Hello all,
Sarah, I think this looks good. Thank you for pulling together some edits for all of us to consider.
Best,
Beth
From:
IRT.RegDataPolicy <irt.regdatapolicy-bounces@icann.org> on behalf of Sarah Wyld via IRT.RegDataPolicy <irt.regdatapolicy@icann.org>
Date: Wednesday, July 20, 2022 at 2:46 PM
To: Dennis Chang via IRT.RegDataPolicy <irt.regdatapolicy@icann.org>
Subject: [EXTERNAL] Re: [IRT.RegDataPolicy] IRT Task 221 Review OneDoc Section 5DataProtection Agreement 20220718; RDAP Profile status
CAUTION: This email came from outside your organization. Don’t trust emails, links, or attachments from senders that seem suspicious
or you are not expecting.
Hello all
Thanks Dennis & team for the updated Section 5 text. I do find it more readable and understandable, and I appreciate that!
I would like to propose a few changes, with redline here and some notes below the text. I have not (yet) put this into the OneDoc, was hoping to discuss it on the list here.
ICANN, gTLD Registry Operators, and accredited Registrars MUST enter into required data protection agreements with each other and with relevant third party providers contemplated under
this Policy where applicable law requires. The terms may include legal bases for processing Registration Data. Where such agreements between a Registry Operator or Registrar and ICANN are required to comply with applicable law,
ICANN Registry Operator or Registrar MUST
upon request and without undue delay enter into the data protection agreement or agreements with
ICANN Registry Operator or Registrar as implemented pursuant to this Policy, as may be updated from time-to-time, or as provided for by applicable law.
The first change (swapping around ICANN and the Registry operator or Registrar) matches Recommendation 19 (“The EPDP Team recommends that ICANN Org negotiates and enters into required data protection
agreements, as appropriate, with the Contracted Parties.”)
The addition of “upon request and without undue delay” is to indicate that ICANN must enter into that agreement at the request of the Registry Operator or Registrar.
Adding “or as provided for by applicable law” is suggested to accommodate a potential standard/templated DPA provided by the relevant authority; I’m thinking about a future where the EC provides
a base DPA for use just like how they provide base SCCs now.
I think that these changes are in keeping with the text and intent of the recommendation, and look forward to the group’s feedback.
Thanks,
--
Sarah Wyld, CIPP/E
Policy & Privacy Manager
Pronouns: she/they
swyld@tucows.com
From:
Dennis Chang via IRT.RegDataPolicy
Sent: July 18, 2022 2:07 PM
To: Roger D Carney;
Dennis Chang via IRT.RegDataPolicy
Subject: Re: [IRT.RegDataPolicy] IRT Task 221 Review OneDoc Section 5DataProtection Agreement 20220718; RDAP Profile status
Dear IRT,
Thanks for supporting the IRT meeting last week.
Roger and Marc reported that the RDAP WG is adding an extra meeting to ensure their delivery in July.
Based on their rigorous review including 3 IRT members, I shared that we expected us to move quickly to Public Comment upon receipt of the two RDAP RedDocs. We are, henceforth, working towards a Public Comment
opening date of 17 August 2022.
For this one remaining OneDoc section, we received helpful inputs from the IRT including a revised language at the meeting.
Based on the suggestion that we merge the proposed languages rather than debating one vs another, we came up with a new baseline language for your review. You’ll see it in the IRT OneDoc and I post it here
for your convenience.
ICANN, gTLD Registry Operators, and accredited Registrars MUST enter into required data protection agreements with each other and with relevant third party providers contemplated under
this Policy where applicable law requires. The terms may include legal bases for processing Registration Data. Where such agreements between a Registry Operator or Registrar and ICANN are required to comply with applicable law, Registry Operator or Registrar
MUST enter into the data protection agreement or agreements with ICANN implemented pursuant to this Policy, as may be updated from time-to-time.
You’ll note that I did not change the due date and ask for your review by next Monday, 2022.07.18.
Thank you for your continued support.
Dennis Chang
From: "IRT.RegDataPolicy" <irt.regdatapolicy-bounces@icann.org> on behalf of "Dennis Chang via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org>
Reply-To: Dennis Chang <dennis.chang@icann.org>
Date: Friday, July 8, 2022 at 11:26
To: Roger D Carney <rcarney@godaddy.com>, "Dennis Chang via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org>
Subject: Re: [IRT.RegDataPolicy] IRT Task 221 Review OneDoc Section 5 DataProtection Agreement 20220718; RDAP Profile status
Thanks Roger and Sarah for the suggestion.
