Revised Recommendations for (Final) Review - with attachments
Hello Everyone:

Thanks again for your perseverance. And - thank you in advance for your spirit of cooperation and compromise in considering the attached. We have spent the last few days reviewing the transcripts and other records of our recent discussions and then amending the Final Report Recommendations - taking into account the Initial Report Recommendations, the small team work, the conclusions in Toronto and these last several meetings.

The Recommendations included here are:

Recommendation 5 - Data elements to be transferred from Registrars to Registries
Recommendation 10 - Email communication
Recommendation 12 - Reasonable Access
Recommendation 14 - Responsible Parties

[Not included are Rec. 13 (sent earlier) and Rec. 11 and the Research Purpose (to be sent tomorrow).]

Each of these documents has a brief foreword containing a description of the pertinent discussion and an explanation for choosing the wording in the Recommendations. They each then contain the Recommendation as originally written and a redline of the proposed recommendation based on the most recent discussions. Please read the entire documents (they are not long), and not just the recommendation itself.

I am certainly not asking for you to stand silently by if you disagree with these Recommendations because they would negatively impact GDPR compliance. I am asking that you study the balancing that went into this and be ready to accept wording in cases where it does not match your own choice.

Please review with your groups and return to us by Monday so that we can put any of these on the Tues/Wed/Thur agendas.

Sincerely,
Kurt
Dear Kurt
Tks
Will revert to you soon
Kavouss

On Fri, Feb 1, 2019 at 5:32 AM Kurt Pritz <kurt@kjpritz.com> wrote:
[...]
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Hi again everyone:

In a followup to yesterday’s email that proposed conclusions to four Recommendations, I am writing to provide one more. This Recommendation incorporates the Team’s latest verbally developed conclusions on the “Research Purpose.”

As with the memoranda furnished yesterday, this one provides a brief summary of the latest discussion and then follows with proposed Final Report language: (1) a narrative describing the group discussion, and (2) an amended Recommendation - i.e., amended from the Initial Report version of the Recommendation.

As mentioned in the earlier emails, please review this revised wording with your groups and return to us by Monday 4 Feb if you believe a region or additional discussion is required - so that we can put this topic on the Tues/Wed/Thur agendas. Let me know if you have any questions, procedural or substantive.

I have one more paper to deliver to you - Recommendation 11 Data Retention.

Thanks again and best regards,
Kurt
Begin forwarded message:
From: Kurt Pritz <kurt@kjpritz.com>
Subject: Revised Recommendations for (Final) Review - with attachments
Date: January 31, 2019 at 8:31:45 PM PST
To: EPDP <gnso-epdp-team@icann.org>
[...]
Thank you Kurt.

I have a couple of points to make about the research purpose, in the report you mention that:

"The team continued to discuss the so-called purpose O. The Team agreed that, to include such a purpose, we would require: some expression from ICANN (and OCTO in particular), that personal data was necessary to carry out OCTO’s mission, and"

*FB:* OCTO has said it does not need personal data for its research for now. While OCTO clearly said it does not need personal information to carry out its mission, how did we come to the conclusion that we need some expression from ICANN (and OCTO) in particular that personal data is necessary? Are we going to ask OCTO again? I have copy pasted their response at the end of this email.

[...]

The discussion led to the preliminary conclusions that, *it was unclear*: whether OCTO required the use of personal data in its work

*FB:* There is nothing unclear for now. OCTO has clearly said (as I cited them in various shape and form) that at the present they do not need personal information. In fact, as Benedict has been saying they will never need personal information for research. What they might need (in the future but *not now*) is hashed personal data. To process that, some argue that, research should be an ICANN purpose. But there were objections to the speculative nature of this purpose. As some said during the meeting we cannot speculate what might be needed in the future for research. This observation needs to be recorded.

*Solution?* I think what should be discussed if the team wants to discuss in phase 2 is: is it legal to have purposes for processing data for *future "research"* that might need disclosure of *hashed* data (pseudonymized data)? Can the group reach consensus over having a purpose of speculative nature?

***

Link: https://community.icann.org/display/EOTSFGRD/Input+from+ICANN+Org

OCTO's response:

Also, in discussions that the EPDP Team has had regarding purposes, ICANN Office of the CTO (OCTO) has been mentioned. To inform the EPDP Team’s continued discussion on this topic, ICANN Org would like to *clarify that ICANN OCTO does not require personal data in domain name registration data for its work.* For example, OCTO’s Domain Abuse Activity Reporting (DAAR) project <https://www.icann.org/octo-ssr/daar> uses only the registrar and nameserver information.

Farzaneh

On Fri, Feb 1, 2019 at 5:32 PM Kurt Pritz <kurt@kjpritz.com> wrote:
[...]
Dear All,

We are up to the teeth on work before finalizing the Final Report.

Notwithstanding the need or otherwise "Purpose O", my question is do we really need to conclude on that? Does it have a priority within the framework of GDPR, Phase 1 (Current EPDP work)? If not, stop discussion and postpone it to later stage, perhaps Phase 2 or later.

