Thank you to Caitlin, Berry, and Marika for compiling this draft approach. We appreciate your effort, and we generally agree with this proposed approach, with specific comments below:

As the IPC has suggested, we should set as one of our top, near-term priorities to address the legal status and legal liability of all parties involved in controlling and processing registration data, including ICANN, contracted parties, and (as all will be encouraged to hear) third parties who access registration data. Aiming for this clarity is a better objective for the EPDP team than “legal certainty” or “alleviat[ing] the legal liability” of any party, neither of which would be possible. So, we’re on board – let’s just be clear about the realistic outcome we’re aiming for.

 

We’ve refrained from engaging in the access vs. disclosure discussion because as long as the eventual model supports unified/standardized access, we frankly don’t care what it’s called. Our thoughts on this matter are as follows: We’re mindful that the word disclosure seems to imply a focus on the party doing the disclosing, and that Phase 1, Recommendation 18 used “disclosure” to define the request-and-contracted-party-review style of ‘data obtaining’ (to generalize the concept) contemplated by the Temporary Specification. This was great collaborative work by the EPDP team, and we’re encouraged by it. Now that it’s finished, we’re eager to move on to creating the discloser-agnostic unified/standardized access model in Phase 2. So it seems to make more sense to focus on establishing the parameters within which someone with a lawful basis may expect unified/standardized access when they have such lawful basis, from whatever the source. Accordingly, we have a slight preference for “access” as it more accurately describes our Phase 2 work objective, but we’re probably nomenclature-agnostic if the EPDP team agrees with the goal of unified/standardized access.

 

We reiterate our support for two work streams as we have much to cover, and the EPDP team has committed to work diligently toward successful resolution of Phase 2.

 

We agree with Volker and Hadia that the more accurate description of the data is “non-public registration data,” which encompasses both personal information and non-personal information.

 

 

 

Obviously, according to the European Court of Justice, all information that in combination with other pieces of information could lead to the identification of the data subject is also personal information, so that differentiation is moot. (See: IP-Addresses in Case 582/14 – Patrick Breyer v Germany)

The only scenario where nonpublic information is not public information is when the data cannot lead to the identification of the data subject, but that cannot usually be seen on its face. For example the commonly used role "Domain Manager" could be personal information if someone on that company website is listed as such, the company only has one staff member in that role or other factors and data sources allow the identification or the ability to build a personal profile.

So yes, even legal entities may have used data in their registation data sets that can be considered personal information, which is why contracted parties have argued for no differentiation between entity types. Ultimately, the type is irrelevant, the data used is relevant.

Best,

Volker

Hi All,

 

I would not use the term " disclosure/access to personal information" but would rather use the term " disclosure/access to nonpublic registration data". The reason for this is that by definition, some of the redacted data is not personal information, but was redacted because it was thought that in combination with other pieces of information it could lead to identifying the data subject.

 

Best Regards,

Hadia

 

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Marika Konings
Sent: Wednesday, May 08, 2019 11:39 PM
To: Mueller, Milton L; gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] [Ext] RE: For your review - Phase 2 Draft Approach

 

Apologies, it looks like the pdf conversion got rid of the ticks. We’ve replaced them with ‘X’ in the attached version.

 

Best regards,

 

Caitlin, Berry and Marika

 

From: "Mueller, Milton L" <milton@gatech.edu>
Date: Wednesday, May 8, 2019 at 15:35
To: Marika Konings <marika.konings@icann.org>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: [Ext] RE: For your review - Phase 2 Draft Approach

 

Hi,

Looks like Janis and staff have been busy!

I have a question about Slide 7. There are no “X’s” or ticks in the columns for WS 1 and WS 2.

So I can’t tell what this means. Are we proposing (I hope) that WS1 meets on Tuesdays and WS2 meets on Thursdays? Or is this still open-ended?

 

--MM

 

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Marika Konings
Sent: Wednesday, May 8, 2019 2:07 PM
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] For your review - Phase 2 Draft Approach

 

Sending on behalf of Janis Karklins

 

Dear EPDP Team,

 

Following last week’s meeting, the leadership team and staff support have worked together on developing a draft approach for tackling phase 2. We hope this strikes a balance between the different views expressed and will form the basis for a detailed work plan with concrete milestones and deliverables. You will find attached a couple of slides that outline our current thinking in further detail, but here are some points I want to emphasize:

 

• This is a draft approach for discussion and review. Based on your input prior and our discussion during next week’s meeting, we will further iterate and detail our approach, the proposed work plan and accompanying timeline. This draft is for discussion that, hopefully, will lead to a consensual agreement.
• For the purpose of our exercise it is important to use definitions and terminology with the same understanding. We propose to develop and use working definitions without prejudice  to consensual outcome. Final definitions can only be developed once the Team has finalized its work and agreed on its recommendations.
• Based on the Team’s feedback in relation to the request to form a small team to engage with ICANN Org, I suggest to keep a plenary setting which will avoid creating a separate structure and ensure that everyone is part of discussion. Nevertheless, as this work on obtaining legal certainty is ongoing, I would propose that we deal with the charter questions and list of issues identified on slide 5 in an agnostic manner.  In other words, we should refrain at the outset to deliberate on whether or not a System for Standardized Disclosure should be centralized or not, but rather we should focus on the commonalities and where needed identify that differentiation may be required depending on which model is ultimately determined to be legally compliant with GDPR and workable. I also expect that this approach would help inform the engagement of ICANN org and DPAs.
• I appreciate that some of you may consider the timeline ambitious, but I’ve heard from almost everyone that the work on a System for Standardized Disclosure is a priority and as such I am committed to setting a target date for us to work towards. This will require your support and dedication. I am pretty confident I can count on that.

 

I look forward to receiving your feedback and would like to encourage you to focus your input on what, why and how things could or should be done differently, instead of simply saying that something cannot be acceptable or should not be done.

 

Janis Karklins

 

Marika Konings

Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) 

Email: marika.konings@icann.org  

 

Follow the GNSO via Twitter @ICANN_GNSO

Find out more about the GNSO by taking our interactive courses and visiting the GNSO Newcomer pages. 

 

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team