I see that the language proposed is basically the Recommendation language repeated.
For implementation, shouldn’t we come up with requirements language?
For example, the baseline language in OneDoc implements recommendations language such as “as appropriate” and “where applicable”
Also, it connects the policy to the outcome of the work that negotiation team is doing.
It would be good to know why CPH is not finding the OneDoc language unacceptable as is.
Here it is duplicated for your convenience.
“This Policy does not require Registry Operators and Registrars to enter into data protection agreements with ICANN unless applicable law requires a Registry Operator or
Registrar to enter into a data protection agreement with ICANN in order for the Processing of Personal Data in Registration Data to comply with applicable law.
Where such agreements are required to comply with applicable law, Registry Operator or Registrar MUST enter into the data protection agreement or agreements with ICANN
implemented pursuant to this Policy, as may be updated from time-to-time.”
We have an IRT meeting scheduled next week Wednesday.
The only agenda item I have is this for now.
If we can resolve this before then, we can cancel the meeting but happy to discuss this at the meeting too.
Thanks
Dennis Chang
From: "IRT.RegDataPolicy" <irt.regdatapolicy-bounces@icann.org> on behalf of "Roger D Carney via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org>
Reply-To: Roger D Carney <rcarney@godaddy.com>
Date: Wednesday, July 6, 2022 at 07:32
To: "Dennis Chang via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org>
Subject: Re: [IRT.RegDataPolicy] IRT Task 221 Review OneDoc Section 5 DataProtection Agreement 20220718; RDAP Profile status
Good Morning,
+1, the text Sarah recommends seems to be easier to read and then current proposed text in the OneDoc.
Thanks
Roger
From: IRT.RegDataPolicy <irt.regdatapolicy-bounces@icann.org> on behalf of Sarah Wyld via IRT.RegDataPolicy <irt.regdatapolicy@icann.org>
Sent: Wednesday, July 6, 2022 9:10 AM
To: Dennis Chang <dennis.chang@icann.org>; Dennis Chang via IRT.RegDataPolicy <irt.regdatapolicy@icann.org>
Subject: Re: [IRT.RegDataPolicy] IRT Task 221 Review OneDoc Section 5 DataProtection Agreement 20220718; RDAP Profile status
Caution: This email is from an external sender. Please do not click links or open attachments unless you recognize the sender and know the content is safe. Forward suspicious
emails to isitbad@.
Hello team,
Back in June of 2020, the proposed language from the Staff team was:
> ICANN, gTLD Registry Operators and accredited Registrars MUST enter into and maintain in effect data processing terms and conditions concerning personal data in Registration Data with each other and relevant
third party providers, where applicable. The terms include legal bases for processing Registration Data
We had suggested a minor update:
> ICANN, gTLD Registry Operators, and accredited Registrars MUST enter into required data protection agreements, as appropriate, with each other and with relevant third party providers, where applicable.
The terms may include legal bases for processing Registration Data as applicable.
Can we consider using this text for this section, rather than the new proposed version? I think it faithfully implements the recommendation, covers the necessary items, and is straightforward.
Thanks,
--
Sarah Wyld, CIPP/E
Policy & Privacy Manager
Pronouns: she/they
swyld@tucows.com
From:
Dennis Chang via IRT.RegDataPolicy
Sent: July 6, 2022 9:06 AM
To: Dennis Chang via IRT.RegDataPolicy
Subject: [IRT.RegDataPolicy] IRT Task 221 Review OneDoc Section 5 DataProtection Agreement 20220718; RDAP Profile status
Dear IRT,
Please review the revised version for Section 5 of OneDoc.
|
221 |
20220718 |
As we prepare for the upcoming public comment,
we are nearing completion of OneDoc as you see and the RDAP Profile documents remain as the only deliverables.
Roger advised that while the WG was not able to complete the documents in June, they will deliver in July.
In fact, the WG scheduled an extra meeting to ensure their delivery to support our August opening of the Public Comment.
Stay tuned. I’ll let you all know as soon as they are ready.
--
Kind Regards,
Dennis S. Chang
GDD Programs Director
Phone: +1 213 293 7889
Sykpe: dennisSchang
www.icann.org One World – One
Internet