My understanding is that GDPR requires reporting (subject to some restrictions), not asking permission. Moreover this wording sets a minimum time for responding to any request, and informs the data subject of a request, even if it will be refused. Alan -- Sent from my mobile. Please excuse brevity and typos. On September 21, 2019 2:41:05 PM EDT, "Ayden Férdeline" <icann@ferdeline.com> wrote: Hi, Regarding building block k, I have alternate language that I would like to table for consideration please. The language circulated in the below email is: Building Block k) (Receipt of acknowledgement) The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible. The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below. Proposed new language (changes in red): Building Block k) (Acknowledgement of request) The EPDP Team recommends that upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed. Kind regards, Ayden Férdeline ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Saturday, 21 September 2019 02:19, Marika Konings <marika.konings@icann.org> wrote: Dear EPDP Team, Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review. Best regards, Caitlin, Berry and Marika =========== EPDP Phase 2 - Meeting #20 Proposed Agenda Tuesday, 24 September 2019 at 14.00 UTC 1. Roll Call & SOI Updates (5 minutes) 2. Confirmation of agenda (Chair) 3. Welcome and housekeeping issues (Chair) (5 minutes) a) Reminder - the EPDP Team members to populate the contents of the lawful basis table by Wednesday 25 September (see https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT-- 9aD2lHZI/edit<https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT--%099aD2lHZI/edit>) b) Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting 4. Acceptable Use Policy (Building block d & h) – first reading (30 minutes). a) Initial discussion b) Feedback from EPDP Team c) Confirm next steps 5. Receipt of acknowledgement (building block k) – first reading (30 minutes) a) Initial discussion b) Feedback from EPDP Team c) Confirm next steps 6. Who should be responsible for disclosure decision (15 minutes) a) Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQun...) b) Consider team input and approach forward c) Confirm next steps 7. Wrap and confirm next EPDP Team meeting (5 minutes): a) Thursday 26 September 2019 at 14.00 UTC b) Confirm action items c) Confirm questions for ICANN Org, if any Marika Konings Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) Email: marika.konings@icann.org<mailto:marika.konings@icann.org> Follow the GNSO via Twitter @ICANN_GNSO Find out more about the GNSO by taking our interactive courses<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_...> and visiting the GNSO Newcomer pages<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gns...>.

Ayden, Can you describe what form this "Receipt Acknowledgement Letter" would take? Alex ___________ *Alex Deacon* Cole Valley Consulting alex@colevalleyconsulting.com +1.415.488.6009 On Sat, Sep 21, 2019 at 11:41 AM Ayden Férdeline <icann@ferdeline.com> wrote:

Hi,

Regarding building block k, I have alternate language that I would like to table for consideration please.

*The language circulated in the below email is:*

*Building Block k) **(Receipt of acknowledgement)*

The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible.

The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below.

*Proposed new language (changes in red):*

*Building Block k) **(Acknowledgement of request)*

The EPDP Team recommends that *upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed. *

Kind regards,

Ayden Férdeline

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Saturday, 21 September 2019 02:19, Marika Konings < marika.konings@icann.org> wrote:

Dear EPDP Team,

Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review.

Best regards,

Caitlin, Berry and Marika

===========

*EPDP Phase 2 - Meeting #20*

*Proposed Agenda*

Tuesday, 24 September 2019 at 14.00 UTC

1. Roll Call & SOI Updates (5 minutes)

2. Confirmation of agenda (Chair)

3. Welcome and housekeeping issues (Chair) (5 minutes)

a) Reminder - the EPDP Team members to populate the contents of the lawful basis table *by Wednesday 25 September *(see https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT-- 9aD2lHZI/edit <https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT--%099aD2lHZI/edit>)

b) Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting

4. Acceptable Use Policy (Building block d & h) – first reading (30 minutes).

a) Initial discussion

b) Feedback from EPDP Team

c) Confirm next steps

5. Receipt of acknowledgement (building block k) – first reading (30 minutes)

a) Initial discussion

b) Feedback from EPDP Team

c) Confirm next steps

6. Who should be responsible for disclosure decision (15 minutes)

a) Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQun... )

b) Consider team input and approach forward

c) Confirm next steps

7. Wrap and confirm next EPDP Team meeting (5 minutes):

a) Thursday 26 September 2019 at 14.00 UTC

b) Confirm action items

c) Confirm questions for ICANN Org, if any

*Marika Konings*

*Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) *

*Email: marika.konings@icann.org <marika.konings@icann.org> *

*Follow the GNSO via Twitter @ICANN_GNSO*

*Find out more about the GNSO by taking our interactive courses <https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_...> and visiting the GNSO Newcomer pages <https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gns...>. *

