Thanks Mathew and Milton @RySG/BC representatives is it acceptable for you to drop the footnote and have everyone to "live with" this recommendation without the footnote? Best, Rafik Le mar. 28 juil. 2020 à 01:21, Mueller, Milton L <milton@gatech.edu> a écrit :

NCSG approves of the modified language, which is more generic (obligations of regulated entities). But we strongly object to the footnote being included. We have had no opportunity to review the EU NIS Directive legislation and its implications for disclosure or what it might commit ICANN to doing. During the consideration of this we asked for specific examples of what obligations we might be talking about and never got them. It's too late to include this now. We can accept item (iv) without the footnote. ------------------------------ *From:* Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Crossman, Matthew via Gnso-epdp-team <gnso-epdp-team@icann.org> *Sent:* Monday, July 27, 2020 11:54 AM *To:* gnso-epdp-team@icann.org <gnso-epdp-team@icann.org> *Subject:* [Gnso-epdp-team] Requestor Purpose - Rec 7

Hi team,

As an update, Margie, Brian, and I worked on a compromise for the Rec 7 language on Requestor Purposes. We agreed on the following edit to 7.1(a):

*7.1(a)*

Requestors MUST submit data disclosure requests for specific purposes such as but not limited to: but not limited to: (i) criminal law enforcement, national or public security, (ii) non law enforcement investigations and civil claims, including, intellectual property infringement and UDRP and URS claims, (iii) consumer protection, abuse prevention, and network security, and (iv) obligations applicable to regulated entities.[1] <#m_9205616789594008789_x__ftn1> Requestors MAY also submit data verification requests on the basis of Registered Name Holder (RNH) consent that has been obtained by the Requestor (and is at the sole responsibility of that Requestor), for example to validate the RNH’s claim of ownership of a domain name registration, or contract with the Requestor.

(Footnote below)

1 For example, the EU Directive on security of network and information systems (known as the NIS Directive) imposes specific obligations on Digital Service Providers and Operators of Essential Services.

With these changes this is no longer a CLW item for the RySG. Let us know if this new language causes any concern for other groups.

Thanks, Matt

*Matthew Crossman* | *Amazon* Corporate Counsel gTLD Registry, IP

P: 206-266-1103 | C: 530-574-2956

Email: mmcross@amazon.com

------------------------------

[1] <#m_9205616789594008789_x__ftnref1> This approach is very similar to the business model ARSI had previously discussed with the Author Central Pro teams for the .AUTHOR TLD. _______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi, I don’t think we’ve discussed it enough, and am not sure what the relevance of adding the reference. Regulated entities can use the SSAD, same as anyone else, will require a legitimate interest just like any other SSAD user, and the CPs being asked to disclose data will need a legal basis to disclose registration data to the regulated entity, just like they would with any other SSAD user. If all that is being sought is an example of regulation making entities regulated, would (just for the sake of argument) it be ok to replace the NIS with HIPAA? The thing is, it isn’t clear to us how the footnote “allows these entities to request disclosure of redacted data to enable them to comply with their obligations under the NIS”. I would assume that this is perfectly possible without the footnote, so what gives? Clearly, we haven’t discussed this nearly as much as we should have. Thanks. Amr

On Jul 28, 2020, at 8:30 PM, Margie Milam via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:

Hi-

Regarding the footnote – we need to retain the footnote since it gives a concrete example of what we mean by regulated companies, and, more importantly, it avoids confusion later that a digital service provider is not a regulated company for the purposes of Rec 7.

We’ve discussed the NIS directive as it applies to digital service providers numerous times, and have referred the team to the description[here:](https://ico.org.uk/for-organisations/the-guide-to-nis/digital-service-provid...) Examples of the types of obligations are listed here:https://ico.org.uk/for-organisations/the-guide-to-nis/key-concepts-and-defin.... These pages describe how theNIS requires these types of organizations to have sufficient security to prevent any action that compromises either the data they store, or any related services they provide. This proactive requirement doesn’t commit ICANN to do anything specific related the NIS but allows these entities to request disclosure of redacted data to enable them to comply with their obligations under the NIS.