Regards
Kavouss

On Sun, Feb 3, 2019 at 6:25 AM farzaneh badii <farzaneh.badii@gmail.com> wrote:
[...]
To Alan and Farzaneh:

Thanks for your comments. I believe I am in agreement with both of you but perhaps did not choose my words as carefully as I could have.

To Alan:

I agree that if there is a need to furnish data for an ICANN research purpose at some future point that it should be able to be done on short notice. I was thinking that we need some kind of signal - any kind of signal from OCTO that they are for this purpose also. It seems somewhat incongruous that some on the team are recommending this ‘purpose’ while OCTO is seemingly saying we don’t need it. I agree with you that the better answer would have been, “we don’t need it yet,” in order to give the proponents of this purpose a place to stand. My intent was that the Phase 2 discussion would provide time to have that discussion with ICANN and come to that understanding.

Can we modify the addition at the end (“and the expression for the need of such data by ICANN”) to make that intent more clear? To me, it does not matter whether that sentence is included as I think ICANN will have to step up and support the Research Purpose if it is going to be included.

Maybe, “and the expression for the need of such data by ICANN,” becomes, “and the need for ICANN research as a purpose for processing registration data is supported by ICANN.”

To Farzaneh:

Yes, I think the letter from OCTO was clear. My characterization of uncertainty went to future need as Alan stated. I think the group might address the speculative issue by requiring that each request or set of requests pass the Art 6(1)f tests. (To Alan, that does not mean that the request can be satisfied on short notice. The ICANN request for data should be accompanied by the necessary demonstration and principles of data minimization and the like are satisfied.)

Perhaps the following should be reworded in some way:

So that, “it was unclear … whether OCTO required the use of personal data in its work.”

becomes, “OCTO has not yet made it clear whether it supports such a purpose,” or something like that.

Would these rewordings resolve the concerns raised?

At the end of the day, we need more time (i.e., Phase 2) to understand some legal issues and to have a conversation with ICANN regarding their appetite for processing data for a research purpose. I think a wide range of wording would preserve all the arguments that can be made.

Best regards,
Kurt
On Feb 2, 2019, at 9:24 PM, farzaneh badii <farzaneh.badii@gmail.com> wrote:
[...]
I agree with Farzaneh that OCTO's advice must be recorded in the final report. I have not been able to touch base with NCSG colleagues just yet to run this language past them, but given our tight time frame, I have taken the liberty of suggesting some edits to the text in track changes that I hope fairly capture and address the concerns raised in this thread. Please find attached; of course, I defer to Farzaneh to correct me if I have captured anything here incorrectly.

