Controllership Language for Initial Report
Hi All, If I still have posting rights to the list, here is some language for your consideration as a first draft of the EPDP's position on ICANN controllership for the Initial Report: The team agrees that ICANN is at least a controller for all purposes identified, and perhaps the sole controller for some or all purposes. The team eagerly awaits the receipt of the legal memorandum about ICANN's controllership role that is currently being drafted. As the memorandum was not received prior to the publication deadline for the Initial Report, the team requests that this memorandum be produced as soon as possible to inform both public comment and the group's views on controllership for the Final Report. I'll defer to Alex and Diane on further IPC input from here. Brian J. King Director of Internet Policy & Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com<mailto:brian.king@markmonitor.com>
If you are talking about the IPC team agreeing, Brian, fine. I don't think the EPDP has any consensus position on controllership at all, which is why I support delaying the release of the report until we can at least frame our questions. ICANN as a body, including this PDP, needs to analyze the current situation and determine status. Given the inattention to registrant rights and data protection law throughout the history of ICANN, not much is clear....the contracts have embedded policy that was not community-developed, ICANN has taken on sole responsibility for some functions that are normal business requirements (eg Escrow), so determining what the framework is is not so simple. WE need to do that to figure out quite a few things under GDPR. Stephanei On 2018-11-13 11:03, King, Brian via Gnso-epdp-team wrote: Hi All, If I still have posting rights to the list, here is some language for your consideration as a first draft of the EPDP’s position on ICANN controllership for the Initial Report: The team agrees that ICANN is at least a controller for all purposes identified, and perhaps the sole controller for some or all purposes. The team eagerly awaits the receipt of the legal memorandum about ICANN’s controllership role that is currently being drafted. As the memorandum was not received prior to the publication deadline for the Initial Report, the team requests that this memorandum be produced as soon as possible to inform both public comment and the group’s views on controllership for the Final Report. I’ll defer to Alex and Diane on further IPC input from here. Brian J. King Director of Internet Policy & Industry Affairs MarkMonitor / Part of Clarivate Analytics Phone: +1 (443) 761-3726 brian.king@markmonitor.com<mailto:brian.king@markmonitor.com> _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
I agree with Stephanie, and would further like to strongly caution us from assuming that ICANN are a sole controller for 'ALL' processing here. Should ICANN be considered sole controller for the whole kit and caboodle here, then we are stating that the CPs have *zero* influence on the manner in which we process data. In such an instance, it is up to ICANN to provide us with documented instructions as to all aspects of the processing. I think we should consider what such a statement means for ICANN and indeed the substantial ramifications that such a statement would have for the the Multistakeholder model itself here. In addition, I think we shall find that the legal reality of the situation is never going support the finding of a sole controllership (in all aspects). Pragmatically, any CP could confirm that our requirements under the RA or RAA is simply nowhere near 'comprehensive' enough to qualify as 'documented instructions' for our processing. Let alone the complications regarding aspects such as Sub-processor arrangements, 'technical and organizational measures', and of huge importance, the taking care of any and all data subject requests re registration (which are the Controller's responsibility). The means of processing the CPs implement are varying, but with united goals, but this still suggests such processing means extend beyond the contracts, and we need to be mindful of that in our assessment of the facts here. Additionally ICANN cannot possibly implement and monitor, and enforce compliance with their 'processing' instructions as would be required under Art 28 in any meaningful manner. I have always maintained that we do not, as an industry, fit nicely into the clean controller/processor relationship and thus defining our exact relationship must be the work of new thinking on our combined behalf. Thankfully such an approach fits with the intention of the GDPR, and within the expanded appreciation of non-traditional processing situations, as is supported by Art 26 of the GDPR. Hence why the Joint Controller path with a detailed roles and responsibility carve up is the most pragmatic and likely only viable path open to us. Alan [image: Donuts Inc.] <http://donuts.domains> Alan Woods Senior Compliance & Policy Manager, Donuts Inc. ------------------------------ The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland <https://www.facebook.com/donutstlds> <https://twitter.com/DonutsInc> <https://www.linkedin.com/company/donuts-inc> Please NOTE: This electronic message, including any attachments, may include privileged, confidential and/or inside information owned by Donuts Inc. . Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited and may be unlawful. If you are not the intended recipient, please notify the sender by replying to this message and then delete it from your system. Thank you. On Tue, Nov 13, 2018 at 4:44 PM Stephanie Perrin < stephanie.perrin@mail.utoronto.ca> wrote:
If you are talking about the IPC team agreeing, Brian, fine. I don't think the EPDP has any consensus position on controllership at all, which is why I support delaying the release of the report until we can at least frame our questions. ICANN as a body, including this PDP, needs to analyze the current situation and determine status. Given the inattention to registrant rights and data protection law throughout the history of ICANN, not much is clear....the contracts have embedded policy that was not community-developed, ICANN has taken on sole responsibility for some functions that are normal business requirements (eg Escrow), so determining what the framework is is not so simple. WE need to do that to figure out quite a few things under GDPR.
Stephanei On 2018-11-13 11:03, King, Brian via Gnso-epdp-team wrote:
Hi All,
If I still have posting rights to the list, here is some language for your consideration as a first draft of the EPDP’s position on ICANN controllership for the Initial Report:
The team agrees that ICANN is at least a controller for all purposes identified, and perhaps the sole controller for some or all purposes. The team eagerly awaits the receipt of the legal memorandum about ICANN’s controllership role that is currently being drafted. As the memorandum was not received prior to the publication deadline for the Initial Report, the team requests that this memorandum be produced as soon as possible to inform both public comment and the group’s views on controllership for the Final Report.
I’ll defer to Alex and Diane on further IPC input from here.
*Brian J. King*
*Director of Internet Policy & Industry Affairs*
*MarkMonitor */ *Part of Clarivate Analytics *
Phone: +1 (443) 761-3726
brian.king@markmonitor.com
_______________________________________________ Gnso-epdp-team mailing listGnso-epdp-team@icann.orghttps://mm.icann.org/mailman/listinfo/gnso-epdp-team
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
participants (3)
-
Alan Woods -
King, Brian -
Stephanie Perrin