Materials, Action Items From 30 Aug PP IRT Meeting
Dear Colleagues,

Thanks so much for your active participation on today's PP IRT call. The recording and associated materials are now available on the wiki: https://community.icann.org/display/IRT/30+August+2018

For those of you who could not attend, I encourage you to listen to the recording. We did not make it all the way through our list of discussion questions today, but hope to keep the discussion moving on the list between now and next week's call.

Our main topics of discussion today were:

1. An overview of the draft changes to the PPAA, which everyone is asked to review this week.
   * Action Item (a): I will consult with Legal regarding the scope of remaining changes/work that are expected in re: the GDPR-related review (and timeline).
   * Action Item (b): IRT is asked to share any feedback with the list and bring any issues ready to discuss to the call next week.

2. How to manage PPAA provisions that are similar to or related to the Temporary Specification for gTLD Registration Data and/or the ePDP.
   * Action Item (a): I will consult with Legal regarding whether the proposed Specification 8 (or some version of it) must, in ICANN org's view, appear in this agreement, or whether some other solution to this issue could be developed.
   * Action Item (b): IRT members who have ideas for other approaches are asked to share these with the list.

3. A discussion of whether we are ready to proceed to public comment after discussion on the PPAA is complete. Ideally, we could finalize these discussions before ICANN63, but if issues need more time, we will take it.
   * IRT appeared to generally favor this course of action, but some IRT members raised questions about how the proposed requirements would operate under a gated access model.
   * IRT members would like to review how material in the call for comments is presented. ICANN org agreed to provide that opportunity, provided that this will not unduly extend the timeline.
   * Action Item (a): The answer on whether ICANN org views the inclusion of the processing spec as a requirement may impact this decision (see Action Item (a) under 2 above).
   * Action Item (b): Any additional IRT feedback is requested on-list.
   * Action Item (c): Peter Roman, PSWG, will share a proposal on-list re: treatment of data under a gated access model, with the goal of discussing whether this could be addressed in this IRT or some other forum.

If anyone else who was on the call would like to flag other issues for those who were not in attendance, please do. I'll return my action items as quickly as possible, and look forward to continued discussion this week.

Best,
Amy

Amy E. Bivins
Registrar Services and Engagement Senior Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax: +1 (202) 789-0104
Email: amy.bivins@icann.org
www.icann.org
Hi Amy,

Regarding the action item on the processing spec: as Volker and I mentioned on the call, we need that to comply with applicable law.

Personally, I have a very strong opinion about this. The GDPR is a principle-based law and not a rule-based law. The GDPR mentions multiple times that there must be an adequate level of protection. This is very broad, but this is with good reason. See art. 32, 25 etc.

Something like the below is a no-go:

"3.8.5. Using industry standard 256-bit AES encryption or suitable equivalent where necessary or appropriate;"

The GDPR expects you to use 256-bit AES (but does not specify that), and if something comes along that is better and stronger, you are supposed to use that if it becomes best practice.

The GDPR does not state or mention that you need to do a "pentest" (https://en.wikipedia.org/wiki/Penetration_test). But the ICO (British supervising authority) ruled recently that the lack of a pentest was a reason to issue higher fines. This was due to the scale of the breach and the size of the company (a very large company).

Does the above mean that every company in Europe has to do a "pentest"? No, this all depends on the amount of processing, the size of the company, the data being processed, and the means available. The GDPR will push companies to use the best protection and security that is available, but within reason. But companies themselves need to determine what is adequate, and if they fail, they will get fined.

So if you could ask ICANN legal not to turn principle-based law into rule-based law, much obliged.

Theo

Amy Bivins wrote on 2018-08-30 08:24 PM:
> Dear Colleagues,
>
> Thanks so much for your active participation on today's PP IRT call. The recording and associated materials are now available on the wiki: https://community.icann.org/display/IRT/30+August+2018
>
> For those of you who could not attend, I encourage you to listen to the recording. We did not make it all the way through our list of discussion questions today, but hope to keep the discussion moving on the list between now and next week's call.
>
> Our main topics of discussion today were:
>
> 1. An overview of the draft changes to the PPAA, which everyone is asked to review this week.
>    * Action Item: I will consult with Legal regarding scope of remaining changes/work that are expected in re: the GDPR-related review (and timeline).
>    * Action Item: IRT is asked to share any feedback with the list and bring any issues ready to discuss to the call next week.
>
> 2. How to manage PPAA provisions that are similar to or related to the Temporary Specification for gTLD Registration Data and/or the ePDP.
>    * Action Item: I will consult with Legal regarding whether the proposed Specification 8 (or some version of it) must, in ICANN org's view, appear in this agreement, or whether some other solution to this issue could be developed.
>    * Action Item: IRT members who have ideas for other approaches are asked to share these with the list.
>
> 3. A discussion of whether we are ready to proceed to public comment after discussion on the PPAA is complete. Ideally, we could finalize these discussions before ICANN63, but if issues need more time, we will take it.
>    * IRT appeared to generally favor this course of action, but some IRT members raised questions about how the proposed requirements would operate under a gated access model.
>    * IRT members would like to review how material in call for comments is presented. ICANN org agreed to provide that opportunity, provided that this will not unduly extend timeline.
>    * Action Item: Answer on whether ICANN org views the inclusion of processing spec as a requirement may impact this decision (see Action Item (a) under 2 above).
>    * Action Item: Any additional IRT feedback is requested on-list.
>    * Action Item: Peter Roman, PSWG, will share proposal on-list re: treatment of data under gated access model, with goal of discussing whether this could be addressed in this IRT or some other forum.
>
> If anyone else who was on the call would like to flag other issues for those who were not in attendance, please do. I'll return my action items as quickly as possible, and look forward to continued discussion this week.
>
> Best,
> Amy
>
> Amy E. Bivins
> Registrar Services and Engagement Senior Manager
> Registrar Services and Industry Relations
> Internet Corporation for Assigned Names and Numbers (ICANN)
> Direct: +1 (202) 249-7551
> Fax: +1 (202) 789-0104
> Email: amy.bivins@icann.org
> www.icann.org
_______________________________________________
Gdd-gnso-ppsai-impl mailing list
Gdd-gnso-ppsai-impl@icann.org
https://mm.icann.org/mailman/listinfo/gdd-gnso-ppsai-impl
Participants (2): Amy Bivins, gtheo