Ayden

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, February 4, 2019 8:10 PM, Kurt Pritz <kurt@kjpritz.com> wrote:
To Alan and Farzaneh:
Thanks for your comments. I believe I am in agreement with both of you but perhaps did not choose my words as carefully as I could have.
To Alan:
I agree that if there is a need to furnish data for an ICANN research purpose at some future point that it should be able to be done on short notice. I was thinking that we need some kind of signal - any kind of signal from OCTO that they are for this purpose also. It seems somewhat incongruous that some on the team are recommending this ‘purpose’ while OCTO is seemingly saying we don’t need it. I agree with you that the better answer would have been, “we don’t need it yet,” in order to give the proponents of this purpose a place to stand. My intent was that the Phase2 discussion would provide time to have that discussion with ICANN and come to that understanding.
Can we modify the addition at the end ("and the expression for the need of such data by ICANN”) to make that intent more clear? To me, it does not matter whether that sentence is included as I think ICANN will have to step up and support the Research Purpose if it is going to be included.
Maybe, "and the expression for the need of such data by ICANN,” becomes, “and the need for ICANN research as a purpose for processing registration data is supported by ICANN."
To Farzaneh:
Yes, I think the letter from OCTO was clear. My characterization of uncertainty went to future need as Alan stated. I think the group might address the speculative issue by requiring that each request or set of requests pass the Art 6(1)f tests. (To Alan, that does not mean that the request can be satisfied on short notice. The ICANN request for data should be accompanied by the necessary demonstration and principles of data minimization and the like are satisfied.)
Perhaps the following should be reworded in some way:
So that, "it was unclear … whether OCTO required the use of personal data in its work.”
becomes, “OCTO has not yet made it clear whether it supports such a purpose,” or something like that.
Would these rewordings resolve the concerns raised?
At the end of the day, we need more time (i.e., Phase 2) to understand some legal issues and to have a conversation with ICANN regarding their appetite for processing data for a research purpose. I think a wide range of wording would preserve all the arguments that can be made.
Best regards,
Kurt
On Feb 2, 2019, at 9:24 PM, farzaneh badii <farzaneh.badii@gmail.com> wrote:
Thank you Kurt.
I have a couple of points to make about the research purpose, in the report you mention that:
"The team continued to discuss the so-called purpose O. The Team agreed that, to include such a purpose, we would require: some expression from ICANN (and OCTO in particular), that personal data was necessary to carry out OCTO’s mission, and"
FB: OCTO has said it does not need personal data for its research for now. While OCTO clearly said it does not need personal information to carry out its mission, how did we come to the conclusion that we need some expression from ICANN (and OCTO) in particular that personal data is necessary? Are we going to ask OCTO again? I have copy pasted their response at the end of this email.
[...]
The discussion led to the preliminary conclusions that, it was unclear: whether OCTO required the use of personal data in its work
FB: There is nothing unclear for now. OCTO has clearly said (as I cited them in various shape and form) that at the present they do not need personal information. In fact, as Benedict has been saying they will never need personal information for research. What they might need (in the future but not now) is hashed personal data. To process that, some argue that, research should be an ICANN purpose. But there were objections to the speculative nature of this purpose. As some said during the meeting we cannot speculate what might be needed in the future for research. This observation needs to be recorded.
Solution? I think what should be discussed if the team wants to discuss in phase 2 is: is it legal to have purposes for processing data for future "research" that might need disclosure of hashed data (pseudonymized data)? can the group reach consensus over having a purpose of speculative nature?
*** Link: https://community.icann.org/display/EOTSFGRD/Input+from+ICANN+Org OCTO's response: Also, in discussions that the EPDP Team has had regarding purposes, ICANN Office of the CTO (OCTO) has been mentioned. To inform the EPDP Team’s continued discussion on this topic, ICANN Org would like to clarify that ICANN OCTO does not require personal data in domain name registration data for its work. For example, OCTO’s Domain Abuse Activity Reporting (DAAR) project <https://www.icann.org/octo-ssr/daar> uses only the registrar and nameserver information.
Farzaneh
On Fri, Feb 1, 2019 at 5:32 PM Kurt Pritz <kurt@kjpritz.com> wrote:
Hi again everyone:
In a followup to yesterday’s email that proposed conclusions to four Recommendations, I am writing to provide one more. This Recommendation incorporates the Team’s latest verbally developed conclusions on the “Research Purpose.
As with the memoranda furnished yesterday, this one provides a brief summary of the latest discussion and then follows with proposed Final Report language: (1) a narrative describing the group discussion, and (2) an amended Recommendation - i.e., amended from the Initial Report version of the Recommendation.
As mentioned in the earlier emails, please review this revised wording with your groups and return to us by Monday 4 Feb if you believe a region or additional discussion is require - so that we can put any this topic on the Tues/Wed/Thur agendas. Let me know if you have any questions, procedural or substantive.
I have one more paper to deliver to you - Recommendation 11 Data Retention.
Thanks again and best regards,
Kurt
Begin forwarded message:
From: Kurt Pritz <kurt@kjpritz.com> Subject: Revised Recommendations for (Final) Review - with attachments Date: January 31, 2019 at 8:31:45 PM PST To: EPDP <gnso-epdp-team@icann.org>
Hello Everyone:
Thanks again for your perseverance. And - thank you in advance for your spirit of cooperation and compromise in considering the attached. We have spent the last few days reviewing the transcripts and other records of our recent discussions and then amending the Final Report Recommendations - taking into account the Initial Report Recommendations, the small team work, the conclusions in Toronto and these last several meetings.
The Recommendations included here are:
Recommendation 5 - Data elements to be transferred from Registrars to Registries
Recommendation 10 - Email communication
Recommendation 12 - Reasonable Access
Recommendation 14 - Responsible Parties
[Not included are Rec. 13 (sent earlier) and Rec. 11 and the Research Purpose (to be sent tomorrow).]
Each of these documents has a brief foreword containing a description of the pertinent discussion and an explanation for choosing the wording in the Recommendations. They each then contain the Recommendation as originally written and a redline of the proposed recommendation based on the most recent discussions. Please read the entire documents (they are not long), and not just the recommendation itself.
I am certainly not asking for you to stand silently by if you disagree with these Recommendations because they would negatively impact GDPR compliance. I am asking that you study the balancing that went into this and be ready to accept wording in cases where it does not match your own choice.
Please review with your groups and return to us by Monday so that we can put any of these on the Tues/Wed/Thur agendas.
Sincerely,
Kurt
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Kurt, I need to consult with my colleagues and ALAC whether this is a "die in the ditch" issue, but I do not believe that the "expression of need" at this very moment should be a pre-requisite for having the ability to request such data in the future on short notice.
Alan
At 01/02/2019 05:31 PM, Kurt Pritz wrote:
