Contracted Parties and Small Teams #1 and #2
ePDP Colleagues and WG Leadership -

This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report. We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas. Our concerns involve:

* Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties.
* Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error.
* Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations.
* Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such an obligation, exclusively for the benefit of unburdened third parties.
* Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts.

As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations.

Thank you,

J.
-------------
James Bladel
GoDaddy
James, can you clarify this: “many of whom could lose access to their registrations.”

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. Bladel
Sent: Monday, November 5, 2018 10:57
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2

ePDP Colleagues and WG Leadership -

This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report. We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas. Our concerns involve:

* Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties.
* Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error.
* Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations.
* Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such an obligation, exclusively for the benefit of unburdened third parties.
* Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts.

As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations.

Thank you,

J.
-------------
James Bladel
GoDaddy
Mark –

Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives.” Here’s some coverage of that data at the time.

https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due-to-2013-raa/

Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted.

It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale.

J.
-------------
James Bladel
GoDaddy

From: "Mark Svancarek (CELA)" <marksv@microsoft.com>
Date: Monday, November 5, 2018 at 15:14
To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: RE: Contracted Parties and Small Teams #1 and #2

James, can you clarify this: “many of whom could lose access to their registrations.”
James, the Whois Verification in the 2013 RAA called for domains to be suspended in some circumstances (as you have just described). What provisions have been discussed in the EPDP that would similarly require suspension?

Alan

At 05/11/2018 04:28 PM, James M. Bladel wrote:

Mark –

Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives.” Here’s some coverage of that data at the time.

https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due-to-2013-raa/

Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted.

It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale.

J.
-------------
James Bladel
GoDaddy

_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Alan – you called for having a “hard deadline” for existing registrants to make this determination so the logical next step would be some sort of impact to the domain name registration in cases where there was no response, correct?

Any suggestion of a policy recommendation that results in registrants potentially having their domain name suspended or worse should be considered very carefully and have majority support within the group…something which I don’t believe would be the case here.

Regards,
Matt

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Alan Greenberg <alan.greenberg@mcgill.ca>
Date: Monday, November 5, 2018 at 3:49 PM
To: "James M. Bladel" <jbladel@godaddy.com>, "Mark Svancarek (CELA)" <marksv@microsoft.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: Re: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2

James, the Whois Verification in the 2013 RAA called for domains to be suspended in some circumstances (as you have just described). What provisions have been discussed in the EPDP that would similarly require suspension?

Alan
Correct, Matt. I presume there would be -some- consequence for registrant inaction? If not, then it’s an Honor System. Or in this case, the default “punishment” would probably be redaction from WHOIS/RDS, because the registrar couldn’t leave the classification to chance.

-------------
James Bladel
GoDaddy

________________________________
From: Matt Serlin <matt@brandsight.com>
Sent: Monday, November 5, 2018 4:53:43 PM
To: Alan Greenberg; James M. Bladel; Mark Svancarek (CELA); gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2

Alan – you called for having a “hard deadline” for existing registrants to make this determination so the logical next step would be some sort of impact to the domain name registration in cases where there was no response, correct?

Any suggestion of a policy recommendation that results in registrants potentially having their domain name suspended or worse should be considered very carefully and have majority support within the group…something which I don’t believe would be the case here.

Regards,
Matt
It was my understanding that Alan’s request was for CPs to have a hard deadline for implementing a system to allow existing registrants to make the determination, not a deadline for making the determination. (For example, if a system is in place, it might not be presented to an existing registrant until they renew.) Was I mistaken?

From: Matt Serlin <matt@brandsight.com>
Sent: Monday, November 5, 2018 14:54
To: Alan Greenberg <alan.greenberg@mcgill.ca>; James M. Bladel <jbladel@godaddy.com>; Mark Svancarek (CELA) <marksv@microsoft.com>; gnso-epdp-team@icann.org
Subject: Re: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2

Alan – you called for having a “hard deadline” for existing registrants to make this determination so the logical next step would be some sort of impact to the domain name registration in cases where there was no response, correct?

Any suggestion of a policy recommendation that results in registrants potentially having their domain name suspended or worse should be considered very carefully and have majority support within the group…something which I don’t believe would be the case here.

