo Geurts

On 6-11-2017 19:40, Metalitz, Steven wrote:

I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe.

Steve Metalitz

*[image: 01]*

*Steven J. Metalitz *| *Partner, through his professional corporation*

T: 202.355.7902 <(202)%20355-7902> | met@msk.com

*Mitchell Silberberg & Knupp* *LLP* | *www.msk.com* <http://www.msk.com/>

1818 N Street NW, 8th Floor, Washington, DC 20036

*THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS.** THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:* gdd-gnso-ppsai-impl-bounces@icann.org [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org <gdd-gnso-ppsai-impl-bounces@icann.org>] *On Behalf Of *Victoria Sheckler *Sent:* Tuesday, October 31, 2017 5:55 PM *To:* gdd-gnso-ppsai-impl@icann.org; Sara Bockey *Subject:* Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote:

Caitlin,

Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime…

1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA

1. The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. 2. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. 3. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA.

1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent.

1. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise.

1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed.

1. The section should start with “Well founded…”

Additionally, the following sections need revision or at a minimum further discuss by the IRT

1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed:

1. Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

1. Edit Section 3.15 – Labeling – to remove excessive language.

1. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

*sara bockey*

*sr. policy manager | GoDaddy™*

*sbockey@godaddy.com* <sbockey@godaddy.com>* 480-366-3616 <(480)%20366-3616>*

*skype: sbockey*

*This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.*

*From: *<gdd-gnso-ppsai-impl-bounces@icann.org> <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> <caitlin.tubergen@icann.org> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> *Date: *Wednesday, October 25, 2017 at 4:44 AM *To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> *Subject: *[Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann. org/display/IRT/24+October+2017.

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of *Tuesday,* *14 November* for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT’s discussion this morning, we received feedback to:

1. Edit the definition of *Working Group in Section 1.43*, to specify that the Provider Stakeholder Group, if formed, shall only appoint the *provider* representatives of the Working Group, and the GNSO may appoint other members of the community.

1. Add back in the previously-deleted *Code of Conduct *language in *Section 3.5.1*.

1. Add back in the previously-deleted *review provision *in *Section 7 of the Customer Data Accuracy Program Specification*.

If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by *14 November 2017*.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

*Caitlin Tubergen*

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/l istinfo/gdd-gnso-ppsai-impl

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/l istinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing listGdd-gnso-ppsai-impl@icann.orghttps://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Hi All, I completely agree with Theo’s and Darcy’s comments. If we end up creating documents that are contradicting the PDP output or aren't compliant with GDPR then in my view we are creating an ineffective program which will become a massive compliance burden on future P/P Providers. I am not comfortable with that. Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues. I’m not sure if we can achieve that because if everything has some link to GDPR or contradicts the PDP then we will be going around in circles and having to review our work again and again. Let’s look to tackle the critical issues first, and hopefully by the time we have done that ICANN will have more clarity for us in terms of GDPR related issues. Kind Regards, Vlad Dinculescu ———————— DNS Africa Ltd

On 07 Nov 2017, at 6:54 PM, Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com> wrote:

Hi all

I also agree with Theo and Darcy. In view of the GDPR legislation, this has to be considered in light of this agreement when moving forward with the P/P accreditation framework. We must include all issues which will have an effect rather than having to constantly amend the agreement. Whatever ICANN decide in view of the GDPR, certainly as a lawyer, my view will be that we will not contravene the legislation. It is absolutely right that we establish a programme that is going to work; if not, then this whole exercise will be drawn out and will make our workloads far heavier than is required.

We are currently reviewing the documents from a legal and operational perspective. Agreed we should focus on critical issues at our next call.

Many thanks

Lindsay

Lindsay Hamilton-Reid Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk <mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk <http://www.fasthosts.co.uk/> www.1and1.co.uk <http://www.1and1.co.uk/> <image002.jpg> © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. <image003.jpg> <http://www.linkedin.com/company/fasthosts-internet-ltd><image004.jpg> <https://twitter.com/Fasthosts><image005.jpg> <https://www.facebook.com/fasthostsinternet><image006.jpg> <https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts><image007.jpg> <http://blogs.fasthosts.co.uk/><image008.jpg> <http://www.youtube.com/user/Fasthostsinternet>

From: gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>] On Behalf Of Sara Bockey Sent: 07 November 2017 16:07 To: Darcy Southwell <darcy.southwell@endurance.com <mailto:darcy.southwell@endurance.com>>; gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven <met@msk.com <mailto:met@msk.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Well said, Darcy. Agree 100%.

sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: Darcy Southwell <darcy.southwell@endurance.com <mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 8:47 AM To: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first.

Thanks, Darcy

From: <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, Vicky,

Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here.

My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation.

In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is.

I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws.

So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... <https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en>

I think that scenario is unwanted for everyone on the IRT is it not?

Thanks,

Theo Geurts

On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe.

Steve Metalitz

<image009.gif> Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com <mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com <http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

From: gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote: Caitlin,

Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime…

Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA.

Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise.

Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. The section should start with “Well founded…”

Additionally, the following sections need revision or at a minimum further discuss by the IRT

Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

Edit Section 3.15 – Labeling – to remove excessive language. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey

This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments.

From: <gdd-gnso-ppsai-impl-bounces@icann.org> <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> <mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017 <https://community.icann.org/display/IRT/24+October+2017>.

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT’s discussion this morning, we received feedback to:

Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community.

Add back in the previously-deleted Code of Conduct language in Section 3.5.1.

Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification.

If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by14 November 2017.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org <mailto:caitlin.tubergen@icann.org>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

Regarding moving the meeting to 1500 UTC, since I’m in Arizona and we do not observe DST, this will actually change the time of the meeting for me and put it in conflict with another PDP which has a rotating meeting schedule that includes 1500 UTC on Tuesday. Therefore I will likely have to miss some IRT meetings. Sara Sent from my iPhone. Apologies for typos and/or brevity. On Nov 8, 2017, at 9:22 AM, Caitlin Tubergen <caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org>> wrote: Dear Colleagues, Thank you for the active discussion. To address a few of the administrative questions: 1. I propose we keep the meeting hour the same for the avoidance of conflicts. Specifically, if we update the calendar invite from 1400UTC to 1500UTC, the meeting should still occur at the same time in your local time zone. If anyone has an issue with this, please respond to the list. 1. Does anyone have an objection to some of the IRT members’ proposed extension of 1 December to provide feedback on the draft accreditation agreement? 1. If you have feedback on the draft agreement, please send the feedback via the email list and/or add the feedback to the feedback tracker. We specifically did not distribute a word version of the agreement because version control becomes an issue when many members are providing feedback via different documents. 1. For our next meeting on 14 November, we can discuss some of the higher-level concerns mentioned on this list. If there are any specific concerns you would like to raise to the group, please feel free to keep replying to the list and/or plan on attending the call and raising your concern(s) there. Please let me know if you have any questions. Kind regards, Caitlin -- Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Lindsay Hamilton-Reid <Lindsay.Hamilton-Reid@fasthosts.com<mailto:Lindsay.Hamilton-Reid@fasthosts.com>> Reply-To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Tuesday, November 7, 2017 at 4:54 PM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all I also agree with Theo and Darcy. In view of the GDPR legislation, this has to be considered in light of this agreement when moving forward with the P/P accreditation framework. We must include all issues which will have an effect rather than having to constantly amend the agreement. Whatever ICANN decide in view of the GDPR, certainly as a lawyer, my view will be that we will not contravene the legislation. It is absolutely right that we establish a programme that is going to work; if not, then this whole exercise will be drawn out and will make our workloads far heavier than is required. We are currently reviewing the documents from a legal and operational perspective. Agreed we should focus on critical issues at our next call. Many thanks Lindsay Lindsay Hamilton-Reid Legal Counsel Direct: +44 (0)1452 509145 | Mobile: 07720 091147 | Email: Lindsay.Hamilton-Reid@1and1.co.uk<mailto:Lindsay.Hamilton-Reid@1and1.co.uk> www.fasthosts.co.uk<http://www.fasthosts.co.uk/> www.1and1.co.uk<http://www.1and1.co.uk/> <image001.jpg> © 2015 All rights reserved. Fasthosts is the trading name of Fasthosts Internet Limited. Company registration no. 03656438. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 720821857. 1&1 is the trading name of 1&1 Internet Limited. Company registration no. 03953678. Registered in England and Wales. Registered office: Discovery House, 154 Southgate Street, Gloucester, GL1 2EX. VAT no. 752539027. This message (including any attachments) is confidential and may be legally privileged. If you are not the intended recipient, you should not disclose, copy or use any part of it - please delete all copies immediately and notify 1&1 on 0844 335 1211 or Fasthosts on 0333 0142 700. Any statements, opinions or information in this message are provided by the author, not on behalf of 1&1 and/or Fasthosts, unless subsequently confirmed by an individual who is authorised to represent 1&1 and/or Fasthosts. <image002.jpg><http://www.linkedin.com/company/fasthosts-internet-ltd><image003.jpg><https://twitter.com/Fasthosts><image004.jpg><https://www.facebook.com/fasthostsinternet><image005.jpg><https://plus.google.com/u/0/b/107582097021398424605/+fasthosts/posts><image006.jpg><http://blogs.fasthosts.co.uk/><image007.jpg><http://www.youtube.com/user/Fasthostsinternet> From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Sara Bockey Sent: 07 November 2017 16:07 To: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>>; gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven <met@msk.com<mailto:met@msk.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Well said, Darcy. Agree 100%. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 8:47 AM To: "gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz <image008.gif> Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <image001.jpg> <image002.jpg> <image003.jpg> <image004.jpg> <image005.jpg> <image006.jpg> <image007.jpg> <image008.gif> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Re item 3 in Darcy’s list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad’s earlier comment to the list, which I support: “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.” Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? [image001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [mailto:darcy.southwell@endurance.com] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 7:47 AM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en<https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en> I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz [age001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017<https://community.icann.org/display/IRT/24+October+2017>. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