On Rec 12 - Reasonable Access, I believe that the criteria to be developed must include some reference to an average or median response time. Just providing the outer limit does not address the problem of determining whether the typical response is reasonable or not.
On Rec 10, you will recall that the Temp Spec requires (after reasonable implementation delay) that REDACTED information be displayable with the consent of the data subject, but since e-mail addresses are not "redacted" it did not apply. I believe there was agreement that there must be a provision for a registrant to specify that their e-mail addresses display. That implies that part 1 should end with something like "... but MUST NOT identify the contact email address or the contact itself unless the registrant explicitly requests such display."
Alan
At 31/01/2019 11:31 PM, Kurt Pritz wrote:
Hi Kurt,
A few comments on the updated Rec 12 language
1. I support the use of the phrase “Reasonable Requests for Lawful Disclosure of Non-Public Registration Data.” instead of "Reasonable Access". It is much more precise.
2. At the end of the 3rd paragraph it states "Contracted parties will consider each request on its merits with regard to GDPR legal basis". This is reasonable, however it is inconsistent with the Temp Spec language quoted in paragraph 1 that limits reasonable access to 6(1)(f). (e.g. "Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR") If contracted parties will be responding to "reasonable disclosure" requests for any legal basis we need to ensure existing temp spec language is updated (made consistent) in any future policy implementation created to replace it
3. As I mentioned on a past call we have kept the specificity regarding the request but lost specificity regarding the response. Hoping we can find a pragmatic middle ground for the latter here is a suggested solution.
...
- Requirements for what information responses should include (for example, auto-acknowledgement of requests and rationale for rejection of request), e.g.:
- Responses where disclosure of data (in whole or in part) has been denied should include rationale sufficient for the requestor to understand the reasons for the decision. Including for example analysis and explanation of how the balancing test was applied (if applicable).
Nits:
- replace "...may further complement or overwrite these requirements." with "...may further complement or revise these requirements."
- replace "...and the requirements for an acknowledgement ? response will be..." with ".... and the requirements for an acknowledgement and response will be..."
Thanks. Alex
___________ Alex Deacon Cole Valley Consulting alex@colevalleyconsulting.com +1.415.488.6009
On Thu, Jan 31, 2019 at 8:32 PM Kurt Pritz <kurt@kjpritz.com> wrote:
Hi, I agree with Alex that "?" should be replaced with "and", as that is a typo. That aside, I think the language that you have presented Kurt represents a fair compromise. If we are to continue wordsmithing this, I would like to note my objection to the language around response times. I would suggest deleting the text in brackets entirely, as this is something I would prefer be left to the individual contracted party to determine. As a general rule I do not support recommendations which impose externalities on other actors. Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Monday, February 4, 2019 7:19 PM, Alex Deacon <alex@colevalleyconsulting.com> wrote:
Hello All, As discussed on today's call, here is the proposed revised Rec. 12 from RySG/RrSG. Thank you. -- Sarah Wyld Domains Product Team Tucows +1.416 535 0123 Ext. 1392 On 1/31/2019 11:31 PM, Kurt Pritz wrote:
Thanks, Sarah.
EPDP Team members, as this topic is included in the agenda for tomorrow’s meeting, please share any issues or concerns your group may have with the modified language prior to the meeting, if possible. Staff has taken the liberty to fix some formatting issues in the attached version (some of the sub-bullets did not appear properly).
Best regards,
Caitlin, Berry and Marika
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Sarah Wyld <swyld@tucows.com> Organization: Tucows Date: Tuesday, February 5, 2019 at 12:31 To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hi all, the below comments are on behalf of Alan G
the proposal.
1. still does not set an expectation that although SOME requests may take the specified limit, not all should. Nor does it seem to imply that the Contractual Compliance has any ability to audit response times.
2. I find the reference to "GDPR legal bases" problematic. For example, under the current proposals, a registrar who is operating fully outside of the EU may redact information for legal persons and for natural persons not subject to the GDPR. What is the GDPR legal basis for requesting information on such registrations? According to GDPR there was no need for redaction to begin with, so a registrar can refuse to provide any results with full impunity.
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Marika Konings Sent: Tuesday, February 05, 2019 11:43 PM To: Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
While I do think it is useful for there to be some guidelines around time frame so that requestors can understand, in ordinary circumstances, how long it will take for their request to be considered, I do not agree that "all" requests must be considered within a specified limit. The review of requests is not automated and will require human judgement in the balancing of competing considerations and legal rights. Some requests may be more complex than others, and in such circumstances, it is perfectly right that the contracted party exercises care before making the decision to release a registrant's personal information to a third party. I do not know how this process will be operationalised by the individual contracted parties, but as we have seen in the case of Google and how it assesses right to be forgotten requests, for instance, this can often involve complex cases going before internal committees that only meet once a month. As Recommendation 12 reads at present there is already an allowance for the distinction to be made between regular and 'urgent' requests; I oppose us being so prescriptive as to mandate that "all" requests must be processed within an arbitrary timeframe, as to maintain such a consistent service, 365 days a year, will inevitably impose ongoing costs on registrants. Thank you, Ayden Férdeline ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, February 6, 2019 5:32 AM, Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi all, I have added a few words about compliance and the implementation of the policy and hence propose the following minor edits to recommendation number 12
"The EPDP Team recommends that ICANN org and the contracted parties develop a mechanism that allows ICANN Contractual Compliance to audit response times to the requests. The EPDP recommends that the implementation of this policy includes requirements of acknowledgement of recipient of requests and the response to such requests, criteria for a "Reasonable Request for lawful Disclosure" and a mechanism that allows ICANN Contractual Compliance to audit response time to the requests. The implementation of this policy will include at a minimum"
The above is to replace "The EPDP Team recommends that criteria for a “Reasonable Request for Lawful Disclosure” and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation[Kristina 1] of these policy recommendations but will include at a minimum:"
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Hadia Abdelsalam Mokhtar EL miniawi Sent: Wednesday, February 06, 2019 12:32 PM To: Marika Konings; Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
[Kristina 1]see previous comment about IRT/actor
To be perfectly honest, I think that Hadia & Alan's suggestions are perilously close to going against the very nature of the tentative agreements we have on Recommendation 12. If their point of view is that ICANN compliance must be used as a stick to beat the Contracted parties into submission/compliance, I find that exceptionally unhelpful. It is not the role of the ePDP to create new obligations for CPs outside of that which is necessary for GDPR compliance!