Regards,
Matt
Matt, you asked that question once, suggesting that perhaps revocation would be that solution and I answered - without including a revocation or suspension result. You may not like my suggestion but please don't put words in my mouth. **NOTE** I just realized that my message went only to you, so apologies to others. I will forward to the list. Alan At 05/11/2018 05:53 PM, Matt Serlin wrote: Alan – you called for having a “hard deadline” for existing registrants to make this determination so the logical next step would be some sort of impact to the domain name registration in cases where there was no response, correct? Any suggestion of a policy recommendation that results in registrants potentially having their domain name suspended or worse should be considered very carefully and have majority support within the group…something which I don’t believe would be the case here. Regards, Matt From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Alan Greenberg <alan.greenberg@mcgill.ca> Date: Monday, November 5, 2018 at 3:49 PM To: "James M. Bladel" <jbladel@godaddy.com>, "Mark Svancarek (CELA)" <marksv@microsoft.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2 James, the Whois Verification in the 2013 RAA called for domains to be suspended in some circumstances (as you have just described). What provisions have been discussed in the EPDP that would similarly require suspension? Alan At 05/11/2018 04:28 PM, James M. Bladel wrote: Mark – Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives” Here’s some coverage of that data at the time. https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due... 
Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted. It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale. J. ------------- James Bladel GoDaddy From: "Mark Svancarek (CELA)" <marksv@microsoft.com> Date: Monday, November 5, 2018 at 15:14 To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: RE: Contracted Parties and Small Teams #1 and #2 James, can you clarify this: “many of whom could lose access to their registrations.” From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. Bladel Sent: Monday, November 5, 2018 10:57 To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2 ePDP Colleagues and WG Leadership - This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report. We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas. Our concerns involve: Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. 
Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties. Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error. Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations. Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such an obligations, exclusively for the benefit of unburdened third parties. Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts. As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations. Thank you, J. ------------- James Bladel GoDaddy _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Thanks James for some actual data. Always nice when reality intrudes on these discussions. I have to say it is not just registrars who believe that we cannot differentiate natural and legal persons at the point of registration - the NCSG views this as a threat to privacy as well. Milton L Mueller Professor, School of Public Policy Georgia Institute of Technology On Nov 5, 2018, at 17:28, James M. Bladel <jbladel@godaddy.com> wrote: Mark – Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives” Here’s some coverage of that data at the time. https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due... Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted. It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale. J. ------------- James Bladel GoDaddy From: "Mark Svancarek (CELA)" <marksv@microsoft.com> Date: Monday, November 5, 2018 at 15:14 To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: RE: Contracted Parties and Small Teams #1 and #2 James, can you clarify this: “many of whom could lose access to their registrations.” From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. 
Bladel Sent: Monday, November 5, 2018 10:57 To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2 ePDP Colleagues and WG Leadership - This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report. We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas. Our concerns involve: * Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties. * Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error. * Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. 
Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations. * Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such an obligations, exclusively for the benefit of unburdened third parties. * Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts. As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations. Thank you, J. ------------- James Bladel GoDaddy _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org<mailto:Gnso-epdp-team@icann.org> https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Sorry for being dense, I still have questions. 1. It is not surprising that the addition of a new process step would generate short term inefficiencies. It’s 5 years later – are the verification rates improved from 2014? 2. How would an optional “let me self-identify as a corporation” capability be likely to cause verification disruptions? /marksv From: James M. Bladel <jbladel@godaddy.com> Sent: Monday, November 5, 2018 13:28 To: Mark Svancarek (CELA) <marksv@microsoft.com>; gnso-epdp-team@icann.org Subject: Re: Contracted Parties and Small Teams #1 and #2 Mark – Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives” Here’s some coverage of that data at the time. https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due-to-2013-raa/ Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted. It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale. J. 
