Hi Milton,


Thank you for your questions.  Hopefully, this response will cure your concern.


In short, staff understands this as an evolution of workbook template structure and perhaps Question #1 within the latest version can be reworded.


You will recall that the first iteration of our workbooks only contained a Purpose Statement with a series of nine questions to better understand the purpose.  During the LA F2F, we started to deliberate the lawful basis against the Purpose Statement only and by Wednesday morning of the F2F the lawful basis small team started to define multiple Processing Activities for each Purpose Statement.  This is where the group recognized the possibility of a lawful basis for each defined Processing Activity and not just the Purpose Statement itself.  As it turned out, a few of the questions within that set of nine was an initial attempt at defining a processing activity, but the first version of the workbook template fell short in that the Data Elements section along the left side only referred to the processing activity of Collection.  The old workbook format outgrew its usefulness in that we also needed to identify/confirm the Data Elements for the other three standard Processing Activities such as Transmission, Disclosure, and Retention.  Hence the launch of the next generation workbook the EPDP has been using for the last several weeks.


As you will now see, each Processing Activity (Collection, Transmission, Disclosure, Retention) has its own lawful basis (either 6(1)(b) or 6(1)(f)) along with a brief rationale statement.  The intent here is that each Processing Activity, its lawful basis, and its brief rational are each connected back to an reinforce the rationale for the Purpose Statement.


With the latest version of the workbook, the attempt to complete the rationale for Question #1 of the Purpose Statement was to key off the part of question “if the purpose was based on a ICANN contract.”  Or, as in Question #2 identifying the relevant ICANN bylaw that supports the definition of the Purpose Statement and finally Question #3 about the “picket fence” which is connected to both questions #1 & #2.


In transitioning to the next version of the workbook template, I wanted to stay as true to the prior version as much as possible.  Therefore, Question #1 did not change, even though the lawful basis determination in answering the question of “is the processing necessary to achieve the purpose” shifted to the Lawfulness of Processing Test section.


Would a modification of Question #1 address your concern to perhaps “Cite the relevant section of the ICANN contracts that corresponds to the above purpose, if any.”?   In keeping with the nature of the drilling down framework, we can even swap Question #1 with Question #2 so that we start at the top with the identification of ICANN Bylaws and then second the identification ICANN contract provisions and third to the “picket fence” considerations.


Please advise if this may address the concerns you raise below.


Thank you.


Marika, Caitlin, and Berry.


Berry Cobb

GNSO Policy Consultant



From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Mueller, Milton L
Sent: Monday, October 29, 2018 06:23
Subject: [Gnso-epdp-team] Major issue in the Data Elements workbooks


I’ve gone through three workbooks now (Purposes A, B and C) and have noticed a significant error in all three of them. Whoever did the last revision of these documents has confused the question whether something is within ICANN’s mission with the question whether it is lawful under GDPR.


For example, in Purpose A, Purpose Rationale 1 asks,

1) If the purpose is based on an ICANN contract, is this lawful as tested against GDPR and other laws?”


The answer provided has struck out all the appropriate language about 6.1.b vs 6.1.f, and has inserted: “Yes, this purpose is lawful based on ICANN’s mission to coordinate the allocation and assignment of names in the root zone of the Domain Name System.” It goes on to cite the RAA.


Something similar has happened with Purposes B and C.  Language about lawfulness under GDPR has been replaced with language about ICANN’s mission or contracts.


This is a mistake, and cannot stand. References to ICANN’s mission and contracts tell us nothing about whether something is “lawful as tested against GDPR and other laws.”

Perhaps the staff and Kurt can clarify how this happened.


NCSG members are preparing modified versions of the workbooks which correct the error, but it might be easier if whoever made these modifications would systematically reverse them. My problem is that I do not know what exact language regarding purpose rationale was accepted before these changes were made.



Dr. Milton L. Mueller

Professor, School of Public Policy

Georgia Institute of Technology