The repeated issue of the parties is that it is nigh on impossible to set this in stone; every single request received must be considered individually, on its own merits (as the GDPR, which supersedes all our machinations, requires). The CPs are coming to the table in goodwill noting that we understand the need for predictability for 3rd party requests. We have discussed at length the impossibility of setting a strict timeline on such requests, I simply think this squanders the goodwill in this agreement in now suggesting a frankly unimplementable, or more likely an utterly ad hoc and random audit system, rather than accepting that the contracted parties are acting in good faith, and will continue to do so.

For those CPs who do not act in good faith, I have a feeling that a poor audit result regarding response to disclosure requests will be the least of the issues. There are elements that are tangible and capable of ICANN review upon complaints regarding same, using existing complaints processes. Let's not reinvent the wheel here!

So to be clear. The RYSG strongly opposes the ALAC addition.

Alan

Alan Woods
Senior Compliance & Policy Manager, Donuts Inc.
Hi Alan,

I am sorry that this is how you feel about our suggestion with regard to compliance, certainly there was no intention of having a stick to beat the contracted parties. Usually auditing is something that both parties benefit from. In what sense does our suggestion put new obligations on the contracted parties? It is just a means of verifying the process and this is good for the CPs as well because it ascertains the functionality of their system. Moreover, how does the suggestion of having some kind of auditing contradict with the fact that every single request received must be considered individually? Additionally, we never said that existing complaints' processes cannot be used; we only said that you need to agree on the auditing mechanisms/means or whatever you want to call it. This is merely a suggestion to implement a sense of trust into the system, rather than having that trust something as intangible as good faith between the parties involved.

Finally, I invite you to put a few lines that speak about using existing complaints processes in this regard.

Hadia
Hopefully there is some language which properly reflects the variability of request responses while recognizing that nothing can be judged successful or improved without measuring it.

For example, in our online services (1) we offer a firm SLA to our customers and reimburse them when we miss it, regardless why we missed it... but (2) internally we generate more interesting metrics to better understand the root causes, opportunities to improve, and the relative frequency of the various issues. Also, this reduces finger-pointing between teams.

CPs cannot agree to language which implies (1); ALAC is requesting something like (2).