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Adyen’s proposal has major flaws, and IMHO is a non-starter. One: it does not propose a deadline for the registry/registrar to provide any substantive response, i.e. the data or a denial. Instead, it seems to allow contracted parties to not provide a substantive response for sixteen days, and maybe more. That sets a very long response floor and expectation for the entire gTLD world. The effective result will be: no flow of data. Two: as we discussed in Los Angeles, we are trying to automate what can be automated, including automated decision-making where it is possible. For anything that is automated, an ACK letter is not necessary -- instead the data (or a 6(1)f denial) should just come back in reply. That would leverage RDAP, which is a goal of ours. See also the TSG paper. Three: a written ACK is appropriate for requests that are made offline, outside the system. Even then, an acknowledgement of receipt can be issued automatically and immediately by the contracting party (with a tracking number). That’s SOP for any system that requires the tracking of submissions, and most registrars already do it with customer service tickets. Four: the proposal assumes that data subjects must be informed every time a request for their data comes in, and that data subjects have the right to decline the processing. The GDPR does not require either of those. Instead, GDPR requires that the data subject be made aware before of the processing that may happen, and who generally the recipients may be. Appropriately, the Temp Spec already covers this – it requires registrars to notify their registrants of the specific purposes for which their data will be processed, and potential recipients, so case-based notification is not required. (Temp Spec, Section 7.) If the policy needs to be more specific and tell registrants that they are subject to GDPR Article 6 disclosures, then we should make that happen. Unfortunately Adyen’s proposal builds in a way for data subjects to hide their criminal activity and cover their tracks. That is not necessary under the law, and it is contrary to the GDPR’s intent. SSAC provided the legal-sub team with draft questions about these topics in the last submission round, and hopefully those will go to Bird & Bird soon. All best, --Greg From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Ayden Férdeline Sent: Sunday, September 22, 2019 7:06 PM To: Alex Deacon <alex@colevalleyconsulting.com> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC Hi Alex, I envision this being some form of written communication (most likely an email) that lets the SSAD requestor know that their request has been successfully received and is being processed. I also imagine it containing a copy of their request. Thanks, Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, 22 September 2019 22:45, Alex Deacon <alex@colevalleyconsulting.com <mailto:alex@colevalleyconsulting.com> > wrote: Ayden, Can you describe what form this "Receipt Acknowledgement Letter" would take? Alex ___________ Alex Deacon Cole Valley Consulting alex@colevalleyconsulting.com <mailto:alex@colevalleyconsulting.com> +1.415.488.6009 On Sat, Sep 21, 2019 at 11:41 AM Ayden Férdeline <icann@ferdeline.com <mailto:icann@ferdeline.com> > wrote: Hi, Regarding building block k, I have alternate language that I would like to table for consideration please. The language circulated in the below email is: Building Block k) (Receipt of acknowledgement) The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible. The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below. Proposed new language (changes in red): Building Block k) (Acknowledgement of request) The EPDP Team recommends that upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed. Kind regards, Ayden Férdeline ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Saturday, 21 September 2019 02:19, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org> > wrote: Dear EPDP Team, Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review. Best regards, Caitlin, Berry and Marika =========== EPDP Phase 2 - Meeting #20 Proposed Agenda Tuesday, 24 September 2019 at 14.00 UTC 1. Roll Call & SOI Updates (5 minutes) 2. Confirmation of agenda (Chair) 3. Welcome and housekeeping issues (Chair) (5 minutes) a) Reminder - the EPDP Team members to populate the contents of the lawful basis table by Wednesday 25 September (see https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT-- <https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT--%099aD2lHZI/edit> 9aD2lHZI/edit) b) Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting 4. Acceptable Use Policy (Building block d & h) – first reading (30 minutes). a) Initial discussion b) Feedback from EPDP Team c) Confirm next steps 5. Receipt of acknowledgement (building block k) – first reading (30 minutes) a) Initial discussion b) Feedback from EPDP Team c) Confirm next steps 6. Who should be responsible for disclosure decision (15 minutes) a) Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQun...) b) Consider team input and approach forward c) Confirm next steps 7. Wrap and confirm next EPDP Team meeting (5 minutes): a) Thursday 26 September 2019 at 14.00 UTC b) Confirm action items c) Confirm questions for ICANN Org, if any Marika Konings Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) Email: <mailto:marika.konings@icann.org> marika.konings@icann.org Follow the GNSO via Twitter @ICANN_GNSO Find out more about the GNSO by taking our <https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_...> interactive courses and visiting the <https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gns...> GNSO Newcomer pages. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Greg, I believe the existing legal advice, contained in Bird & Bird's legal memo of 10 September 2019 (question 3), supports the need for natural persons to have a right to object to data processing activities. On page 10 of the memo Bird & Bird advised, "The initial and annual notice and opt-out process suggested by the EPDP would not be sufficient: an individual would be given general notice that an automated process may be used, but would not know that a decision has actually been taken on this basis and, unless an individual was aware of this, he or she would not be in a positon to take advantage of the safeguards required by the GDPR." They also advised (same page): "... safeguards require the controller to notify the data subject as soon as possible that a decision has been taken, at which point the data subject has up to one month to require the controller to reconsider the decision, with significant operational implications for any urgent requests." I still need to consult with NCSG colleagues regarding the language that I proposed, but I believe any building block k language that does not ensure there are mechanisms in place that allow registrants to exercise their rights under the GDPR would be unacceptable to us. Thanks, Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, 23 September 2019 18:10, Greg Aaron <greg@illumintel.com> wrote:

