Hi,

 

Set out below are clarifying questions on behalf of RySG and RrSG:

 

6(1)(b) Memo

 

1. Does the EDPB’s “Guidelines 2/2019 on the processing of personal data under Art. 6(1)(b) GDPR in the context of the provision of online services to data subjects” (adopted 9 Apr. 2019) affect your analysis and, if so, how?

 

Natural v. Legal Persons Memo

 

1. Paragraph 14 references how “important it is that the personal data is accurate.” Whose perspective determines this importance (e.g., data subject, controller, processor, 3P)?
2. Paragraph 17 references a “risk of liability.” How do you characterize the level of risk of liability - low, medium, or high?  What threshold (e.g., how likely) of registrant incorrect self-identification triggers this risk of liability?
3. Is the level of risk of liability identified in response to #2 above the same for the liability referenced in paragraph 23?  If not, how and why is it different?
4. Are there any decisions, proceedings, or other guidance in which sending a confirmation email was found to decrease the risk of liability?

 

Technical Contact Memo

 

1. Is it correct that the best way to eliminate liability is to prohibit the Registered Name Holder (RNH) from submitting personal data for a Technical Contact where the RNH is not the Technical Contact?  If not, why not?
2. What impact, if any, does requiring the RNH to certify that it provided notice to the Technical Contact have on potential liability? On the risk of an enforcement action?

 

Accuracy

 

1. Would you please provide any specific guidance about or examples of the “serious consequences” referenced in paragraph 8?
2. Would you please identify the “relevant parties” referenced in paragraph 21?

 

City Field

 

1. Would you please identify the specific types of “further information” and “more information” (as referenced in paragraph 3.16) that are needed/required?
2. Is it correct to conclude that the lawfulness of publication of the “City” field is highly factually and contextually dependent?

 

Territorial Scope

 

1. Given the narrow question posed in paragraph 1.1, the analysis leading to the conclusion in the last sentence of paragraph 6.9 is unclear. Would you please clarify?

 

-*-

 

Many thanks.

 

K

 

 

Reminder: EPDP Team Members to review all Phase 1 legal memos: https://community.icann.org/pages/viewpage.action?pageId=105386422 and identify any clarifying questions by 15 May at the latest to determine whether a briefing by Bird & Bird is needed.

 

Best regards,

 

Caitlin, Berry and Marika

 

Dear EPDP Team,

 

Please find the notes and action items from today’s EPDP Team meeting below.

 

Best regards,

 

Marika, Berry, and Caitlin

 

 

--

EPDP Phase 2 Meeting #1

2 May 2019

Action Items

 

1. Staff to develop worksheet templates for all topics in phase 2. EPDP Team Members to provide feedback on proposed worksheet template, both substance and outline.
2. EPDP Team Members to review all Phase 1 legal memos: https://community.icann.org/pages/viewpage.action?pageId=105386422 and identify any clarifying questions by 15 May at the latest to determine whether a briefing by Bird & Bird is needed.
3. Janis to reach out to Goran Marby to obtain further information in relation to the expectations, working methods and time commitment expected from the small team that is to work with ICANN Org to move forward the discussions with DPAs on UAM.
4. Leadership team to develop first draft of proposed approach / work plan for review during next EPDP Team meeting (16 May 2019).
5. Staff to schedule separate zoom training session for interested EPDP Team members.

 

Questions for ICANN Org

 

1. Is there an attorney-client relationship between ICANN Org and Bird & Bird?


 

Notes & Action items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ.

1.               Roll Call & SOI Updates (5 minutes)

 

• Attendance will be taken from Zoom
• Remember to mute your microphones upon entry to Zoom, which is typically the first icon on the left on the bottom toolbar.
• Please state your name before speaking for transcription purposes.
• Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

 

2.               Brief introduction to Zoom (5 minutes)

 

• The bottom toolbar provides helpful icons, such as:
  • Mute, look to the left of the bottom toolbar. Please mute upon entry.
  • Manage Participants - your name will always be at the top, then hosts, co-hosts, then anyone with an open mic, then alphabetical order.
  • Chat - you will only see Zoom chat from the time that you joined the meeting and nothing before you joined. However, the full chat will be sent to the list following the meeting.
• In order to see both screens, you must go to the top toolbar and toggle. The agenda will be shared by Andrea or Terri. The documents will be shared by EPDP staff support - Marika, Caitlin, or Berry.
• Question: how will the queue be managed as it does not appear the queue appears in the order in which hands are raised?

3.               Welcome from EPDP Team Chair (10 minutes)

a.   Chair introduction

 

• Congratulations on completing the Phase 1 Final Report.
• Applying to this position was a desire to return to the ICANN community after retiring as GAC chair in 2010. My goal is to reach a good conclusion.
• I have met with the ICANN CEO as well as members of ICANN staff.
• Some constituencies have reached out to me directly. I have spoken to IPC, and I am willing to do the same for any other interested group.
• As a result of today’s conversation, I will make a draft outline of Phase 2, to be discussed during our next call on Thursday, 16 May.
• I have been in public service for 27 years. From 2007 - 2010, I was the GAC Chair.
• For Phase 2, the focus should be standardized access and outstanding issues from Phase 1.
• My understanding is the EPDP Team would like a less rigorous schedule after Phase 1; however, it will still be important to establish a target date for Phase 2 completion.
• Proposal to proceed with weekly calls of 90 minutes. There will be homework between each call - each group should express their views on the call topic after the call. Team members should not only talk, but also listen.

