Thanks Diane. If "data protection agreements" provides sufficient flexibility, then I would suggest deleting the reference to Joint Controller Agreement. Otherwise I would retain the Article 28 reference as I believe there are circumstances when the controller/processor relationship may be or may become relevant. Cheers, CD

On 26 Jan 2019, at 02:53, Plaut, Diane <Diane.Plaut@corsearch.com> wrote:

Chris –

The change still provides flexibility by the verbiage “data protection agreements.”

Sincerely,

Diane

Diane Plaut General Counsel and Privacy Officer <image001.png> Direct +1 646-899-2806 
> diane.plaut@corsearch.com <mailto:diane.plaut@corsearch.com> 220 West 42nd Street, 11th Floor, New York, NY 10036, United States
> www.corsearch.com <http://www.corsearch.com/> Join Corsearch on Twitter <https://twitter.com/corsearch> Linkedin <https://www.linkedin.com/company/2593860/> Trademarks + Brands <http://trademarksandbrands.corsearch.com/> Customer Service/Platform Support: 1 800 SEARCH1™ (1 800 732 7241)
> Corsearch.USCustomerService@corsearch.com <mailto:Corsearch.USCustomerService@corsearch.com>

Confidentiality Notice: This email and its attachments (if any) contain confidential information of the sender. The information is intended only for the use by the direct addressees of the original sender of this email. If you are not an intended recipient of the original sender (or responsible for delivering the message to such person), you are hereby notified that any review, disclosure, copying, distribution or the taking of any action in reliance of the contents of and attachments to this email is strictly prohibited. If you have received this email in error, please immediately notify the sender at the address shown herein and permanently delete any copies of this email (digital or paper) in your possession.

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org <mailto:gnso-epdp-team-bounces@icann.org>> on behalf of Chris Disspain <chris@disspain.uk <mailto:chris@disspain.uk>> Date: Saturday, January 26, 2019 at 7:15 AM To: Kurt Pritz <kurt@kjpritz.com <mailto:kurt@kjpritz.com>> Cc: EPDP <gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Hello All,  <>

Apologies for taking a couple of days to respond. I am concerned by: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. I thought we had discussed this and agreed a way forward. I don’t understand why we would strike the reference to a Data Processing Agt and leave the reference to a Joint Controller Agt. I thought we had agreed that we needed flexibility.

Cheers,

CD

On 23 Jan 2019, at 15:22, Kurt Pritz <kurt@kjpritz.com <mailto:kurt@kjpritz.com>> wrote:

Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>

All, Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change "shall" to "should" in the 3rd sentence. As revised, Recommendation 13 reads: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Dear all, I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here. So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements: *Art 28:* (processor) "Processing by a processor shall be governed *by a contract or other legal act*" *[emphasis added] * *Art 26:* (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, *by means of an arrangement between them* " *[emphasis added] * I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 <http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states: " Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner* by means of an agreement in writing between them*, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. *[emphasis added] * So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data. So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it. Kind regards, Alan [image: Donuts Inc.] <http://donuts.domains> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland <https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org> wrote:

Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.”

Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this.

Dan and Trang

ICANN Org Liaisons

*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org> *Reply-To: *"Rosette, Kristina" <rosettek@amazon.com> *Date: *Monday, January 28, 2019 at 5:14 PM *To: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

All,

Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rd sentence.

As revised, Recommendation 13 reads:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

Kristina

*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of *Sarah Wyld *Sent:* Monday, January 28, 2019 3:29 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Hello All,

Here is the RrSG's proposed text for Rec 13:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input.

--

Sarah Wyld

Domains Product Team

Tucows

+1.416 535 0123 Ext. 1392

On 1/23/2019 6:22 PM, Kurt Pritz wrote:

Hi Everyone:

With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)

*Discussion*

The language below is the same language proposed by the small team that reviewed the comments, but modified:

- as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and - by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.

I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.

*Proposed Recommendation #13 Language*

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [*Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.*]

*Action:*

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Sincerely,

Kurt

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason. Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect). Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative. I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios: 1. We say joint controllers and in fact the parties are independent controllers In this scenario, there should not be any risk for the parties at all. The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects. 2. We go for independent controllers and in fact a joint controller scenario is present In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.: - a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless. I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so. In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so. Thanks for reading all this. Best, Thomas PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach.

Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email>:

Dear all,

I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here.

So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements:

Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act" [emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added]

I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 <http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states:

" Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added]

So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data.

So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it.

Kind regards,

Alan

<http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org <mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.”

Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this.

Dan and Trang

ICANN Org Liaisons

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org <mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com <mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

All, <>

Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rd sentence.

As revised, Recommendation 13 reads:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

Kristina

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org <mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Hello All,

Here is the RrSG's proposed text for Rec 13:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input.

-- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392

On 1/23/2019 6:22 PM, Kurt Pritz wrote:

Hi Everyone:

With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)

Discussion

The language below is the same language proposed by the small team that reviewed the comments, but modified:

as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.

I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.

Proposed Recommendation #13 Language

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.]

Action:

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Sincerely,

Kurt

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion I agree with Thomas. I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to! As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table? Farzaneh On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja> wrote: All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason. Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect). Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative. I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios: 1. We say joint controllers and in fact the parties are independent controllers In this scenario, there should not be any risk for the parties at all. The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects. 2. We go for independent controllers and in fact a joint controller scenario is present In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.: - a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless. I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so. In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so. Thanks for reading all this. Best, Thomas PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach. Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email<mailto:alan@donuts.email>>: Dear all, I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here. So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements: Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act" [emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added] I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018<http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states: " Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added] So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data. So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it. Kind regards, Alan [Donuts Inc.]<http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ________________________________ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland [http://storage.googleapis.com/signaturesatori/icons/facebook.png]<https://www.facebook.com/donutstlds> [http://storage.googleapis.com/signaturesatori/icons/twitter.png] <https://twitter.com/DonutsInc> [http://storage.googleapis.com/signaturesatori/icons/linkedin.png] <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org<mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this. Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com<mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion All, Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rd sentence. As revised, Recommendation 13 reads: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

it seems like USG has suggested deleting the whole recommendation. I do not see any other opposition against JCA. h ttps://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool?preview=/102139731/102139865/gnso-EPDP-pcrt-Initial-Report-REC13_20181228.docx Unless you agreed on something during the F2F, I don't think we should remove JCA because of a single entity opposition - maybe staff can tell us if there have been other public comments specifically against JCA. Farzaneh On Wed, Jan 30, 2019 at 1:48 PM Heineman, Ashley <AHeineman@ntia.doc.gov> wrote:

Attaching the narrative version of the USG comments should it be of interest.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com>, Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

I agree with Thomas.

I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to!

As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table?

Farzaneh

On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja> wrote:

...

All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason.

Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect).

Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative.

I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios:

1. We say joint controllers and in fact the parties are independent controllers

In this scenario, there should not be any risk for the parties at all.

The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects.

2. We go for independent controllers and in fact a joint controller scenario is present

In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.:

- a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless.

I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so.

In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so.

Thanks for reading all this.

Best, Thomas

PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach.

Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email>:

Dear all,

I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here.

So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements:

*Art 28:* (processor) "Processing by a processor shall be governed *by a contract or other legal act*" *[emphasis added] * *Art 26:* (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, *by means of an arrangement between them*" *[emphasis added] *

I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 <http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states:

" Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner* by means of an agreement in writing between them*, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. *[emphasis added] *

So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data.

So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it.

Kind regards,

Alan

[image: Donuts Inc.] <http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc>

Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org> wrote:

...

Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.”

Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this.

Dan and Trang

ICANN Org Liaisons

*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org> *Reply-To: *"Rosette, Kristina" <rosettek@amazon.com> *Date: *Monday, January 28, 2019 at 5:14 PM *To: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

All,

Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rd sentence.

As revised, Recommendation 13 reads:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

Kristina

*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of *Sarah Wyld *Sent:* Monday, January 28, 2019 3:29 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Hello All,

Here is the RrSG's proposed text for Rec 13:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input.

--

Sarah Wyld

Domains Product Team

Tucows

+1.416 535 0123 Ext. 1392

On 1/23/2019 6:22 PM, Kurt Pritz wrote:

Hi Everyone:

With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)

*Discussion*

The language below is the same language proposed by the small team that reviewed the comments, but modified:

- as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and - by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.

I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.