/marksv
I oppose the edit put forward by our colleagues in the ALAC that seeks to expand the role of Contractual Compliance. However, if the desire is more along the lines of (2) and the tool was funded on a cost-recovery basis by those seeking to utilize it, and not indirectly or directly by registrants, I would not object to language along the following lines: -- The EPDP Team recommends that ICANN org and the contracted parties develop a mechanism that provides third party requestors with uniform statistical information on the 1) nature of submitted requests, 2) average processing time, and 3) the number of requests approved or rejected, with rationale appropriately coded for information purposes. Such a mechanism must be funded on a cost-recovery basis by those private sector third parties who make access requests and seek to have access to these records. -- Ayden ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, February 6, 2019 2:59 PM, Mark Svancarek \(CELA\) via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Hopefully there is some language which properly reflects the variability of request responses while recognizing that nothing can be judged successful or improved without measuring it.
For example, in our online services (1) we offer a firm SLA to our customers and reimburse them when we miss it, regardless why we missed it... but (2) internally we generate more interesting metrics to better understand the root causes, opportunities to improve, and the relative frequency of the various issues. Also, this reduces finger-pointing between teams.
CPs cannot agree to language which implies (1); ALAC is requesting something like (2).
/marksv
-----Original Message----- From: Gnso-epdp-team gnso-epdp-team-bounces@icann.org On Behalf Of Hadia Abdelsalam Mokhtar EL miniawi Sent: Wednesday, February 6, 2019 11:36 To: Alan Woods alan@donuts.email Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hi Alan,
I am sorry that this is how you feel about our suggestion with regard to compliance; certainly there was no intention of having a stick to beat the contracted parties. Usually auditing is something that both parties benefit from. In what sense does our suggestion put new obligations on the contracted parties? It is just a means of verifying the process and this is good for the CPs as well because it ascertains the functionality of their system. Moreover, how does the suggestion of having some kind of auditing contradict the fact that every single request received must be considered individually? Additionally, we never said that existing complaints processes cannot be used; we only said that you need to agree on the auditing mechanisms/means or whatever you want to call it. This is merely a suggestion to implement a sense of trust into the system, rather than having that trust something as intangible as good faith between the parties involved.
Finally I invite you to put a few lines that speak about using existing complaints processes in this regard.
Hadia
From: Alan Woods alan@donuts.email Sent: 06 February 2019 19:01 To: Hadia Abdelsalam Mokhtar EL miniawi Cc: Marika Konings; Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
To be perfectly honest, I think that Hadia & Alan's suggestions are perilously close to going against the very nature of the tentative agreements we have on Recommendation 12. If their point of view is that ICANN compliance must be used as a stick to beat the Contracted parties into submission/compliance, I find that exceptionally unhelpful. It is not the role of the ePDP to create new obligations for CPs outside of that which is necessary for GDPR compliance!
The repeated issue of the parties is that it is nigh on impossible to set this in stone; every single request received must be considered individually, on its own merits (as the GDPR, which supersedes all our machinations, requires). The CPs are coming to the table in goodwill noting that we understand the need for predictability for 3rd party requests. We have discussed at length the impossibility of setting a strict timeline on such requests; I simply think this squanders the goodwill in this agreement in now suggesting a frankly unimplementable, or more likely an utterly ad hoc and random audit system, rather than accepting that the contracted parties are acting in good faith, and will continue to do so. For those CPs who do not act in good faith, I have a feeling that a poor audit result regarding response to disclosure requests will be the least of the issues.
There are elements that are tangible and capable of ICANN review upon complaints regarding same, using existing complaints processes. Let's not reinvent the wheel here!
So to be clear. The RYSG strongly opposes the ALAC addition.
Alan
Alan Woods Senior Compliance & Policy Manager, Donuts Inc.
The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland
On Wed, Feb 6, 2019 at 12:10 PM Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote:
Hi all,
I have added a few words about compliance and the implementation of the policy and hence propose the following minor edits to recommendation number 12
" The EPDP Team recommends that ICANN org and the contracted parties develop a mechanism that allows ICANN Contractual Compliance to audit response times to the requests. The EPDP recommends that the implementation of this policy includes requirements of acknowledgement of recipient of requests and the response to such requests, criteria for a " Reasonable Request for lawful Disclosure" and a mechanism that allows ICANN Contractual Compliance to audit response time to the requests.
The implementation of this policy will include at a minimum "
The above is to replace
"The EPDP Team recommends that criteria for a “Reasonable Request for Lawful Disclosure” and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation[Kristina 1] of these policy recommendations but will include at a minimum: "
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Hadia Abdelsalam Mokhtar EL miniawi Sent: Wednesday, February 06, 2019 12:32 PM To: Marika Konings; Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hi all, the below comments are on behalf of Alan G
the proposal.
1. still does not set an expectation that although SOME requests may take the specified limit, not all should. Nor does it seem to imply that the Contractual Compliance has any ability to audit response times.
2. I find the reference to "GDPR legal bases" problematic. For example, under the current proposals, a registrar who is operating fully outside of the EU may redact information for legal persons and for natural persons not subject to the GDPR. What is the GDPR legal basis for requesting information on such registrations? According to GDPR there was no need for redaction to begin with, so a registrar can refuse to provide any results with full impunity.
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Marika Konings
Sent: Tuesday, February 05, 2019 11:43 PM To: Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Thanks, Sarah.