 

Questions/Comments

 

·         Regarding a proposed target date - it would be reasonable to develop a work plan and identify an estimated time for each issue before identifying a target date.

·         Regarding the recent email from Keith Drazek referencing dialogue b/w Goran’s team and data protection authorities, it would be helpful if the details of this conversation are shared with this team.

 

• The proposed target date will flow from the proposed work plan.

 

b.                    EPDP Statement of Participation – reminder

4.               Phase 2 Potential modalities of work – Marika Konings (15 minutes):

1. Scope (see mind map - EPDP Team Phase 2 - upd 10 March 2019.pdf)

·         A number of items were identified in the original EPDP Charter - including standardized access to registration data and the annex of further issues for community consideration

·         In addition, as a result of Phase 1 work, there were a number of items that were deferred.

·         Staff created a mind map to organize the issues.

o    Yellow items are deferred items from Phase 1

o    Blue items come from the charter re: standardized access.

o    White items come from charter re: the annex.

 

2. Use of worksheets to ensure a common understanding and agreement in relation to scope / issues to be discussed; information to be gathered; briefings to be planned; legal questions to be answered; dependencies identified, and; approach to be taken.

·         Example worksheet - privacy/proxy issues

·         One hope from staff support - if the Team is OK using this as a template, we could build upon it, add deliberations, proposed recommendations, and ultimately include it in the Initial Report.

·         Issue description and Charter question - this comes from Phase 1. Support staff added expected deliverable. (As a reminder, this deals with display of information by affiliated P/P providers.)

·         There is a section where legal questions could be identified. Support staff did not identify any legal questions at this time.

·         There is a section for required reading and briefings to be provided. In Phase 1, for example, the Team identified that it would be helpful to have a GDPR briefing.

·         There is a section for dependencies.

·         Lastly, there is a section for proposed timing and approach. This is the section where we anticipate the group to identify proposed approach and dependencies.

·         The template is a starting point. If this is helpful, support staff will move forward and complete templates for all of the identified issues. If you believe this is unhelpful and/or something is missing, please let us know so we can edit the template accordingly.

 

Questions/Comments

5.                Discussion of phase 2 process, focus, timeline and expected outcomes (45 minutes)

a.                    Each team and team member to provide their input on expectations and vision for phase 2:

           

• RySG - The Registries Stakeholder Group is committed to participating actively and in good faith to develop appropriate consensus policy recommendations around access to non-public registration data per our charter and to ensuring such recommendations provide a clear path to compliance with the GDPR, are commercially reasonable and implementable, take into account our differing business models, and do not inhibit innovation.  We agree that developing a responsible and reasonable timeline and milestones are important to ensuring a comprehensive approach to the important work of Phase 2, however we note that this is something we will need to discuss within our stakeholder group to ensure proper resourcing is available.

 

• RrSG - Three concerns and objectives - first, to gain some sort of legal and regulatory assurances that we can participate in an access model. We have operational concerns because we do not know what volume we expect. We must also guard against abuse. There are also economic concerns - deploying a system such as this will likely be expensive. With respect to a target date, the pace of Phase 1 was unsustainable. It’s reasonable to set a target date but the date should be supported by a realistic work plan. We’d like clarity regarding Goran’s proposal for a small group to interact with DPAs.

 

• IPC - The IPC would like to get to consensus on recommendations related to questions in the charter. We hope we can reach agreement on a concrete and specific group of third parties who may access non-public registration data. We hope there is agreement on questions related to access that strikes a balance b/w privacy rights of the registrant and the legitimate interests of third parties. We believe Phase 2 work should occur in two concurrent workstreams. One workstream should be standardized access and the other workstream will be deferred issues from Phase 1. We would like to see demonstrable progress by the Montreal meeting.

 

• BC - It will be helpful to set a date and get this done quickly. Essential to ensure ICANN is complying with the GDPR. We hope the work plan will move quickly and focus on the important work of the TSG and the unified access model. We believe it’s critical to the security and stability of the DNS to provide access to non-public registration data. One of the first things to focus on is third party interests. One work track should be focused on unified access model. The other work track should focus on issues deferred from Phase 1.

 

• ISPCP - Looking forward to working with you all in a collegial manner towards a solution compliant with GDPR.

 

• NCSG - Build upon what was recommended in Phase 1, particularly the items that had consensus. The stakeholder group is a basic unit of representation - we advise the Chair to keep in mind that constituencies are not the same as stakeholders group. As we deal with legitimate interest, this should be done on a case-by-case basis - we do not see the process of disclosure by a group being categorically accredited as having a legitimate interest. We would like the team to consider whether a data privacy impact assessment needs to be conducted- specifically article 34 of the GDPR.