*Proposed Recommendation #13 Language*

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [*Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.* ]

*Action:*

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Sincerely,

Kurt

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Hi Everyone: To me, it seems as if we are in agreement with a set of principles and a variety of wordings will suit our purpose. I believe we need to point directly to the thorough work done by several of our team that indicates that JCAs are an appropriate solution in many of the data processing cases. Before we made any recommendation, we started with this analysis of data, purposes, etc. I also have learned that the responsibilities of the parties (contracted parties and ICANN) will vary for each purpose even for each data processing step. There is analysis left to go. Taking into account the Initial Report Recommendation, the work of the small group subsequent to that, and the comments on this list, I’d like to settle on the following wording: "The EPDP Team recommends that ICANN Org develop and implement any required data protection arrangements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall clearly specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team ("Processors, Controllers, Co-Controllers and Joint Controllers," above in this Final Report).” In addition, if Thomas or others wish to augment the analysis in the Initial Report with his email that are part of this chain (about avoiding liability), we should include that as an individual contribution to the team analysis. It’s my hope we can accept this as a team. Thanks for letting me weigh in on this and thank for the energy that’s gone into this discussion and the others. Best regards, Kurt

On Jan 30, 2019, at 11:22 AM, Heineman, Ashley <AHeineman@ntia.doc.gov> wrote:

I won't belabor this, but just to correct the record, the USG does not ask that the recommendation be deleted. It does however specifically express concern about the EPDP proposing a "specific legal vehicle (i.e., Joint Controller Agreement)."

From: farzaneh badii <farzaneh.badii@gmail.com> Sent: Wednesday, January 30, 2019 1:57 PM To: Heineman, Ashley Cc: Thomas Rickert; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

it seems like USG has suggested deleting the whole recommendation. I do not see any other opposition against JCA. https://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool?prev... <>

Unless you agreed on something during the F2F, I don't think we should remove JCA because of a single entity opposition - maybe staff can tell us if there have been other public comments specifically against JCA.

Farzaneh

On Wed, Jan 30, 2019 at 1:48 PM Heineman, Ashley <AHeineman@ntia.doc.gov <mailto:AHeineman@ntia.doc.gov>> wrote: Attaching the narrative version of the USG comments should it be of interest.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov <mailto:AHeineman@ntia.doc.gov>> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com <mailto:farzaneh.badii@gmail.com>>, Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com <mailto:farzaneh.badii@gmail.com>> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

I agree with Thomas.

I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to!

As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table?

Farzaneh

On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja> wrote: All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason.

Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect).

Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative.

I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios:

1. We say joint controllers and in fact the parties are independent controllers

In this scenario, there should not be any risk for the parties at all.

The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects.

2. We go for independent controllers and in fact a joint controller scenario is present

In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.:

- a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless.

I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so.

In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so.

Thanks for reading all this.

Best, Thomas

PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach.

...

Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email <mailto:alan@donuts.email>>:

Dear all,

I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here.

So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements:

Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act"[emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added]

I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 <http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states:

" Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added]

So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data.

So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it.

Kind regards,

Alan

<http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org <mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this.

Dan and Trang ICANN Org Liaisons

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org <mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com <mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

All, <>

Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rdsentence.

As revised, Recommendation 13 reads:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina

From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org <mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392

On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>

---

Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Deasr Chfris Thanks for replyx asnd comments I have had problems with the qualifider such as " as appropriate " due to the fact that swe do not know who and how it swill be deciddd to be or nmot to be appropaiate . I sughgest tzhat thde language in the Kurt^s edit is good if we add by either party or both parties as mutually agreed Regards Kavouss On Mon, Feb 4, 2019 at 10:58 AM Chris Disspain < chris.disspain@board.icann.org> wrote:

Hi Kurt,

I think your suggested language below brings together all of the points of view.

I do have one concern regarding the indemnification language “Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing”. This goes beyond my understanding of ICANN’s plan to explore ways to possibly reduce risk to the contracted parties with respect to providing access to non-public WHOIS data through a unified access model. As currently drafted, I think the language might prove challenging when it comes time for the Board to consider this recommendation.

Trang also raised a related question about indemnification where she noted that it’s not clear that liability should necessarily always rest with the party or parties that determine the purposes and means of processing, for example in the case of a data breach.

I think both of these points could be addressed if the sentence were edited to say something to the effect of: “Indemnification should be addressed as appropriate as part of the arrangements between ICANN, registries, and registrars.”

I hope this makes sense. Happy to discuss as always.

Cheers,

CD

On 30 Jan 2019, at 19:53, Kurt Pritz <kurt@kjpritz.com> wrote:

Hi Everyone:

To me, it seems as if we are in agreement with a set of principles and a variety of wordings will suit our purpose.

I believe we need to point directly to the thorough work done by several of our team that indicates that JCAs are an appropriate solution in many of the data processing cases. Before we made any recommendation, we started with this analysis of data, purposes, etc.

I also have learned that the responsibilities of the parties (contracted parties and ICANN) will vary for each purpose even for each data processing step. There is analysis left to go.

Taking into account the Initial Report Recommendation, the work of the small group subsequent to that, and the comments on this list, I’d like to settle on the following wording:

"The EPDP Team recommends that ICANN Org develop and implement any required data protection arrangements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall clearly specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team ("Processors, Controllers, Co-Controllers and Joint Controllers," above in this Final Report).”

In addition, if Thomas or others wish to augment the analysis in the Initial Report with his email that are part of this chain (about avoiding liability), we should include that as an individual contribution to the team analysis.

It’s my hope we can accept this as a team.

Thanks for letting me weigh in on this and thank for the energy that’s gone into this discussion and the others.

Best regards,

Kurt

On Jan 30, 2019, at 11:22 AM, Heineman, Ashley <AHeineman@ntia.doc.gov> wrote:

I won't belabor this, but just to correct the record, the USG does not ask that the recommendation be deleted. It does however specifically express concern about the EPDP proposing a "specific legal vehicle (i.e., Joint Controller Agreement)."

------------------------------ *From:* farzaneh badii <farzaneh.badii@gmail.com> *Sent:* Wednesday, January 30, 2019 1:57 PM *To:* Heineman, Ashley *Cc:* Thomas Rickert; gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

it seems like USG has suggested deleting the whole recommendation. I do not see any other opposition against JCA. h ttps://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool?preview=/102139731/102139865/gnso-EPDP-pcrt-Initial-Report-REC13_20181228.docx

Unless you agreed on something during the F2F, I don't think we should remove JCA because of a single entity opposition - maybe staff can tell us if there have been other public comments specifically against JCA.

Farzaneh

On Wed, Jan 30, 2019 at 1:48 PM Heineman, Ashley <AHeineman@ntia.doc.gov> wrote:

Attaching the narrative version of the USG comments should it be of interest.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com>, Thomas Rickert < epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

I agree with Thomas.

I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to!

As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table?

Farzaneh

On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja> wrote:

All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason.

Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect).

Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative.

I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios:

1. We say joint controllers and in fact the parties are independent controllers

In this scenario, there should not be any risk for the parties at all.

The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects.

2. We go for independent controllers and in fact a joint controller scenario is present

In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.:

- a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless.

I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so.

In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so.

Thanks for reading all this.

Best, Thomas

PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach.

Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email>:

Dear all,

I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here.

So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements:

*Art 28:* (processor) "Processing by a processor shall be governed *by a contract or other legal act*"*[emphasis added] * *Art 26:* (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, *by means of an arrangement between them*" *[emphasis added] *

I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 <http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states:

" Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner* by means of an agreement in writing between them*, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. *[emphasis added] *

So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data.

So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it.

Kind regards,

Alan

[image: Donuts Inc.] <http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc>

Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org> wrote:

Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this.

Dan and Trang ICANN Org Liaisons

*From: *Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org> *Reply-To: *"Rosette, Kristina" <rosettek@amazon.com> *Date: *Monday, January 28, 2019 at 5:14 PM *To: *"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> *Subject: *Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

All,

Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rdsentence.

As revised, Recommendation 13 reads:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina

*From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] *On Behalf Of *Sarah Wyld *Sent:* Monday, January 28, 2019 3:29 PM *To:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion

Hello All, Here is the RrSG's proposed text for Rec 13:

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input.

--

Sarah Wyld

Domains Product Team

Tucows

+1.416 535 0123 Ext. 1392

On 1/23/2019 6:22 PM, Kurt Pritz wrote:

Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) *Discussion* The language below is the same language proposed by the small team that reviewed the comments, but modified:

