
37:38
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.

40:07
**Reminder for members to select all panelists and attendees for chat option.

43:38
does someone have the link for the public comment wiki page handy?

44:44
https://community.icann.org/pages/viewpage.action?pageId=126430750

44:51
thank you

49:15
I think that language is originally from case law

49:22
it's verbatim here: https://www.twobirds.com/~/media/pdfs/data-protection/uk--eu-data-protection-bulletin-february-2019.pdf

54:38
Agree that DPA would be a bad arbiter for these disputes

55:39
My apologies, I have to leave our call early today. Dan is on the call. Thank you.

57:52
I don’t think the existing appeals/DRPs are good examples. A Contracted Party subject to legal liability can’t be forced to disclose data by a panel like a UDRP panel. The decision ultimately needs to stay with the Contracted Party involved, even after an appeal is filed.

58:25
@Volker: +1

58:39
+1 Amr and Volker

59:36
Good point Janis

01:00:30
Even if we agree on an appeals process, the decision coming out of that process can’t be binding. Has to be in more of an advisory role.

01:00:36
Beth makes a good point. Maybe the solution is rather a reconsideration process.

01:00:49
@Thomas: +1

01:01:03
+1 Beth. And it could prompt a legal authority to invalidate the entire SSAD

01:01:25
Resending to everyone Beth makes a good point. Maybe the solution is rather a reconsideration process.

01:02:51
Thank you Stephanie! Appreciate the honesty.

01:03:30
Agree, Stephane. Nobody has a right to be a Registrar

01:03:55
Thomas- yes perhaps that’s something to think on?

01:04:54
seems to me we are over-complicating the disclosure of registration data, which is but one element of a much bigger picture of accountability

01:05:34
Agree with Stephanie: whoever decides is liable for decision - CP, CGM/ICANN, etc.

01:06:26
could there be an appeals process limited to CP’s perceived as systematic offenders?

01:07:07
Yeah that seems different…having a CP that constantly rejects legitimate requests is different

01:07:32
I have concerns with the assumption that the person who makes the decision is liable. I think it’s the party that discloses is liable. Happy to be convinced otherwise however! :)

01:08:02
Consistently rejecting disclosure requests is not a standard to brand a Registrar as a bad actor alone. It might be receiving large numbers of requests that need to be rejected.

01:08:02
Beth that kind of pragmatic nuance has no place here

01:08:09
/s :-)

01:08:20
agreed Matt. And this is the difference between the decision process and the procedural process. Seems rather straightforward really.

01:08:22
As in any appeal we are talking about appeal about decision per se or appeal about fault at process Maybe appeals about process can be processed faster and at this level e.g. without getting to the substance of the rejection

01:08:50
@Beth: +1. The action of disclosure results in liability, not just the decision to disclose.

01:09:20
@Thomas: +1. I like this suggestion.

01:09:23
@Georgios it seems to me that ICANN compliance can and should handle appeals about process. I think the remaining concern to address is appeals about the decision.

01:10:08
It absolutely IS complicated

01:10:08
@Thomas request for reconsideration is a good suggestion

01:10:11
@Amr: either requests are repeatedly bad and the system (logging, data analysis, enforcement, accreditation) needs to deal with that, or the decisions are and the system needs to deal with that.

01:10:33
Thomas, you just took my words out of my mouth

01:11:17
@Franck: That sounds sensible, but isn’t it missing requests with lawful bases that the controller (registrar) doesn’t agree with? There’s the matter of passing/failing the balancing test.

01:11:58
@Thomas: Have one problem with something you were saying - Requestors have legitimate interests to registration data, not rights.

01:13:01
Lawsuits take months or years — that’s not a solution

01:13:14
@Amr. I tried to express exactly what you wrote.

01:13:35
Courts are fine, but in the short term, Court backlogs in my country are going to be creating rather long waiting lists....

01:14:01
COVID is having a real impact on the courts

01:14:22
Either we treat all registrants the same … or we don't.

01:14:35
also appeals in relation to process should be no problem

01:15:49
Note that the model I am proposing would also hear complaints from registrants who do not have access to a data protection authority.

01:16:34
@Milton: +1

01:17:40
I think we can agree with Milton that we should have generalized recommendations here.

01:17:40
I don’t see an appeals process or reconsider process for every positive disclosure decision

01:18:14
that is procedural again Margie.

01:18:54
We did develop an entire SLA for that, no? Is that not accountability?

01:19:15
+1 Matt

01:19:17
The SLA is not on disclosure rates - Im happy to consider an SLA on disclosure rates

01:21:15
GDPR has no provision for the data subject giving permission for each request!

01:21:28
Balancing tests do not require humans

01:22:01
Unfortunately - many CPH are not following

01:22:07
@Beth: +1

01:22:09
And compliance isn’t stepping in

01:22:36
But we need that Compliance WILL take action. My understanding is that they have said they will not do that.