------------- James Bladel GoDaddy From: "Mark Svancarek (CELA)" <marksv@microsoft.com> Date: Monday, November 5, 2018 at 15:14 To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: RE: Contracted Parties and Small Teams #1 and #2 James, can you clarify this: “many of whom could lose access to their registrations.” From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. Bladel Sent: Monday, November 5, 2018 10:57 To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2 ePDP Colleagues and WG Leadership - This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report. We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas. Our concerns involve: * Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties. 
* Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error. * Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations. * Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such an obligations, exclusively for the benefit of unburdened third parties. * Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts. As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations. Thank you, J. ------------- James Bladel GoDaddy
Hi Everyone: After all of this thought and writing, I think we have two paths forward that are relatively straightforward to describe. Rather than recap the arguments made here, I will just go right into my recommendations for next step and why. The Support Team will follow this with a better summation of what has transpired and how that leads to the recommendations below. It is clear that camps within our team are at loggerheads with regard to how geographic basis and natural v legal persons should be handled within the proposed policy recommendations. Current situation and recent developments: Coming out of the small group meeting #1 during a teleconference, there was an agreement in principle that it was necessary to perform research in order to inform the policy discussion regarding the feasibility of differentiating between legal and natural persons. That agreement survived its initial introduction into the whole team where the comments centered around: (1) the adjectives used to describe the sense of urgency concerning the work, and (2) sharpening the detail regarding steps to be taken after the research. (There was never an agreement about how to proceed regarding differentiation of data subjects based on geographical considerations.) Starting Friday, substantial markups to the legal v natural agreement on doing research initiated this current three-day email chain. Preferred Recommendation (there are two): Go back to the agreement in principle that was reached in the small team with representatives from all groups to undertake research to determine if, how and to what extent we can distinguish between legal and natural persons. Then extend that research on to the geographic basis issue. A small group of us can contribute to the terms of reference for this research after the initial report is issued. 
Here is my rationale for this recommendation: 1) The various arguments laid out in all these emails on this list make the case themselves for the need to do research. For example, if the ICO says that processors can rely on data subject-provided information, does that mean that personal information mistakenly disclosed can be published without liability? We don’t know. We are setting up this and other questions for DPAs. Isn’t that … research? There are other scenarios in the emails that will take research to sort through: whether ccTLD experiences are relevant, or whether a registrant boarding a train and leaving the EU for China while another registrant boarding a ferry for Marseilles will both be protected by GDPR. All this takes research to sort out. Nearly all of the emails on this list have to do with scenarios in support of one position or another - but all need to be studied in order for us to determine if and how distinctions can be made. 2) Many of the arguments laid out are conclusory or without authority. I don’t think the research can have a preordained outcome. To make one point for each line of thinking: a) In the case of natural vs legal data subjects, some seek to build in an implementation plan without knowing if or to what degree a solution is implementable b) In the case of Geographical distinctions between registrants, some are stating that such a distinction is categorically unimplementable without authority or evidence provided. I think the “truth will out” on these questions and we should not try to push research or our arguments to a pre-ordained outcome. 3) This will provide time to take the effects of existing laws in other jurisdictions into account - if that is deemed desirable. 4) This will take this discussion out of the critical path of finishing our reports, without leaving a blank. 5) The results of the research still must be considered by this team (or its successor) and a consensus derived. 
Research informs policy; it does not create policy. 6) If we agree to this approach, we can start the research now. If we temporize, there will be little done that will resolve this issue set over the next few months. Taking action in an attempt to understand all the complexity is the responsible thing to do. 7) These are complicated questions and research-based policy-making is required to answer them. How do we meet the timeline and still act in a thorough, detailed manner? By launching research and, in the meantime, going back to the rest of our questions. Whatever our policy conclusions are, even if we are deadlocked in several months time, we should be informed by information garnered from DPAs and other sources. The only other recommendation: Memorialize the differences between the two sides on each of the two issues, explaining the arguments for each and asking for public comment on these issues. Here is my rationale for and against this recommendation: 1) It will allow us to publish the initial report and, properly framed, can garner specific public comment. However, other factors really argue against maintaining the current status and not taking some action: 2) In the time allotted for public comment, no commenter will be able to perform any meaningful research either. There might be reference to a study that partially informs our work, but not a dispositive study. At the end of the comment period, we are likely to be in the same place. 3) It is hard to see how the public comment will differ from our discussion, in this list, to date. 4) Even if we take the preferred research path above, we can still conduct the comment period on the current position of the parties. 5) If we have no outcome on this issue, the result, to me, is unknown and represents a risk to all parties at the table. Conclusion I thought it was remarkable that we came together and agreed to undertake this research on this difficult topic. 