- as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and - by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. *Proposed Recommendation #13 Language* The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [*Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.*] *Action:* Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Hi, RySG is still considering Chris’ proposed change to the indemnification language, and may wish to discuss. We had separate comments on Recommendation 13, namely: 1. RySG disagrees that “arrangements” is the correct word (instead of “agreements”). However, RySG is willing to agree to use of “arrangements” if (i) ICANN Org confirms by email to the list that “arrangements” is intended to refer to a legally binding instrument; and (ii) the recommendation contains a footnote that says this (ICANN Org confirmed that “arrangement” is intended to refer to a legally binding instrument.) along with a citation to the date and author of that email. We note the recent ICANN Org reference to Article 26, which deals with Joint Controllers. Given the ICANN Org position that ICANN is not a joint controller, on the one hand, it seems inconsistent to cite that Article as the basis for use of “arrangements,” on the other hand. 2. Separate from the issue Chris has raised below, RySG believes that the language in the original sentence should be changed from “Indemnification clauses shall” to “Indemnification clauses should.” The RAs for some gTLDs (.arab, .amsterdam, and .helsinki, for example) do not indemnify ICANN because of the governmental status of the RO. Changing from “shall” to “should” respects that existing arrangement. RySG’s comment #1 above also applies to use of “arrangements” in Recommendation 14. K From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Kurt Pritz Sent: Tuesday, February 05, 2019 1:37 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi everyone: You have seen Chris’ suggested language for Recommendation 13 below (and Kavouss’ response). The result is a less prescriptive or precise recommendation but also alerts us to possible reaction by the ICANN Board. Please let me know if you disagree with or wish to discuss Chris’ recommendation. It would be great to receive feedback today so that we can schedule a discussion if need be, but please respond by tomorrow at the latest. Thanks and regards, Kurt On Feb 4, 2019, at 1:58 AM, Chris Disspain <chris.disspain@board.icann.org<mailto:chris.disspain@board.icann.org>> wrote: Hi Kurt, I think your suggested language below brings together all of the points of view. I do have one concern regarding the indemnification language “Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing”. This goes beyond my understanding of ICANN’s plan to explore ways to possibly reduce risk to the contracted parties with respect to providing access to non-public WHOIS data through a unified access model. As currently drafted, I think the language might prove challenging when it comes time for the Board to consider this recommendation. Trang also raised a related question about indemnification where she noted that it’s not clear that liability should necessarily always rest with the party or parties that determine the purposes and means of processing, for example in the case of a data breach. I think both of these points could be addressed if the sentence were edited to say something to the effect of: “Indemnification should be addressed as appropriate as part of the arrangements between ICANN, registries, and registrars.” I hope this makes sense. Happy to discuss as always. Cheers, CD On 30 Jan 2019, at 19:53, Kurt Pritz <kurt@kjpritz.com<mailto:kurt@kjpritz.com>> wrote: Hi Everyone: To me, it seems as if we are in agreement with a set of principles and a variety of wordings will suit our purpose. I believe we need to point directly to the thorough work done by several of our team that indicates that JCAs are an appropriate solution in many of the data processing cases. Before we made any recommendation, we started with this analysis of data, purposes, etc. I also have learned that the responsibilities of the parties (contracted parties and ICANN) will vary for each purpose even for each data processing step. There is analysis left to go. Taking into account the Initial Report Recommendation, the work of the small group subsequent to that, and the comments on this list, I’d like to settle on the following wording: "The EPDP Team recommends that ICANN Org develop and implement any required data protection arrangements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall clearly specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team ("Processors, Controllers, Co-Controllers and Joint Controllers," above in this Final Report).” In addition, if Thomas or others wish to augment the analysis in the Initial Report with his email that are part of this chain (about avoiding liability), we should include that as an individual contribution to the team analysis. It’s my hope we can accept this as a team. Thanks for letting me weigh in on this and thank for the energy that’s gone into this discussion and the others. Best regards, Kurt On Jan 30, 2019, at 11:22 AM, Heineman, Ashley <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> wrote: I won't belabor this, but just to correct the record, the USG does not ask that the recommendation be deleted. It does however specifically express concern about the EPDP proposing a "specific legal vehicle (i.e., Joint Controller Agreement)." ________________________________ From: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Sent: Wednesday, January 30, 2019 1:57 PM To: Heineman, Ashley Cc: Thomas Rickert; gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion it seems like USG has suggested deleting the whole recommendation. I do not see any other opposition against JCA. https://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool?prev... Unless you agreed on something during the F2F, I don't think we should remove JCA because of a single entity opposition - maybe staff can tell us if there have been other public comments specifically against JCA. Farzaneh On Wed, Jan 30, 2019 at 1:48 PM Heineman, Ashley <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> wrote: Attaching the narrative version of the USG comments should it be of interest. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>>, Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion I agree with Thomas. I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to! As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table? Farzaneh On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> wrote: All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason. Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect). Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative. I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios: 1. We say joint controllers and in fact the parties are independent controllers In this scenario, there should not be any risk for the parties at all. The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects. 2. We go for independent controllers and in fact a joint controller scenario is present In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.: - a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless. I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so. In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so. Thanks for reading all this. Best, Thomas PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach. Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email<mailto:alan@donuts.email>>: Dear all, I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here. So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements: Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act"[emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added] I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018<http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states: " Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added] So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data. So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it. Kind regards, Alan [Donuts Inc.]<http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ________________________________ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland [http://storage.googleapis.com/signaturesatori/icons/facebook.png]<https://www.facebook.com/donutstlds> [http://storage.googleapis.com/signaturesatori/icons/twitter.png] <https://twitter.com/DonutsInc> [http://storage.googleapis.com/signaturesatori/icons/linkedin.png] <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org<mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this. Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com<mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion All, Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rdsentence. As revised, Recommendation 13 reads: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

