Hi Marc,

Thank you for your message.

Support Staff added some context to the draft text. Please let us know if this helps alleviate your concern.

At the time of publication of this report, the implementation of the Privacy and Proxy Services Accreditation Issues (“PPSAI”) Working Group’s recommendations is on hold. Accordingly, the EPDP Team’s Recommendation 14 from the Phase 1 Final Report remains in place.

The EPDP Team notes the current implementation plan for the PPSAI Working Group’s recommendations contemplates that all accredited privacy/proxy services providers will be labeled or flagged in the RDS system. Assuming all accredited privacy and proxy service providers are clearly labeled in the RDS system, the EPDP Team recommends the following:

In the case of a domain name registration where an accredited privacy/proxy service is used, e.g., where data associated with a natural person is masked, Registrar (and Registry, where applicable) MUST include the full non-personal RDDS data of the accredited privacy/proxy service in both the public RDDS and in response to an RDDS query. The full non-personal RDDS data MAY also include the existing privacy/proxy pseudonymized email.

Thank you.

Best regards,

Marika, Berry, and Caitlin

All,

I’m responding to action item #3 from the 20 Feb meeting.  That action item asks us to review the staff proposed language:

Based on input received, EPDP Support Staff recommends the EPDP Team to consider the following recommendation:

Following the implementation of the PPSAI recommendations, the EPDP Team recommends that EPDP Phase 1 recommendation #14 (“In the case of a domain name registration where an "affiliated" privacy/proxy service used (e.g. where data associated with a natural person is masked), Registrar (and Registry where applicable) MUST include in the public RDDS and return in response to any query full non-personal RDDS data of the privacy/proxy service, which MAY also include the existing privacy/proxy pseudonymized email.”) applies to all accredited privacy and proxy services. 

I’m ok with the principle that we as a working group already agreed in phase 1 that privacy and proxied data should NOT also be redacted.  In phase 1 the best we could do at the time was a recommendation to not redact where an “affiliated” service was used.  In theory, once privacy/proxy services are accredited that scope could be expanded.  What we heard from the Privacy/Proxy implementation is that “the PP IRT was considering a proposed requirement that all privacy and proxy service providers include a label, which would flag each registration as a privacy/proxy registration and identify which provider is associated with that registration, in the existing WHOIS output “registrant organization” field.”

I’m concerned that the draft text isn’t clear and is very conditional.  I think this text is intended to become a new EPDP phase 2 recommendation (rec 20?).  That recommendation would replace, modify or otherwise supersede the EPDP phase 1 recommendation #14 (that hasn’t yet been implemented), but only when/if the Privacy/Proxy implementation produces a new policy that results in domain registration data that clearly identifies that it is a privacy/proxy registration, thus enabling an automated determination by the registrar (and registry if applicable) NOT to redact the data.  Otherwise EPDP phase 1 rec #14 stands.

Is this everyone else’s understanding?  As I said, the principle sounds fine, but I don’t think the text reflects my recollection of what we discussed and I’m concerned about the squishy conditional nature of this new recommendation.

Thanks,

Marc

Dear EPDP Team:

Please find below the notes and action items from EPDP Meeting #43 on Thursday, 20 February 2020.

As a reminder, the next plenary EPDP Team meeting will be Thursday, 27 February at 14:00 UTC. The small team of volunteers for automation use cases will meet on Tuesday, 25 February at 14:00 UTC.

Thank you.

Best regards,

Marika, Berry, and Caitlin

Action Items

1. EPDP Team to review the Priority 2 compilation overview and timetable in detail and flag any major scheduling concerns by Tuesday, 25 February. 
2. EPDP Team members are encouraged to provide feedback on Priority 2 topics via the list in advance of the scheduled date(s) for discussion.
3. EPDP Team to review the EPDP Support Staff’s proposed updated recommendation for the display of information of affiliated vs. accredited privacy / proxy providers [docs.google.com] by Wednesday, 26 February COB. Specifically, if any EPDP Team members cannot live with the updated recommendation as proposed, please provide an alternate proposal to the list by Wednesday, 26 February COB.
4. For those EPDP Team members interested in participating in the small team discussion on automation use cases, please attend the meeting on Tuesday, 25 February at 14:00 UTC. EPDP Support Staff sent a calendar invite to the Team; if you did not receive the invite and would like to attend, please reach out to gnso-secs@icann.org.