It was a significant, meaningful compromise that embodied our reason for being here. I don’t see anything in all the emails that indicate another compromise is possible unless that discussion is informed with significant, new information. I believe the appropriate path for this group is to recognize the differences cannot be resolved without something new and to take this path. Talk to you soon and best regards, Kurt
On Nov 5, 2018, at 4:38 PM, Mark Svancarek (CELA) via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Sorry for being dense, I still have questions.
It is not surprising that the addition of a new process step would generate short term inefficiencies. It’s 5 years later – are the verification rates improved from 2014? How would an optional “let me self-identify as a corporation” capability be likely to cause verification disruptions?
/marksv
From: James M. Bladel <jbladel@godaddy.com> Sent: Monday, November 5, 2018 13:28 To: Mark Svancarek (CELA) <marksv@microsoft.com>; gnso-epdp-team@icann.org Subject: Re: Contracted Parties and Small Teams #1 and #2
Mark –
Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives”
Here’s some coverage of that data at the time. https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due...
Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted.
It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale.
J.
------------- James Bladel GoDaddy
From: "Mark Svancarek (CELA)" <marksv@microsoft.com> Date: Monday, November 5, 2018 at 15:14 To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: RE: Contracted Parties and Small Teams #1 and #2
James, can you clarify this:
“many of whom could lose access to their registrations.”
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. Bladel Sent: Monday, November 5, 2018 10:57 To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2
ePDP Colleagues and WG Leadership -
This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report.
We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas.
Our concerns involve:
Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties.
Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error.
Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations.
Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such an obligations, exclusively for the benefit of unburdened third parties.
Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts.
As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations.
Thank you,
J.
------------- James Bladel GoDaddy
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
I applaud the concept of research. Scoping it will be difficult because we don't agree at all about the questions we are asking. I would remind you that as far as NCSG is concerned, ICANN must comply with all data protection law, not just the GDPR. This adds complexity to the jurisdictional questions, as laws vary in how they manage cross border issues. Secondly, just a reminder that on top of the various questions that have been raised about distinguishing between natural persons and legal persons for the purposes of data protection law, we believe that a great many entities are entitled to confidentiality to protect their charter protected status...as religious groups, political groups, gender based support groups, etc. Stephanie Perrin On 2018-11-05 20:44, Kurt Pritz wrote: Hi Everyone: After all of this thought and writing, I think we have two paths forward that are relatively straightforward to describe. Rather than recap the arguments made here, I will just go right into my recommendations for next step and why. The Support Team will follow this with a better summation of what has transpired and how that leads to the recommendations below. It is clear that camps within our team are at loggerheads with regard to how geographic basis and natural v legal persons should be handled within the proposed policy recommendations. Current situation and recent developments: Coming out of the small group meeting #1 during a teleconference, there was an agreement in principle that it was necessary to perform research in order to inform the policy discussion regarding the feasibility of differentiating between legal and natural persons. That agreement survived its initial introduction into the whole team where the comments centered around: (1) the adjectives used to describe the sense of urgency concerning the work, and (2) sharpening the detail regarding steps to be taken after the research. 
(There was never an agreement about how to proceed regarding differentiation of data subjects based on geographical considerations.) Starting Friday, substantial markups to the legal v natural agreement on doing research initiated this current three-day email chain. Preferred Recommendation (there are two): Go back to the agreement in principle that was reached in the small team with representatives from all groups to undertake research to determine if, how and to what extent we can distinguish between legal and natural persons. Then extend that research on to the geographic basis issue. A small group of us can contribute to the terms of reference for this research after the initial report is issued. Here is my rationale for this recommendation: 1) The various arguments laid out in all these emails on this list make the case themselves for the need to do research. For example, if the ICO says that processors can rely on data subject-provided information, does that mean that personal information mistakenly disclosed can be published without liability? We don’t know. We are setting up this and other questions for DPAs. Isn’t that … research? There are other scenarios in the emails that will take research to sort through: whether ccTLD experiences are relevant, or whether a registrant boarding a train and leaving the EU for China while another registrant boarding a ferry for Marseilles will both be protected by GDPR. All this takes research to sort out. Nearly all of the emails on this list have to do with scenarios in support of one position or another - but all need to be studied in order for us to determine if and how distinctions can be made. 2) Many of the arguments laid out are conclusory or without authority. I don’t think the research can have a preordained outcome. 