How about “a legally binding arrangement”? I think that would cover all interesting cases. From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Trang Nguyen Sent: Wednesday, February 6, 2019 15:15 To: Rosette, Kristina <rosettek@amazon.com>; Kurt Pritz <kurt@kjpritz.com>; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi Kristina, All, Regarding “arrangement” versus “agreement”, ICANN org previously stated that “arrangement” could “take the form of an agreement, a policy, or a specification.” All of these would be legally binding. Here’s a link to the message where we previously stated this: https://mm.icann.org/pipermail/gnso-epdp-team/2019-January/001367.html<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fpipermail%2Fgnso-epdp-team%2F2019-January%2F001367.html&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226378566&sdata=Ea%2BH76pis0UVc6lvwlftUs3U7t93AAS9kTaWTBw44lI%3D&reserved=0>. Best, Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com<mailto:rosettek@amazon.com>> Date: Tuesday, February 5, 2019 at 6:39 PM To: Kurt Pritz <kurt@kjpritz.com<mailto:kurt@kjpritz.com>>, "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi, RySG is still considering Chris’ proposed change to the indemnification language, and may wish to discuss. We had separate comments on Recommendation 13, namely: 1. RySG disagrees that “arrangements” is the correct word (instead of “agreements”). However, RySG is willing to agree to use of “arrangements” if (i) ICANN Org confirms by email to the list that “arrangements” is intended to refer to a legally binding instrument; and (ii) the recommendation contains a footnote that says this (ICANN Org confirmed that “arrangement” is intended to refer to a legally binding instrument.) along with a citation to the date and author of that email. We note the recent ICANN Org reference to Article 26, which deals with Joint Controllers. Given the ICANN Org position that ICANN is not a joint controller, on the one hand, it seems inconsistent to cite that Article as the basis for use of “arrangements,” on the other hand. 2. Separate from the issue Chris has raised below, RySG believes that the language in the original sentence should be changed from “Indemnification clauses shall” to “Indemnification clauses should.” The RAs for some gTLDs (.arab, .amsterdam, and .helsinki, for example) do not indemnify ICANN because of the governmental status of the RO. Changing from “shall” to “should” respects that existing arrangement. RySG’s comment #1 above also applies to use of “arrangements” in Recommendation 14. K From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Kurt Pritz Sent: Tuesday, February 05, 2019 1:37 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi everyone: You have seen Chris’ suggested language for Recommendation 13 below (and Kavouss’ response). The result is a less prescriptive or precise recommendation but also alerts us to possible reaction by the ICANN Board. Please let me know if you disagree with or wish to discuss Chris’ recommendation. It would be great to receive feedback today so that we can schedule a discussion if need be, but please respond by tomorrow at the latest. Thanks and regards, Kurt On Feb 4, 2019, at 1:58 AM, Chris Disspain <chris.disspain@board.icann.org<mailto:chris.disspain@board.icann.org>> wrote: Hi Kurt, I think your suggested language below brings together all of the points of view. I do have one concern regarding the indemnification language “Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing”. This goes beyond my understanding of ICANN’s plan to explore ways to possibly reduce risk to the contracted parties with respect to providing access to non-public WHOIS data through a unified access model. As currently drafted, I think the language might prove challenging when it comes time for the Board to consider this recommendation. Trang also raised a related question about indemnification where she noted that it’s not clear that liability should necessarily always rest with the party or parties that determine the purposes and means of processing, for example in the case of a data breach. I think both of these points could be addressed if the sentence were edited to say something to the effect of: “Indemnification should be addressed as appropriate as part of the arrangements between ICANN, registries, and registrars.” I hope this makes sense. Happy to discuss as always. Cheers, CD On 30 Jan 2019, at 19:53, Kurt Pritz <kurt@kjpritz.com<mailto:kurt@kjpritz.com>> wrote: Hi Everyone: To me, it seems as if we are in agreement with a set of principles and a variety of wordings will suit our purpose. I believe we need to point directly to the thorough work done by several of our team that indicates that JCAs are an appropriate solution in many of the data processing cases. Before we made any recommendation, we started with this analysis of data, purposes, etc. I also have learned that the responsibilities of the parties (contracted parties and ICANN) will vary for each purpose even for each data processing step. There is analysis left to go. Taking into account the Initial Report Recommendation, the work of the small group subsequent to that, and the comments on this list, I’d like to settle on the following wording: "The EPDP Team recommends that ICANN Org develop and implement any required data protection arrangements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall clearly specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team ("Processors, Controllers, Co-Controllers and Joint Controllers," above in this Final Report).” In addition, if Thomas or others wish to augment the analysis in the Initial Report with his email that are part of this chain (about avoiding liability), we should include that as an individual contribution to the team analysis. It’s my hope we can accept this as a team. Thanks for letting me weigh in on this and thank for the energy that’s gone into this discussion and the others. Best regards, Kurt On Jan 30, 2019, at 11:22 AM, Heineman, Ashley <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> wrote: I won't belabor this, but just to correct the record, the USG does not ask that the recommendation be deleted. It does however specifically express concern about the EPDP proposing a "specific legal vehicle (i.e., Joint Controller Agreement)." ________________________________ From: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Sent: Wednesday, January 30, 2019 1:57 PM To: Heineman, Ashley Cc: Thomas Rickert; gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion it seems like USG has suggested deleting the whole recommendation. I do not see any other opposition against JCA. https://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool?preview=/102139731/102139865/gnso-EPDP-pcrt-Initial-Report-REC13_20181228.docx<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunity.icann.org%2Fdisplay%2FEOTSFGRD%2FPublic%2BComment%2BReview%2BTool%3Fpreview%3D%2F102139731%2F102139865%2Fgnso-EPDP-pcrt-Initial-Report-REC13_20181228.docx&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226388575&sdata=ISgcpay1cVSi6EX5xHFCZcMWW6e64fNlP6%2FoNljrW8U%3D&reserved=0> Unless you agreed on something during the F2F, I don't think we should remove JCA because of a single entity opposition - maybe staff can tell us if there have been other public comments specifically against JCA. Farzaneh On Wed, Jan 30, 2019 at 1:48 PM Heineman, Ashley <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> wrote: Attaching the narrative version of the USG comments should it be of interest. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>>, Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion I agree with Thomas. I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to! As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table? Farzaneh On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> wrote: All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason. Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect). Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative. I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios: 1. We say joint controllers and in fact the parties are independent controllers In this scenario, there should not be any risk for the parties at all. The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects. 2. We go for independent controllers and in fact a joint controller scenario is present In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.: - a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless. I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so. In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so. Thanks for reading all this. Best, Thomas PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach. Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email<mailto:alan@donuts.email>>: Dear all, I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here. So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements: Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act"[emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added] I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 [irishstatutebook.ie]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__www.irishstatutebook.ie_eli_2018_act_7_section_79_enacted_en_html-23sec79%26d%3DDwMGaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DNghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY%26m%3D60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU%26s%3DPyMXBr9-MlHnrZWj208jzbAJlPrj-2fx-uw5y7nK5to%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226398583&sdata=xYmMK7X3ldCCx8MYOznWiaWhydjHCObojCRT9Qh8Njc%3D&reserved=0>. Section 79. which states: " Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added] So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data. So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it. Kind regards, Alan [Image removed by sender. Donuts Inc.][donuts.domains]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttp-3A__donuts.domains_%26d%3DDwMGaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DNghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY%26m%3D60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU%26s%3DJrlpwOlEJnzzh3G1NR5FDj0jhe6HVKZXvUYOGg2Cun0%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226408596&sdata=jv42fuJRG8CNHFJ8RSfI3SeXZk9u4FOL1nIzECScmvI%3D&reserved=0> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ________________________________ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland [Image removed by sender.][facebook.com]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.facebook.com_donutstlds%26d%3DDwMGaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DNghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY%26m%3D60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU%26s%3DaOoTjhYir-RhnHQaEwTV61pyXtEnkdGaK1j4uBuaJZo%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226408596&sdata=HyCp8eJGNbzcB4hn%2Bl4kWJ4JXh4DBP4ArqGbu%2BQLURM%3D&reserved=0> [Image removed by sender.] [twitter.com]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__twitter.com_DonutsInc%26d%3DDwMGaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DNghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY%26m%3D60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU%26s%3DIt9hqgV4Yer_p90acKYWPnWmq5aMxr_hlkz07lHfwko%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226418604&sdata=yfhXskKQWIbjGZ0%2FSERNcrGA2j3UXyI0h8la3BbckhU%3D&reserved=0> [Image removed by sender.] [linkedin.com]<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__www.linkedin.com_company_donuts-2Dinc%26d%3DDwMGaQ%26c%3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM%26r%3DNghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY%26m%3D60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU%26s%3DOQ027vc-UfMSJz5v8VrwUceoLRadiMoz5DDefCE1lbY%26e%3D&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226428612&sdata=enCn4nqCLUEY06fgetnuPMAQFkF1rIik3lfgvOAfTCM%3D&reserved=0> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org<mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this. Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com<mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion All, Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rdsentence. As revised, Recommendation 13 reads: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226428612&sdata=6Ff%2F8qPYAxuKaIY%2Fe6dlCMaOdivTHiyOZW6K1IeptJk%3D&reserved=0> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226438616&sdata=R7UcFvtYXyqgXZayD%2FIU0X2sjKxvbhYLxkUA1JSjkO0%3D&reserved=0> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226438616&sdata=R7UcFvtYXyqgXZayD%2FIU0X2sjKxvbhYLxkUA1JSjkO0%3D&reserved=0> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226448625&sdata=W%2Febq63DlFWNgC5vbZwMtr2eW5hkzSoxBpd%2B%2FfMhr3s%3D&reserved=0> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226458633&sdata=jmfT6iS84y6tYG15PUfSP2tsLBHLT1GhAvZzvz1vq7k%3D&reserved=0> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7C12b360caa97642fb952508d68c88f62e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636850917226458633&sdata=jmfT6iS84y6tYG15PUfSP2tsLBHLT1GhAvZzvz1vq7k%3D&reserved=0>