Adyen’s proposal has major flaws, and IMHO is a non-starter.

One: it does not propose a deadline for the registry/registrar to provide any substantive response, i.e. the data or a denial. Instead, it seems to allow contracted parties to not provide a substantive response for sixteen days, and maybe more. That sets a very long response floor and expectation for the entire gTLD world. The effective result will be: no flow of data.

Two: as we discussed in Los Angeles, we are trying to automate what can be automated, including automated decision-making where it is possible. For anything that is automated, an ACK letter is not necessary -- instead the data (or a 6(1)f denial) should just come back in reply. That would leverage RDAP, which is a goal of ours. See also the TSG paper.

Three: a written ACK is appropriate for requests that are made offline, outside the system. Even then, an acknowledgement of receipt can be issued automatically and immediately by the contracting party (with a tracking number). That’s SOP for any system that requires the tracking of submissions, and most registrars already do it with customer service tickets.

Four: the proposal assumes that data subjects must be informed every time a request for their data comes in, and that data subjects have the right to decline the processing. The GDPR does not require either of those. Instead, GDPR requires that the data subject be made aware before of the processing that may happen, and who generally the recipients may be. Appropriately, the Temp Spec already covers this – it requires registrars to notify their registrants of the specific purposes for which their data will be processed, and potential recipients, so case-based notification is not required. (Temp Spec, Section 7.) If the policy needs to be more specific and tell registrants that they are subject to GDPR Article 6 disclosures, then we should make that happen. Unfortunately Adyen’s proposal builds in a way for data subjects to hide their criminal activity and cover their tracks. That is not necessary under the law, and it is contrary to the GDPR’s intent. SSAC provided the legal-sub team with draft questions about these topics in the last submission round, and hopefully those will go to Bird & Bird soon.

All best,

--Greg

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Ayden Férdeline Sent: Sunday, September 22, 2019 7:06 PM To: Alex Deacon <alex@colevalleyconsulting.com> Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC

Hi Alex,

I envision this being some form of written communication (most likely an email) that lets the SSAD requestor know that their request has been successfully received and is being processed. I also imagine it containing a copy of their request.

Thanks,

Ayden

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, 22 September 2019 22:45, Alex Deacon <alex@colevalleyconsulting.com> wrote:

...