EPDP Team members, as this topic is included in the agenda for tomorrow’s meeting, please share any issues or concerns your group may have with the modified language prior to the meeting, if possible. Staff has taken the liberty to fix some formatting issues in the attached version (some of the sub-bullets did not appear properly).
Best regards,
Caitlin, Berry and Marika
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Sarah Wyld <swyld@tucows.com> Organization: Tucows Date: Tuesday, February 5, 2019 at 12:31 To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hello All,
As discussed on today's call, here is the proposed revised Rec. 12 from RySG/RrSG. Thank you.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sarah Wyld
Domains Product Team
Tucows
+1.416 535 0123 Ext. 1392
On 1/31/2019 11:31 PM, Kurt Pritz wrote:
Hello Everyone:
Thanks again for your perseverance. And - thank you in advance for your spirit of cooperation and compromise in considering the attached. We have spent the last few days reviewing the transcripts and other records of our recent discussions and then amending the Final Report Recommendations - taking into account the Initial Report Recommendations, the small team work, the conclusions in Toronto and these last several meetings.
The Recommendations included here are:
Recommendation 5 - Data elements to be transferred from Registrars to Registries
Recommendation 10 - Email communication
Recommendation 12 - Reasonable Access
Recommendation 14 - Responsible Parties
[Not included are Rec. 13 (sent earlier) and Rec. 11 and the Research Purpose (to be sent tomorrow.]
Each of these documents has a brief forward containing a description of the pertinent discussion and an explanation for choosing the wording in the Recommendations. They each then contain the Recommendation as originally written and a redline of the proposed recommendation based on the most recent discussions. Please read the entire documents (they are not long), and not just the recommendation itself.
I am certainly not asking for you to stand silently by if you disagree with these Recommendations because they would negatively impact GDPR compliance. I am asking that you study the balancing that went into this and be ready to accept wording in cases where it does not match your own choice.
Please review with your groups and return to us by Monday so that we can put any of these on the Tues/Wed/Thur agendas.
Sincerely,
Kurt
[Kristina 1]see previous comment about IRT/actor
Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
I like Ayden's verbiage, but I caveat that I don't know how the last line would be implemented... are there any examples in ICANN-land today?
-----Original Message----- From: Ayden Férdeline <icann@ferdeline.com> Sent: Wednesday, February 6, 2019 12:19 To: Mark Svancarek (CELA) <marksv@microsoft.com> Cc: Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg>; Alan Woods <alan@donuts.email>; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
I oppose the edit put forward by our colleagues in the ALAC that seeks to expand the role of Contractual Compliance.
However, if the desire is more along the lines of (2) and the tool was funded on a cost-recovery basis by those seeking to utilize it, and not indirectly or directly by registrants, I would not object to language along the following lines:
-- The EPDP Team recommends that ICANN org and the contracted parties develop a mechanism that provides third party requestors with uniform statistical information on the 1) nature of submitted requests, 2) average processing time, and 3) the number of requests approved or rejected, with rationale appropriately coded for information purposes. Such a mechanism must be funded on a cost-recovery basis by those private sector third parties who make access requests and seek to have access to these records. --
Ayden
Mark,
I think there is similar language within the PPSAI, I think the IPC came with that proposal back in the day, but I could be wrong.
Best,
Theo
On 06-02-19 at 21:37, Mark Svancarek (CELA) via Gnso-epdp-team wrote:
I like Ayden's verbiage, but I caveat that I don't know how the last line would be implemented... are there any examples in ICANN-land today?
-----Original Message----- From: Ayden Férdeline <icann@ferdeline.com> Sent: Wednesday, February 6, 2019 12:19 To: Mark Svancarek (CELA) <marksv@microsoft.com> Cc: Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg>; Alan Woods <alan@donuts.email>; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
I oppose the edit put forward by our colleagues in the ALAC that seeks to expand the role of Contractual Compliance.
However, if the desire is more along the lines of (2) and the tool was funded on a cost-recovery basis by those seeking to utilize it, and not indirectly or directly by registrants, I would not object to language along the following lines:
-- The EPDP Team recommends that ICANN org and the contracted parties develop a mechanism that provides third party requestors with uniform statistical information on the 1) nature of submitted requests, 2) average processing time, and 3) the number of requests approved or rejected, with rationale appropriately coded for information purposes. Such a mechanism must be funded on a cost-recovery basis by those private sector third parties who make access requests and seek to have access to these records. --
Ayden
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Wednesday, February 6, 2019 2:59 PM, Mark Svancarek (CELA) via Gnso-epdp-team <gnso-epdp-team@icann.org> wrote:
Hopefully there is some language which properly reflects the variability of request responses while recognizing that nothing can be judged successful or improved without measuring it.
For example, in our online services (1) we offer a firm SLA to our customers and reimburse them when we miss it, regardless why we missed it... but (2) internally we generate more interesting metrics to better understand the root causes, opportunities to improve, and the relative frequency of the various issues. Also, this reduces finger-pointing between teams.
CPs cannot agree to language which implies (1); ALAC is requesting something like (2).
/marksv
-----Original Message----- From: Gnso-epdp-team gnso-epdp-team-bounces@icann.org On Behalf Of Hadia Abdelsalam Mokhtar EL miniawi Sent: Wednesday, February 6, 2019 11:36 To: Alan Woods alan@donuts.email Cc: gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hi Alan,
I am sorry that this is how you feel about our suggestion with regard to compliance; certainly there was no intention of having a stick to beat the contracted parties. Usually auditing is something that both parties benefit from. In what sense does our suggestion put new obligations on the contracted parties? It is just a means of verifying the process and this is good for the CPs as well because it ascertains the functionality of their system. Moreover, how does the suggestion of having some kind of auditing contradict the fact that every single request received must be considered individually? Additionally, we never said that existing complaints processes cannot be used; we only said that you need to agree on the auditing mechanisms/means or whatever you want to call it. This is merely a suggestion to implement a sense of trust into the system, rather than having that trust something as intangible as good faith between the parties involved.
