I agree with Stephanie, and would further like to strongly caution us from assuming that ICANN are a sole controller for 'ALL' processing here. 

Should ICANN be considered sole controller for the whole kit and caboodle here, then we are stating that the CPs have zero influence on the manner in which we process data. In such an instance, it is up to ICANN to provide us with documented instructions as to all aspects of the processing. I think we should consider what such a statement means for ICANN and indeed the substantial ramifications that such a statement would have for the the Multistakeholder model itself here. In addition, I think we shall find that the legal reality of the situation is never going support the finding of a sole controllership (in all aspects). Pragmatically, any CP could confirm that our requirements under the RA or RAA is simply nowhere near 'comprehensive' enough to qualify as 'documented instructions' for our processing. Let alone the complications regarding aspects such as Sub-processor arrangements, 'technical and organizational measures', and of huge importance, the taking care of any and all data subject requests re registration (which are the Controller's responsibility). The means of processing the CPs implement are varying, but with united goals, but this still suggests such processing means extend beyond the contracts, and we need to be mindful of that in our assessment of the facts here. Additionally ICANN cannot possibly implement and monitor, and enforce compliance with their 'processing' instructions as would be required under Art 28 in any meaningful manner. 

I have always maintained that we do not, as an industry, fit nicely into the clean controller/processor relationship and thus defining our exact relationship must be the work of new thinking on our combined behalf. Thankfully such an approach fits with the intention of the GDPR, and within the  expanded appreciation of non-traditional processing situations, as is supported by Art 26 of the GDPR. Hence why the Joint Controller path with a detailed roles and responsibility carve up is the most pragmatic and likely only viable path open to us.

Alan








Donuts Inc.
Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
The Victorians, 
15-18 Earlsfort Terrace
Dublin 2, County Dublin
Ireland

    

Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful.  If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.


On Tue, Nov 13, 2018 at 4:44 PM Stephanie Perrin <stephanie.perrin@mail.utoronto.ca> wrote:

If you are talking about the IPC team agreeing, Brian, fine.  I don't think the EPDP has any consensus position on controllership at all, which is why I support delaying the release of the report until we can at least frame our questions.  ICANN as a body, including this PDP, needs to analyze the current situation and determine status.  Given the inattention to registrant rights and data protection law throughout the history of ICANN, not much is clear....the contracts have embedded policy that was not community-developed, ICANN has taken on sole responsibility for some functions that are normal business requirements (eg Escrow), so determining what the framework is is not so simple.  WE need to do that to figure out quite a few things under GDPR.

Stephanei

On 2018-11-13 11:03, King, Brian via Gnso-epdp-team wrote:

Hi All,

 

If I still have posting rights to the list, here is some language for your consideration as a first draft of the EPDP’s position on ICANN controllership for the Initial Report:

 

The team agrees that ICANN is at least a controller for all purposes identified, and perhaps the sole controller for some or all purposes. The team eagerly awaits the receipt of the legal memorandum about ICANN’s controllership role that is currently being drafted. As the memorandum was not received prior to the publication deadline for the Initial Report, the team requests that this memorandum be produced as soon as possible to inform both public comment and the group’s views on controllership for the Final Report.

 

I’ll defer to Alex and Diane on further IPC input from here.

 

Brian J. King

Director of Internet Policy & Industry Affairs

MarkMonitor / Part of Clarivate Analytics

Phone: +1 (443) 761-3726

brian.king@markmonitor.com

 


_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team