EPDP Phase 2 - Meeting #43

Proposed Agenda

Thursday, 20 February 2020 at 14.00 UTC

1.                            Roll Call & SOI Updates (5 minutes)

2.                            Confirmation of agenda (Chair)

3.                            Welcome and housekeeping issues (Chair) (5 minutes)

1. ICANN67 Update

• The ICANN Board announced that ICANN67 will be a remote meeting.

EPDP Team Feedback:

• Would be helpful to ask groups to provide feedback following this announcement – it will likely be difficult to have a 10-hour meeting on a Saturday
• There is value to F2F interactions – the location could be subject to discussion
• Option that makes the most sense – two normal-sized meeting during ICANN67, and another meeting in May
• 10-hour meeting on a Saturday is not viable

2. ICANN Belgian DPA Update

• See blog post [icann.org]
• Imperative that ICANN org and Janis provide more detail regarding the meeting with the Belgian DPA
• Position of the roles of Janis and Georgios – Janis was there to present the work of the EPDP Team.
• Question: was there any discussion on the DPA reviewing the Initial Report in detail and providing input during the public comment period, or input on the Final Report?
• Blog post was very high level and did not seem to have anything actionable from the EPDP Team’s work
• An important question that needed to be asked was the allocation of liability based on the allocation of processing
• If there is not enough detail in the current draft recommendations, what does that mean? Does it mean there should be more details or are critical details being left to the implementation phase? Perhaps the Team should be more specific in its recommendations. It would be helpful if Janis could provide more detail in a future update.

3. Update from legal committee

• Legal Committee reviewed the previously-sent legal questions – decided the question regarding reverse look-ups should be removed from consideration since this topic is no longer part of the Initial Report
• Recommended proceeding with the SSAC question re: representations b/w legal vs. natural. (Legal vs. Natural Question 2)
• Did the legal committee consider the issue of instances where the inclusion of personal data is included within a legal person’s contact information?
• Answer: yes
• Legal Committee still reviewing additional questions
• Reminder of the role of the legal committee – it is a representative group and approved questions will be sent to the EPDP Team as an FYI, but not for approval. All members of the EPDP Team may channel questions/concerns through their dedicated legal committee rep.

4.       Timeline review and priority 2 worksheet compilation (20 minutes)

a)      Priority 2 worksheet compilation overview

• EPDP Leadership and Support Staff have compiled the remaining Priority 2 issues, which includes both suggested dates when the Team will discuss the topic as well as leadership-proposed paths forward, where applicable.
• The compilation includes links to the Priority 2 worksheets, which were populated as a result of small team calls. All EPDP Team members should review the Priority 2 worksheets in detail, as they include details regarding expected deliverables, required reading, etc.
• Action: EPDP Team to review the compilation overview in detail and flag any concerns, alternative proposals, etc. EPDP Team members are encouraged to provide feedback in advance of the scheduled date for discussion.

b)      Consider input received to date

c)      EPDP team input

d)      Confirm volunteers for Automation Use Cases Small Team

e)      Confirm next steps

5.       Display of information of affiliated vs. accredited privacy / proxy providers [docs.google.com] (priority 2) (45 minutes)

1. EPDP Team to review ICANN Org feedback

• During Phase 1 deliberations, the EPDP Team was unsure whether one could tell if a domain name is a privacy or proxy registration by looking at the output. The answer to the question that the P/P recommendations would include a recommendation that would lead to a clear indication in the RDDS response if the registration was a P/P service.
• This is a concern that all accredited P/P providers will be visible in RDDS – this has been addressed, and the recommendation as proposed by staff.
• There is doubt that the accreditation program for these services is still needed – the recommendation should be that the PDP should be reopened to reassess the recommendations of that group
• It’s a giant leap of faith to assume that P/P services will be deactivated

2. Consider Support Staff proposed recommendation

• No EPDP Team objections expressed on the call over Support Staff’s proposal for P/P services.
• Action: EPDP Team to review the proposed recommendation in detail and flag objections on the list by Thursday, 27 February.

3. Confirm next steps

6.                            Wrap and confirm next EPDP Team meeting (5 minutes):

1. Thursday 27 February 2020 at 14.00 UTC (topics: data retention & feasibility of unique contacts to have a uniform anonymized email address)
2. Confirm action items
3. Confirm questions for ICANN Org, if any