01:22:43
If compliance isn’t acting, that’s a different problem that needs to be addressed with ICANN org

01:22:50
well one-off or systemic, Beth, there’s a big big difference

01:23:00
That is literally the ENTIRE point of the GDPR Alan. No it doesn't say they have to give permission …. but everything about the GDPR is protecting their right to have privacy. Surely that is not lost on you.

01:23:36
Balancing tests definitely require humans. For the same reasons we don’t write algorithms to replace judges & juries.

01:23:55
@Margie: You’re making generalizations, while using an incorrect context. Registrars will be required to comply with a new policy, not what was previously called the Temp Spec. Also, wasn’t I chastised a few weeks ago for suggesting that all requestors are acting in bad faith (when I really wasn’t)?

01:24:00
I think you've really condensed the conversation well, Laureen.

01:24:45
It seems we need something for systemic compliance issues, plus something light for one-off "hey can you take another look"

01:24:46
James, balancing tests can be performed algorithmically in many cases

01:24:57
I’m not making generalizations - I said many CPH don’t comply - that’s not all — there are lots of responsible registrars and registries doing the right thing

01:26:20
Ah…, so you weren’t making a generalization, just like I wasn’t a few weeks ago? Just suggesting safeguards against the few cases, where CPs are not complying with policy?

01:29:27
Even so, there should be password or key relayed via SSAD

01:30:19
James: I *think* Domain Connect could be a good solution if we need to transmit data outside the SSAD boundary. Bonus is that GoDaddy and Microsoft already support it.

01:30:35
Apologies — I need to drop off the call early this week. Ben is covering for SSAC. Thanks!

01:30:52
Also, please never say that secure data transmission isn't a "sexy topic" that's just crazy talk

01:33:31
LOL

01:34:12
I was going to say that all the provided solutions are good ones 1) A high level system that addresses systematic abuse 2) A reconsideration path 3) A contractual provision that ensures CPs disclose the data when legally allowed

01:35:04
The above is in relation to an appeal mechanism

01:41:24
This is literally in the PPSAI as bottom-up, board-approved policy

01:41:58
And the PPSAI policy was totally innocent of any serious consideration of privacy law

01:42:41
Alan, your example does not match the concern raised

01:44:52
“…nor can approval or refusal to disclose be solely based on the fact that the request is founded on alleged IP infringement..”

01:44:53
ha tell that to the requestor I have today. I'd be happy to quote you guys on the response!

01:45:34
Sounds like the requestor was sloppy :(

01:46:35
The gateway will be checking for requests to ensure they have the appropriate information

01:47:23
LOL

01:47:27
Hahaha

01:47:37
So at least the CPH will have the appropriate form;

01:47:39
With respect, I don’t think “absent any legal requirements to the contrary satisfies my objections about lack of transparency

01:47:56
+1 Milton

01:48:05
right

01:48:14
it’s cheap price to pay!

01:49:45
no we are saying that there mere fact there is a IPR claim does not justify disclosure or refusal

01:49:49
Agree with Hadia on the relevance of 50,000 political prisoners to the issue of TM infringement. Although the figure I’ve heard is 60,000, not 50. ;-)

01:50:35
Sorry…, irrelevance, not relevance.

01:50:43
Margie, you are talking everyone out of accepting this language

01:50:45
@Amr I see no relevance

01:50:53
Neither do I, Hadia.

01:50:57
by suggesting that the mere existence of a trademark is sufficient to disclose

01:51:49
Sorry Hadia for the shortcut, I was referring to the recent and highly publicized petition to release 60K political prisoners which access now is circulating. Perhaps knowledge of this petition and the concern over the hunger strike of one of the leaders of the recent dissent [Arab spring]only circulates in the NGO community. It is all over the human rights news feeds today.

01:52:33
and you can’t ACCEPT is “solely”

01:52:49
My point was really that no-one should reject any request simply because it is IP related, political, etc

01:53:13
@Stephanie: Yeah, I’ve seen them, and for a lot of people living here, this is an ongoing issue, not just because Access have decided to bring it up. But it’s still pretty irrelevant to our discussion. We’re discussing TM/IP issues, not political ones, aren’t we?

01:53:28
it doesn’t remove anything

01:53:35
that you have a right to

01:53:46
From the data protection viewpoint it is essential to determine in very clear termswhat is the purpose of the Whois and which purpose(s) can be considered aslegitimate and compatible to the original purpose ... This is an extremely delicate matteras the purpose of the Whois directories can not be extended to other purposes justbecause they are considered desirable by some potential users of the directories.Some purposes that could raise data protection (compatibility) issues are forexample the use of the data by private sector actors in the framework of selfpolice activities related to alleged breaches of their rights e.g. in the digital rightmanagement field.