Ayden,

Can you describe what form this "Receipt Acknowledgement Letter" would take?

Alex

___________

Alex Deacon

Cole Valley Consulting

alex@colevalleyconsulting.com

+1.415.488.6009

On Sat, Sep 21, 2019 at 11:41 AM Ayden Férdeline <icann@ferdeline.com> wrote:

...

Hi,

Regarding building block k, I have alternate language that I would like to table for consideration please.

The language circulated in the below email is:

Building Block k) (Receipt of acknowledgement)

The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible.

The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below.

Proposed new language (changes in red):

Building Block k) (Acknowledgement of request)

The EPDP Team recommends that upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed.

Kind regards,

Ayden Férdeline

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, 21 September 2019 02:19, Marika Konings <marika.konings@icann.org> wrote:

...

Dear EPDP Team,

Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review.

Best regards,

Caitlin, Berry and Marika

===========

EPDP Phase 2 - Meeting #20

Proposed Agenda

Tuesday, 24 September 2019 at 14.00 UTC

1. Roll Call & SOI Updates (5 minutes)

2. Confirmation of agenda (Chair)

3. Welcome and housekeeping issues (Chair) (5 minutes)

a) Reminder - the EPDP Team members to populate the contents of the lawful basis table by Wednesday 25 September (see [https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT-- 9aD2lHZI/edit](https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT--%099aD2lHZI/edit))

b) Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting

4. Acceptable Use Policy (Building block d & h) – first reading (30 minutes).

a) Initial discussion

b) Feedback from EPDP Team

c) Confirm next steps

5. Receipt of acknowledgement (building block k) – first reading (30 minutes)

a) Initial discussion

b) Feedback from EPDP Team

c) Confirm next steps

6. Who should be responsible for disclosure decision (15 minutes)

a) Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQun...)

b) Consider team input and approach forward

c) Confirm next steps

7. Wrap and confirm next EPDP Team meeting (5 minutes):

a) Thursday 26 September 2019 at 14.00 UTC

b) Confirm action items

c) Confirm questions for ICANN Org, if any

Marika Konings

Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)

Email: marika.konings@icann.org

Follow the GNSO via Twitter @ICANN_GNSO

Find out more about the GNSO by taking our [interactive courses](https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_...) and visiting the [GNSO Newcomer pages](https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gns...).

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org

https://mm.icann.org/mailman/listinfo/gnso-epdp-team

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi Brian, you seem to be under a fundamental misunderstanding about the concepts of the balancing test and decision-making as the decision whether to disclose the data is the fundamental decision about the data of the data subject in this case. I thought this would be understood by all and therefore would not need mentioning. Automated decision making about how to handle the data and therefore the decision whether to disclose fundamentally affects the rights of the data subject. Best, Volker Am 24.09.2019 um 00:36 schrieb King, Brian via Gnso-epdp-team:

Hi all,

It seems that we are mixing up a couple concepts that require clarification in order for this conversation to be more productive.

First, the concept of automated decision-making should be clarified. As discussed in the Bird & Bird memo, the concept of automated decision-making is limited to decisions about the data subject (not decisions about whether to disclose their data). The types of decisions about the data subject protected by GDPR include decisions carrying the legal significance of denial of child or housing benefit or refused admission to a country or denial of citizenship. It’s necessary to clarify here that while the third parties who request and might process this data need be cautious about their own automated decision-making when using the requested data, the decision about whether to disclose the data itself is not Article 22 decision-making.

Then, the section of the Bird & Bird memo that Ayden references describes requirements if the types of decision-making spelled out above is explicitly authorized by national law. Those provisions are irrelevant to our work for two reasons: 1) again, the disclosure decision is not the type of legally significant decision-making that Article 22 is intended to prevent, and 2) even if it were, the disclosure decisions we’re talking about are grounded in 6.1.f or some other 6.1. basis and not on the basis of a national law permitting such decision-making.