Agree with Theo. @Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months.  It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes.  We need to take a step back to do that first.  I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR. Darcy From: theo geurts <gtheo@xs4all.nl> Date: Tuesday, November 21, 2017 at 12:50 PM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all, Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting. 1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability? @Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined. Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target. The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO. Does this make any sense? Best Theo Geurts On 21-11-2017 20:39, Metalitz, Steven wrote: Re item 3 in Darcy’s list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad’s earlier comment to the list, which I support: “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.” Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [mailto:darcy.southwell@endurance.com] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell <darcy.southwell@endurance.com> Date: Tuesday, November 7, 2017 at 7:47 AM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of theo geurts <gtheo@xs4all.nl> Reply-To: <gdd-gnso-ppsai-impl@icann.org> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. Edit Section 3.15 – Labeling – to remove excessive language. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

I disagree – we need to move the process along as far as we can, while considering GDPR, but we cannot get bogged down or delay other progress that we can accomplish while assessing GDPR issues. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Darcy Southwell Sent: Wednesday, November 22, 2017 10:19 AM To: theo geurts <gtheo@xs4all.nl>; gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven <met@msk.com>; Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Agree with Theo. @Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months. It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes. We need to take a step back to do that first. I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR. Darcy From: theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Date: Tuesday, November 21, 2017 at 12:50 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, 'Darcy Southwell' <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all, Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting. 1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability? @Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined. Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target. The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO. Does this make any sense? Best Theo Geurts On 21-11-2017 20:39, Metalitz, Steven wrote: Re item 3 in Darcy’s list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad’s earlier comment to the list, which I support: “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.” Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? [mage001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [mailto:darcy.southwell@endurance.com] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 7:47 AM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz [ge001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. * It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Just to add to Jennifer's note, I believe it would also be useful for those advocating for discussion on GDPR in this context to provide a couple of examples of specific items in the current draft of the accreditation agreement (or other documents) that they consider problematic in the GDPR context. In other words, concrete examples with respect to item 1 as well as item 2. [image001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Jennifer Gore [mailto:jennifer.gore@icann.org] Sent: Saturday, November 25, 2017 8:03 PM To: gdd-gnso-ppsai-impl@icann.org Cc: theo geurts; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Thank you Darcy and all for re-raising your concerns. As I believe we can jointly discuss items 1&3 constructively, it would still be helpful for those IRT members whom believe item number 2 is actually an issue, please provide concrete examples for reference. Thank you, Jennifer Gore Jennifer On Nov 22, 2017, at 11:28 AM, Victoria Sheckler <vsheckler@riaa.com<mailto:vsheckler@riaa.com>> wrote: I disagree - we need to move the process along as far as we can, while considering GDPR, but we cannot get bogged down or delay other progress that we can accomplish while assessing GDPR issues. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Darcy Southwell Sent: Wednesday, November 22, 2017 10:19 AM To: theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>>; gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven <met@msk.com<mailto:met@msk.com>>; Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Agree with Theo. @Steve, My concern here is that we're moving forward with developing processes that may violate the GDPR, which goes into effect in just six months. It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes. We need to take a step back to do that first. I'm certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR. Darcy From: theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Date: Tuesday, November 21, 2017 at 12:50 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, 'Darcy Southwell' <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all, Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting. 1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability? @Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined. Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target. The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO. Does this make any sense? Best Theo Geurts On 21-11-2017 20:39, Metalitz, Steven wrote: Re item 3 in Darcy's list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad's earlier comment to the list, which I support: "Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues." Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively "before moving forward with reviewing the draft documents." Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? <image001.gif> Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [mailto:darcy.southwell@endurance.com] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 7:47 AM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don't believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we're not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we're making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven't gotten past this issue, and should probably take a fresh look at that to ensure we're not making this implementation more complicated than it needs to be. We all know that doesn't lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn't about derailing the IRT; it's about ensuring we don't create an implementation that's an operational nightmare for providers as well as registrants and end users - and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en<https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en> I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky's comments. The ongoing ICANN work re GDPR is of course very important, but let's not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz <image002.gif> Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<http://www.msk.com/> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN's work on GDPR's on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let's get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime... 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA * The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines "Registered Name" as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and "Registered Name Holder" is defined as the holder of a Registered Name. * It's noted that ICANN staff has replace "Registered Name Holder" with "Customer" in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. * Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. - 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. * The section should start with "Well founded..." Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: * Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 - Labeling - to remove excessive language. * Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let's not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy(tm) sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today's Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017<https://community.icann.org/display/IRT/24+October+2017>. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program's status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT's discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group's recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl>

Agree with Theo.  In addition, I suspect the GDPR affects: · ¶3.4 “Data Escrow. Provider shall comply with the data escrow requirements and procedures set forth in the Data Escrow Specification attached hereto.” · Specification 7 (Data Retention Specification) – what is collected and the retention requirements. · The Law Enforcement Authority Disclosure Framework Specification (which I can’t find the latest copy of because it’s not posted to the IRT wiki). Darcy From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Theo Geurts <gtheo@xs4all.nl> Reply-To: <gdd-gnso-ppsai-impl@icann.org> Date: Monday, November 27, 2017 at 9:29 AM To: "Metalitz, Steven" <met@msk.com>, 'Jennifer Gore' <jennifer.gore@icann.org>, "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, et al. I will post the RrSG comments tomorrow, which will include a few examples. Though when I look at the .Amsterdam GDPR solution by the Registry, is a key example where our members are thinking, will such solutions nullify the PPSAI efforts? And perhaps this is not obvious for some folks on this IRT. But development time is extremely scarce and very costly nowadays. So yes, the RrSG folks in here are cautious as they will be the ones who will have a very hard time convincing the developers that this all needs to be coded and developed. And if it turns out to be all in vain, that is not acceptable. If we look at language draft and the WG recommendations. DRAFT 3.14 Intellectual Property Disclosure Framework Specification. Provider shall comply with the Intellectual Property Disclosure Framework Specification attached hereto. Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. WG language “Given the balance that this Policy attempts to strike, evidence of the use of high-volume, automated electronic processes for sending Requests or responses to Requests (without human review) to the systems of Requesters, Providers, or Customers in performing any of the steps in the processes outlined in this Policy shall create a rebuttable presumption of non-compliance with this Policy.” It sounds to me it is conflicting. Or perhaps my interpretation is off. Thanks, Theo On 27-11-2017 15:52, Metalitz, Steven wrote: Just to add to Jennifer’s note, I believe it would also be useful for those advocating for discussion on GDPR in this context to provide a couple of examples of specific items in the current draft of the accreditation agreement (or other documents) that they consider problematic in the GDPR context. In other words, concrete examples with respect to item 1 as well as item 2. Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Jennifer Gore [mailto:jennifer.gore@icann.org] Sent: Saturday, November 25, 2017 8:03 PM To: gdd-gnso-ppsai-impl@icann.org Cc: theo geurts; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Thank you Darcy and all for re-raising your concerns. As I believe we can jointly discuss items 1&3 constructively, it would still be helpful for those IRT members whom believe item number 2 is actually an issue, please provide concrete examples for reference. Thank you, Jennifer Gore Jennifer On Nov 22, 2017, at 11:28 AM, Victoria Sheckler <vsheckler@riaa.com> wrote: I disagree – we need to move the process along as far as we can, while considering GDPR, but we cannot get bogged down or delay other progress that we can accomplish while assessing GDPR issues. From: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Darcy Southwell Sent: Wednesday, November 22, 2017 10:19 AM To: theo geurts <gtheo@xs4all.nl>; gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven <met@msk.com>; Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Agree with Theo. @Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months. It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes. We need to take a step back to do that first. I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR. Darcy From: theo geurts <gtheo@xs4all.nl> Date: Tuesday, November 21, 2017 at 12:50 PM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all, Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting. 1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability? @Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined. Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target. The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO. Does this make any sense? Best Theo Geurts On 21-11-2017 20:39, Metalitz, Steven wrote: Re item 3 in Darcy’s list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad’s earlier comment to the list, which I support: “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.” Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? <image001.gif> Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [mailto:darcy.southwell@endurance.com] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell <darcy.southwell@endurance.com> Date: Tuesday, November 7, 2017 at 7:47 AM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of theo geurts <gtheo@xs4all.nl> Reply-To: <gdd-gnso-ppsai-impl@icann.org> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz <image002.gif> Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. Edit Section 3.15 – Labeling – to remove excessive language. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Hi Steve, https://www.icann.org/en/system/files/correspondence/jeffrey-to-sprey-01nov1... We now have this process. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... So I am not sure what the result is going to be of all this. But if we end up at with a GDPR or data protection law solution at the Registry level through an RESP, well, I am not sure where we are going to end up, what are your thoughts? Thanks, Theo Metalitz, Steven schreef op 2017-11-28 01:52 AM:

Thanks Theo, looking forward to seeing RrSG comments.

Not sure I understand your reference to the .amsterdam GDPR solution in this context, but if you could point me to a description of it, perhaps that would make your point clearer to me. Thank you.

Steve

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM [1]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: Theo Geurts [mailto:gtheo@xs4all.nl] SENT: Monday, November 27, 2017 12:30 PM TO: Metalitz, Steven; 'Jennifer Gore'; gdd-gnso-ppsai-impl@icann.org CC: Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, et al.

I will post the RrSG comments tomorrow, which will include a few examples. Though when I look at the .Amsterdam GDPR solution by the Registry, is a key example where our members are thinking, will such solutions nullify the PPSAI efforts?

And perhaps this is not obvious for some folks on this IRT. But development time is extremely scarce and very costly nowadays. So yes, the RrSG folks in here are cautious as they will be the ones who will have a very hard time convincing the developers that this all needs to be coded and developed. And if it turns out to be all in vain, that is not acceptable.

