Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.

**Reminder for members to select all panelists and attendees for chat option.

does someone have the link for the public comment wiki page handy?

https://community.icann.org/pages/viewpage.action?pageId=126430750

thank you

I think that language is originally from case law

it's verbatim here: https://www.twobirds.com/~/media/pdfs/data-protection/uk--eu-data-protection-bulletin-february-2019.pdf

Agree that DPA would be a bad arbiter for these disputes

My apologies, I have to leave our call early today. Dan is on the call. Thank you.

I don’t think the existing appeals/DRPs are good examples. A Contracted Party subject to legal liability can’t be forced to disclose data by a panel like a UDRP panel. The decision ultimately needs to stay with the Contracted Party involved, even after an appeal is filed.

@Volker: +1

+1 Amr and Volker

Good point Janis

Even if we agree on an appeals process, the decision coming out of that process can’t be binding. Has to be in more of an advisory role.

Beth makes a good point. Maybe the solution is rather a reconsideration process.

@Thomas: +1

+1 Beth. And it could prompt a legal authority to invalidate the entire SSAD

Resending to everyone Beth makes a good point. Maybe the solution is rather a reconsideration process.

Thank you Stephanie! Appreciate the honesty.

Agree, Stephane. Nobody has a right to be a Registrar

Thomas- yes perhaps that’s something to think on?

seems to me we are over-complicating the disclosure of registration data, which is but one element of a much bigger picture of accountability

Agree with Stephanie: whoever decides is liable for decision - CP, CGM/ICANN, etc.

could there be an appeals process limited to CP’s perceived as systematic offenders?

Yeah that seems different…having a CP that constantly rejects legitimate requests is different

I have concerns with the assumption that the person who makes the decision is liable. I think it’s the party that discloses is liable. Happy to be convinced otherwise however! :)

Consistently rejecting disclosure requests is not a standard to brand a Registrar as a bad actor alone. It might be receiving large numbers of requests that need to be rejected.

Beth that kind of pragmatic nuance has no place here

/s :-)

agreed Matt. And this is the difference between the decision process and the procedural process. Seems rather straightforward really.

As in any appeal we are talking about appeal about decision per se or appeal about fault at process Maybe appeals about process can be processed faster and at this level e.g. without getting to the substance of the rejection

@Beth: +1. The action of disclosure results in liability, not just the decision to disclose.

@Thomas: +1. I like this suggestion.

@Georgios it seems to me that ICANN compliance can and should handle appeals about process. I think the remaining concern to address is appeals about the decision.

It absolutely IS complicated

@Thomas request for reconsideration is a good suggestion

@Amr: either requests are repeatedly bad and the system (logging, data analysis, enforcement, accreditation) needs to deal with that, or the decisions are and the system needs to deal with that.

Thomas, you just took my words out of my mouth

@Franck: That sounds sensible, but isn’t it missing requests with lawful bases that the controller (registrar) doesn’t agree with? There’s the matter of passing/failing the balancing test.

@Thomas: Have one problem with something you were saying - Requestors have legitimate interests to registration data, not rights.

Lawsuits take months or years — that’s not a solution

@Amr. I tried to express exactly what you wrote.

Courts are fine, but in the short term, Court backlogs in my country are going to be creating rather long waiting lists....

COVID is having a real impact on the courts

Either we treat all registrants the same … or we don't.

also appeals in relation to process should be no problem

Note that the model I am proposing would also hear complaints from registrants who do not have access to a data protection authority.

@Milton: +1

I think we can agree with Milton that we should have generalized recommendations here.

I don’t see an appeals process or reconsider process for every positive disclosure decision

that is procedural again Margie.

We did develop an entire SLA for that, no? Is that not accountability?

+1 Matt

The SLA is not on disclosure rates - Im happy to consider an SLA on disclosure rates

GDPR has no provision for the data subject giving permission for each request!