*Brian J. King * Director of Internet Policy and Industry Affairs

T +1 443 761 3726_ markmonitor.com <http://www.markmonitor.com>_

*MarkMonitor *Protecting companies and consumers in a digital world

*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> *On Behalf Of *Ayden Férdeline *Sent:* Monday, September 23, 2019 2:40 PM *To:* Greg Aaron <greg@illumintel.com> *Cc:* gnso-epdp-team@icann.org *Subject:* Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC

Greg,

I believe the existing legal advice, contained in Bird & Bird's legal memo of 10 September 2019 (question 3), supports the need for natural persons to have a right to object to data processing activities.

On page 10 of the memo Bird & Bird advised, /"The initial and annual notice and opt-out process suggested by the EPDP would not be sufficient: an individual would be given general notice that an automated process may be used, but would not know that a decision has actually been taken on this basis and, unless an individual was aware of this, he or she would not be in a positon to take advantage of the safeguards required by the GDPR."/

They also advised (same page):

/"... safeguards require the controller to notify the data subject as soon as possible that a decision has been taken, at which point the data subject has up to one month to require the controller to reconsider the decision, with significant operational implications for any urgent requests."/

I still need to consult with NCSG colleagues regarding the language that I proposed, but I believe any building block k language that does not ensure there are mechanisms in place that allow registrants to exercise their rights under the GDPR would be unacceptable to us.

Thanks,

Ayden

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Monday, 23 September 2019 18:10, Greg Aaron <greg@illumintel.com <mailto:greg@illumintel.com>> wrote:

Adyen’s proposal has major flaws, and IMHO is a non-starter.

One: it does not propose a deadline for the registry/registrar to provide any substantive response, i.e. the data or a denial.  Instead, it seems to allow contracted parties to not provide a substantive response for sixteen days, and maybe more.  That sets a very long response floor and expectation for the entire gTLD world. The effective result will be: no flow of data.

Two: as we discussed in Los Angeles, we are trying to automate what can be automated, including automated decision-making where it is possible.  For anything that is automated, an ACK letter is not necessary -- instead the data (or a 6(1)f denial) should just come back in reply.  That would leverage RDAP, which is a goal of ours.  See also the TSG paper.

Three: a written ACK is appropriate for requests that are made offline, outside the system.  Even then, an acknowledgement of receipt can be issued automatically and immediately by the contracting party (with a tracking number).  That’s SOP for any system that requires the tracking of submissions, and most registrars already do it with customer service tickets.

Four: the proposal assumes that data subjects must be informed every time a request for their data comes in, and that data subjects have the right to decline the processing.  The GDPR does not    require either of those.  Instead, GDPR requires that the data subject be made aware before of the processing that may happen, and who generally the recipients may be.  Appropriately, the Temp Spec already covers  this – it requires registrars to notify their registrants of the  specific purposes for which their data will be processed, and potential recipients, so case-based notification is not required. (Temp Spec, Section 7.)  If the policy needs to be more specific and tell registrants that they are subject to GDPR Article 6 disclosures, then we should make that happen.  Unfortunately Adyen’s proposal builds in a way for data subjects to hide their criminal activity and cover their tracks.  That is not necessary under the law, and it is contrary to the GDPR’s intent.  SSAC provided the legal-sub team with draft questions about these topics in the last submission round, and hopefully those will go to Bird & Bird soon.

All best,

--Greg

*From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org <mailto:gnso-epdp-team-bounces@icann.org>> *On Behalf Of *Ayden Férdeline

*Sent:* Sunday, September 22, 2019 7:06 PM

*To:* Alex Deacon <alex@colevalleyconsulting.com <mailto:alex@colevalleyconsulting.com>>

*Cc:* gnso-epdp-team@icann.org <mailto:gnso-epdp-team@icann.org>

*Subject:* Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC

Hi Alex,

I envision this being some form of written communication (most likely an email) that lets the SSAD requestor know that their request has been successfully received and is being processed. I also imagine it containing a copy of their request.

Thanks,

Ayden

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Sunday, 22 September 2019 22:45, Alex Deacon <alex@colevalleyconsulting.com <mailto:alex@colevalleyconsulting.com>> wrote:

Ayden,

Can you describe what form this "Receipt Acknowledgement Letter" would take?

Alex

___________

*Alex Deacon*

Cole Valley Consulting

alex@colevalleyconsulting.com <mailto:alex@colevalleyconsulting.com>

+1.415.488.6009

On Sat, Sep 21, 2019 at 11:41 AM Ayden Férdeline <icann@ferdeline.com <mailto:icann@ferdeline.com>> wrote:

Hi,

Regarding building block k, I have alternate language that I would like to table for consideration please.

