Dear All,

Below, please find the notes and action items from today’s EPDP Team call.

Thank you.

Best regards,

Marika, Berry, and Caitlin

EPDP Team Call #32

Thursday, 06 December 2018 14:00 UTC

High-level Notes/Actions

Action Item #1: Kurt to edit the latest version of the EDPB letter and notify the GNSO Council that the EPDP Team will hold off on sending a communication to the EDPB at this time.

Action Item #2: EPDP Team to provide any proposed updates to the draft Statement of Work to obtain legal advice on GDPR issues by the end of the week.

Action Item #3: EPDP Support Team to send an email to the Team with a list of additional topics for discussion, and EPDP Team members who suggested or who would like to discuss the topics to provide the objective for the discussion in writing to the Team.

Action Item #4: EPDP leadership to contact ICANN or facilitate contact with ICANN to gain their participation in the “Purpose O” discussion regarding processing data for ICANN research purposes.

Notes

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ

1. Roll Call & SOI Updates

· Attendance will be taken from Adobe Connect

· Remember to mute your microphones when not speaking and state your name before speaking for transcription purposes.

· Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

2. Welcome and Updates from EPDP Team Chair (5 minutes)

a. Review of outstanding action items

EPDP Team to send message to ICANN indicating that, after discussion of ICANN-raised issues with regard to data processing agreements with Dispute Resolution Providers, that no change is required to the current Initial Report recommendation and ask for a detailed explanation if ICANN Org disagrees with that assessment.
EPDP Team to develop message to request ICANN Org to: (a) commence development of legally compliant data processing agreements with escrow providers, and (b) create agreements that indicate that data escrow providers are in a processor (rather than controller role) or provide information to the EPDP team why that should not be the case. ICANN to share this work with the EPDP Team to help inform its deliberations. Some Team Members mentioned interest in controller conversation - if you are interested, please be sure to fill out the Doodle Poll so the Support Team can schedule the call.

b. Other updates, if applicable

Kurt will review the draft EDPB letter, with Hadia and Kavouss' edits, and do a final round of edits.
Additional edits to the EDPB letter -
First paragraph re: role of ICANN - replace unique identifiers with "domain name system" to avoid confusion with the IANA function
Replace stakeholders with "ICANN and its contracted parties"
Has the EPDP Team definitively agreed to send this letter?
The benefits of sending this letter are in question; however, the previously-identified harms in sending the letter have been mitigated with the edits to the letter.
It is wishful thinking to the think the EDPB will provide general comments. The purpose of the letter is to inform the EDPB that the Initial Report has been published. There is no harm in sending the letter, but there is also no value in sending the letter. Sending something more precise would have more benefit, but if the questions are not in a state to be sent, we should not send the letter.
Why does the Team need to formally write this letter - it is almost empty?
Would it be helpful to notify the GAC EU rep what is going on, or instead, what would make the letter meaningful or still appropriate?
There are already representatives from the EU delegation, so that is not necessary. We should include questions in a letter.
It may be beneficial to reach out to specific DPAs who are familiar with the issues with specific questions, but this letter is not in a state for that.
The letter shows what the Team is working on and helps in managing expectations.
Action: Kurt to touch up the latest version of the letter and write to the GNSO Council and notify them that the Team will hold off on sending the letter at this time.

Draft SOW for Legal Counsel

The scope is provided, as well as two sample questions to demonstrate the types of questions the Team would be asking and the type of expertise we are looking for.
Procuring services may not best serve the Team - firstly, the cost could be an issue. Secondly, determining the questions and resourcing the effort could be an issue. The SOW should reference previous guidance ICANN has received from the Art. 29 Working Party, etc.
There is a conversation in the chat re: budget implications. If the Team decides this is important, we need to make sure this can be paid for.
What is the process for selecting counsel? Where did the example questions come from, and what is the process for adding to this?
It would also be helpful to have sanity checks with the methodology. The biggest financial risk is this team seeking legal advice and ICANN seeking separate legal advice and ending up with conflicting legal advice.
This should not be deferred as if we decide later that we need counsel, we should start the process now as the process can take a long time.
Action Item: EPDP Team Members to provide any proposed updates to the draft SOW by the end of the week.