Balancing tests do not require humans

Unfortunately - many CPH are not following

@Beth: +1

And compliance isn’t stepping in

But we need that Compliance WILL take action. My understanding is that they have said they will not do that.

If compliance isn’t acting, that’s a different problem that needs to be addressed with ICANN org

well one-off or systemic, Beth, there’s a big big difference

That is literally the ENTIRE point of the GDPR Alan. No it doesn't say they have to give permission …. but everything about the GDPR is protecting their right to have privacy. Surely that is not lost on you.

Balancing tests definitely require humans. For the same reasons we don’t write algorithms to replace judges & juries.

@Margie: You’re making generalizations, while using an incorrect context. Registrars will be required to comply with a new policy, not what was previously called the Temp Spec. Also, wasn’t I chastised a few weeks ago for suggesting that all requestors are acting in bad faith (when I really wasn’t)?

I think you've really condensed the conversation well, Laureen.

It seems we need something for systemic compliance issues, plus something light for one-off "hey can you take another look"

James, balancing tests can be performed algorithmically in many cases

I’m not making generalizations - I said many CPH don’t comply - that’s not all — there are lots of responsible registrars and registries doing the right thing

Ah…, so you weren’t making a generalization, just like I wasn’t a few weeks ago? Just suggesting safeguards against the few cases, where CPs are not complying with policy?

Even so, there should be password or key relayed via SSAD

James: I *think* Domain Connect could be a good solution if we need to transmit data outside the SSAD boundary. Bonus is that GoDaddy and Microsoft already support it.

Apologies — I need to drop off the call early this week. Ben is covering for SSAC. Thanks!

Also, please never say that secure data transmission isn't a "sexy topic" that's just crazy talk

LOL

I was going to say that all the provided solutions are good ones 1) A high level system that addresses systematic abuse 2) A reconsideration path 3) A contractual provision that ensures CPs disclose the data when legally allowed

The above is in relation to an appeal mechanism

This is literally in the PPSAI as bottom-up, board-approved policy

And the PPSAI policy was totally innocent of any serious consideration of privacy law

Alan, your example does not match the concern raised

“…nor can approval or refusal to disclose be solely based on the fact that the request is founded on alleged IP infringement..”

ha tell that to the requestor I have today. I'd be happy to quote you guys on the response!

Sounds like the requestor was sloppy :(

The gateway will be checking for requests to ensure they have the appropriate information

LOL

Hahaha

So at least the CPH will have the appropriate form;

With respect, I don’t think “absent any legal requirements to the contrary satisfies my objections about lack of transparency

+1 Milton

right

it’s cheap price to pay!

no we are saying that there mere fact there is a IPR claim does not justify disclosure or refusal

Agree with Hadia on the relevance of 50,000 political prisoners to the issue of TM infringement. Although the figure I’ve heard is 60,000, not 50. ;-)

Sorry…, irrelevance, not relevance.

Margie, you are talking everyone out of accepting this language

@Amr I see no relevance

Neither do I, Hadia.

by suggesting that the mere existence of a trademark is sufficient to disclose

Sorry Hadia for the shortcut, I was referring to the recent and highly publicized petition to release 60K political prisoners which access now is circulating. Perhaps knowledge of this petition and the concern over the hunger strike of one of the leaders of the recent dissent [Arab spring]only circulates in the NGO community. It is all over the human rights news feeds today.

and you can’t ACCEPT is “solely”

My point was really that no-one should reject any request simply because it is IP related, political, etc

@Stephanie: Yeah, I’ve seen them, and for a lot of people living here, this is an ongoing issue, not just because Access have decided to bring it up. But it’s still pretty irrelevant to our discussion. We’re discussing TM/IP issues, not political ones, aren’t we?

it doesn’t remove anything

that you have a right to

From the data protection viewpoint it is essential to determine in very clear termswhat is the purpose of the Whois and which purpose(s) can be considered aslegitimate and compatible to the original purpose ... This is an extremely delicate matteras the purpose of the Whois directories can not be extended to other purposes justbecause they are considered desirable by some potential users of the directories.Some purposes that could raise data protection (compatibility) issues are forexample the use of the data by private sector actors in the framework of selfpolice activities related to alleged breaches of their rights e.g. in the digital rightmanagement field.