_The language circulated in the below email is:_

*Building Block k) */(Receipt of acknowledgement)/

The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible.

The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below.

_Proposed new language (changes in red):_

*Building Block k) */(_A_cknowledgement_of request_)/

The EPDP Team recommends that _upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed._

Kind regards,

Ayden Férdeline

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, 21 September 2019 02:19, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:

Dear EPDP Team,

Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review.

Best regards,

Caitlin, Berry and Marika

===========

*EPDP Phase 2 - Meeting #20*

*Proposed Agenda*

Tuesday, 24 September 2019 at 14.00 UTC

1.Roll Call & SOI Updates (5 minutes)

2.Confirmation of agenda (Chair)

3.Welcome and housekeeping issues (Chair) (5 minutes)

a)Reminder - the EPDP Team members to populate the contents of the lawful basis table *by Wednesday 25 September *(see https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT-- 9aD2lHZI/edit <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_documen...>)

b)Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting

4.Acceptable Use Policy (Building block d & h) – first reading (30 minutes).

a)Initial discussion

b)Feedback from EPDP Team

c)Confirm next steps

5.Receipt of acknowledgement (building block k) – first reading (30 minutes)

a)Initial discussion

b)Feedback from EPDP Team

c)Confirm next steps

6.Who should be responsible for disclosure decision (15 minutes)

a)Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQun... <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_documen...>)

b)Consider team input and approach forward

c)Confirm next steps

7.Wrap and confirm next EPDP Team meeting (5 minutes):

a)Thursday 26 September 2019 at 14.00 UTC

b)Confirm action items

c)Confirm questions for ICANN Org, if any

*/Marika Konings/*

/Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) /

/Email: marika.konings@icann.org <mailto:marika.konings@icann.org> /

//

/Follow the GNSO via Twitter @ICANN_GNSO/

/Find out more about the GNSO by taking our interactive courses <https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_...> and visiting the GNSO Newcomer pages <https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gns...>. /

_______________________________________________

Gnso-epdp-team mailing list

Gnso-epdp-team@icann.org <mailto:Gnso-epdp-team@icann.org>

https://mm.icann.org/mailman/listinfo/gnso-epdp-team <https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_li...>

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_p...>) and the website Terms of Service (https://www.icann.org/privacy/tos <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_t...>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

-- Volker A. Greimann General Counsel and Policy Manager *KEY-SYSTEMS GMBH* T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