If we look at language draft and the WG recommendations.

DRAFT 3.14 Intellectual Property Disclosure Framework Specification. Provider shall comply with the Intellectual Property Disclosure Framework Specification attached hereto. Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

WG language "Given the balance that this Policy attempts to strike, evidence of the use of high-volume, automated electronic processes for sending Requests or responses to Requests (without human review) to the systems of Requesters, Providers, or Customers in performing any of the steps in the processes outlined in this Policy shall create a rebuttable presumption of non-compliance with this Policy."

It sounds to me it is conflicting. Or perhaps my interpretation is off.

Thanks,

Theo

On 27-11-2017 15:52, Metalitz, Steven wrote:

...

Just to add to Jennifer's note, I believe it would also be useful for those advocating for discussion on GDPR in this context to provide a couple of examples of specific items in the current draft of the accreditation agreement (or other documents) that they consider problematic in the GDPR context. In other words, concrete examples with respect to item 1 as well as item 2.

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM [1]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: Jennifer Gore [mailto:jennifer.gore@icann.org] SENT: Saturday, November 25, 2017 8:03 PM TO: gdd-gnso-ppsai-impl@icann.org CC: theo geurts; Metalitz, Steven; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Thank you Darcy and all for re-raising your concerns. As I believe we can jointly discuss items 1&3 constructively, it would still be helpful for those IRT members whom believe item number 2 is actually an issue, please provide concrete examples for reference.

Thank you,

Jennifer Gore

Jennifer

On Nov 22, 2017, at 11:28 AM, Victoria Sheckler <vsheckler@riaa.com> wrote:

I disagree - we need to move the process along as far as we can, while considering GDPR, but we cannot get bogged down or delay other progress that we can accomplish while assessing GDPR issues.

FROM: Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] ON BEHALF OF Darcy Southwell SENT: Wednesday, November 22, 2017 10:19 AM TO: theo geurts <gtheo@xs4all.nl>; gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven <met@msk.com>; Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Agree with Theo.

@Steve, My concern here is that we're moving forward with developing processes that may violate the GDPR, which goes into effect in just six months. It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes. We need to take a step back to do that first. I'm certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR.

Darcy

FROM: theo geurts <gtheo@xs4all.nl> DATE: Tuesday, November 21, 2017 at 12:50 PM TO: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi all,

Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting.

1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability?

@Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined.

Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target.

The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO.

Does this make any sense?

Best

Theo Geurts

On 21-11-2017 20:39, Metalitz, Steven wrote:

Re item 3 in Darcy's list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5?

Re item 1 I would note Vlad's earlier comment to the list, which I support: "Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues."

Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively "before moving forward with reviewing the draft documents." Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR?

<IMAGE001.GIF>

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM [1]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: Darcy Southwell [mailto:darcy.southwell@endurance.com] SENT: Tuesday, November 21, 2017 2:00 PM TO: gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

@ICANN Staff,

I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically:

1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR).

2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening).

3. Concerns with proposed framework Public Safety Working Group.

I suggest that our 5 Dec. agenda should focus on these discussion items.

Thanks,

Darcy

FROM: Darcy Southwell <darcy.southwell@endurance.com> DATE: Tuesday, November 7, 2017 at 7:47 AM TO: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don't believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we're not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we're making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven't gotten past this issue, and should probably take a fresh look at that to ensure we're not making this implementation more complicated than it needs to be. We all know that doesn't lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date).

Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn't about derailing the IRT; it's about ensuring we don't create an implementation that's an operational nightmare for providers as well as registrants and end users - and that means addressing these critical issues first.

Thanks,

Darcy

FROM: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of theo geurts <gtheo@xs4all.nl> REPLY-TO: <gdd-gnso-ppsai-impl@icann.org> DATE: Monday, November 6, 2017 at 12:27 PM TO: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, Vicky,

Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here.

My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation.

In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is.

I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws.

So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer.

https://www.icann.org/resources/pages/contractual-compliance-statement-2017-...

...

I think that scenario is unwanted for everyone on the IRT is it not?

Thanks,

Theo Geurts

On 6-11-2017 19:40, Metalitz, Steven wrote:

I strongly second Vicky's comments. The ongoing ICANN work re GDPR is of course very important, but let's not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe.

Steve Metalitz

<IMAGE002.GIF>

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM [1]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: gdd-gnso-ppsai-impl-bounces@icann.org [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] ON BEHALF OF Victoria Sheckler SENT: Tuesday, October 31, 2017 5:55 PM TO: gdd-gnso-ppsai-impl@icann.org; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN's work on GDPR's on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let's get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote:

Caitlin,

Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime…

* Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA

* The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. * In this context, the 2013 RAA also defines "Registered Name" as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and "Registered Name Holder" is defined as the holder of a Registered Name. * It's noted that ICANN staff has replace "Registered Name Holder" with "Customer" in many instances, but I question the logic in that since it is inconsistent with the RAA.

* Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent.

* Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. - 3.5.3.6 (at a minimum) are not compatible and must be revise.

* Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed.

* The section should start with "Well founded…"

Additionally, the following sections need revision or at a minimum further discuss by the IRT

* Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed:

* Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

* Edit Section 3.15 - Labeling - to remove excessive language.

* Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let's not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

SARA BOCKEY

SR. POLICY MANAGER | GODADDY™

SBOCKEY@GODADDY.COM 480-366-3616

SKYPE: SBOCKEY

_This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments._

FROM: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> REPLY-TO: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> DATE: Wednesday, October 25, 2017 at 4:44 AM TO: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> SUBJECT: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today's Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017 [2].

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of TUESDAY, 14 NOVEMBER for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program's status to the community. Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT's discussion this morning, we received feedback to:

* Edit the definition of WORKING GROUP IN SECTION 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the _provider_ representatives of the Working Group, and the GNSO may appoint other members of the community.

* Add back in the previously-deleted CODE OF CONDUCT language in SECTION 3.5.1.

* Add back in the previously-deleted REVIEW PROVISION in SECTION 7 OF THE CUSTOMER DATA ACCURACY PROGRAM SPECIFICATION.

If you believe the above items do not reflect the intent of the Working Group's recommendations, please reply to the list by 14 NOVEMBER 2017.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

CAITLIN TUBERGEN

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [3]

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [3]

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

...

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Links: ------ [1] http://www.msk.com/ [2] https://community.icann.org/display/IRT/24+October+2017 [3] https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

I agree with Darcy, before running, we need to walk and understand the GDPR implications first for our work. There is no point wasting valuable time creating policy/procedures if at the end of the day they will be in violation of GDPR - it wastes everyones time and resources. Kind regards, Chris From: "Darcy Southwell" <darcy.southwell@endurance.com> To: "theo geurts" <gtheo@xs4all.nl>, gdd-gnso-ppsai-impl@icann.org, "Steven Metalitz" <met@msk.com>, "Sara Bockey" <sbockey@godaddy.com> Sent: Wednesday, 22 November, 2017 15:19:11 Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Agree with Theo. @Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months. It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes. We need to take a step back to do that first. I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR. Darcy From: theo geurts <gtheo@xs4all.nl> Date: Tuesday, November 21, 2017 at 12:50 PM To: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all, Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting. 1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability? @Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined. Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target. The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO. Does this make any sense? Best Theo Geurts On 21-11-2017 20:39, Metalitz, Steven wrote: Re item 3 in Darcy’s list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad’s earlier comment to the list, which I support: “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.” Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [ mailto:darcy.southwell@endurance.com ] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org ; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell < darcy.southwell@endurance.com > Date: Tuesday, November 7, 2017 at 7:47 AM To: < gdd-gnso-ppsai-impl@icann.org >, "Metalitz, Steven" < met@msk.com >, Sara Bockey < sbockey@godaddy.com > Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: < gdd-gnso-ppsai-impl-bounces@icann.org > on behalf of theo geurts < gtheo@xs4all.nl > Reply-To: < gdd-gnso-ppsai-impl@icann.org > Date: Monday, November 6, 2017 at 12:27 PM To: < gdd-gnso-ppsai-impl@icann.org >, "Metalitz, Steven" < met@msk.com >, Sara Bockey < sbockey@godaddy.com > Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: BQ_BEGIN I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com Mitchell Silberberg & Knupp LLP | www.msk.com 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org [ mailto:gdd-gnso-ppsai-impl-bounces@icann.org ] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org ; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: BQ_BEGIN Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA 1. The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. 2. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. 3. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 1. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. 1. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 1. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. 1. The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 1. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: 1. Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 1. Edit Section 3.15 – Labeling – to remove excessive language. 1. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | Go Daddy ™ sbockey@godaddy.com 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017 . During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: 1. Edit the definition of Working Group in Section 1.43 , to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. 1. Add back in the previously-deleted Code of Conduct language in Section 3.5.1 . 1. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification . If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017 . Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl BQ_END _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl BQ_END _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

