Dear EPDP Team,

Please find below the notes and action items from today’s meeting.

The next EPDP Team meeting will be Thursday, 18 March at 14:00 UTC.

Best regards,

Berry, Marika, and Caitlin

EPDP Phase 2A - Meeting #10

Proposed Agenda

Thursday 11 March 2021 at 14.00 UTC

1. Roll Call & SOI Updates (5 minutes)

2. Welcome & Chair updates (Chair) (5 minutes)

a. ICANN org supplemental information on legal / natural study submitted

- Please note that ICANN Org’s responses are now posted on the wiki: https://community.icann.org/pages/viewpage.action?pageId=159482147

- Action: EPDP Team members to identify additional questions to ICANN org (if any) by Wednesday, 17 March

3. Feasibility of unique contacts (15 minutes)

i. Whether or not unique contacts to have a uniform anonymized email address is feasible, and if feasible, whether it should be a requirement.

ii. ii. If feasible, but not a requirement, what guidance, if any, can be provided to Contracted Parties who may want to implement uniform anonymized email addresses.

a. Update from Legal Committee on definitions and questions referred to Legal Committee on topic of feasibility of unique contacts (Becky)

- Becky: he Legal Committee has worked hard in the last few weeks and has almost finished work on all questions.

- The feasibility questions have been pared down to a single three-part question that will employ the definitions the Legal Committee previously circulated to the plenary, i.e., “registration-based email contact” and “registrant-based email contact”).

-This will be circulated to the plenary shortly and then to Bird & Bird.

- NCSG: Question – is the legal committee concerned with the feasibility or legality of anonymized contacts?

- Becky: The Legal Committee is asking B&B to compare the level of risk and type of risk for automated disclosure of registrant-based email contact (which is an email contact that is consistent across the registrations of a single registrant) and, on the other hand, of a registration-based email contact, which would be unique to a particular registration.

- The question that had been raised in one case (the Breyer case) – notwithstanding the definition of anonymity in GDPR - that would render the risk of reidentification by third parties insignificant. The Legal Committee is looking for a comparison with the legal risks associated with those choices.

- SSAC: The business of trying to set up anonymous and pseudonymous is often the wrong direction. If you’d like to contact the registrant without revealing the contact information, could there be an easily computable email address that is forwarded to the registrant. There is no guarantee of a reply – it doesn’t have to be heavyweight. However, this is straightforward and trivial to implement system.

- Becky: That would be work that would not be within the legal committee’s gambit; that is a policy question.

b. Confirm next steps

4. Legal vs. natural (60 minutes)

i. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“);

ii. What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.

a. Update from Legal Committee in relation to questions referred to legal committee on legal / natural (Becky)

Becky: The questions on legal v. natural follow up on the previous legal v. natural memo – specifically the mitigation procedures
There is also a question re: useful precedent with EURid’s interpretation of the regulation, as well as RIPE NCC re: publication of resource holders, and the extent the NIS2 regulation might implicate the balancing test
All questions sent to Bird & Bird were sent to the EPDP Team as an FYI
The Team is still discussing two questions with plans to finalize at the next meeting on Tuesday.
Keith: Regarding the implications of NIS-2 – this is directionally significant. It has the potential to impact the work of ICANN and consensus policies and contracts, but it is far from complete. However, because it is directionally significant, it is important for the Legal Committee to ask for advice.

b. Follow up questions to Jamboard brainstorming – Proposal 1a

· Review RrSG and RySG responses to leadership follow up questions to input provided on JamBoard (seehttps://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit)