To make one point for each line of thinking: a) In the case of natural vs legal data subjects, some seek to build in in an implementation plan without knowing if or to what degree a solution is implementable b) In the case of Geographical distinctions between registrants, some are stating that such a distinction is categorically unimplementable without authority or evidence provided. I think the “truth will out” on these questions and we should not try to push research or our arguments to a pre-ordained outcome. 3) This will provide time to take the effects of existing laws in other jurisdictions into account - if that is deemed desirable. 4) This will take this discussion out of the critical path of finishing our reports, without leaving a blank. 5) The results of the research still must be considered by this team (or its successor) and a consensus derived. Research informs policy; it does not create policy. 6) If we agree to this approach, we can start the research now. If we temporize, there will be little done that will resolve this issue set over the next few months. Taking action in an attempt to understand all the complexity is the responsible thing to do. 7) These are complicated questions and research-based policy-making is required to answer them. How do we meet the timeline and still act in a thorough, detailed manner? By launching research and, in the meantime, going back to the rest of our questions. Whatever our policy conclusions are, even if we are deadlocked in several months time, we should be informed by information garnered from DPAs and other sources. The only other recommendation: MemorialIze the differences between the two sides on each of the two issues, explaining the arguments for each and asking for public comment on these issues. Here is my rationale for and against this recommendation: 1) It will allow us to publish the initial report and, properly framed, can garner specific public comment. 
However, other factors really argue against maintaining the current status and not taking some action:
2) In the time allotted for public comment, no commenter will be able to perform any meaningful research either. There might be reference to a study that partially informs our work, but not a dispositive study. At the end of the comment period, we are likely to be in the same place.
3) It is hard to see how the public comment will differ from our discussion, in this list, to date.
4) Even if we take the preferred research path above, we can still conduct the comment period on the current position of the parties.
5) If we have no outcome on this issue, the result, to me, is unknown and represents a risk to all parties at the table.
Conclusion
I thought it was remarkable that we came together and agreed to undertake this research on this difficult topic. It was a significant, meaningful compromise that embodied our reason for being here.
I don’t see anything in all the emails that indicates another compromise is possible unless that discussion is informed with significant, new information. I believe the appropriate path for this group is to recognize the differences cannot be resolved without something new and to take this path.
Talk to you soon and best regards,
Kurt
On Nov 5, 2018, at 4:38 PM, Mark Svancarek (CELA) via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Sorry for being dense, I still have questions.
1. It is not surprising that the addition of a new process step would generate short term inefficiencies. It’s 5 years later – are the verification rates improved from 2014?
2. How would an optional “let me self-identify as a corporation” capability be likely to cause verification disruptions?
/marksv
From: James M. Bladel <jbladel@godaddy.com>
Sent: Monday, November 5, 2018 13:28
To: Mark Svancarek (CELA) <marksv@microsoft.com>; gnso-epdp-team@icann.org
Subject: Re: Contracted Parties and Small Teams #1 and #2
Mark –
Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives”. Here’s some coverage of that data at the time.
https://domainnamewire.com/2014/06/24/over-800000-domain-names-suspended-due-to-2013-raa/
Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted.
It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale.
J.
-------------
James Bladel
GoDaddy
From: "Mark Svancarek (CELA)" <marksv@microsoft.com>
Date: Monday, November 5, 2018 at 15:14
To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: RE: Contracted Parties and Small Teams #1 and #2
James, can you clarify this: “many of whom could lose access to their registrations.”
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. Bladel
Sent: Monday, November 5, 2018 10:57
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2
ePDP Colleagues and WG Leadership -
This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report. We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas.
Our concerns involve:
* Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties.
* Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error.
* Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations.
* Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such obligations, exclusively for the benefit of unburdened third parties.
* Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts.
As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations.
Thank you,
J.
-------------
James Bladel
GoDaddy
_______________________________________________
Gnso-epdp-team mailing list
Gnso-epdp-team@icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Following on from Kurt’s message, please find hereby the proposed language for inclusion in the Initial Report. Attached is the document that would be linked so that those interested would be able to review the different perspectives and proposals put forward.
h3) Should Contracted Parties be allowed or required to treat legal and natural persons differently, and what mechanism is needed to ensure reliable determination of status?