Hi Theo, all, A few comments (before I turn into a Turkey) Theo – can you clarify what you mean by moving out of scope? And the earlier comment regarding scope and the need to go back to the GNSO. It is not clear what you are suggesting (to me at least). As for the statements that we must halt work until we understand implications of the GDPR I don’t agree. (it is not a binary issue/decision IMO) Is GDPR an important issue that we need to consider? Of course it is. Yet we should not jump to conclusions that the policy defined isn’t compliant (or close to compliant) given 1) the data of natural persons (and others) is already “behind a gate”, 2) we have defined a process for those with legit interests to access this data, 3) we have agreed that use of any data received is minimized and must be managed/processed in a way that complies with data protection laws. 4) a detailed process that describes the action on request, 5) etc, etc. I don’t believe the sky is falling here – and think (and suggest) we can continue to make forward progress where possible. Thanks! Alex From: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Theo Geurts <gtheo@xs4all.nl> Reply-To: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, November 22, 2017 at 9:10 AM To: Chris Pelling <chris@netearth.net>, "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call How much of this is expected to be obsolete next year, even if only for some subset (EU) of Registrants? It looks like we are going to end up with a very complex & burdensome accreditation program, with the above in mind is this justified? Again, I think we are moving out of scope due to shifting dynamics. Theo On 22-11-2017 17:59, Chris Pelling wrote: I agree with Darcy, before running, we need to walk and understand the GDPR implications first for our work. There is no point wasting valuable time creating policy/procedures if at the end of the day they will be in violation of GDPR - it wastes everyones time and resources. Kind regards, Chris ________________________________ From: "Darcy Southwell" <darcy.southwell@endurance.com><mailto:darcy.southwell@endurance.com> To: "theo geurts" <gtheo@xs4all.nl><mailto:gtheo@xs4all.nl>, gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>, "Steven Metalitz" <met@msk.com><mailto:met@msk.com>, "Sara Bockey" <sbockey@godaddy.com><mailto:sbockey@godaddy.com> Sent: Wednesday, 22 November, 2017 15:19:11 Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Agree with Theo. @Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months. It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes. We need to take a step back to do that first. I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR. Darcy From: theo geurts <gtheo@xs4all.nl><mailto:gtheo@xs4all.nl> Date: Tuesday, November 21, 2017 at 12:50 PM To: <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com><mailto:met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com><mailto:darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com><mailto:sbockey@godaddy.com> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi all, Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting. 1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3 PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability? @Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined. Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg, that thing has been a moving target. The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO. Does this make any sense? Best Theo Geurts On 21-11-2017 20:39, Metalitz, Steven wrote: Re item 3 in Darcy’s list, I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on December 5? Re item 1 I would note Vlad’s earlier comment to the list, which I support: “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.” Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents. Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR? [age001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.msk.com%2F&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=ipqD0zxxC6d3NMzXa0aJI9pe2kVgJN6JPhhDZXxSRj8%3D&reserved=0> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: Darcy Southwell [mailto:darcy.southwell@endurance.com] Sent: Tuesday, November 21, 2017 2:00 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call @ICANN Staff, I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December. I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents. Specifically: 1. Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR). 2. Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening). 3. Concerns with proposed framework Public Safety Working Group. I suggest that our 5 Dec. agenda should focus on these discussion items. Thanks, Darcy From: Darcy Southwell <darcy.southwell@endurance.com<mailto:darcy.southwell@endurance.com>> Date: Tuesday, November 7, 2017 at 7:47 AM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call I agree with Theo. The scope has changed and implementation is impacted by GDPR. While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy. The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy. Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants. Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy. There have also been repeated questions raised about the over-engineering of this implementation. Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be. We all know that doesn’t lead us to a better implementation. Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum). Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date). Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first. This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first. Thanks, Darcy From: <gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl<mailto:gtheo@xs4all.nl>> Reply-To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>> Date: Monday, November 6, 2017 at 12:27 PM To: <gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com<mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com<mailto:sbockey@godaddy.com>> Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Hi Steve, Vicky, Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here. My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation. In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is. I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws. So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fresources%2Fpages%2Fcontractual-compliance-statement-2017-11-02-en&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=icMv3YN%2BHoft3q1B6cwVXNzFcyYeTOAaZBU5vfxrupY%3D&reserved=0> I think that scenario is unwanted for everyone on the IRT is it not? Thanks, Theo Geurts On 6-11-2017 19:40, Metalitz, Steven wrote: I strongly second Vicky’s comments. The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community. In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary. Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe. Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe. Steve Metalitz [e001] Steven J. Metalitz | Partner, through his professional corporation T: 202.355.7902 | met@msk.com<mailto:met@msk.com> Mitchell Silberberg & Knupp LLP | www.msk.com<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.msk.com%2F&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=ipqD0zxxC6d3NMzXa0aJI9pe2kVgJN6JPhhDZXxSRj8%3D&reserved=0> 1818 N Street NW, 8th Floor, Washington, DC 20036 THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU. From: gdd-gnso-ppsai-impl-bounces@icann.org<mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] On Behalf Of Victoria Sheckler Sent: Tuesday, October 31, 2017 5:55 PM To: gdd-gnso-ppsai-impl@icann.org<mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey Subject: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was. So please let’s get those rules in place as expeditiously as possible. On 30-10-2017 11:32, Sara Bockey wrote: Caitlin, Thanks for the revised docs. A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime… 1. Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA a. The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA. b. In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name. c. It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA. 2. Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent. a. Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service. Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise. 3. Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed. a. The section should start with “Well founded…” Additionally, the following sections need revision or at a minimum further discuss by the IRT 4. Edit Section 3.14 to remove the language re no automation. This is not feasible. This language must be removed: a. Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification. 5. Edit Section 3.15 – Labeling – to remove excessive language. a. Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR. sara bockey sr. policy manager | GoDaddy™ sbockey@godaddy.com<mailto:sbockey@godaddy.com> 480-366-3616 skype: sbockey This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments. From: <gdd-gnso-ppsai-impl-bounces@icann.org><mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org><mailto:caitlin.tubergen@icann.org> Reply-To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Date: Wednesday, October 25, 2017 at 4:44 AM To: "gdd-gnso-ppsai-impl@icann.org"<mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org><mailto:gdd-gnso-ppsai-impl@icann.org> Subject: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call Dear Colleagues, Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunity.icann.org%2Fdisplay%2FIRT%2F24%2BOctober%2B2017&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=1qmqDOSib8cz7oSSE3lYtChxzCshDo3wBbsI%2BW8YFIo%3D&reserved=0>. During the call, we discussed an overview of the changes to the draft PPAA. Please note that ICANN proposed a deadline of Tuesday, 14 November for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list. Please respond to the list if you would like to request a longer review period. During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation. To highlight a few notes from the IRT’s discussion this morning, we received feedback to: a. Edit the definition of Working Group in Section 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the provider representatives of the Working Group, and the GNSO may appoint other members of the community. b. Add back in the previously-deleted Code of Conduct language in Section 3.5.1. c. Add back in the previously-deleted review provision in Section 7 of the Customer Data Accuracy Program Specification. If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 November 2017. Thank you, and safe travels to those of you attending ICANN 60! Kind regards, Caitlin Tubergen Registrar Services and Engagement Senior Manager ICANN 12025 Waterfront Drive, Suite 300 Los Angeles, CA 90094 Office: +1 310 578 8666 Mobile: +1 310 699 5326 Email: caitlin.tubergen@icann.org<mailto:caitlin.tubergen@icann.org> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0> _______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org<mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

Hi Alex, My thinking is here. Currently, the sky is not falling, and I think the sentiment amongst the registrars is, the sky might be falling if we continue. The reason we want to discuss this more in-depth on the next call. I think we got a healthy exchange here so I would guess there are no objections to seeing if we can get some more discussion and clarity?The issues Darcy raised are also somewhat of an SG issue, our members asked us, and we have no answers, so there is also a very practical reason here. Now we are currently reviewing the drafts since the last few weeks; we got active discussions going on amongst the registrars. While reviewing, I noticed we still have some work ahead, which is normal, I also note that there is language and though not yet perfect could be the basis to nail two items that been dragging this IRT down. The de-accreditation process. Nonaffiliated third party providers. I will post the combined comments soon, the discussion has not fizzled out yet, as soon it does I will post them right away and share them with the IRT. Best regards, Theo On 22-11-2017 19:08, Deacon, Alex wrote:

Hi Theo, all,

A few comments (before I turn into a Turkey)

Theo – can you clarify what you mean by moving out of scope?  And the earlier comment regarding scope and the need to go back to the GNSO.   It is not clear what you are suggesting (to me at least).

As for the statements that we must halt work until we understand implications of the GDPR I don’t agree.   (it is not a binary issue/decision IMO)

Is GDPR an important issue that we need to consider?   Of course it is.   Yet we should not jump to conclusions that the policy defined isn’t compliant (or close to compliant) given 1) the data of natural persons (and others) is already “behind a gate”, 2) we have defined a process for those with legit interests to access this data, 3) we have agreed that use of any data received is minimized and must be managed/processed in a way that complies with data protection laws. 4) a detailed process that describes the action on request, 5) etc, etc.

I don’t believe the sky is falling here – and think (and suggest) we can continue to make forward progress where possible.

Thanks!

Alex

*From: *Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Theo Geurts <gtheo@xs4all.nl> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Date: *Wednesday, November 22, 2017 at 9:10 AM *To: *Chris Pelling <chris@netearth.net>, "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

How much of this is expected to be obsolete next year, even if only for some subset (EU) of Registrants? It looks like we are going to end up with a very complex & burdensome accreditation program, with the above in mind is this justified? Again, I think we are moving out of scope due to shifting dynamics.

Theo

On 22-11-2017 17:59, Chris Pelling wrote:

I agree with Darcy, before running, we need to walk and understand the GDPR implications first for our work. There is no point wasting valuable time creating policy/procedures if at the end of the day they will be in violation of GDPR - it wastes everyones time and resources.

Kind regards,

Chris

------------------------------------------------------------------------

*From: *"Darcy Southwell" <darcy.southwell@endurance.com> <mailto:darcy.southwell@endurance.com> *To: *"theo geurts" <gtheo@xs4all.nl> <mailto:gtheo@xs4all.nl>, gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>, "Steven Metalitz" <met@msk.com> <mailto:met@msk.com>, "Sara Bockey" <sbockey@godaddy.com> <mailto:sbockey@godaddy.com> *Sent: *Wednesday, 22 November, 2017 15:19:11 *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Agree with Theo.

@Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months.  It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes.  We need to take a step back to do that first.  I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR.