And as someone just pointed out, the same consistency should be applied to recommendation itself by updating agreement to arrangement in the two other instances in the recommendation (see below). Best regards, Caitlin, Berry and Marika From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Marika Konings <marika.konings@icann.org> Date: Thursday, February 7, 2019 at 12:04 To: Trang Nguyen <trang.nguyen@icann.org>, "Rosette, Kristina" <rosettek@amazon.com>, Kurt Pritz <kurt@kjpritz.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Based on the discussions to date, staff would propose to include the following language in the Final Report, which should align with the input received to date: The EPDP Team recommends that ICANN Org develop and implement any required data protection arrangements*, as appropriate, with the Contracted Parties. In addition to the legally required components of such arrangement agreement, the agreement arrangement shall clearly specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification should be addressed as appropriate as part of the arrangements between ICANN, registries, and registrars. Due consideration should be given to the analysis carried out by the EPDP Team ("Processors, Controllers, Co-Controllers and Joint Controllers," above in this Final Report). *(footnote) – ICANN Org has “stated that “arrangement” could take the form of an agreement, a policy, or a specification. All of these would be legally binding.” (see https://mm.icann.org/pipermail/gnso-epdp-team/2019-January/001367.html.) As no concerns have been expressed, staff will also go ahead and make the updates to the preceding section as proposed by Trang earlier this week (see https://mm.icann.org/pipermail/gnso-epdp-team/2019-February/001491.html). In line with requests for consistency, we would also apply the term ‘data protection arrangements’ to some of the other recommendations. If you have any concern about any of the above, please flag this as soon as possible. Best regards, Caitlin, Berry and Marika From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Trang Nguyen <trang.nguyen@icann.org> Date: Wednesday, February 6, 2019 at 17:15 To: "Rosette, Kristina" <rosettek@amazon.com>, Kurt Pritz <kurt@kjpritz.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi Kristina, All, Regarding “arrangement” versus “agreement”, ICANN org previously stated that “arrangement” could “take the form of an agreement, a policy, or a specification.” All of these would be legally binding. Here’s a link to the message where we previously stated this: https://mm.icann.org/pipermail/gnso-epdp-team/2019-January/001367.html. Best, Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org> Reply-To: "Rosette, Kristina" <rosettek@amazon.com> Date: Tuesday, February 5, 2019 at 6:39 PM To: Kurt Pritz <kurt@kjpritz.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi, RySG is still considering Chris’ proposed change to the indemnification language, and may wish to discuss. We had separate comments on Recommendation 13, namely: 1. RySG disagrees that “arrangements” is the correct word (instead of “agreements”). However, RySG is willing to agree to use of “arrangements” if (i) ICANN Org confirms by email to the list that “arrangements” is intended to refer to a legally binding instrument; and (ii) the recommendation contains a footnote that says this (ICANN Org confirmed that “arrangement” is intended to refer to a legally binding instrument.) along with a citation to the date and author of that email. We note the recent ICANN Org reference to Article 26, which deals with Joint Controllers. Given the ICANN Org position that ICANN is not a joint controller, on the one hand, it seems inconsistent to cite that Article as the basis for use of “arrangements,” on the other hand. 2. Separate from the issue Chris has raised below, RySG believes that the language in the original sentence should be changed from “Indemnification clauses shall” to “Indemnification clauses should.” The RAs for some gTLDs (.arab, .amsterdam, and .helsinki, for example) do not indemnify ICANN because of the governmental status of the RO. Changing from “shall” to “should” respects that existing arrangement. RySG’s comment #1 above also applies to use of “arrangements” in Recommendation 14. K From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Kurt Pritz Sent: Tuesday, February 05, 2019 1:37 PM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi everyone: You have seen Chris’ suggested language for Recommendation 13 below (and Kavouss’ response). The result is a less prescriptive or precise recommendation but also alerts us to possible reaction by the ICANN Board. Please let me know if you disagree with or wish to discuss Chris’ recommendation. It would be great to receive feedback today so that we can schedule a discussion if need be, but please respond by tomorrow at the latest. Thanks and regards, Kurt On Feb 4, 2019, at 1:58 AM, Chris Disspain <chris.disspain@board.icann.org<mailto:chris.disspain@board.icann.org>> wrote: Hi Kurt, I think your suggested language below brings together all of the points of view. I do have one concern regarding the indemnification language “Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing”. This goes beyond my understanding of ICANN’s plan to explore ways to possibly reduce risk to the contracted parties with respect to providing access to non-public WHOIS data through a unified access model. As currently drafted, I think the language might prove challenging when it comes time for the Board to consider this recommendation. Trang also raised a related question about indemnification where she noted that it’s not clear that liability should necessarily always rest with the party or parties that determine the purposes and means of processing, for example in the case of a data breach. I think both of these points could be addressed if the sentence were edited to say something to the effect of: “Indemnification should be addressed as appropriate as part of the arrangements between ICANN, registries, and registrars.” I hope this makes sense. Happy to discuss as always. Cheers, CD On 30 Jan 2019, at 19:53, Kurt Pritz <kurt@kjpritz.com<mailto:kurt@kjpritz.com>> wrote: Hi Everyone: To me, it seems as if we are in agreement with a set of principles and a variety of wordings will suit our purpose. I believe we need to point directly to the thorough work done by several of our team that indicates that JCAs are an appropriate solution in many of the data processing cases. Before we made any recommendation, we started with this analysis of data, purposes, etc. I also have learned that the responsibilities of the parties (contracted parties and ICANN) will vary for each purpose even for each data processing step. There is analysis left to go. Taking into account the Initial Report Recommendation, the work of the small group subsequent to that, and the comments on this list, I’d like to settle on the following wording: "The EPDP Team recommends that ICANN Org develop and implement any required data protection arrangements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall clearly specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team ("Processors, Controllers, Co-Controllers and Joint Controllers," above in this Final Report).” In addition, if Thomas or others wish to augment the analysis in the Initial Report with his email that are part of this chain (about avoiding liability), we should include that as an individual contribution to the team analysis. It’s my hope we can accept this as a team. Thanks for letting me weigh in on this and thank for the energy that’s gone into this discussion and the others. Best regards, Kurt On Jan 30, 2019, at 11:22 AM, Heineman, Ashley <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> wrote: I won't belabor this, but just to correct the record, the USG does not ask that the recommendation be deleted. It does however specifically express concern about the EPDP proposing a "specific legal vehicle (i.e., Joint Controller Agreement)." ________________________________ From: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Sent: Wednesday, January 30, 2019 1:57 PM To: Heineman, Ashley Cc: Thomas Rickert; gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion it seems like USG has suggested deleting the whole recommendation. I do not see any other opposition against JCA. https://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool?prev... Unless you agreed on something during the F2F, I don't think we should remove JCA because of a single entity opposition - maybe staff can tell us if there have been other public comments specifically against JCA. Farzaneh On Wed, Jan 30, 2019 at 1:48 PM Heineman, Ashley <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> wrote: Attaching the narrative version of the USG comments should it be of interest. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov<mailto:AHeineman@ntia.doc.gov>> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>>, Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com<mailto:farzaneh.badii@gmail.com>> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> Cc: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion I agree with Thomas. I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to! As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table? Farzaneh On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja<mailto:epdp@gdpr.ninja>> wrote: All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason. Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect). Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative. I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios: 1. We say joint controllers and in fact the parties are independent controllers In this scenario, there should not be any risk for the parties at all. The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects. 2. We go for independent controllers and in fact a joint controller scenario is present In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.: - a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless. I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so. In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so. Thanks for reading all this. Best, Thomas PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach. Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email<mailto:alan@donuts.email>>: Dear all, I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here. So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements: Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act"[emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added] I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018 [irishstatutebook.ie]<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.irishstatutebook.ie_eli_2018_act_7_section_79_enacted_en_html-23sec79&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU&s=PyMXBr9-MlHnrZWj208jzbAJlPrj-2fx-uw5y7nK5to&e=>. Section 79. which states: " Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added] So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data. So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it. Kind regards, Alan [Image removed by sender. Donuts Inc.][donuts.domains]<https://urldefense.proofpoint.com/v2/url?u=http-3A__donuts.domains_&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU&s=JrlpwOlEJnzzh3G1NR5FDj0jhe6HVKZXvUYOGg2Cun0&e=> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ________________________________ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland [Image removed by sender.][facebook.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.facebook.com_donutstlds&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU&s=aOoTjhYir-RhnHQaEwTV61pyXtEnkdGaK1j4uBuaJZo&e=> [Image removed by sender.] [twitter.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__twitter.com_DonutsInc&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU&s=It9hqgV4Yer_p90acKYWPnWmq5aMxr_hlkz07lHfwko&e=> [Image removed by sender.] [linkedin.com]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_donuts-2Dinc&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=NghSLFqweTwAOFMJpbYA3LcVJ0Vvvw6-wxrKoS5l6VY&m=60m_aOsdEkY6GWkjCHR57L9EfaJYZUyZobpMTpXUfjU&s=OQ027vc-UfMSJz5v8VrwUceoLRadiMoz5DDefCE1lbY&e=> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org<mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this. Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com<mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion All, Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rdsentence. As revised, Recommendation 13 reads: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