h4) Is there a legal basis for Contracted Parties to treat legal and natural persons differently?
h5) What are the risks associated with differentiation of registrant status as legal or natural persons across multiple jurisdictions? (See EDPB letter of 5 July 2018).
The EPDP Team discussed these questions extensively (see [include link to attached document which includes the different proposals]) and although the EPDP Team agrees that Contracted Parties should be allowed to treat legal and natural persons differently, the EPDP Team did not agree on whether this should be required and/or what further steps could or should be undertaken to determine what mechanism is needed to ensure reliable determination of status.
The EPDP Team further agrees under GDPR there is a legal basis to treat legal and natural persons differently, but does not agree on whether that means Contracted Parties should be required to do so, or whether the challenges and legal risks involved in doing so result in leaving this optional. Similarly, the EPDP Team discussed the implication of other data protection regimes which could have different requirements that impact both natural and/or legal persons that would need to be factored in.
The EPDP Team identified a number of risks, including:
* While legal persons don’t have the same protections under GDPR, natural persons employed by a legal person (and who may be designated as the registrant, admin or technical contact) are still natural persons enjoying rights and protections under GDPR. Some noted that this risk may be minimized through clear explanatory language beneath each field when filling in data fields within domain name registrations.
* There may be situations in which it can be difficult to separate the data of natural persons from that of legal persons. This can be the case, for example, if the legal person is a sole proprietorship, if the name of a person appears in the company’s name, if the business address is a natural person’s residence, or if an email address is assigned to a single individual (“john.doe@company.example.com” as opposed to “info@company.example.com”). The EPDP has discussed whether this risk may be somewhat mitigated through educational resources. Some in the EPDP Team expressed caution, as a stated necessity to rely on educational resources may not be considered to be compatible with the concepts of privacy by default or privacy by design, i.e. where additional ‘educational resources’ are deemed necessary, the process itself is likely not established or presented in a sufficiently clear manner.
To help further inform the EPDP Team’s deliberations on this topic as the team works towards a Final Report, the EPDP Team would like to request that GDD staff, who will design the implementation of these policy recommendations, commence research by investigating how ccTLDs and contracted parties currently distinguish between natural and legal persons to inform the EPDP Team.
In addition, the EPDP Team would like to request input on the following questions in relation to this topic:
* Are there examples from other industries or areas, e.g. ccTLDs, where a mechanism has been successfully developed and implemented to distinguish between natural and legal persons, factoring in some of the challenges identified above?
* Should the EPDP Team decide to recommend requiring distinguishing between natural and legal persons, how should implementation be carried out, especially considering legacy registrations?
* Should the EPDP Team decide to recommend that further research is undertaken, beyond the information that GDD staff may encounter, what and how should this research be carried out?
* (For the EDPB) If registrars allow registrants to self-identify at the time as a natural or legal person, who will be held liable if the registrant incorrectly self-identifies and personal information is publicly displayed? Apart from self-identification, are there any other ways in which risk of liability could be mitigated by registrars?
The research requested and input on these charter questions will help the EPDP Team further analyze if it is possible and desirable to make this distinction in the context of domain name registrations, in a manner that is commercially reasonable, implementable and does not result in unreasonable liability for contracted parties.
Best regards,
Caitlin, Berry and Marika
Hi Kurt,
Respectfully, I’d like to offer a different take on where we are, and how we arrived at this point on these two topics.
Speaking for myself, I’ve participated in one of the two Small Teams in question, and my understanding was not that the output of the Small Teams would in any way represent a consensus among those who participated in them. Rather, it was my understanding that the output would be illustrative of all the views expressed, and that these views would be shared with the EPDP Team in its entirety for further reflection and deliberation.
Following up on that understanding, the NCSG submitted its thoughts on the outputs of these two Small Teams, as well as its view on what changes are deemed desirable in the context of what should be included in the initial report. Other groups have clearly gone through the same exercise, and I, at the risk of being mistaken, assume that they had similar understandings as we did.
As an example, the Small Team working on legal vs natural recommended that research should be pursued by GDD staff, who would be responsible for implementing whatever Consensus Policies resulted from the EPDP Team’s work, and that this research should be used to inform additional discussion on the topic by the EPDP Team. I don’t believe that this was, in any way, reflective of a consensus to proceed with this recommendation among the Small Team members. To me, it was only an acknowledgement that this view was expressed, discussed, and subsequently required consideration by the whole team.