Darcy

*From: *theo geurts <gtheo@xs4all.nl> <mailto:gtheo@xs4all.nl> *Date: *Tuesday, November 21, 2017 at 12:50 PM *To: *<gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com> <mailto:met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com> <mailto:darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com> <mailto:sbockey@godaddy.com> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi all,

Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting.

1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3  PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability?

@Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined.

Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg,  that thing has been a moving target.

The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO.

Does this make any sense?

Best

Theo Geurts

On 21-11-2017 20:39, Metalitz, Steven wrote:

Re item 3 in Darcy’s list,  I understand contact has been established with the new PSWG liaison to the IRT. Can we confirm his availability to participate in a call on  December 5?

Re item 1 I would note Vlad’s earlier comment to the list, which I support:  “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.”

Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.” Items 2 and 3 seem to refer to specific points in one or more of the draft documents.  Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR?

*age001*

*Steven J. Metalitz *|***Partner, through his professional corporation*

T: 202.355.7902 | met@msk.com <mailto:met@msk.com>

*Mitchell Silberberg & Knupp**LLP*|*www.msk.com <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.msk.com%2F&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=ipqD0zxxC6d3NMzXa0aJI9pe2kVgJN6JPhhDZXxSRj8%3D&reserved=0>*

1818 N Street NW, 8th Floor, Washington, DC 20036

*_THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS._**THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:*Darcy Southwell [mailto:darcy.southwell@endurance.com] *Sent:* Tuesday, November 21, 2017 2:00 PM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven; Sara Bockey *Subject:* Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

@ICANN Staff,

I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December.  I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents.  Specifically:

1.Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR).

2.Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening).

3.Concerns with proposed framework Public Safety Working Group.

I suggest that our 5 Dec. agenda should focus on these discussion items.

Thanks,

Darcy

*From: *Darcy Southwell <darcy.southwell@endurance.com <mailto:darcy.southwell@endurance.com>> *Date: *Tuesday, November 7, 2017 at 7:47 AM *To: *<gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with Theo.  The scope has changed and implementation is impacted by GDPR.  While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program. Further, in just the last week or so, issues have been raised about implementation language contradicting the policy.  The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy.  Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants.  Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy.  There have also been repeated questions raised about the over-engineering of this implementation.  Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be.  We all know that doesn’t lead us to a better implementation.  Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification.   For many members, these require operational and legal review (at a minimum).  Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date).

Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first.  This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first.

Thanks,

Darcy

*From: *<gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> *Reply-To: *<gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> *Date: *Monday, November 6, 2017 at 12:27 PM *To: *<gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> *Subject: *Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, Vicky,

Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here.

My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation.

In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is.

I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws.

So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer. https://www.icann.org/resources/pages/contractual-compliance-statement-2017-... <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fresources%2Fpages%2Fcontractual-compliance-statement-2017-11-02-en&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=icMv3YN%2BHoft3q1B6cwVXNzFcyYeTOAaZBU5vfxrupY%3D&reserved=0>

I think that scenario is unwanted for everyone on the IRT is it not?

Thanks,

Theo Geurts

On 6-11-2017 19:40, Metalitz, Steven wrote:

I strongly second Vicky’s comments.  The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe.  Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I  believe.

Steve Metalitz

*e001*

*Steven J. Metalitz *|***Partner, through his professional corporation*

T: 202.355.7902 | met@msk.com <mailto:met@msk.com>

*Mitchell Silberberg & Knupp**LLP*|*www.msk.com <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.msk.com%2F&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=ipqD0zxxC6d3NMzXa0aJI9pe2kVgJN6JPhhDZXxSRj8%3D&reserved=0>*

1818 N Street NW, 8th Floor, Washington, DC 20036

*_THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS._**THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:*gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Victoria Sheckler *Sent:* Tuesday, October 31, 2017 5:55 PM *To:* gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey *Subject:* Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was.  So please let’s get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote:

Caitlin,

Thanks for the revised docs.  A few items at first glance that need to be revised, as I believe they have been discussion/raised before.  I will take a closer look and follow up with additional edits, but in the meantime…

1.Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA

a.The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA.

b.In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name.

c.It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA.

2.Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent.

a.Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service.  Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise.

3.Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August.  The first sentence in its entirety should be removed.

a.The section should start with “Well founded…”

Additionally, the following sections need revision or at a minimum further discuss by the IRT

4.Edit Section 3.14 to remove the language re no automation.  This is not feasible.  This language must be removed:

a.Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

5.Edit Section 3.15 – Labeling – to remove excessive language.

a.Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary. Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

*sara bockey*

*sr. policy manager | GoDaddy^™ *

*sbockey@godaddy.com <mailto:sbockey@godaddy.com> 480-366-3616*

*skype: sbockey*

/This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments./

*From: *<gdd-gnso-ppsai-impl-bounces@icann.org> <mailto:gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> <mailto:caitlin.tubergen@icann.org> *Reply-To: *"gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> *Date: *Wednesday, October 25, 2017 at 4:44 AM *To: *"gdd-gnso-ppsai-impl@icann.org" <mailto:gdd-gnso-ppsai-impl@icann.org> <gdd-gnso-ppsai-impl@icann.org> <mailto:gdd-gnso-ppsai-impl@icann.org> *Subject: *[Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017 <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunity.icann.org%2Fdisplay%2FIRT%2F24%2BOctober%2B2017&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=1qmqDOSib8cz7oSSE3lYtChxzCshDo3wBbsI%2BW8YFIo%3D&reserved=0>.

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of *Tuesday,* *14 November* for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list.  Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program’s status to the community. Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT’s discussion this morning, we received feedback to:

a.Edit the definition of *Working Group in Section 1.43*, to specify that the Provider Stakeholder Group, if formed, shall only appoint the /provider/ representatives of the Working Group, and the GNSO may appoint other members of the community.

**

b.Add back in the previously-deleted *Code of Conduct *language in *Section 3.5.1*.

**

**

c.Add back in the previously-deleted *review provision *in *Section 7 of the Customer Data Accuracy Program Specification*.

**

If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by *14 November 2017*.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

*Caitlin Tubergen*

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org <mailto:caitlin.tubergen@icann.org>

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl <https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon%40mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y%2Fed5bgadH2USlJP4DNRX0U%3D&reserved=0>

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

We should also bear in mind that registrars have recently voted to extend the RAA privacy spec for another couple of months. As most privacy services are registrar-affiliated services, it is not like there is this huge risk of providers suddenly becoming unregulated again, which might justify a speedy implementation. Let us make sure we absolutely understand what is being done here. And let us also first all agree on the attached costs and required checks. I still think that ICANN went way overboard with their proposal. Instead of a lightweight program to ensure certain needs are being met by all providers of these services, we are now looking at this heavy-handed monster of a program that no one on the contracted parties side forsaw when we were on the PDP. Volker Am 23.11.2017 um 08:42 schrieb gtheo:

Hi all,

Rather than discussing the GDPR and the 'Better the devil you know", sencario. Is it an option we can have the drafts reviewed by Hamilton? My idea is here to get the relevant sections of the GDPR identified where we might run into issues. I think as soon we know that we can take it from there.

Or, since ICANN has a Data Protection Officer for the organization itself, and as Staff is facilitating here, it could be an idea to have the DPO review if the contractual sections are in line with the data protection laws after all this is a contract between ICANN and the providers. Perhaps also a nice test case to review if all processes of Staff carried out for this IRT are within in the vision of the DPO.

Thanks,

Theo

Deacon, Alex schreef op 2017-11-22 07:08 PM:

...

Hi Theo, all,

A few comments (before I turn into a Turkey)

Theo – can you clarify what you mean by moving out of scope? And the earlier comment regarding scope and the need to go back to the GNSO.   It is not clear what you are suggesting (to me at least).

As for the statements that we must halt work until we understand implications of the GDPR I don’t agree.   (it is not a binary issue/decision IMO)

Is GDPR an important issue that we need to consider?   Of course it is.   Yet we should not jump to conclusions that the policy defined isn’t compliant (or close to compliant) given 1) the data of natural persons (and others) is already “behind a gate”, 2) we have defined a process for those with legit interests to access this data, 3) we have agreed that use of any data received is minimized and must be managed/processed in a way that complies with data protection laws. 4) a detailed process that describes the action on request, 5) etc, etc.

I don’t believe the sky is falling here – and think (and suggest) we can continue to make forward progress where possible.

Thanks!

Alex

FROM: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Theo Geurts <gtheo@xs4all.nl> REPLY-TO: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> DATE: Wednesday, November 22, 2017 at 9:10 AM TO: Chris Pelling <chris@netearth.net>, "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

How much of this is expected to be obsolete next year, even if only for some subset (EU) of Registrants? It looks like we are going to end up with a very complex & burdensome accreditation program, with the above in mind is this justified? Again, I think we are moving out of scope due to shifting dynamics.

Theo

On 22-11-2017 17:59, Chris Pelling wrote:

...

I agree with Darcy, before running, we need to walk and understand the GDPR implications first for our work.  There is no point wasting valuable time creating policy/procedures if at the end of the day they will be in violation of GDPR - it wastes everyones time and resources.

Kind regards,

Chris

-------------------------

FROM: "Darcy Southwell" <darcy.southwell@endurance.com> TO: "theo geurts" <gtheo@xs4all.nl>, gdd-gnso-ppsai-impl@icann.org, "Steven Metalitz" <met@msk.com>, "Sara Bockey" <sbockey@godaddy.com> SENT: Wednesday, 22 November, 2017 15:19:11 SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Agree with Theo.

@Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months.  It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes.  We need to take a step back to do that first. I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR.

Darcy

FROM: theo geurts <gtheo@xs4all.nl> DATE: Tuesday, November 21, 2017 at 12:50 PM TO: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, 'Darcy Southwell' <darcy.southwell@endurance.com>, Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi all,

Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting.

1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3  PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability?

@Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined.

Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg,  that thing has been a moving target.

The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO.

Does this make any sense?

Best

Theo Geurts

On 21-11-2017 20:39, Metalitz, Steven wrote:

Re item 3 in Darcy’s list,  I understand contact has been established with the new PSWG liaison to the IRT.  Can we confirm his availability to participate in a call on  December 5?

Re item 1 I would note Vlad’s earlier comment to the list, which I support:  “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.”

Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.”  Items 2 and 3 seem to refer to specific points in one or more of the draft documents.  Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR?

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM [2]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: Darcy Southwell [mailto:darcy.southwell@endurance.com] SENT: Tuesday, November 21, 2017 2:00 PM TO: gdd-gnso-ppsai-impl@icann.org; Metalitz, Steven; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

@ICANN Staff,

I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December.  I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents.  Specifically:

1.        Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR).

2.       Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening).

3.       Concerns with proposed framework Public Safety Working Group.

I suggest that our 5 Dec. agenda should focus on these discussion items.

Thanks,

Darcy

FROM: Darcy Southwell <darcy.southwell@endurance.com> DATE: Tuesday, November 7, 2017 at 7:47 AM TO: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with Theo.  The scope has changed and implementation is impacted by GDPR.  While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program.  Further, in just the last week or so, issues have been raised about implementation language contradicting the policy.  The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy.  Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants.  Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy.  There have also been repeated questions raised about the over-engineering of this implementation.  Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be.  We all know that doesn’t lead us to a better implementation.  Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum).  Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date).

Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first.  This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first.

Thanks,

Darcy

FROM: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of theo geurts <gtheo@xs4all.nl> REPLY-TO: <gdd-gnso-ppsai-impl@icann.org> DATE: Monday, November 6, 2017 at 12:27 PM TO: <gdd-gnso-ppsai-impl@icann.org>, "Metalitz, Steven" <met@msk.com>, Sara Bockey <sbockey@godaddy.com> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, Vicky,

Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here.

My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation.

In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is.

I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws.

So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer.

https://www.icann.org/resources/pages/contractual-compliance-statement-2017-...

...

[3]

I think that scenario is unwanted for everyone on the IRT is it not?

Thanks,

Theo Geurts

On 6-11-2017 19:40, Metalitz, Steven wrote:

I strongly second Vicky’s comments.  The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe.  Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe.

Steve Metalitz

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM [2]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: gdd-gnso-ppsai-impl-bounces@icann.org [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] ON BEHALF OF Victoria Sheckler SENT: Tuesday, October 31, 2017 5:55 PM TO: gdd-gnso-ppsai-impl@icann.org; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was.  So please let’s get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote:

Caitlin,

Thanks for the revised docs.  A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime…

1.      Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA

a.      The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA.

b.      In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name.

c.       It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA.

2.      Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent.

a.      Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service.  Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise.

3.      Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed.

a.      The section should start with “Well founded…”

Additionally, the following sections need revision or at a minimum further discuss by the IRT

4.      Edit Section 3.14 to remove the language re no automation. This is not feasible.  This language must be removed:

a.      Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

5.      Edit Section 3.15 – Labeling – to remove excessive language.

a.      Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary.  Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

SARA BOCKEY

SR. POLICY MANAGER | GODADDY™

SBOCKEY@GODADDY.COM  480-366-3616

SKYPE: SBOCKEY

_This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments._

FROM: <gdd-gnso-ppsai-impl-bounces@icann.org> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org> REPLY-TO: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> DATE: Wednesday, October 25, 2017 at 4:44 AM TO: "gdd-gnso-ppsai-impl@icann.org" <gdd-gnso-ppsai-impl@icann.org> SUBJECT: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017 [4].

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of TUESDAY, 14 NOVEMBER for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list.  Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program’s status to the community.  Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT’s discussion this morning, we received feedback to:

a.      Edit the definition of WORKING GROUP IN SECTION 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the _provider_ representatives of the Working Group, and the GNSO may appoint other members of the community.

b.      Add back in the previously-deleted CODE OF CONDUCT language in SECTION 3.5.1.

c.       Add back in the previously-deleted REVIEW PROVISION in SECTION 7 OF THE CUSTOMER DATA ACCURACY PROGRAM SPECIFICATION.

If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 NOVEMBER 2017.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

CAITLIN TUBERGEN

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

Links: ------ [1] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.or...

[2] https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.msk.com%...

[3] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.o...

[4] https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunity.i...

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

---

Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

Hi Steven, there was an issue with the vote, but it was either 12 or 18 months. I think 18 months was the preferred option by one vote. Volker Am 23.11.2017 um 16:58 schrieb Metalitz, Steven:

Is anyone on this list in a position to clarify for how long a period the registrars have agreed to extend the RAA spec on privacy/proxy?  While I don’t agree that this should determine the pace of our forward progress, it would be useful to know.  Thank you.

*image001*

*Steven J. Metalitz *|***Partner, through his professional corporation*

T: 202.355.7902 |met@msk.com <mailto:met@msk.com>**

*Mitchell Silberberg & Knupp**LLP*|*www.msk.com <http://www.msk.com/>*

1818 N Street NW, 8th Floor, Washington, DC 20036

*_THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS._**THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.*

*From:*Gdd-gnso-ppsai-impl [mailto:gdd-gnso-ppsai-impl-bounces@icann.org] *On Behalf Of *Volker Greimann *Sent:* Thursday, November 23, 2017 8:50 AM *To:* gdd-gnso-ppsai-impl@icann.org *Subject:* Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

We should also bear in mind that registrars have recently voted to extend the RAA privacy spec for another couple of months. As most privacy services are registrar-affiliated services, it is not like there is this huge risk of providers suddenly becoming unregulated again, which might justify a speedy implementation.

Let us make sure we absolutely understand what is being done here.

And let us also first all agree on the attached costs and required checks. I still think that ICANN went way overboard with their proposal. Instead of a lightweight program to ensure certain needs are being met by all providers of these services, we are now looking at this heavy-handed monster of a program that no one on the contracted parties side forsaw when we were on the PDP.

Volker

Am 23.11.2017 um 08:42 schrieb gtheo:

...

Hi all,

Rather than discussing the GDPR and the 'Better the devil you know", sencario. Is it an option we can have the drafts reviewed by Hamilton? My idea is here to get the relevant sections of the GDPR identified where we might run into issues. I think as soon we know that we can take it from there.

Or, since ICANN has a Data Protection Officer for the organization itself, and as Staff is facilitating here, it could be an idea to have the DPO review if the contractual sections are in line with the data protection laws after all this is a contract between ICANN and the providers. Perhaps also a nice test case to review if all processes of Staff carried out for this IRT are within in the vision of the DPO.

Thanks,

Theo

Deacon, Alex schreef op 2017-11-22 07:08 PM:

...

Hi Theo, all,

A few comments (before I turn into a Turkey)

Theo – can you clarify what you mean by moving out of scope? And the earlier comment regarding scope and the need to go back to the GNSO.   It is not clear what you are suggesting (to me at least).

As for the statements that we must halt work until we understand implications of the GDPR I don’t agree.   (it is not a binary issue/decision IMO)

Is GDPR an important issue that we need to consider?   Of course it is.   Yet we should not jump to conclusions that the policy defined isn’t compliant (or close to compliant) given 1) the data of natural persons (and others) is already “behind a gate”, 2) we have defined a process for those with legit interests to access this data, 3) we have agreed that use of any data received is minimized and must be managed/processed in a way that complies with data protection laws. 4) a detailed process that describes the action on request, 5) etc, etc.

I don’t believe the sky is falling here – and think (and suggest) we can continue to make forward progress where possible.

Thanks!

Alex

FROM: Gdd-gnso-ppsai-impl <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Theo Geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> REPLY-TO: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> DATE: Wednesday, November 22, 2017 at 9:10 AM TO: Chris Pelling <chris@netearth.net <mailto:chris@netearth.net>>, "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

How much of this is expected to be obsolete next year, even if only for some subset (EU) of Registrants? It looks like we are going to end up with a very complex & burdensome accreditation program, with the above in mind is this justified? Again, I think we are moving out of scope due to shifting dynamics.

Theo

On 22-11-2017 17:59, Chris Pelling wrote:

...

I agree with Darcy, before running, we need to walk and understand the GDPR implications first for our work.  There is no point wasting valuable time creating policy/procedures if at the end of the day they will be in violation of GDPR - it wastes everyones time and resources.

Kind regards,

Chris

-------------------------

FROM: "Darcy Southwell" <darcy.southwell@endurance.com <mailto:darcy.southwell@endurance.com>> TO: "theo geurts" <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>>, gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>, "Steven Metalitz" <met@msk.com <mailto:met@msk.com>>, "Sara Bockey" <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> SENT: Wednesday, 22 November, 2017 15:19:11 SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Agree with Theo.

@Steve, My concern here is that we’re moving forward with developing processes that may violate the GDPR, which goes into effect in just six months.  It seems far more efficient to identify and discuss how GDPR affects any PDP policy recommendations before finalizing processes.  We need to take a step back to do that first. I’m certainly not a GDPR expert, but data collection and transmission registrants who are EU residents appear to be problematic if we continue to ignore the GDPR.

Darcy

FROM: theo geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> DATE: Tuesday, November 21, 2017 at 12:50 PM TO: <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, 'Darcy Southwell' <darcy.southwell@endurance.com <mailto:darcy.southwell@endurance.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi all,

Some comments. @Darcy I agree on all points, very fundamental, and I think worth discussing at the Dec 5th meeting.

1 I agree Vlad's suggestion is good, the only question I have, and we discussed this earlier, do we wait for the second Hamilton piece or do we already have enough? I am not sure where at right now, perhaps staff can weigh in some to get a sense here. 3  PSWG liaison to the IRT, what is the status? Can we indeed confirm his availability?