3. Continue review of list of topics for further discussion

a. Purpose O – Research Purpose

· This purpose is required within ICANN to support its work.

· There are two ways of going about this under GDPR - this could be secondary processing - take personal data collected for another purpose and without getting consent again, Art. VI (4) - recital 50 allows for secondary processing.

· The data would not be shared outside of ICANN - it will only be for ICANN's internal work.

· This purpose would be for ICANN to collect and use data, and while the data would not be shared with third parties, but the findings would be shared with third parties.

· Given ICANN's role, I don't see how we could not have this purpose.

· When Purpose O was forwarded to the team, ICANN's previous responses to questions regarding research, and this doesn't seem to be a problem that needs solving as ICANN is not asking for this.

· Noting there is not subsequent consent from the data subject, why do we not disclose this processing at the time of collection? Re: pseudonymization, how will this work?

· Two ways to approach this - proposed approach is to disclose to the data subject at the time of collection, in spite of the broad exemption under GDPR. There is no sense of global unique identifiers

· ARS is not included in this purpose as GDD owns ARS, not OCTO.

· Secondary purpose may not apply in this case

· Cannot gage whether we need this in the future based on the fact that we do not need/use it right now

· Why are reports only on threats mentioned?

· We could consider including reports on country uptake.

· Previous questions to ICANN Org noted want vs. need. There may be a hidden idea behind this - does this purpose necessitate a new obligation to hash all data and send to ICANN to conduct the new purpose.

· Action Item: EPDP Leadership to follow up with OCTO regarding the conversation

· Support this specific purpose - this is important for SSR.

· Does this address a specific need and is ICANN asking for this? This is probably not appropriate for Phase 1.

· If the Team concludes this is a missing purpose, then it is within our scope.

· In taking down crime - it is hard to determine the legitimate/false positives because of redaction - be mindful of the unintended consequences of what we are doing.

· We want to hear from ICANN directly about the program and get enough into the implementation details that it would not inflict material costs on contracted parties.

i. Commence review of Purpose O Workbook

ii. Discuss next steps

b. WHOIS Accuracy

· What is the outcome(s) people are looking for here?

· Among the recommendations from the first WHOIS Review Team - noting studies had been done on WHOIS contact data and noting there are significant problems with WHOIS data. One recommendation was ICANN should report on the data. The WHOIS ARS program came out of this.

· Names that come back with problems are submitted to Compliance. Roughly 40% or more of data is inaccurate. This is something that needs to be looked at in some depth.

· One thing to ascertain is the impact of the inaccuracy - losing a valuable asset b/c of not changing an address within three weeks of moving seems a high impact.

· Is this a program that can be retained without undue costs?

· One impact of inaccuracy is to not be compliant with GDPR.

· Want to make sure we're not putting an onus on contracted parties to do more than they're already doing.

· The EPDP Team does not have time to deal with all of these issues.

· Additional topics in the list – it would be helpful to provide for the objective in writing.

i. Footnote 4 - The topic of accuracy as related to GDPR compliance is expected to be considered further, as well as the WHOIS Accuracy Reporting System. (Initial Report)

ii. Discuss objective of the discussions on Whois data accuracy and the Whois Accuracy Reporting System, taking into account the Team's scope as described by the Charter and Temporary Specification.

4. Preview of Phase 2 work items (15 minutes):

a. Review mind map (see attached)

b. Confirm understanding of EPDP Team on where it is on meeting requirements to commence phase 2 work.

c. Confirm next steps, if any

5. Wrap and confirm next meeting to be scheduled for Tuesday 11 December 2018 at 14.00 UTC

a. Confirm action items

b. Confirm questions for ICANN Org, if any