I think it is self explanatory, but I would be happy to explain further later today. In short, the US comments are basically what Kurt's last email articulated and to a certain extent ICANN'S (at a much higher level). I have been up all night with a sick child and I am sick as well (just can't win). Will do my best to be on the call later. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: "Mueller, Milton L" <milton@gatech.edu> Date: 1/30/19 21:12 (GMT-05:00) To: "Heineman, Ashley" <AHeineman@ntia.doc.gov>, Farzaneh Badiei <farzaneh.badii@gmail.com>, Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: RE: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion I’ve read these and I still don’t know. --MM From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Heineman, Ashley Sent: Wednesday, January 30, 2019 1:48 PM To: Farzaneh Badiei <farzaneh.badii@gmail.com>; Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Attaching the narrative version of the USG comments should it be of interest. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: "Heineman, Ashley" <AHeineman@ntia.doc.gov> Date: 1/30/19 13:44 (GMT-05:00) To: farzaneh badii <farzaneh.badii@gmail.com>, Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion For what it is worth, the USG comments caution against getting into legal specifics as they pertain to agreements. Sent from my Verizon, Samsung Galaxy smartphone -------- Original message -------- From: farzaneh badii <farzaneh.badii@gmail.com> Date: 1/30/19 13:36 (GMT-05:00) To: Thomas Rickert <epdp@gdpr.ninja> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion I agree with Thomas. I do not agree that we should be after giving "flexibility" to ICANN org and CPs. But since some public comments asked for such flexibility, then I think we should provide them a framework, the framework should consider ( as I gather from Alan and Thomas emails) legal, binding instruments that minimize the risk of fine and provides the appropriate and legal level of data protection for domain name registrants[ - sorry I am being sinful today]. I can live with what Kristina has proposed [Personal opinion] But I also want to point out that no one in the public comments is against having JCA. So why we are changing that I do not know. I don't think JCA will take away flexibility (as .Chris suggests). If we want to give flexibility to org and CPs that is fine but we have to provide them with a set of criteria to work with. Otherwise, what is the point of this recommendation? They would have done agreements and contracts even without it. The law asks them to! As to Trang's point about indemnification, I am a little confused. I didn't see any ICANN legal concern raised in the public comment, is this a new issue being raised now? Are we bringing new issues to the table? Farzaneh On Wed, Jan 30, 2019 at 12:41 PM Thomas Rickert <epdp@gdpr.ninja> wrote: All, I still think it is a mistake to dilute the language from where we were before we published the initial report. We are in in the process of analyzing public comment and establishing whether the comments received require us to amend our report / recommendations. What we heard and read were primarily implementation issues, which - as I hope we can agree by now - must not guide our decision, but the actually circumstances. Additionally, we heard and read about concerns, but no alternative has been suggested that would be a better solution to what we agreed on earlier. To me, that does not require a change of our recommendation. We are replacing a concrete recommendation with something vague without good reason. Also, the language in our initial report allows for a change of model as we had the language in there that our recommendation is subject to further legal analysis (or something to that effect). Thus, the JCA approach should be the starting point and only be deviated from if there is a sufficiently robust alternative. I trust what unites us is the interest in ensuring that no-one in the ICANN ecosystem will be fined. Let’s just imagine two scenarios: 1. We say joint controllers and in fact the parties are independent controllers In this scenario, there should not be any risk for the parties at all. The reason for this assumption is that the data flows between joint controllers need to be legally sound as between third parties (or independent controller for that matter). Also, JCAs provide probably the highest protection level for data subjects. 2. We go for independent controllers and in fact a joint controller scenario is present In this case, legal requirements would not be fulfilled. There would be a breach that could be sanctioned. In a proceeding with a supervisory authority, the authority will surely review the documents publicly available, which are eg.: - a letter from the Art 29 WP suggesting a joint controller scenario might be present - a memo from Wilson Sonsini pointing in the direction of joint controllers - a memo from Hamilton suggesting a joint controller scenario - a memo from ICANN quoting from the above and concluding that it should be independent controllers nonetheless. I am afraid that the authorities will then say that we could have known that joint controllers should be the way to go and that we increase the liability risk for everyone by not doing so. In other words, we would need to have very good reasons not to go for a joint controller scenario. The language in the initial report ensures that. The revised language not much so. Thanks for reading all this. Best, Thomas PS - In practical terms, I think joint controller agreements can be operationalized without insurmountable difficulties. In the long run, we should apply for a code of conduct anyway and we could present a different approach than joint controllers. If there is blessing for an alternative form the authorities via that route or by means of a guidance or other confirmation, we can certainly take a different and potentially more light-weight approach. Am 30.01.2019 um 14:40 schrieb Alan Woods <alan@donuts.email<mailto:alan@donuts.email>>: Dear all, I am perplexed, if not a little bit frustrated by continuous tendency to wordsmith matters out of existence here. So this end, and regardless of the ultimate settling of Roles and Responsibilities can we just go back to basic principles and remind ourselves of the GDPR's requirements: Art 28: (processor) "Processing by a processor shall be governed by a contract or other legal act" [emphasis added] Art 26: (Joint Controllers) "They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them" [emphasis added] I appreciate this is likely where Trang's suggestion is deriving from and I have no real issue with the concept of 'Arrangement' - but can we please be very clear, that as a contracted party, who's lead DPA is clearly going to be Ireland (as will also be the case for a number of other CPs), my interpretation MUST be led by the laws which will be applicable to me, which is the Data Protection Act, 2018<http://www.irishstatutebook.ie/eli/2018/act/7/section/79/enacted/en/html#sec79>. Section 79. which states: " Where 2 or more controllers jointly determine the purposes and means of the processing of personal data (in this Part referred to as “joint controllers”), they shall determine their respective responsibilities for compliance with this Part in a transparent manner by means of an agreement in writing between them, save in so far as the said responsibilities are determined by the law of the European Union or the law of the State. [emphasis added] So regardless of whether or not we are considered Processors, Controllers or Joint controllers at some point in time, CPs will require a Contract (or more correctly an addendum to our existing contracts) with ICANN, in writing, that governs the processing of data. So long as it is clear, on the record, that whatever word is used, be it agreement, arrangement, or Ketubah, it means a legally binding instrument, then I'm fine with it. Kind regards, Alan [Image removed by sender. Donuts Inc.]<http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ________________________________ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland [Image removed by sender.]<https://www.facebook.com/donutstlds> [Image removed by sender.] <https://twitter.com/DonutsInc> [Image removed by sender.] <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Jan 29, 2019 at 1:18 AM Trang Nguyen <trang.nguyen@icann.org<mailto:trang.nguyen@icann.org>> wrote: Thank you, Sarah and Kristina for circulating revised text for recommendation 13. We would like to make one additional suggestion: replace “…negotiates and enters into required data protection agreements…” with “…develop and implement any required data protection arrangements…” Referring to an “arrangement” instead of an “agreement” would provide greater flexibility during implementation, which might take the form of an agreement, a policy, or a specification. Accordingly, the following sentence should also refer to “arrangement” instead of “agreement.” Also, we would like to ask for clarity on the sentence regarding indemnification. Implementation discussions will work out the details of allocation of responsibility and liability and it’s not clear that liability should necessarily always rest with the party or parties that determine(s) the purposes and means of processing, for example in the case of a data breach. We look forward to additional discussions with the EPDP Team on this. Dan and Trang ICANN Org Liaisons From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>> on behalf of "Rosette, Kristina via Gnso-epdp-team" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Reply-To: "Rosette, Kristina" <rosettek@amazon.com<mailto:rosettek@amazon.com>> Date: Monday, January 28, 2019 at 5:14 PM To: "gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>" <gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org>> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion All, Subject to a friendly amendment, RySG supports the RrSG proposed text for Recommendation 13. Our friendly amendment is to change “shall” to “should” in the 3rd sentence. As revised, Recommendation 13 reads: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Kristina From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org<mailto:gnso-epdp-team-bounces@icann.org>] On Behalf Of Sarah Wyld Sent: Monday, January 28, 2019 3:29 PM To: gnso-epdp-team@icann.org<mailto:gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hello All, Here is the RrSG's proposed text for Rec 13: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. The RrSG is aware that ICANN's status as controller, joint or independent, is not yet fully determined. As such, this proposed wording allows the flexibility to determine the appropriate type of data protection agreement following further input. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/23/2019 6:22 PM, Kurt Pritz wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Hi all I support Alan's point of view. While I understand the need to retain flexibility, and to avoid overly restrictive language that will cause problems later on, the word 'arrangement' could mean almost anything - from something that imposes legal benefits and responsibilities to something that's very informal, undocumented and just a way of working. So, I support use of the word 'agreement' instead of 'arrangement'. Best wishes Emily On Fri, Feb 8, 2019 at 1:02 PM Alan Woods <alan@donuts.email> wrote:

Just to be exceptionally clear and although I do not wish to belabor the point any farther, I still submit, on the record, that the correct term to be used in the recommendation is 'AGREEMENT'

Whereas I appreciate that ICANN have mirrored the GDPR language of Art 26 in their use of the word of 'arrangement' I believe it would make more sense to consider the subsequent interpretation of their lead DPA (i.e Belgium, as confirmed by the Belgian Autorité de Protection des Données (APD) letter of 15th January 2019 <https://www.icann.org/en/system/files/correspondence/debeuckelaere-to-marby-15jan19-en.pdf> and the therein referenced letter of September 26th, 2018 <https://www.icann.org/en/system/files/correspondence/debeuckelaere-to-marby-26sep18-en.pdf> ).

I would therefore respectfully submit that it remains more proper for our recommendation to therefore consider and mirror the Belgian legislatures and the APD's interpretation of the GDPR as being our guiding, if not determinative factor:

*1)* *Article 52* of the Loi relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel (30 July 2018) <http://www.ejustice.just.fgov.be/cgi_loi/loi_a.pl?language=fr&dt=LOI&chercher=t&choix1=ET&fr=f&choix2=ET&numero=12&table_name=LOI&fromtab=loi_all&imgcn.x=32&DETAIL=2018073046/F&nm=2018040581&imgcn.y=3&ddda=2018&sql=dt+contains++%27LOI%27+and+dd+=+date%272018-07-30%27and+actif+=+%27Y%27&rech=12&tri=dd+AS+RANK+&trier=promulgation&dddj=30&cn=2018073046&row_id=1&caller=image_a1&dddm=07&la=F&pdf_page=10&pdf_file=http://www.ejustice.just.fgov.be/mopdf/2018/09/05_1.pdf> (see page 27 of the Gazette as linked) requires

" *Un accord définit de manière transparente les obligations respectives

...

des responsables conjoints de traitement*, " [emphasis added],

Which translates to "*an agreement* which defines the respective obligations of the joint controllers" [emphasis added]

*2)* The APD have also released a legal notation of the July 2018 law <https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Notions_RT_ST.pdf>, and they note the joint controller requirement as being "*par voie d’accord*' (see page three under heading or again to translate, is an "by agreement". (see page 3 under the heading "*Responsables conjoints de traitment"*)

Therefore I still believe and submit that the ePDP teams original wording of "agreement" should stand, and I don't believe that ICANN's reference to their past statement i.e. "*arrangement”* could take the form of an agreement, a policy, or a specification" is sufficient as it dilutes the expectation of the APD. This is not sufficiently specific in the circumstances; nor does it provide the comfort that the ePDP team is seeking in this recommendation from ICANN.

Kind regards,

Alan

[image: Donuts Inc.] <http://donuts.domains> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc>

Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

On Fri, Feb 8, 2019 at 11:28 AM Kavouss Arasteh <kavouss.arasteh@gmail.com> wrote:

...

Dear Kurt I have indicated at several occasions that when we refer to an action to be performed by two parties / entities ,we need to indicated " as mutually agreed" The proposed text to be amended to read as below

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties, "AS MUTUALLY AGREED " that determine the purpose and means of the processing. [*Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.*]

*Action:*

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Please kindly insert that in the text

Regards

Kavouss

On Thu, Jan 24, 2019 at 12:23 AM Kurt Pritz <kurt@kjpritz.com> wrote:

...

Hi Everyone:

With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)

*Discussion*

The language below is the same language proposed by the small team that reviewed the comments, but modified:

- as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and - by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.