Finally I invite you to put a few lines that speak about using existing complaints processes in this regard.
Hadia
From: Alan Woods alan@donuts.email Sent: 06 February 2019 19:01 To: Hadia Abdelsalam Mokhtar EL miniawi Cc: Marika Konings; Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
To be perfectly honest, I think that Hadia & Alan's suggestions are perilously close to going against the very nature of the tentative agreements we have on Recommendation 12. If their point of view is that ICANN compliance must be used as a stick to beat the Contracted parties into submission/compliance, I find that exceptionally unhelpful. It is not the role of the ePDP to create new obligations for CPs outside of that which is necessary for GDPR compliance!
The repeated issue of the parties is that it is nigh on impossible to set this in stone; every single request received must be considered individually, on its own merits (as the GDPR, which supersedes all our machinations, requires). The CPs are coming to the table in goodwill noting that we understand the need for predictability for 3rd party requests. We have discussed at length the impossibility of setting a strict timeline on such requests; I simply think this squanders the goodwill in this agreement in now suggesting a frankly unimplementable, or more likely an utterly ad hoc and random audit system, rather than accepting that the contracted parties are acting in good faith, and will continue to do so. For those CPs who do not act in good faith, I have a feeling that a poor audit result regarding response to disclosure requests will be the least of the issues.
There are elements that are tangible and capable of ICANN review upon complaints regarding same, using existing complaints processes. Let's not reinvent the wheel here!
So to be clear. The RYSG strongly opposes the ALAC addition.
Alan
Alan Woods Senior Compliance & Policy Manager, Donuts Inc.
The Victorians, 15-18 Earlsfort Terrace Dublin 2, County Dublin Ireland
On Wed, Feb 6, 2019 at 12:10 PM Hadia Abdelsalam Mokhtar EL miniawi <Hadia@tra.gov.eg> wrote: Hi all, I have added a few words about compliance and the implementation of the policy and hence propose the following minor edits to recommendation number 12
" The EPDP Team recommends that ICANN org and the contracted parties develop a mechanism that allows ICANN Contractual Compliance to audit response times to the requests. The EPDP recommends that the implementation of this policy includes requirements of acknowledgement of recipient of requests and the response to such requests, criteria for a " Reasonable Request for lawful Disclosure" and a mechanism that allows ICANN Contractual Compliance to audit response time to the requests.
The implementation of this policy will include at a minimum "
The above is to replace
"The EPDP Team recommends that criteria for a “Reasonable Request for Lawful Disclosure” and the requirements for acknowledging receipt of a request and response to such request will be defined as part of the implementation[Kristina 1] of these policy recommendations but will include at a minimum:"
Hadia
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Hadia Abdelsalam Mokhtar EL miniawi Sent: Wednesday, February 06, 2019 12:32 PM To: Marika Konings; Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hi all, the below comments are on behalf of Alan G
the proposal.
1. still does not set an expectation that although SOME requests may take the specified limit, not all should. Nor does it seem to imply that the Contractual Compliance has any ability to audit response times.
2. I find the reference to "GDPR legal bases" problematic. For example, under the current proposals, a registrar who is operating fully outside of the EU may redact information for legal persons and for natural persons not subject to the GDPR. What is the GDPR legal basis for requesting information on such registrations? According to GDPR there was no need for redaction to begin with, so a registrar can refuse to provide any results with full impunity.
From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces@icann.org] On Behalf Of Marika Konings
Sent: Tuesday, February 05, 2019 11:43 PM To: Sarah Wyld; gnso-epdp-team@icann.org Subject: Re: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Thanks, Sarah.
EPDP Team members, as this topic is included in the agenda for tomorrow’s meeting, please share any issues or concerns your group may have with the modified language prior to the meeting, if possible. Staff has taken the liberty to fix some formatting issues in the attached version (some of the sub-bullets did not appear properly).
Best regards,
Caitlin, Berry and Marika
From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Sarah Wyld <swyld@tucows.com> Organization: Tucows Date: Tuesday, February 5, 2019 at 12:31 To: "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org>
Subject: [Gnso-epdp-team] Recommendation 12 - Reasonable Access
Hello All,
As discussed on today's call, here is the proposed revised Rec. 12 from RySG/RrSG. Thank you.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Sarah Wyld
Domains Product Team
Tucows
+1.416 535 0123 Ext. 1392
[Kristina 1] see previous comment about IRT/actor
_______________________________________________ Gnso-epdp-team mailing list Gnso-epdp-team@icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-team
Dear All- Thank you to the great work of Sarah, Kristina, Alex and others. We are looking to move this Rec forward and have worked to further clarify and edit the language - taking into account comments by all. Therefore, please find the attached proposed updated Rec. 12 for further discussion tomorrow. Sincerely, Diane
Diane Plaut General Counsel and Privacy Officer
Hi all, I think it is important to clarify that these criteria work for disclosure requests for civil claims. We should avoid the impression that and thereby manage the community’s expectations re LEA requests. These follow applicable laws and the criteria might be different from what is listed here. Also I remember from a small group discussion in Toronto that there was sympathy for this suggestion, when I made it there. I am bringing this back up as the disclosures we are discussing here will be primarily based on Art 6 I f GDPR, but that clause is blocked for public authorities in performing their core duties. That means that LEA must use a legal basis where the disclosure by the CP occurs based on 6 I c GDPR. When that is applicable, there is no choice for the CP but to disclose - which is different from disclosing according to Art 6 I f GDPR. The aforementioned is true for European LEA imho. What we do not yet know is how disclosure can be made to work, if at all, to non-EU LEA. Hence, I would rather be cautious in our language. Best, Thomas
participants (14)
- Alan Greenberg
- Alan Woods
- Alex Deacon
- Ayden Férdeline
- farzaneh badii
- Hadia Abdelsalam Mokhtar EL miniawi
- Kavouss Arasteh
- Kurt Pritz
- Marika Konings
- Mark Svancarek (CELA)
- Plaut, Diane
- Sarah Wyld
- theo
- Thomas Rickert