I want to thank you again for all your contributions on the mailing list and yesterday’s call. As several of you noted, it is important to remain constructive in these deliberations, to listen to each other, and to appreciate the different perspectives that exist on these topics. 

 

Having said this, it is important that the group starts shifting its focus to the expected deliverable, which is the publication of an Initial Report that addresses the questions that were posed by the GNSO Council. 

 

In light of this, I would like to put forward the following suggestions and observations:

 

1.       When you send a response on the mailing list, please include how this is expected to be reflected in the response that will go into the Initial Report – with specific language suggestions if possible. As you know, for the legal/natural question there is a proposed guidance write-up that includes most of the aspects that have been mentioned during the call and on the mailing list – please look at that write-up and make clear in your interventions what your group thinks is missing and/or what specific (textual) suggestions your group has for changes.

2.       Some have suggested that the focus should be on differentiating between personal and non-personal data instead of legal and natural person data. I would like to point out that the question the group has been asked is about differentiation between legal and natural person data, which is also reflected in the EPDP Phase 1 recommendation. Should a Contracted Party prefer to focus on differentiating between personal and non-personal data, as far as I am aware, nothing would prevent a Contracted Party from doing so but it is more granular than, and therefore not the specific question that we are expected to address. As a result, I would like to ask everyone to focus on the question of differentiation of legal and natural person data, which per the proposed guidance, would follow a two-step approach which could also then include consideration of whether legal person data includes personal data. 

 

3.       Substantial discussion has taken place in relation to what “publication” means. Please note that the write-up includes the definition that is used in the context of the EPDP Phase 1 implementation (“Publication”, “Publish”, and “Published” means to provide Registration Data in the publicly accessible Registration Data Directory Services”). A specific proposal was made to consider publication in the context of SSAD and although several have expressed support for such an approach, we also need to recognize that the SSAD has not been approved yet by the ICANN Board and as such it is not clear whether this will be a viable approach. At the same time, Contracted Parties are already permitted to differentiate so providing guidance on how this can be done in the current circumstances (i.e., without an SSAD) is important. This does not mean  that the EPDP Team cannot provide guidance (or possibly a conditional requirement which would enter into force upon implementation of SSAD) for how differentiation could look in the future (which could even be tied to a triggering event, e.g., NIS2). 

 

4.       The EPDP Team is a representative group – you have all been appointed by your respective groups to represent them in this effort. As a result, any proposals and interventions you make are expected to be on behalf of your group. We understand that this requires significant coordination which is not always possible in real-time but it is important that we do not find ourselves in a situation where a specific proposal or suggestion is debated to then find that other members of the same group do not stand behind the proposal or suggestion. 

 

Having said this, and hoping that you can support my suggestions and observations, looking ahead at next week’s meetings I would like to propose the following:

 

• Tuesday’s EPDP Team meeting will focus on the latest version of the write-up. Please review the latest version and identify any issues that require further discussion by Monday 26 April at 18.00 UTC at the latest, beyond those that were already identified:

1.       Definition of “publish” (note, the write up currently includes the following definition “EPDP-p1-IRT: “Publication”, “Publish”, and “Published” means to provide Registration Data in the publicly accessible Registration Data Directory Services.”)

2.       Any concern about moving “Distinguishing between legal and natural person data alone may not be dispositive, as the data provided by legal persons may include personal data that is protected under data protection law, such as GDPR” to the guidance section?

3.       See 1d – what approach should be taken when a Registrant makes substantive changes to registration data?

4.       Consider whether it would be helpful to add a timeline to scenario 2.

5.       Consider whether scenario 3 should remain and/or be adjusted.

 

Note that in addition to the issues that are flagged in the document, the Registrar Team has added a number of suggestions. If you are of the view that any of those require further discussion, please flag these so that these can be added to the list. 

 

• Thursday’s EPDP Team meeting will focus on the question of whether any changes are warranted to the EPDP Phase 1 recommendation (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”). Please come prepared to present your groups responses to the questions in the google doc (see https://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit). Please try to focus your interventions on the specific questions that were asked and come prepared to put forward specific (ideally textual) suggestions for how the group can develop a response to the charter question.

 

• By Friday 30 April, please put forward your group’s proposed response to the feasibility of unique contacts questions (i. Whether or not unique contacts to have a uniform anonymized email address is feasible, and if feasible, whether it should be a requirement. ii. If feasible, but not a requirement, what guidance, if any, can be provided to Contracted Parties who may want to implement uniform anonymized email addresses). Please note here that we have been given specific advice from B&B with a risk continuum, so we will work within that, and we will not entertain discussions seeking to obviate risk altogether. The staff support team has set up a google doc to provide your suggestions (see https://docs.google.com/document/d/1lqLOkF1jaA2NK1hmYtG4jiY4x7V432maFh1Xlv5UeBM/edit?usp=sharing). Based on the input received, leadership with the support of the staff support team will aim to develop proposed draft language for inclusion in the Initial Report. 

 

I appreciate that we are asking a lot, but we are hoping by focusing your energy on the end goal, we will be able to be more productive and effective in our deliberations, working towards the goal of publishing an Initial Report for public comment by the end of May.

Best regards,

Keith