I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.

*Proposed Recommendation #13 Language*

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [*Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.* ]

*Action:*

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Sincerely,

Kurt

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

-- Emily Taylor CEO, Oxford Information Labs *MA (Cantab), Solicitor (non-practising), MBA, * *A**ssociate Fellow, Chatham House; Editor, Journal of Cyber Policy* Lincoln House, Pony Road, Oxford OX4 2RD | T: 01865 582885 E: emily.taylor@oxil.co.uk | D: 01865 582811 | M: +44 7540 049322 <http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017> <http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017> Registered office: Lincoln House, 4 Pony Road, Oxford OX4 2RD. Registered in England and Wales No. 4520925. VAT No. 799526263 .

Hi Everyone: To summarize this discussion: We have read Trang’s intervention carefully and recognize the wording referenced in the GDPR. In this email chain, we also recognized the research that Thomas (with Farzaneh) conducted in forming their advice to this team and Alan’s reference to local laws and authoritative GDPR guidance. After considering that, 1) I have not seen any team member representing a Stakeholder Group or Advisory Committee recommend a departure from the use of the word “agreement’ in the recommendation. I.e., I have not seen support for changing “agreement” to “arrangement.” Kavouss has made a good faith offer of compromise in suggesting “mutually agreed upon…” but I don’t see the purpose of compromise at this juncture. Without describing the rationale for staying with “agreement,” I can easily see reasons why each SO/AC here would appreciate that level of specificity. 2) While I agree with the conclusions Thomas has reached regarding the requirement for JCAs, I think the wording currently proposed (by the contracted parities and supported by the GAC) is acceptable in order to provide the parties negotiating the ability to determine which processing steps are best addressed with the parties as Joint Controllers, Controllers and Processors. 3) With regard to concerns about the clause, “Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing," as raised by Chris, I don’t read this as meaning that all liability is borne by the Controller, or as Chris states the ICANN Board concern, “by ICANN.” For example, negligence on the part of a processor should not raise liability in the Controller absent some specific circumstances. On this last topic, I think we ae waiting to hear more from the Board or elsewhere in ICANN. Itaking Chris recommendation into account and doing some type of mashup: “Indemnification clauses shall ensure that the risk for certain data processing is borne, to the extent appropriate, by either one or multiple parties that determine the purpose and means of the processing." In total: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne, to the extent appropriate, by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Please respond and let me know whether you believe this to be an appropriate solution. Best regards, Kurt

On Feb 8, 2019, at 5:05 AM, Emily Taylor <emily.taylor@oxil.co.uk> wrote:

Hi all

I support Alan's point of view. While I understand the need to retain flexibility, and to avoid overly restrictive language that will cause problems later on, the word 'arrangement' could mean almost anything - from something that imposes legal benefits and responsibilities to something that's very informal, undocumented and just a way of working.

So, I support use of the word 'agreement' instead of 'arrangement'.

Best wishes

Emily

On Fri, Feb 8, 2019 at 1:02 PM Alan Woods <alan@donuts.email> wrote: Just to be exceptionally clear and although I do not wish to belabor the point any farther, I still submit, on the record, that the correct term to be used in the recommendation is 'AGREEMENT'

Whereas I appreciate that ICANN have mirrored the GDPR language of Art 26 in their use of the word of 'arrangement' I believe it would make more sense to consider the subsequent interpretation of their lead DPA (i.e Belgium, as confirmed by the Belgian Autorité de Protection des Données (APD) letter of 15th January 2019  <https://www.icann.org/en/system/files/correspondence/debeuckelaere-to-marby-15jan19-en.pdf> and the therein referenced letter of September 26th, 2018 <https://www.icann.org/en/system/files/correspondence/debeuckelaere-to-marby-26sep18-en.pdf> ).

I would therefore respectfully submit that it remains more proper for our recommendation to therefore consider and mirror the Belgian legislatures and the APD's interpretation of the GDPR as being our guiding, if not determinative factor:

1) Article 52 of the  Loi relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel (30 July 2018) <http://www.ejustice.just.fgov.be/cgi_loi/loi_a.pl?language=fr&dt=LOI&chercher=t&choix1=ET&fr=f&choix2=ET&numero=12&table_name=LOI&fromtab=loi_all&imgcn.x=32&DETAIL=2018073046/F&nm=2018040581&imgcn.y=3&ddda=2018&sql=dt+contains++%27LOI%27+and+dd+=+date%272018-07-30%27and+actif+=+%27Y%27&rech=12&tri=dd+AS+RANK+&trier=promulgation&dddj=30&cn=2018073046&row_id=1&caller=image_a1&dddm=07&la=F&pdf_page=10&pdf_file=http://www.ejustice.just.fgov.be/mopdf/2018/09/05_1.pdf> (see page 27 of the Gazette as linked) requires

" Un accord définit de manière transparente les obligations respectives des responsables conjoints de traitement, " [emphasis added],

Which translates to "an agreement which defines the respective obligations of the joint controllers" [emphasis added]

2) The APD have also released a legal notation of the July 2018 law <https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Notions_RT_ST.pdf>, and they note the joint controller requirement as being "par voie d’accord' (see page three under heading or again to translate, is an "by agreement". (see page 3 under the heading "Responsables conjoints de traitment")

Therefore I still believe and submit that the ePDP teams original wording of "agreement" should stand, and I don't believe that ICANN's reference to their past statement i.e. "arrangement” could take the form of an agreement, a policy, or a specification" is sufficient as it dilutes the expectation of the APD. This is not sufficiently specific in the circumstances; nor does it provide the comfort that the ePDP team is seeking in this recommendation from ICANN.

Kind regards,

Alan

<http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

<https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

On Fri, Feb 8, 2019 at 11:28 AM Kavouss Arasteh <kavouss.arasteh@gmail.com <mailto:kavouss.arasteh@gmail.com>> wrote: Dear Kurt I have indicated at several occasions that when we refer to an action to be performed by two parties / entities ,we need to indicated " as mutually agreed" The proposed text to be amended to read as below The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties, "AS MUTUALLY AGREED " that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Please kindly insert that in the text Regards Kavouss

On Thu, Jan 24, 2019 at 12:23 AM Kurt Pritz <kurt@kjpritz.com <mailto:kurt@kjpritz.com>> wrote: Hi Everyone:

With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)

Discussion

The language below is the same language proposed by the small team that reviewed the comments, but modified:

as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.

I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.

Proposed Recommendation #13 Language

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.]

Action:

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Sincerely,

Kurt

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://mm.icann.org/mailman/listinfo/gnso-epdp-team>

-- Emily Taylor CEO, Oxford Information Labs MA (Cantab), Solicitor (non-practising), MBA,

Associate Fellow, Chatham House; Editor, Journal of Cyber Policy

Lincoln House, Pony Road, Oxford OX4 2RD | T: 01865 582885 E: emily.taylor@oxil.co.uk <mailto:emily.taylor@oxil.co.uk> | D: 01865 582811 | M: +44 7540 049322 <>

<http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017> <http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017>

<> Registered office: Lincoln House, 4 Pony Road, Oxford OX4 2RD. Registered in England and Wales No. 4520925. VAT No. 799526263

.