@Steve, your question to Darcy about the GDPR and the impact, and obviously I am not Darcy ;) but we contracted parties spent a ton of time on this GDPR thing, and we get frustrated how this GDPR keeps creeping up on us from angles we never imagined.

Thick WHOIS IRT, I don't have to remind you there, you and I spent a lot of time there wrapping it up. Since Johannesburg,  that thing has been a moving target.

The WG recommendations for the PPSAI were made under different circumstances, and I hope you and fellow IRT members can understand we registrars we do not want a repeat here. Going through an exempt process with compliance is just time-consuming, costing money and all that. We need to be in scope here, and if we are not, we go back to the GNSO.

Does this make any sense?

Best

Theo Geurts

On 21-11-2017 20:39, Metalitz, Steven wrote:

Re item 3 in Darcy’s list,  I understand contact has been established with the new PSWG liaison to the IRT.  Can we confirm his availability to participate in a call on December 5?

Re item 1 I would note Vlad’s earlier comment to the list, which I support:  “Maybe we can focus on critical issues that are not related to GDPR, and once ICANN comes back to us with some clarity on GDPR then we can tackle those issues.”

Finally, Darcy perhaps you could clarify how you think these issues could be discussed constructively “before moving forward with reviewing the draft documents.”  Items 2 and 3 seem to refer to specific points in one or more of the draft documents.  Re item 1, can you identify any specific points in the draft documents you would like to discuss with regard to the impact of GDPR?

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com <mailto:met@msk.com>

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM <http://WWW.MSK.COM> [2]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: Darcy Southwell [mailto:darcy.southwell@endurance.com] SENT: Tuesday, November 21, 2017 2:00 PM TO: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Metalitz, Steven; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

@ICANN Staff,

I wanted to re-raise the issues mentioned below in advance our next meeting on 5 December.  I think many IRT members would like to see us tackle these issues first before moving forward with reviewing the draft documents.  Specifically:

1.        Impact of GDPR on policy/implementation (i.e., aspects of the recommendations from the Final Report that will be impacted by the GDPR).

2.       Contradictions between draft implementation language and the Final Report (e.g., how/why this is happening).

3.       Concerns with proposed framework Public Safety Working Group.

I suggest that our 5 Dec. agenda should focus on these discussion items.

Thanks,

Darcy

FROM: Darcy Southwell <darcy.southwell@endurance.com <mailto:darcy.southwell@endurance.com>> DATE: Tuesday, November 7, 2017 at 7:47 AM TO: <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

I agree with Theo.  The scope has changed and implementation is impacted by GDPR.  While I appreciate that Steve wants to move forward expeditiously, I don’t believe we can do so without jeopardizing the creation of an effective program.  Further, in just the last week or so, issues have been raised about implementation language contradicting the policy.  The role of an IRT is to implement the consensus policy produced in the PDP and we need to spend sufficient time reviewing and discussing the implementation to ensure we’re not changing policy.  Similarly, I think there were questions raised about the proposed framework Public Safety Working Group. In addition to policy creep, I believe concerns were expressed that staff failed to modify the proposed framework based on the feedback from IRT participants.  Rather than picking through the documents line by line, it seems like we should step back and have a discussion about the concepts to ensure we’re making progress toward an effective implementation that reflects the policy.  There have also been repeated questions raised about the over-engineering of this implementation.  Because many of the meetings have focused on reviewing language from a specific section (rather than reviewing issues as whole items), it seems like we haven’t gotten past this issue, and should probably take a fresh look at that to ensure we’re not making this implementation more complicated than it needs to be.  We all know that doesn’t lead us to a better implementation.  Right now, we have four draft documents for review/input: (1) accreditation agreement, (2) de-accreditation process, (3) applicant guide, and (4) data escrow specification. For many members, these require operational and legal review (at a minimum).  Many registrars have commented that 1 December is the earliest they can provide full feedback given the complexity of these documents (although not all have committed to that date).

Given these issues, as well as the fact that the privacy/proxy challenge stemming from IRTP-C needs to be added to this IRT for a solution, we need to take a step back and address these critical issues first.  This isn’t about derailing the IRT; it’s about ensuring we don’t create an implementation that’s an operational nightmare for providers as well as registrants and end users – and that means addressing these critical issues first.

Thanks,

Darcy

FROM: <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of theo geurts <gtheo@xs4all.nl <mailto:gtheo@xs4all.nl>> REPLY-TO: <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> DATE: Monday, November 6, 2017 at 12:27 PM TO: <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>>, "Metalitz, Steven" <met@msk.com <mailto:met@msk.com>>, Sara Bockey <sbockey@godaddy.com <mailto:sbockey@godaddy.com>> SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Hi Steve, Vicky,

Now your argument is logical and makes sense. Yes, as I mentioned before, CPH's will implement privacy services on many different levels to comply with the GDPR, we agree here.

My biggest problem with the PPSAI IRT is the changing dynamics. The WG contemplated and discussed and made recommendations based on a very fixed situation.

In my opinion, privacy services should not be used as bandaid for data protection problems. Complying with data protection laws was not the driving force during the WG days, and now it is.

I think the scope of the IRT has changed and we should deal with this before we move on. We need to think a little smarter and deeper here before we unleash this to many contracted parties who have zero experience with these services and will be required to implement this to comply with data protection laws.

So how do we do that? I think a fixed set of procedures and contractual agreements are essential, yet I do not want us to enter into a situation that causes more issues and forces providers into a situation that we need to ask compliance to defer.

https://www.icann.org/resources/pages/contractual-compliance-statement-2017-...

...

...

...

[3]

I think that scenario is unwanted for everyone on the IRT is it not?

Thanks,

Theo Geurts

On 6-11-2017 19:40, Metalitz, Steven wrote:

I strongly second Vicky’s comments.  The ongoing ICANN work re GDPR is of course very important, but let’s not let it derail progress on the path we have moved so far along toward a P/P service accreditation framework to present to the community.

In that regard, I have some sympathy (empathy?) for those requesting a relaxation of the comment deadline in light of so much other activity demanding our attention. May I suggest that we try to get as many proposed edits onto the list before our November 14 call (with much thanks to those who have already done so), with the goal of dealing with them then if possible, but leaving the door open for further edits over the next couple of weeks if necessary.

Finally, some ICANN groups are adjusting the scheduling of their calls to reflect the return to standard time in North America and Europe.  Is this group doing so as well? If our calls stay at 1400 UTC that is now 9 am EST and 6 am for those on Pacific time. Moving to 1500 UTC would retain the pre-existing local start times, I believe.

Steve Metalitz

STEVEN J. METALITZ | PARTNER, THROUGH HIS PROFESSIONAL CORPORATION

T: 202.355.7902 | met@msk.com <mailto:met@msk.com>

MITCHELL SILBERBERG & KNUPP LLP | WWW.MSK.COM <http://WWW.MSK.COM> [2]

1818 N Street NW, 8th Floor, Washington, DC 20036

THE INFORMATION CONTAINED IN THIS E-MAIL MESSAGE IS INTENDED ONLY FOR THE PERSONAL AND CONFIDENTIAL USE OF THE DESIGNATED RECIPIENTS. THIS MESSAGE MAY BE AN ATTORNEY-CLIENT COMMUNICATION, AND AS SUCH IS PRIVILEGED AND CONFIDENTIAL. IF THE READER OF THIS MESSAGE IS NOT AN INTENDED RECIPIENT, YOU ARE HEREBY NOTIFIED THAT ANY REVIEW, USE, DISSEMINATION, FORWARDING OR COPYING OF THIS MESSAGE IS STRICTLY PROHIBITED. PLEASE NOTIFY US IMMEDIATELY BY REPLY E-MAIL OR TELEPHONE, AND DELETE THE ORIGINAL MESSAGE AND ALL ATTACHMENTS FROM YOUR SYSTEM. THANK YOU.

FROM: gdd-gnso-ppsai-impl-bounces@icann.org

<mailto:gdd-gnso-ppsai-impl-bounces@icann.org>

...

...

[mailto:gdd-gnso-ppsai-impl-bounces@icann.org] ON BEHALF OF Victoria Sheckler SENT: Tuesday, October 31, 2017 5:55 PM TO: gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>; Sara Bockey SUBJECT: Re: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Please note that ICANN’s work on GDPR’s on a separate track and that one thing we know almost for sure is that the adoption of rational, predictable rules for privacy/proxy will be more important post-GDPR than it ever was.  So please let’s get those rules in place as expeditiously as possible.

On 30-10-2017 11:32, Sara Bockey wrote:

Caitlin,

Thanks for the revised docs.  A few items at first glance that need to be revised, as I believe they have been discussion/raised before. I will take a closer look and follow up with additional edits, but in the meantime…

1.      Edit the definitions of Proxy Service and Privacy Service to match the definitions provided in the Final Report/2013 RAA

a.      The definitions of Privacy Service and Proxy Service reflect those in the 2013 RAA.

b.      In this context, the 2013 RAA also defines “Registered Name” as a domain name within the domain of a gTLD, about which a gTLD Registry Operator (or an Affiliate or subcontractor thereof engaged in providing Registry Services) maintains data in a Registry Database, arranges for such maintenance, or derives revenue from such maintenance, and “Registered Name Holder” is defined as the holder of a Registered Name.

c.       It’s noted that ICANN staff has replace “Registered Name Holder” with “Customer” in many instances, but I question the logic in that since it is inconsistent with the RAA.

2.      Edit Sections 3.5.3.3. thru 3.5.3.6 to take into consideration GDPR requirements regarding consent.

a.      Consent must be explicitly given for each purpose and can be withdrawn at any time and not a requirement for registration or use of the service.  Therefore, 3.5.3.3. – 3.5.3.6 (at a minimum) are not compatible and must be revise.