All the best,

Margie

From:Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Rafik Dammak <rafik.dammak@gmail.com> Date:Monday, July 27, 2020 at 11:52 PM To:"Mueller, Milton L" <milton@gatech.edu> Cc:"gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject:Re: [Gnso-epdp-team] Requestor Purpose - Rec 7

Thanks Mathew and Milton

@RySG/BC representatives is it acceptable for you to drop the footnote and have everyone to "live with" this recommendation without the footnote?

Best,

Rafik

Le mar. 28 juil. 2020 à 01:21, Mueller, Milton L <milton@gatech.edu> a écrit :

...

NCSG approves of the modified language, which is more generic (obligations of regulated entities). But we strongly object to the footnote being included. We have had no opportunity to review the EU NIS Directive legislation and its implications for disclosure or what it might commit ICANN to doing. During the consideration of this we asked for specific examples of what obligations we might be talking about and never got them. It's too late to include this now. We can accept item (iv) without the footnote.

---------------------------------------------------------------

From:Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Crossman, Matthew via Gnso-epdp-team <gnso-epdp-team@icann.org> Sent:Monday, July 27, 2020 11:54 AM To:gnso-epdp-team@icann.org<gnso-epdp-team@icann.org> Subject:[Gnso-epdp-team] Requestor Purpose - Rec 7

Hi team,

As an update, Margie, Brian, and I worked on a compromise for the Rec 7 language on Requestor Purposes. We agreed on the following edit to 7.1(a):

7.1(a)

Requestors MUST submit data disclosure requests for specific purposes such as but not limited to: but not limited to: (i) criminal law enforcement, national or public security, (ii) non law enforcement investigations and civil claims, including, intellectual property infringement and UDRP and URS claims,(iii) consumer protection, abuse prevention, and network security, and (iv) obligations applicable to regulated entities.[][1](x-msg://5/#m_9205616789594008789_x__ftn1)Requestors MAY also submit data verification requests on the basis of Registered Name Holder (RNH) consent that has been obtained by the Requestor (and is at the sole responsibility of that Requestor), for example to validate the RNH’s claim of ownership of a domain name registration, or contract with the Requestor.

(Footnote below)

1 For example, the EU Directive on security of network and information systems (known as the NIS Directive) imposes specific obligations on Digital Service Providers and Operators of Essential Services.

With these changes this is no longer a CLW item for the RySG. Let us know if this new language causes any concern for other groups.

Thanks, Matt

Matthew Crossman|Amazon Corporate Counsel gTLD Registry, IP

P: 206-266-1103 | C: 530-574-2956

Email:mmcross@amazon.com

---------------------------------------------------------------

[][1](x-msg://5/#m_9205616789594008789_x__ftnref1)This approach is very similar to the business model ARSI had previously discussed with the Author Central Pro teams for the .AUTHOR TLD.

_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org [https://mm.icann.org/mailman/listinfo/gnso-epdp-team](https://urldefense.proofpoint.com/v2/url?u=https-3A__mm.icann.org_mailman_listinfo_gnso-2Depdp-2Dteam&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=f40qXENVwTNlHaI3M3teHJv_-eTQbKL7yJarKwfvn3A&s=6X1FwkRZ2KxhtmfyU3Ndk1tLjP1ofTsGjuyEmOyppyo&e=) _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy ([https://www.icann.org/privacy/policy](https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_policy&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=f40qXENVwTNlHaI3M3teHJv_-eTQbKL7yJarKwfvn3A&s=sOyjkCW5ErH-zqC67ds8MhFCp-dYrE_oiH5Tmq6nmf8&e=)) and the website Terms of Service ([https://www.icann.org/privacy/tos](https://urldefense.proofpoint.com/v2/url?u=https-3A__www.icann.org_privacy_tos&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=_4XWSt8rUHZPiRG6CoP4Fnk_CCk4p550lffeMi3E1z8&m=f40qXENVwTNlHaI3M3teHJv_-eTQbKL7yJarKwfvn3A&s=oB13Y4B3b0nGxJ7TpDWHafSmV6Qf7FE8zbFKWFAzahk&e=)). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.