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Kurt, I think your proposed language is acceptable. This is not an official RySG position (as I have not had a chance to caucus with them), but by my read this language is compatible with the RySG position on this recommendation. Thanks, Marc From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Kurt Pritz Sent: Friday, February 08, 2019 1:26 PM To: GNSO EPDP <gnso-epdp-team@icann.org> Subject: [EXTERNAL] Re: [Gnso-epdp-team] Recommendation 13 - Responsibilities of the Parties - email list discussion Hi Everyone: To summarize this discussion: We have read Trang’s intervention carefully and recognize the wording referenced in the GDPR. In this email chain, we also recognized the research that Thomas (with Farzaneh) conducted in forming their advice to this team and Alan’s reference to local laws and authoritative GDPR guidance. After considering that, 1) I have not seen any team member representing a Stakeholder Group or Advisory Committee recommend a departure from the use of the word “agreement’ in the recommendation. I.e., I have not seen support for changing “agreement” to “arrangement.” Kavouss has made a good faith offer of compromise in suggesting “mutually agreed upon…” but I don’t see the purpose of compromise at this juncture. Without describing the rationale for staying with “agreement,” I can easily see reasons why each SO/AC here would appreciate that level of specificity. 2) While I agree with the conclusions Thomas has reached regarding the requirement for JCAs, I think the wording currently proposed (by the contracted parities and supported by the GAC) is acceptable in order to provide the parties negotiating the ability to determine which processing steps are best addressed with the parties as Joint Controllers, Controllers and Processors. 3) With regard to concerns about the clause, “Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing," as raised by Chris, I don’t read this as meaning that all liability is borne by the Controller, or as Chris states the ICANN Board concern, “by ICANN.” For example, negligence on the part of a processor should not raise liability in the Controller absent some specific circumstances. On this last topic, I think we ae waiting to hear more from the Board or elsewhere in ICANN. Itaking Chris recommendation into account and doing some type of mashup: “Indemnification clauses shall ensure that the risk for certain data processing is borne, to the extent appropriate, by either one or multiple parties that determine the purpose and means of the processing." In total: The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne, to the extent appropriate, by either one or multiple parties that determine the purpose and means of the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report. Please respond and let me know whether you believe this to be an appropriate solution. Best regards, Kurt On Feb 8, 2019, at 5:05 AM, Emily Taylor <emily.taylor@oxil.co.uk<mailto:emily.taylor@oxil.co.uk>> wrote: Hi all I support Alan's point of view. While I understand the need to retain flexibility, and to avoid overly restrictive language that will cause problems later on, the word 'arrangement' could mean almost anything - from something that imposes legal benefits and responsibilities to something that's very informal, undocumented and just a way of working. So, I support use of the word 'agreement' instead of 'arrangement'. Best wishes Emily On Fri, Feb 8, 2019 at 1:02 PM Alan Woods <alan@donuts.email<mailto:alan@donuts.email>> wrote: Just to be exceptionally clear and although I do not wish to belabor the point any farther, I still submit, on the record, that the correct term to be used in the recommendation is 'AGREEMENT' Whereas I appreciate that ICANN have mirrored the GDPR language of Art 26 in their use of the word of 'arrangement' I believe it would make more sense to consider the subsequent interpretation of their lead DPA (i.e Belgium, as confirmed by the Belgian Autorité de Protection des Données (APD) letter of 15th January 2019 <https://www.icann.org/en/system/files/correspondence/debeuckelaere-to-marby-15jan19-en.pdf> and the therein referenced letter of September 26th, 2018<https://www.icann.org/en/system/files/correspondence/debeuckelaere-to-marby-26sep18-en.pdf> ). I would therefore respectfully submit that it remains more proper for our recommendation to therefore consider and mirror the Belgian legislatures and the APD's interpretation of the GDPR as being our guiding, if not determinative factor: 1) Article 52 of the Loi relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel (30 July 2018)<http://www.ejustice.just.fgov.be/cgi_loi/loi_a.pl?language=fr&dt=LOI&chercher=t&choix1=ET&fr=f&choix2=ET&numero=12&table_name=LOI&fromtab=loi_all&imgcn.x=32&DETAIL=2018073046/F&nm=2018040581&imgcn.y=3&ddda=2018&sql=dt+contains++%27LOI%27+and+dd+=+date%272018-07-30%27and+actif+=+%27Y%27&rech=12&tri=dd+AS+RANK+&trier=promulgation&dddj=30&cn=2018073046&row_id=1&caller=image_a1&dddm=07&la=F&pdf_page=10&pdf_file=http://www.ejustice.just.fgov.be/mopdf/2018/09/05_1.pdf> (see page 27 of the Gazette as linked) requires " Un accord définit de manière transparente les obligations respectives des responsables conjoints de traitement, " [emphasis added], Which translates to "an agreement which defines the respective obligations of the joint controllers" [emphasis added] 2) The APD have also released a legal notation of the July 2018 law<https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Notions_RT_ST.pdf>, and they note the joint controller requirement as being "par voie d’accord' (see page three under heading or again to translate, is an "by agreement". (see page 3 under the heading "Responsables conjoints de traitment") Therefore I still believe and submit that the ePDP teams original wording of "agreement" should stand, and I don't believe that ICANN's reference to their past statement i.e. "arrangement” could take the form of an agreement, a policy, or a specification" is sufficient as it dilutes the expectation of the APD. This is not sufficiently specific in the circumstances; nor does it provide the comfort that the ePDP team is seeking in this recommendation from ICANN. Kind regards, Alan <http://donuts.domains/> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. _____ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland <https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Fri, Feb 8, 2019 at 11:28 AM Kavouss Arasteh <kavouss.arasteh@gmail.com<mailto:kavouss.arasteh@gmail.com>> wrote: Dear Kurt I have indicated at several occasions that when we refer to an action to be performed by two parties / entities ,we need to indicated " as mutually agreed" The proposed text to be amended to read as below The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties, "AS MUTUALLY AGREED " that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Please kindly insert that in the text Regards Kavouss On Thu, Jan 24, 2019 at 12:23 AM Kurt Pritz <kurt@kjpritz.com<mailto:kurt@kjpritz.com>> wrote: Hi Everyone: With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.) Discussion The language below is the same language proposed by the small team that reviewed the comments, but modified: * as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and * by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements. This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued. I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered. Proposed Recommendation #13 Language The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Sincerely, Kurt _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team -- Emily Taylor CEO, Oxford Information Labs MA (Cantab), Solicitor (non-practising), MBA, Associate Fellow, Chatham House; Editor, Journal of Cyber Policy Lincoln House, Pony Road, Oxford OX4 2RD | T: 01865 582885 E: emily.taylor@oxil.co.uk<mailto:emily.taylor@oxil.co.uk> | D: 01865 582811 | M: +44 7540 049322 <http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017><http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017> Registered office: Lincoln House, 4 Pony Road, Oxford OX4 2RD. Registered in England and Wales No. 4520925. VAT No. 799526263 . _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team

Dear All As I mentioned in the call, I have serious difficulties to replace Agreement with arrangement As proposed by ICANN Liaison Pls correct that Tks Kavouss Sent from my iPhone

On 8 Feb 2019, at 14:00, Alan Woods <alan@donuts.email> wrote:

Just to be exceptionally clear and although I do not wish to belabor the point any farther, I still submit, on the record, that the correct term to be used in the recommendation is 'AGREEMENT'

Whereas I appreciate that ICANN have mirrored the GDPR language of Art 26 in their use of the word of 'arrangement' I believe it would make more sense to consider the subsequent interpretation of their lead DPA (i.e Belgium, as confirmed by the Belgian Autorité de Protection des Données (APD) letter of 15th January 2019 and the therein referenced letter of September 26th, 2018 ).

I would therefore respectfully submit that it remains more proper for our recommendation to therefore consider and mirror the Belgian legislatures and the APD's interpretation of the GDPR as being our guiding, if not determinative factor:

1) Article 52 of the Loi relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel (30 July 2018) (see page 27 of the Gazette as linked) requires

...

" Un accord définit de manière transparente les obligations respectives des responsables conjoints de traitement, " [emphasis added],

Which translates to "an agreement which defines the respective obligations of the joint controllers" [emphasis added]

2) The APD have also released a legal notation of the July 2018 law, and they note the joint controller requirement as being "par voie d’accord' (see page three under heading or again to translate, is an "by agreement". (see page 3 under the heading "Responsables conjoints de traitment")

Therefore I still believe and submit that the ePDP teams original wording of "agreement" should stand, and I don't believe that ICANN's reference to their past statement i.e. "arrangement” could take the form of an agreement, a policy, or a specification" is sufficient as it dilutes the expectation of the APD. This is not sufficiently specific in the circumstances; nor does it provide the comfort that the ePDP team is seeking in this recommendation from ICANN.

Kind regards,

Alan

Alan Woods Senior Compliance & Policy Manager, Donuts Inc. The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland

Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you.

...

On Fri, Feb 8, 2019 at 11:28 AM Kavouss Arasteh <kavouss.arasteh@gmail.com> wrote: Dear Kurt I have indicated at several occasions that when we refer to an action to be performed by two parties / entities ,we need to indicated " as mutually agreed" The proposed text to be amended to read as below The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties, "AS MUTUALLY AGREED " that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.] Action: Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed. Deadline: Monday, 28 January, additional email discussion might follow depending on responses. Please kindly insert that in the text Regards Kavouss

...

On Thu, Jan 24, 2019 at 12:23 AM Kurt Pritz <kurt@kjpritz.com> wrote: Hi Everyone:

With the goal of progressing on issues via email, the leadership team has considered the discussion provided during the Toronto meeting and suggests the following compromise language to address the different positions expressed. (This is a resend of an earlier email with only the subject line of the email updated.)

Discussion

The language below is the same language proposed by the small team that reviewed the comments, but modified:

as suggested by Diane during the meeting to reflect that GDPR Art 28 is unlikely to apply in this situation, and by an addition (bracketed & bolded below) to reference the analysis in the Final Report that this team recommends the creation of Joint Controller Agreements, to appropriately influence the negotiation of GDPR-compliant agreements.

This language is intended to strike a balance between those preferring to leave some flexibility for ICANN Org and Contracted Parties to consider the appropriate agreements and those preferring to be specific about the type of agreement to be pursued.

I understand this is a complex topic that might require additional discussion but it is also possible that we cannot be dispositive on this issue prior to a lengthy contract formation discussion that extends well beyond our time frames. For that reason, we are taking the liberty of making this recommendation and hope you accept it in the spirit it is offered.

Proposed Recommendation #13 Language

The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing. [Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.]

Action:

Please indicate on the mailing list whether you have any concerns about these modifications and/or what other aspects of this recommendation should be discussed.

Deadline: Monday, 28 January, additional email discussion might follow depending on responses.

Sincerely,

Kurt

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team

---

Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team