+1 From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Volker Greimann Sent: Monday, September 23, 2019 1:42 AM To: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Proposed agenda - EPDP Team meeting #20 on Tuesday 24 September at 14.00 UTC Wjhile I appreciate the intent of this, this seems to be very difficult to operationalize. Ideally, we would look at any one request once, maybe twice if it is deficient in some way. Adding in all this overhead seems to be a recipe for decreasing response times and increasing the time a request spends in the queue. Volker Am 21.09.2019 um 20:41 schrieb Ayden Férdeline: Hi, Regarding building block k, I have alternate language that I would like to table for consideration please. The language circulated in the below email is: Building Block k) (Receipt of acknowledgement) The EPDP Team recommends that, consistent with the EPDP Phase 1 recommendations, the response time for acknowledging receipt of a SSAD request should be without undue delay, but not more than two (2) business days from receipt, unless shown circumstances does not make this possible. The response should also include information about the subsequent steps as well as the timeline consistent with the recommendations outlined below. Proposed new language (changes in red): Building Block k) (Acknowledgement of request) The EPDP Team recommends that upon receipt of an SSAD request, the receiving entity shall issue a Receipt Acknowledgement Letter which summarizes the applicant’s requests. This should happen without undue delay and, ideally, within two business days of the request being received by the receiving entity. This response shall include information about the subsequent steps to be taken as well as a timeline for its processing. Following the issuance of the Receipt Acknowledgement Letter, the applicant shall have a fourteen-calendar-day period within which it may make certain types of corrections to its request. This is to permit the applicant to correct data entry errors, change contact information, and to withdraw the request if it is no longer required. Similarly, the receiving entity of the request shall inform the data subject(s) whose personal information is sought, unless prohibited to make such a disclosure by law, and provide the data subject with a reasonable window of time and the opportunity within which they may object to their data being processed. Kind regards, Ayden Férdeline ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Saturday, 21 September 2019 02:19, Marika Konings <marika.konings@icann.org><mailto:marika.konings@icann.org> wrote: Dear EPDP Team, Please find attached the proposed agenda for the next EPDP Team meeting which is scheduled for Tuesday 24 September at 14.00 UTC. To facilitate your preparation, please review the attached documents which include in addition to the relevant section from the zero draft, the relevant section from the SSAD worksheet that contains information in relation to the objective of addressing the topic as well as materials to review. Best regards, Caitlin, Berry and Marika =========== EPDP Phase 2 - Meeting #20 Proposed Agenda Tuesday, 24 September 2019 at 14.00 UTC 1. Roll Call & SOI Updates (5 minutes) 2. Confirmation of agenda (Chair) 3. Welcome and housekeeping issues (Chair) (5 minutes) a) Reminder - the EPDP Team members to populate the contents of the lawful basis table by Wednesday 25 September (see https://docs.google.com/document/d/1U9jt9nOHs9QMjWTDl7UPaT-- 9aD2lHZI/edit<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.googl...>) b) Reminder - submit alternate form if members are not attending the Jan 2020 F2F meeting 4. Acceptable Use Policy (Building block d & h) – first reading (30 minutes). a) Initial discussion b) Feedback from EPDP Team c) Confirm next steps 5. Receipt of acknowledgement (building block k) – first reading (30 minutes) a) Initial discussion b) Feedback from EPDP Team c) Confirm next steps 6. Who should be responsible for disclosure decision (15 minutes) a) Review additional team input provided (see https://docs.google.com/document/d/10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQuniv8/edit<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F10VRZRziGDXvckC_y3ob_SGB-1NN9WrL6Y6A3XQuniv8%2Fedit&data=02%7C01%7Cmarksv%40microsoft.com%7Cacfa4422f135425d574c08d74001f840%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048249533048829&sdata=bmGVT3%2FZJ99pyYz1onjP9EXSqgwT3VuEHmYaEBUMK5M%3D&reserved=0>) b) Consider team input and approach forward c) Confirm next steps 7. Wrap and confirm next EPDP Team meeting (5 minutes): a) Thursday 26 September 2019 at 14.00 UTC b) Confirm action items c) Confirm questions for ICANN Org, if any Marika Konings Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) Email: marika.konings@icann.org<mailto:marika.konings@icann.org> Follow the GNSO via Twitter @ICANN_GNSO Find out more about the GNSO by taking our interactive courses<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense...> and visiting the GNSO Newcomer pages<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Furldefense...>. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.org%2Fmailman%2Flistinfo%2Fgnso-epdp-team&data=02%7C01%7Cmarksv%40microsoft.com%7Cacfa4422f135425d574c08d74001f840%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048249533058820&sdata=sT8D2fjYZlJOidnsaCKefVbmbJzOjcRAK5wAccW9jP0%3D&reserved=0> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Fpolicy&data=02%7C01%7Cmarksv%40microsoft.com%7Cacfa4422f135425d574c08d74001f840%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048249533058820&sdata=661cTNk1HDGAHOUdMTp17uV3JrhGx9Ki00K64iwDcDE%3D&reserved=0>) and the website Terms of Service (https://www.icann.org/privacy/tos<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.icann.org%2Fprivacy%2Ftos&data=02%7C01%7Cmarksv%40microsoft.com%7Cacfa4422f135425d574c08d74001f840%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637048249533068817&sdata=e14uPQ%2Fl%2B3vBgYrW9Jb7OxIgbagkJlenu3uJ4WmVGWc%3D&reserved=0>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -- Volker A. Greimann General Counsel and Policy Manager KEY-SYSTEMS GMBH T: +49 6894 9396901 M: +49 6894 9396851 F: +49 6894 9396851 W: www.key-systems.net<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.key-sys...> Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835 CEO: Alexander Siffrin Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.