Hi Marika,

 

Thank you to Caitlin, Berry, Marika for getting us started on defining SSAD user groups. This is important work for us in Phase 2. IPC’s general and specific comments follow:

 

General

 

Processing

In each section, we should change c) and d) from “requesting data” to “processing data.” While we understand that a demand or query must be made, we note that we covered “requesting data” in Recommendation 18 in Phase 1, and now we must develop the mechanism for processing data in the SSAD context.  GDPR requires that we go through this exercise to establish the purposes and bases for “processing data,” so that’s the more accurate term here.

 

Overriding Interests

In general, we caution against assuming that the privacy interests of the data subject will always override a particular user group’s interest; this is legally inaccurate. There is a broad spectrum of 6.1(f) interest weighing (https://iapp.org/media/pdf/resource_center/wp217_legitimate-interests_04-2014.pdf), including data protection safeguards we should build into the system. Building in these safeguards works to our advantage as we can change “the balance of rights and interests to the extent that the data controller’s legitimate interests will not be overridden,” which will make standardized access as legally sound as possible.

 

Specific

 

ICANN

To add to the list, we probably need a user group for ICANN. This will help show that we’re not conflating ICANN purposes with third party purposes. ICANN users could be listed together, or separately as OCTO, ARS or DAAR work specifically, Contractual Compliance, or established as several different user groups. What does the EPDP team think?

 

Registrants

Registrants are an important user group, and must be included. We must ensure through policy that registrants are able to access the data that’s processed about them, in the system where it’s contractually obligated to be provided. This is key to exercising the registrant’s right to withdraw consent, right to rectification, erasure, etc., and a GDPR-compliant system requires data subject access. While many registrars make this information available in their customer portals, it’s not required that registrars do so, so we cannot assume it will be available to registrants in the registrar portal, especially with data minimization principles in play. We also should not presuppose a policy outcome that requires registrars to hold authoritative domain registration data. In fact, as suggested by the GAC, registrar liability may be lessened if the data were stored and accessed via a third-party portal. Registrars have been clear that registrar account credentials and data processed for a registrar’s business needs do not necessarily equal “WHOIS” data, which is separate and distinct from registrar purposes. Use cases for the registrant end user group include confirming registration data for releasing funds from escrow, verifying transfer completion, validating that renewal reminders and web form notices are going to the intended email address, and SSL Certificate provisioning.

 

End users

End users are an important user group, and must be included as a registration data user group. Lawful uses of registration data by end users can come in many forms, including establishing trustworthiness before the end user purchases a product, provides information on a web form, or clicks a suspicious link. “Consumer protection” is a fundamental right under the Charter of Fundamental Rights of the European Union (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT), and has been confirmed in the context of registration data access by the EC’s comments to the EPDP.

 

LEA

If the LEA distinction was intended to capture the difference between 6.1(e) and 6.1(f) processing, we note that the standard for 6.1(e) is not based on the LEA being European; rather, the processing must simply have a basis in Union or Member State law. A foreign LEA investigating a malicious botnet, for example, has a 6.1(e) basis because this form of cybercrime is illegal under Union or Member State law. Other bases (including but not limited to 6.1(c) and 6.1(d)) may also apply, according to the EC. LEA access should also not be limited to cybercrime or DNS abuse – LEAs use domain registration data to investigate all manner of crimes, not just those related to the DNS. To keep us focused, our goal here is to establish access that is standardized. LEAs with authority in a contracted party’s jurisdiction should already have legal means to subpoena any data needed, according to the differing standards present across the world’s various jurisdictions. The scope of our work vis-à-vis LEAs is to establish legal, standardized access to registration data notwithstanding local subpoena rules. So, we should have a single standard for LEAs, regardless of the jurisdiction of the contracted party or the LEA.

 

Intellectual Property

Intellectual property is a fundamental right under the Charter of Fundamental Rights of the European Union (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:12012P/TXT). It is protected in It is not an “interest or position.” Accordingly:

a) should read, “Holders of intellectual property rights and their agents, attorneys, and rights enforcement representatives;”

b) should read, “Attestation in good faith that the user is the owner, agent, attorney, or rights enforcement representative of the intellectual property in question;”

c) should read, “• To investigate whether the registration or use of the domain name is violating intellectual property rights

• In order to enable contact with parties using a domain name that is being investigated for violation of intellectual property rights

• To enable identification of domain name Registrants to support trademark clearance (risk analysis) when establishing new brands”

d) should read, “each of 6.1(a) through (f), depending on the facts of the investigation”

e) as a placeholder, should read, “various data elements may be necessary, depending on the facts of the investigation”

 

Thanks, all. Welcome robust discussion on this tomorrow.

 

Brian J. King

Director of Internet Policy & Industry Affairs

MarkMonitor / Part of Clarivate Analytics

Phone: +1 (443) 761-3726

brian.king@markmonitor.com

 

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Marika Konings
Sent: Tuesday, June 4, 2019 11:00 AM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] Proposed Agenda EPDP Team meeting #5 - Thursday 6 June at

 

Dear EPDP Team,

 

Please see below the proposed agenda for Thursday’s EPDP Team meeting. Due to unforeseen circumstances, Steve Crocker will not be able to attend so his presentation to the EPDP Team will be rescheduled for another time. Please review the attached document prior to the meeting in preparation for agenda item 6.

 

Best regards,

 

Caitlin, Berry and Marika

 

 

EPDP Phase 2 - Meeting #5

Proposed Agenda

Thursday, 6 June 2019 at 14.00 UTC

 

1. Roll Call & SOI Updates (5 minutes)

2. Confirmation of agenda (Chair)

3. Welcome and housekeeping issues (Chair) (10 minutes)

4. Review of clarifying questions, concerns and/or background information submitted in relation to GNSO Council-Board consultation in relation to Board action on Phase 1 recommendations - see https://www.icann.org/resources/board-material/resolutions-2019-05-15-en#1.b (Chair) (15 minutes)

    1. Overview of clarifying questions, concerns and/or background information put forward
    2. Discuss which of these have support of EPDP Team to be submitted to GNSO Council
    3. Confirm next steps

5. SSAD Priority 1 worksheet (15 minutes) (Marika)

    1. Overview of input received – see https://docs.google.com/document/d/1uoolznpxb0JxddFZA5n9ueRkB4tjDOQQCoMeQWpbiSc/edit?usp=sharing
    2. Further comments / questions
    3. Confirm next steps for finalization of priority 1 worksheet

6. SSAD – Topic c Topic: Define user groups, criteria and purposes / lawful basis per user group (Marika) (60 minutes)

    1. Review template developed by staff support team (see attached)
    2. EPDP Team input
    3. Confirm next steps

7. Any other business

    1. Priority 2 small team meetings update

Reminder - Call schedule remaining priority 2 worksheets:

· Wednesday, 12 June - 20:00 – 21.30 UTC
    City field redaction
    Data Retention

· Monday 17 June – 13:00 – 14:30 UTC
    Potential OCTO Purpose
    Feasibility of unique contacts to have a uniform anonymized email address

· TBC (post ICANN65)
    Accuracy and WHOIS ARS

8. Wrap and confirm next meeting to be scheduled for Thursday, 13 June at 14.00 UTC (5 minutes)

    1. Confirm action items
    2. Confirm questions for ICANN Org, if any

 

 

Marika Konings

Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) 

Email: marika.konings@icann.org  

 