Recommendation #12 in the draft initial report says that “The distinction between legal and natural persons is useful and necessary for GDPR and some other data protection laws”. Members of the NCSG have already expressed disagreement with the truth in this while we were in Barcelona, so it should come as no surprise that we still disagree with it now. Furthermore, the recommendation to conduct the research seems to be based on the validity of this statement; not to inform further discussion on its adoption, but rather to better inform us on potential implementation measures similar to some ccTLDs and Contracted Parties. The NCSG attempted to reassert our view on this (because it wasn’t the first time we brought it up) with our formal input to the EPDP Team on this issue last Friday.
Kurt, procedurally, I believe that your “The only other recommendation” is the right path to pursue, and the “Preferred Recommendation” is not. “The only other recommendation” would allow all views expressed to be presented in the initial report, while not making a recommendation on which there is clearly no consensus (noting that there has been no formal consensus call made).
At some point, we will need to hold consensus calls on these 2 issues, and when that time comes, the EPDP Team should not make recommendations concerning potential new obligations on Contracted Parties on which there is divergence from the EPDP Team members involved.
I do agree that public comments we receive in response to the initial report being published are unlikely to yield new input, but we’ll need to wait and see. In the meantime, I don’t believe the “Preferred Recommendation” is accurately descriptive of the general sentiment on the EPDP Team. “The only other recommendation” seems like a better fit to me.
Thanks.
Amr
On Nov 6, 2018, at 3:44 AM, Kurt Pritz <kurt@kjpritz.com> wrote:
Hi Everyone:
After all of this thought and writing, I think we have two paths forward that are relatively straightforward to describe. Rather than recap the arguments made here, I will just go right into my recommendations for next steps and why. The Support Team will follow this with a better summation of what has transpired and how that leads to the recommendations below.
It is clear that camps within our team are at loggerheads with regard to how geographic basis and natural v legal persons should be handled within the proposed policy recommendations.
Current situation and recent developments:
Coming out of the small group meeting #1 during a teleconference, there was an agreement in principle that it was necessary to perform research in order to inform the policy discussion regarding the feasibility of differentiating between legal and natural persons. That agreement survived its initial introduction into the whole team where the comments centered around: (1) the adjectives used to describe the sense of urgency concerning the work, and (2) sharpening the detail regarding steps to be taken after the research. (There was never an agreement about how to proceed regarding differentiation of data subjects based on geographical considerations.)
Starting Friday, substantial markups to the legal v natural agreement on doing research initiated this current three-day email chain.
Preferred Recommendation (there are two):
Go back to the agreement in principle that was reached in the small team with representatives from all groups to undertake research to determine if, how and to what extent we can distinguish between legal and natural persons. Then extend that research on to the geographic basis issue. A small group of us can contribute to the terms of reference for this research after the initial report is issued.
Here is my rationale for this recommendation:
1) The various arguments laid out in all these emails on this list make the case themselves for the need to do research.
For example, if the ICO says that processors can rely on data subject-provided information, does that mean that personal information mistakenly disclosed can be published without liability? We don’t know. We are setting up this and other questions for DPAs. Isn’t that … research?
There are other scenarios in the emails that will take research to sort through: whether ccTLD experiences are relevant, or whether a registrant boarding a train and leaving the EU for China while another registrant boarding a ferry for Marseilles will both be protected by GDPR. All this takes research to sort out.
Nearly all of the emails on this list have to do with scenarios in support of one position or another - but all need to be studied in order for us to determine if and how distinctions can be made.
2) Many of the arguments laid out are conclusory or without authority. I don’t think the research can have a preordained outcome. To make one point for each line of thinking:
a) In the case of natural vs legal data subjects, some seek to build in an implementation plan without knowing if or to what degree a solution is implementable
b) In the case of Geographical distinctions between registrants, some are stating that such a distinction is categorically unimplementable without authority or evidence provided.
I think the “truth will out” on these questions and we should not try to push research or our arguments to a pre-ordained outcome.
3) This will provide time to take the effects of existing laws in other jurisdictions into account - if that is deemed desirable.
4) This will take this discussion out of the critical path of finishing our reports, without leaving a blank.
5) The results of the research still must be considered by this team (or its successor) and a consensus derived. Research informs policy; it does not create policy.
6) If we agree to this approach, we can start the research now. If we temporize, there will be little done that will resolve this issue set over the next few months. Taking action in an attempt to understand all the complexity is the responsible thing to do.
7) These are complicated questions and research-based policy-making is required to answer them. How do we meet the timeline and still act in a thorough, detailed manner? By launching research and, in the meantime, going back to the rest of our questions. Whatever our policy conclusions are, even if we are deadlocked in several months’ time, we should be informed by information garnered from DPAs and other sources.
The only other recommendation:
Memorialize the differences between the two sides on each of the two issues, explaining the arguments for each and asking for public comment on these issues.