 

• GAC - We concur with much of what has been said so far, particularly by the RrSG and IPC. We would like any system to be GDPR compliant and to meet the various needs in the group. A target date would be ideal, and we are looking forward to a commitment to meeting a timeline in Phase 2. We would like to put forward 12 months as a target date. We also believe in categories of interests - in order to help set a process for credentialing. If workstreams can be done in parallel, that would be helpful. We could also look to the TSG to help guide our work.

 

• ALAC - Committed to seeing this through and that we end up with something that protects privacy where appropriate. We also need to consider the needs of those that want access. The EU comment on the Phase 1 Final Report indicated that we have a responsibility to balance the interests. We have a concern with a UAM if we look at data elements which every group will get access to and look to the conditions of every request, we may be here forever. If we serialize the two work streams, we may end up changing the rules as contracted parties are already implementing recommendations. Working in parallel could be helpful.

 

• SSAC - Wish to avoid the unsustainable pace that occurred at the end of Phase 1; however, we do need to maintain momentum to have reliable and predictable access to appropriate levels of registration data. Emphasize SSR issues as it relates to the Internet ecosystem as a whole. Our focus will include appropriate legitimate access for security researchers.

 

• Board liaisons

 

• ICANN Org liaisons - As per the EPDP Charter - we are here to provide timely input on ICANN org-related questions. We are not here to advocate for a specific position or to participate on consensus calls.

 

• Everyone is eager to get back to work. No one questioned the outcome of Phase 1 or the GDPR. The team cannot establish the target date until we review the tasks ahead of us and the pace at which we want to accomplish the tasks. There did not seem to be any objections to working in parallel, so we can take that into account when building the work proposal.

                                                                         

6.               Review of legal guidance obtained during phase 1 (5 minutes)

1. Proposed approach

 

·         All legal memos are housed on the wiki: https://community.icann.org/pages/viewpage.action?pageId=105386422

·         EPDP team members should review all of the legal memos

·         Proposal to have a call with Bird & Bird to review the memos

·         All Team members please review or revisit the legal memos. If there is a prevailing feeling that we need to organize a special briefing, we can do so. If not, we will not.

2. Discussion

·         Does Bird & Bird have attorney-client relationship with ICANN org?

7.               ICANN65 planning –

1. EPDP Team Phase 2 meetings planned:

• Tuesday 25 June from 8.30 – 15.00
• Thursday 27 June from 8.30 – 15.00

2. IRT meetings planned:

• Wednesday 26 June from 10.30 – 12.00

3. Travel support – Staff support team is following up with those who identified a potential need. As a reminder, requirement is that the requesting member is (1) otherwise not able to attend AND (2) no alternate is already funded to ICANN65.

• Please let us know as soon as possible if you have not yet responded.
• Per the previous process, supported members will be posted to the wiki page.

 

·         Please note that these meeting dates and times are still tentative - members should already pencil these in, but a confirmation will come later once the overall schedule has been finalized.

·         Janis will not be able to attend the entire Marrakech meeting due to a family commitment. Rafik agreed to moderate the conversation on 25 June.

·         Goran Marby letter regarding sub team - is there any objection to creating a sub team? The main issue of the sub team would be what kind of policy questions do we need to raise in relation to a unified access model.

 

Feedback

·         The track Goran is working on is a siloed effort from what this team is doing. Caution against more silos with smaller groups of people working.

·         Understanding what may be required to potential volunteers would be helpful. For example, is travel required, how often will the team meet, where will the team meet, etc.

·         This is an excellent idea - it’s good that ICANN is doing its best to get clarification now regarding uniform access. It’s also a good idea b/c it provides transparency into the conversations that are happening.

·         It is important if we form a group, we understand what this group is doing. Also, those within the EPDP should know what is going on within ICANN. If we are going to do this, we need representation, which may the group larger than it would otherwise be.

·         Constant consultation with DPAs on models, until we decide to differentiate b/w one request and another, we may not get anywhere. We need to come up with a model of layered access. There were a number of policy decisions inherent in the TSG’s work - proceeding ahead where policy decisions are made at the ICANN org level instead of at the community level is worrisome. Building the TSG system may be overkill - contracted parties may be able to handle requests without using a big, expensive system.

·         Recommendation 3 - a unified access model is one form, but not the only form, of standardized access. The proposed TSG is one form, but not the only form, of a model. It’s unclear everyone is referring to the same thing when referring to UAM.

·         Action: Janis to reach out to Goran to get more confirmation.

8.               Wrap and confirm next meeting to be scheduled for Thursday, 16 May at 14.00 UTC (5 minutes)

1. Proposed call schedule going forward

·         90-minute call every Thursday at 14:00 UTC

2. Confirm action items

3. Confirm questions for ICANN Org, if any

 

·         No meeting next week, but will discuss the proposed work plan on 16 May.

·         We may consider a F2F meeting b/w Marrakech and Montreal but that can be discussed at a later meeting.