From WP29

in 2003 -

https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf

@Stephanie I still can't see the relevance of the above mentioned topic to IP infringement

I think our posts crossed Amr….my point is that a refusal should not be theme based, it should be fact base.

based

literally points out the fact that it is a DP concern. I'm not saying it will always be the basis for a denial … but it remains valid.

When did we start talking about AUTOMATED disclosure???

@MarkSV: You keep suggesting that we assume that requestors are “bad”, when all we’re trying to do is develop policies/processes that safeguard the rights of registrants/data subjects. The intent of the requestor is irrelevant. Safeguarding against infringement of the rights of registrants is the issue.

Sorry if I was unclear, that was not what I was suggesting here. I am merely pointing out that multiple interventions on this topic were in regard to incomplete requests, which is not what we are debating here

Hadia, I was not talking about IP infringement. I was talking about the use of specific theme based disclosure requests in a policy. Policy must be general absent specific fact based cases that deserve special treatment. If special treatment is requested, an entire case needs to be developed. Legislation has protocols in drafting to deal with these instances, policy is more loose, but the principles should be adhered to. However ICANN policy, as the product of compromise, and particularly in this instance, mixes implementation of legal requirements (or not) and specific stakeholder group treatment. This is an instance of both, in my view.

Isn't release to UDRP /URS provider based solely on IP/Content?

Suggested language if you don’t like approval: “disposition of the request”. Very common in FOI and Privacy circles….

Of course you would have to delete “refusal”

no UDRP is not based on content, it’s based on the domain name

@AlanG: No…, in URS/UDRP, there’s also the issue of bad faith on the part of the registrant.

good idea Stephanie

is "disposition of request" term of art here?

I am unfamiliar

@Amr, bad faith is determined (among other things) based on content.

thanks Brian

Yup. Among other things…, so not “solely”. ;-)

hooray thanks everyone

thanks y'all

Phase 1 was regarding Publication, not disclosure. different topics, don't conflate

Hey folks need to drop a bit early. Thanks!

drop or escape?

+1 Alan G

It was about Publication and not disclosure

I mean by it the phase one recommendation

Agree with Marc that “may” gives us flexibility for things that aren’t GDPR

By “applicable law…”

I like the language Berry's putting on the screen

"by applicable law"

I can accept Berry's text

Alan G's text ;-)

+1 for the text on the screen

yeah, I think that addresses my concern, and the points raised by the comments.

Clarifying - lots of non-personal data is redacted.

Isn’t the disclosure of data behind p/p a different matter?

Not the data BEHIND the P/P - the P/P itself

Me

@MarkSV: The p/p provider’s data is already dealt with in a recommendation in the Addendum, isn’t it?

@Amr no one is referring to the data behind the P/P

@Hadia: MarkSV mentioned P/P. Assumed he meant registrant info behind P/P, but he clarified that he meant the p/p data itself.

What about: Human Rights implications must be taken into account when making a decision on disclosure.

+1 Brian

+1 Brian

+1 Alan G

+1 Thomas

+1 Thomas

I will be happy to do that

Write the dissenting opinion, that is.

@Berry, I don't think that language belongs here - rather, it should go in the balancing test section

I don’t think that can work operationally…a flag for “human rights organizations…:”

It's right next to the flag for "I am a lega; person" :-)

use the email list...

I need to drop for another call…thanks all

I support the extra call

We have a lot of imp issues

strong preference for finishing on time and spending the time we need between now and then

Many of us have important family issues as well, which mitigate against availability for a second call and the speeded up review requirements

Thanks all. Bye.

I also support the extra call

Thank you all - bye for now

thanks all

thanks all

Many thanks, and bye!