Here is my rationale for and against this recommendation:
1) It will allow us to publish the initial report and, properly framed, can garner specific public comment.
However, other factors really argue against maintaining the current status and not taking some action:
2) In the time allotted for public comment, no commenter will be able to perform any meaningful research either. There might be reference to a study that partially informs our work, but not a dispositive study. At the end of the comment period, we are likely to be in the same place.
3) It is hard to see how the public comment will differ from our discussion, in this list, to date.
4) Even if we take the preferred research path above, we can still conduct the comment period on the current position of the parties.
5) If we have no outcome on this issue, the result, to me, is unknown and represents a risk to all parties at the table.
Conclusion
I thought it was remarkable that we came together and agreed to undertake this research on this difficult topic. It was a significant, meaningful compromise that embodied our reason for being here.
I don’t see anything in all the emails that indicates another compromise is possible unless that discussion is informed with significant, new information. I believe the appropriate path for this group is to recognize the differences cannot be resolved without something new and to take this path.
Talk to you soon and best regards,
Kurt
On Nov 5, 2018, at 4:38 PM, Mark Svancarek (CELA) via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Sorry for being dense, I still have questions.
- It is not surprising that the addition of a new process step would generate short term inefficiencies. It’s 5 years later – are the verification rates improved from 2014?
- How would an optional “let me self-identify as a corporation” capability be likely to cause verification disruptions?
/marksv
From: James M. Bladel <jbladel@godaddy.com>
Sent: Monday, November 5, 2018 13:28
To: Mark Svancarek (CELA) <marksv@microsoft.com>; gnso-epdp-team@icann.org
Subject: Re: Contracted Parties and Small Teams #1 and #2
Mark –
Shortly following the launch of the 2013 RAA’s requirements for WHOIS Verification, registrars noted that approx. 800,000 domains had been suspended in the first few months. The number continued to climb for a few years, and most were categorized as “false positives.”
Here’s some coverage of that data at the time.
Any program that depends on Registrant self-categorization, self-declaration, or receipt & acting upon a notice has a huge error factor. For GoDaddy in 2014, the RAA verification rate was in the high 70% or low 80%, meaning that service to tens of thousands of customers was delayed or disrupted.
It’s this experience that causes Contracted Parties (but particularly Registrars) to be skeptical of any requirement to just “send an email” or “have the Registrant check a box.” It doesn’t scale.
J.
-------------
James Bladel
GoDaddy
From: "Mark Svancarek (CELA)" <marksv@microsoft.com>
Date: Monday, November 5, 2018 at 15:14
To: "James M. Bladel" <jbladel@godaddy.com>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: RE: Contracted Parties and Small Teams #1 and #2
James, can you clarify this:
“many of whom could lose access to their registrations.”
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of James M. Bladel
Sent: Monday, November 5, 2018 10:57
To: gnso-epdp-team@icann.org
Subject: [Gnso-epdp-team] Contracted Parties and Small Teams #1 and #2
ePDP Colleagues and WG Leadership -
This morning, Registry and Registrar representatives met to discuss the status of potential recommendations from Small Group #1 (Legal vs. Natural) and Small Group #2 (Geographic Regions) in our Draft Initial Report.
We concluded that there are some legal bases supporting these distinctions under GDPR and other data protection laws, and note that our Initial Report supports this. However, we reiterate our numerous high-level concerns against making any Consensus Policy recommendations for contractual requirements in these areas.
Our concerns involve:
- Legal - Aside from GDPR, other data protection laws are less clear on the distinction between legal and natural persons. Future regulations may contain contrary requirements. Furthermore, data of legal entities may contain or consist of personal information of natural persons, which would be entitled to protection under the GDPR and similar data protection regimes. Likewise, the geographic distinctions also create uncertainties.
- Technical - Contracted Parties are uniquely situated to assess the current level of the technological means available to us, and it is our stated position that a technical basis to reliably and confidently make such a distinction does not exist. Especially because any distinction schema would be dependent upon Registrant Self-Identification, which is fraught with error.
- Commercial - Developing and deploying this technology will involve significant costs, which may be prohibitive for smaller organizations and a barrier to market entry. Regardless of whether the distinction(s) are applied to new registrations or legacy domain names, it would be a logistical nightmare for Contracted Parties, and a source of confusion for Registrants, many of whom could lose access to their registrations.
- Asymmetrical Risks vs. Benefits - Contracted Parties would assume all regulatory risks of such obligations, exclusively for the benefit of unburdened third parties.
- Scope - The distinction between Legal and Natural persons, or geographic regions, does not currently exist in the Domain Name System. Therefore, any recommendation mandating this change is outside the scope of the ePDP, and possibly the “picket fence” of Registrar and Registry contracts.
As a result, and for the avoidance of doubt, Contracted Parties oppose/reject any recommendations for new contractual requirements in the ePDP Draft Initial Report, and will remain opposed to these recommendations as we move towards final recommendations.
Thank you,
J.
-------------
James Bladel
GoDaddy
participants (9)
- Alan Greenberg
- Amr Elsadr
- James M. Bladel
- Kurt Pritz
- Marika Konings
- Mark Svancarek (CELA)
- Matt Serlin
- Mueller, Milton L
- Stephanie Perrin