01:53:52
From WP29

01:53:58
in 2003 -

01:54:10
https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf

01:54:15
@Stephanie I still can't see the relevance of the above mentioned topic to IP infringement

01:54:26
I think our posts crossed Amr….my point is that a refusal should not be theme based, it should be fact base.

01:54:29
based

01:54:46
literally points out the fact that it is a DP concern. I'm not saying it will always be the basis for a denial … but it remains valid.

01:55:55
When did we start talking about AUTOMATED disclosure???

01:59:22
@MarkSV: You keep suggesting that we assume that requestors are “bad”, when all we’re trying to do is develop policies/processes that safeguard the rights of registrants/data subjects. The intent of the requestor is irrelevant. Safeguarding against infringement of the rights of registrants is the issue.

02:00:32
Sorry if I was unclear, that was not what I was suggesting here. I am merely pointing out that multiple interventions on this topic were in regard to incomplete requests, which is not what we are debating here

02:00:37
Hadia, I was not talking about IP infringement. I was talking about the use of specific theme based disclosure requests in a policy. Policy must be general absent specific fact based cases that deserve special treatment. If special treatment is requested, an entire case needs to be developed. Legislation has protocols in drafting to deal with these instances, policy is more loose, but the principles should be adhered to. However ICANN policy, as the product of compromise, and particularly in this instance, mixes implementation of legal requirements (or not) and specific stakeholder group treatment. This is an instance of both, in my view.

02:01:06
Isn't release to UDRP /URS provider based solely on IP/Content?

02:02:15
Suggested language if you don’t like approval: “disposition of the request”. Very common in FOI and Privacy circles….

02:02:42
Of course you would have to delete “refusal”

02:03:40
no UDRP is not based on content, it’s based on the domain name

02:03:51
@AlanG: No…, in URS/UDRP, there’s also the issue of bad faith on the part of the registrant.

02:04:20
good idea Stephanie

02:04:34
is "disposition of request" term of art here?

02:04:38
I am unfamiliar

02:04:41
@Amr, bad faith is determined (among other things) based on content.

02:06:04
thanks Brian

02:06:04
Yup. Among other things…, so not “solely”. ;-)

02:06:04
hooray thanks everyone

02:06:10
thanks y'all

02:07:42
Phase 1 was regarding Publication, not disclosure. different topics, don't conflate

02:07:55
Hey folks need to drop a bit early. Thanks!

02:08:10
drop or escape?

02:08:40
+1 Alan G

02:08:50
It was about Publication and not disclosure

02:10:30
I mean by it the phase one recommendation

02:11:09
Agree with Marc that “may” gives us flexibility for things that aren’t GDPR

02:11:28
By “applicable law…”

02:11:39
I like the language Berry's putting on the screen

02:11:46
"by applicable law"

02:11:54
I can accept Berry's text

02:12:11
Alan G's text ;-)

02:12:11
+1 for the text on the screen

02:12:13
yeah, I think that addresses my concern, and the points raised by the comments.

02:16:41
Clarifying - lots of non-personal data is redacted.

02:18:56
Isn’t the disclosure of data behind p/p a different matter?

02:19:12
Not the data BEHIND the P/P - the P/P itself

02:19:13
Me

02:20:32
@MarkSV: The p/p provider’s data is already dealt with in a recommendation in the Addendum, isn’t it?

02:20:40
@Amr no one is referring to the data behind the P/P

02:21:13
@Hadia: MarkSV mentioned P/P. Assumed he meant registrant info behind P/P, but he clarified that he meant the p/p data itself.

02:23:24
What about: Human Rights implications must be taken into account when making a decision on disclosure.

02:23:51
+1 Brian

02:24:02
+1 Brian

02:24:52
+1 Alan G

02:26:12
+1 Thomas

02:26:24
+1 Thomas

02:27:42
I will be happy to do that

02:27:54
Write the dissenting opinion, that is.

02:28:51
@Berry, I don't think that language belongs here - rather, it should go in the balancing test section

02:30:28
I don’t think that can work operationally…a flag for “human rights organizations…:”

02:30:58
It's right next to the flag for "I am a lega; person" :-)

02:32:00
use the email list...

02:33:20
I need to drop for another call…thanks all

02:33:56
I support the extra call

02:34:01
We have a lot of imp issues

02:34:49
strong preference for finishing on time and spending the time we need between now and then

02:34:50
Many of us have important family issues as well, which mitigate against availability for a second call and the speeded up review requirements

02:35:36
Thanks all. Bye.

02:35:42
I also support the extra call

02:36:13
Thank you all - bye for now

02:36:13
thanks all

02:36:13
thanks all

02:36:14
Many thanks, and bye!