Registrars have provided additional input on Proposal 1a
RrSG: For the 1(a) proposal, the registrar has direct contact with the domain owner at the time of registration. This idea could work for a retail or brand registrar; however, in the reseller model, this would not work because a registrar does not interact with the registrant at the time of registration (or at any point).
It is difficult to provide implementation guidance at this time since we’re not sure what the final policy will be.
Keith: Note of caution: the Team should endeavor to be careful in terms of being overly prescriptive, factoring in the wide range of business models.
RrSG: Guidance for Registrars When Distinguishing Registrant Type –
In putting together this table, the registrar team wants to emphasize that when registrars process data, we must adhere to the principles GDPR requires. On the left-hand column, you will see the principles for data processing under the GDPR. Each row shows what the registrar can do in line with these principles.
In response to Laureen’s clarifying comment, what registrars intended with person type information is when the data subject indicates whether it is a natural or legal person
This chart provides helpful guidance registrars who may not be familiar with GDPR obligations and make sure that domain name owners are able to make an informed choice about how their data is processed while allowing flexibility to registrars based on their own customer base
Keith: Please review this proposal in detail over the coming week so that we can have further discussion at the next meeting.
GAC: Appreciate the registrars’ effort on this – it would be helpful for registrars to zero in on the key differences b/w this proposal and the GAC proposal
RrSG: The key difference is that the GAC proposal is a step-by-step process to be followed in order to achieve a certain goal, while this is a set of principles that a registrar would need to adhere to if they would like to differentiate. It shows the pieces that are necessary without a specific prescription.
BC: Is this a proposal that could be combined with Laureen’s proposal?
RrSG: Not sure if that could work. Anyone that follows Proposal 1(a) should also be following these principles, but in terms of how to combine them - there is still the same difficulty with the GAC proposal because it is overly prescriptive.
Keith: It seems that the “what” is what the guidance or policy should cover, and that as you move into the “how” and “when” is when it becomes potentially too prescriptive in that it may not appropriately cover the range of business models. If we can agree on “what” is expected, the questions of “how” and “when” become the responsibility of each registrar to make that determination.
GAC: It would be incomplete and unhelpful if there is no specificity when this occurs. Practically speaking, it is only useful if it occurs some time before the information is actually published.
Keith: “when” should not be off the table entirely but it should acknowledge these variations
RrSG: The step-by-step process of what to do and when is too much, and the registrar guidance is applicable across business models. In terms of the question of if differentiation can happen – yes it can, but there is a risk, and assuming this risk should ultimately be up to the controller.
BC: There could be a requirement for “within a certain amount of days” for reseller-based registrars. Resellers have to agree to certain conditions and requirements, so not sure why it is impossible to do this within the registration process for resellers. Perhaps we can consider adding a delay to accommodate resellers.
NCSG: The operative question is whether there is personal information including that of employees. Why doesn’t the business constituency come up with a template for businesses to attest that there is no personal data in their registration. This is increasingly difficult when employees work from home.
GAC: If we are talking about reasonable steps and there is inadvertent publication, if the contracted parties will be covered. The risk discussion does not have a lot of merit. The Team is trying to discuss limiting the risks with mitigation techniques. Hopeful the Team can agree that differentiation is important and should happen and CPs come up with suggestions of a way this can be done in line with their business model.
Keith: Part of the group’s work is to come up with guidance for groups who choose to differentiate at this time.
NCSG: This is ignoring the fact that the risk to the registrant is frequently overlooked – registrants are looked at as a source of data that can be freely accumulated. Some groups want data to be available and others want to limit it. Understand that it is convenient for many stakeholders to have access to data in a restrictive manner. And understand that free access to that data creates security and privacy risks that the GDPR was designed to protect. Recommend allowing registrants to consent to publication. Some jurisdictions already require this data to be published. There will also be an SSAD in place – if you really need the data and you have a valid legal basis, you will be able to get it via the SSAD.
RrSG: The case for requiring differentiation has not been made. Where is the necessity to make this a policy requirement as opposed to a voluntary option for registrars to disclose?
RrSG: Surprised to hear that there is no risk to registrars to override the input of a registrant. Creating a new flag for legal v. natural would be a broad and significant change.
Keith: Input from the registrars is important – EPDP Team to take a week to consider it. There will be further discussion on this next week. There have been questions of consent of registrants. Some of this will be further informed by the questions posed to Bird & Bird.

· EPDP Team to discuss and confirm updates to be made to proposal 1a

· Confirm next steps

c. Review input provided on legal vs natural thought experiment

· See https://docs.google.com/document/d/1Hf-Nt-VMznpGE4WZ7wWaHF8pXdm8qA28OW7Mjr4MH_A/edit

· The purpose of this discussion is to we assume, for a moment, that there is a requirement for CPs to distinguish b/w legal and natural persons – how would contracted parties go about doing this?

· The first section of the document is the thought experiment – hypothetical requirement of legal v. natural differentiation.

· The next section is trying to leverage what the previous two phases of the EPDP agreed to

· Hoping to tease out (at the bottom of the document) where in the registration cycle these checks can occur and what this could actually look like. For each of the recommendations, we requested the registrar reps to respond; however, the rest of the Team is welcome to provide sidebar comments. The concept was to tease out what registrars might be implementing at a conceptual level.

· Keith: Nothing discussed in this thought experiment will bind or commit anyone to anything.

· In light of the time, we will get into this next week while we await feedback from Bird & Bird.

· Resist making policy arguments over whether this should happen.

· It’s not a question of how this could be done; it’s about identifying potential challenges and how to mitigate the challenges.

· If your group has already provided input, it should not stop you from providing additional input or responding to other groups. Groups who have not yet participated are welcome to provide feedback – particularly in response to the input already provided.

· Confirm next steps

5. Wrap and confirm next EPDP Team meeting (5 minutes):

a. Meeting #11 Thursday 18 March at 14.00 UTC.

b. Confirm action items

c. Confirm questions for ICANN Org, if any