Thanks Benedict. I would gladly accept this and I predict that the ALAC would concur.

I would suggest that we add to #4 that the declaration would be required when contact information is changed as that is both a good opportunity where the registrant is adjusting their information and the status could in fact change at that time.

Alan

At 14/11/2018 04:06 PM, Benedict Addis wrote:

Dear Alan, Hadia,

I’ve discussed this with SSAC colleagues, and propose the following compromise:

1. Introduction of policy requiring registrant to make a legal / natural person declaration.

2. Declaration would be mandatory for registrars to implement within a reasonable time.

3. No obligation for registrars to verify accuracy of declaration.

4. A declaration would only be required during ‘contact' with registrant, ie on registration, renewal, and transfer (by gaining registrar).

5. Registrar may make declaration on behalf of registrant if it has reasonable knowledge of registrant’s status.

6. Registrant may change their declaration at any time.

7. Fail safe: the absence of a declaration results in assumption that the registrant is a natural person; i.e. default redaction of data.

8. No obligation to obtain retroactive declarations. (The average domain lifespan is 1.4 years so adoption will happen naturally.)

9. "edge case" legal persons - for example those trading from home (like me!) or in certain protected categories (as suggested by Stephanie) - may additionally declare that the registration data contained personal or sensitive information, so that it may be redacted.

10. False declarations will be subject to the normal whois inaccuracy complaint process.

If the team thinks this proposal has merit, there may be an opportunity to run it past the EDPB for approval. Your thoughts welcome!

Best,
Benedict.

On 14 Nov 2018, at 18:11, Alan Woods <alan@donuts.email> wrote:

Dear Team,

Thank you, Hadia and Alan for your statements. As the Ry reps (supported by the registrars) have already explained we believe the mandatory policy is unsuitable noting our assessment as to the reasons grounding that position. I believe it would be beneficial to the team, if the ALAC could similarly provide us with your grounding reasoning as to why you believe such a mandatory policy is appropriate, given the risks we have already noted to both the Data Subject AND, the CPs, both of whom will be impacted to the greatest extent by such a recommendation.

To leadership Team:
I think at this point, given the relatively small time left remaining in this process, that we need to set clear expectations for the provision of any such SO/AC/SG/C ‘recommendations’. At a minimum we should be insisting that SO/AC/SG/Cs who wish to make any recommendations must also provide their assessment/reasoning for such a conclusion, capable of grounding any such recommendation; more so specifically in cases such as this, where such views are at complete odds with strongly stated concerns and reservations of another SO/AC/SG/C already on record, of which they are reasonably aware of at the time of submission.

Using this recommendation as an example, and my apologies, this is not aimed specifically at ALAC, but it is the example to hand. I’m fully sure that Hadia and Alan have not come to this conclusion lightly.

That being said, if I may illustrate the point however by highlighting why grounding reasons are so vital in this particular recommendation. In my consideration of the proposal I would pose the following questions which immediately spring to mind.

WHY is minimum mandatory policy considered suitable, given the concerns raised? What factors were considered that seem to outweigh such concerns?
Given the representations on record as to the inability to implement a mandatory policy, how is the recommendation made compatible with Art 25 of the GDPR?
Given that representations on record as to concerns regarding the security of personal data, should a mandatory policy be implemented?

At the very least, any such recommendation must be accompanied by an assessment under Art 32?

Art 32 (2) requires an assessment as to security and the preventive methods against breaches be undertaken. The ePDP recommendation must ultimately also include such an assessment, therefore for clarity, any party who makes such a recommendation, should also provide a grounding assessment as to such a recommendation.
Again this assessment must take into account matters such as risk of breach, with due deference to the helpful headings as provided by Art 32 (1). It must also provide acceptable answers or at least provide reasons for dismissing to concerns raised.
So given the strongly stated concerns the CPs have raised regarding the likelihood of a higher risk of breach of data, were a mandatory policy to be imposed, it is incumbent on those suggesting to disregard such a concern, to provide their reasoning for such a decision.

I appreciate we all have viewpoints (strong ones) on this, but without providing a reasoned supported argument for a certain recommendation to the group, we cannot possibly fairly assess such a recommendation. I must therefore urge and request leadership to be insistent going forward, that any such recommendations made by any SO/AC/SG/C (Registries included of course) MUST be accompanied by a full statement of the reasons grounding the recommendation, including, as we are talking about data subject rights, an assessment as to the impact the proposed policy recommendation may have on the privacy rights of the individual, or indeed on the ability of the CPs to implement.

Kind regards,
Alan Woods

_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team