3.      Edit section 3.12.2, as it still contains new language that has been added since the IRT agreement on language in August. The first sentence in its entirety should be removed.

a.      The section should start with “Well founded…”

Additionally, the following sections need revision or at a minimum further discuss by the IRT

4.      Edit Section 3.14 to remove the language re no automation. This is not feasible.  This language must be removed:

a.      Provider shall not use high-volume, automated electronic processes (for example, processes that do not utilize human review) for sending Requests or responses to Requests to Requesters or Customers in performing any of the steps in the processes outlined in the Intellectual Property Disclosure Framework Specification.

5.      Edit Section 3.15 – Labeling – to remove excessive language.

a.      Provider shall ensure that each Registered Name for which Provider is providing the Services is clearly labeled as such in the Registration Data Directory Service, as specified in the Labeling Specification attached hereto, and shall otherwise comply with the requirements of the Labeling Specification attached hereto. This language is duplicative and not necessary.  Let’s not add unnecessary words to this already long document. If there are doing to be extra works, perhaps mention complying with applicable local laws in light of GDPR.

SARA BOCKEY

SR. POLICY MANAGER | GODADDY™

SBOCKEY@GODADDY.COM <mailto:SBOCKEY@GODADDY.COM>  480-366-3616

SKYPE: SBOCKEY

_This email message and any attachments hereto is intended for use only by the addressee(s) named herein and may contain confidential information. If you have received this email in error, please immediately notify the sender and permanently delete the original and any copy of this message and its attachments._

FROM: <gdd-gnso-ppsai-impl-bounces@icann.org <mailto:gdd-gnso-ppsai-impl-bounces@icann.org>> on behalf of Caitlin Tubergen <caitlin.tubergen@icann.org <mailto:caitlin.tubergen@icann.org>> REPLY-TO: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> DATE: Wednesday, October 25, 2017 at 4:44 AM TO: "gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>" <gdd-gnso-ppsai-impl@icann.org <mailto:gdd-gnso-ppsai-impl@icann.org>> SUBJECT: [Gdd-gnso-ppsai-impl] Materials, action items from 17 Oct Privacy/Proxy IRT call

Dear Colleagues,

Thanks so much for your participation on today’s Privacy/Proxy IRT call. For those who could not attend, I encourage you to review the recording and materials on the wiki, https://community.icann.org/display/IRT/24+October+2017 [4].

During the call, we discussed an overview of the changes to the draft PPAA.

Please note that ICANN proposed a deadline of TUESDAY, 14 NOVEMBER for all comments, concerns, and edits to the draft PPAA. The changes from the last iteration, provided to the IRT in July, have been highlighted in the attached issues list.  Please respond to the list if you would like to request a longer review period.

During ICANN60, we will be presenting an overview of the P/P program’s status to the community.  Attached, please find the slide deck for the presentation.

To highlight a few notes from the IRT’s discussion this morning, we received feedback to:

a.      Edit the definition of WORKING GROUP IN SECTION 1.43, to specify that the Provider Stakeholder Group, if formed, shall only appoint the _provider_ representatives of the Working Group, and the GNSO may appoint other members of the community.

b.      Add back in the previously-deleted CODE OF CONDUCT language in SECTION 3.5.1.

c.       Add back in the previously-deleted REVIEW PROVISION in SECTION 7 OF THE CUSTOMER DATA ACCURACY PROGRAM SPECIFICATION.

If you believe the above items do not reflect the intent of the Working Group’s recommendations, please reply to the list by 14 NOVEMBER 2017.

Thank you, and safe travels to those of you attending ICANN 60!

Kind regards,

CAITLIN TUBERGEN

Registrar Services and Engagement Senior Manager

ICANN

12025 Waterfront Drive, Suite 300

Los Angeles, CA 90094

Office: +1 310 578 8666

Mobile: +1 310 699 5326

Email: caitlin.tubergen@icann.org <mailto:caitlin.tubergen@icann.org>

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________

Gdd-gnso-ppsai-impl mailing list

Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org>

https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl [1]

Links: ------ [1]

https://na01.safelinks.protection.outlook.com/?url=https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl&data=02|01|Alex_Deacon@mpaa.org|1a81c6cfcac64603188208d531cbe0d0|17e50b56d5dd439b962acc7ecd9ab7fe|0|0|636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y/ed5bgadH2USlJP4DNRX0U=&reserved=0 <https://na01.safelinks.protection.outlook.com/?url=https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl&data=02%7C01%7CAlex_Deacon@mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=0YSIvwzAzqSfumzXt3K8Y/ed5bgadH2USlJP4DNRX0U=&reserved=0>

...

...

[2]

https://na01.safelinks.protection.outlook.com/?url=http://www.msk.com/&data=02|01|Alex_Deacon@mpaa.org|1a81c6cfcac64603188208d531cbe0d0|17e50b56d5dd439b962acc7ecd9ab7fe|0|0|636469674104293238&sdata=ipqD0zxxC6d3NMzXa0aJI9pe2kVgJN6JPhhDZXxSRj8=&reserved=0 <https://na01.safelinks.protection.outlook.com/?url=http://www.msk.com/&data=02%7C01%7CAlex_Deacon@mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=ipqD0zxxC6d3NMzXa0aJI9pe2kVgJN6JPhhDZXxSRj8=&reserved=0>

...

...

[3]

https://na01.safelinks.protection.outlook.com/?url=https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en&data=02|01|Alex_Deacon@mpaa.org|1a81c6cfcac64603188208d531cbe0d0|17e50b56d5dd439b962acc7ecd9ab7fe|0|0|636469674104293238&sdata=icMv3YN+Hoft3q1B6cwVXNzFcyYeTOAaZBU5vfxrupY=&reserved=0 <https://na01.safelinks.protection.outlook.com/?url=https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en&data=02%7C01%7CAlex_Deacon@mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=icMv3YN+Hoft3q1B6cwVXNzFcyYeTOAaZBU5vfxrupY=&reserved=0>

...

...

[4]

https://na01.safelinks.protection.outlook.com/?url=https://community.icann.org/display/IRT/24+October+2017&data=02|01|Alex_Deacon@mpaa.org|1a81c6cfcac64603188208d531cbe0d0|17e50b56d5dd439b962acc7ecd9ab7fe|0|0|636469674104293238&sdata=1qmqDOSib8cz7oSSE3lYtChxzCshDo3wBbsI+W8YFIo=&reserved=0 <https://na01.safelinks.protection.outlook.com/?url=https://community.icann.org/display/IRT/24+October+2017&data=02%7C01%7CAlex_Deacon@mpaa.org%7C1a81c6cfcac64603188208d531cbe0d0%7C17e50b56d5dd439b962acc7ecd9ab7fe%7C0%7C0%7C636469674104293238&sdata=1qmqDOSib8cz7oSSE3lYtChxzCshDo3wBbsI+W8YFIo=&reserved=0>

...

...

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung.

Mit freundlichen Grüßen,

Volker A. Greimann - Rechtsabteilung -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>

Web: www.key-systems.net <http://www.key-systems.net> / www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> / www.BrandShelter.com <http://www.BrandShelter.com>

Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>

Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>

Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen.

--------------------------------------------

Should you have any further questions, please do not hesitate to contact us.

Best regards,

Volker A. Greimann - legal department -

Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net <mailto:vgreimann@key-systems.net>

Web: www.key-systems.net <http://www.key-systems.net> / www.RRPproxy.net <http://www.RRPproxy.net> www.domaindiscount24.com <http://www.domaindiscount24.com> / www.BrandShelter.com <http://www.BrandShelter.com>

Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems <http://www.facebook.com/KeySystems> www.twitter.com/key_systems <http://www.twitter.com/key_systems>

CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534

Member of the KEYDRIVE GROUP www.keydrive.lu <http://www.keydrive.lu>

This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org <mailto:Gdd-gnso-ppsai-impl@icann.org> https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

_______________________________________________ Gdd-gnso-ppsai-impl mailing list Gdd-gnso-ppsai-impl@icann.org https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl

-- Bei weiteren Fragen stehen wir Ihnen gerne zur Verfügung. Mit freundlichen Grüßen, Volker A. Greimann - Rechtsabteilung - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Folgen Sie uns bei Twitter oder werden Sie unser Fan bei Facebook: www.facebook.com/KeySystems www.twitter.com/key_systems Geschäftsführer: Alexander Siffrin Handelsregister Nr.: HR B 18835 - Saarbruecken Umsatzsteuer ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu Der Inhalt dieser Nachricht ist vertraulich und nur für den angegebenen Empfänger bestimmt. Jede Form der Kenntnisgabe, Veröffentlichung oder Weitergabe an Dritte durch den Empfänger ist unzulässig. Sollte diese Nachricht nicht für Sie bestimmt sein, so bitten wir Sie, sich mit uns per E-Mail oder telefonisch in Verbindung zu setzen. -------------------------------------------- Should you have any further questions, please do not hesitate to contact us. Best regards, Volker A. Greimann - legal department - Key-Systems GmbH Im Oberen Werk 1 66386 St. Ingbert Tel.: +49 (0) 6894 - 9396 901 Fax.: +49 (0) 6894 - 9396 851 Email: vgreimann@key-systems.net Web: www.key-systems.net / www.RRPproxy.net www.domaindiscount24.com / www.BrandShelter.com Follow us on Twitter or join our fan community on Facebook and stay updated: www.facebook.com/KeySystems www.twitter.com/key_systems CEO: Alexander Siffrin Registration No.: HR B 18835 - Saarbruecken V.A.T. ID.: DE211006534 Member of the KEYDRIVE GROUP www.keydrive.lu This e-mail and its attachments is intended only for the person to whom it is addressed. Furthermore it is not permitted to publish any content of this email. You must not use, disclose, copy, print or rely on this e-mail. If an addressing or transmission error has misdirected this e-mail, kindly notify the author by replying to this e-mail or contacting us by telephone.