Logo

Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Brian King (IPC)
31:38
what Controller are you talking about, Becky?
Brian King (IPC)
31:40
the registrar?
Hadia Elminiawi (ALAC)
33:34
@Margie would using "automatic" disclosure instead of "automated" disclosure be more accurate
Volker Greimann
33:46
agree with Becky
Volker Greimann
34:28
however ICANNs Brussels office may make ICANN (the controller) and its policies subject to GDPR
Matthew Crossman (RySG)
35:07
Hi all - apologies for the tardiness
Volker Greimann
35:31
can't talk, am in place
Tatiana Tropina (NCSG)
35:38
I agree with Thomas
Volker Greimann (RrSG)
38:25
if it is doneby a machine, it is automated
Hadia Elminiawi (ALAC)
39:16
makes sense
Thomas Rickert (ISPCP)
39:26
I doubt that disclosure is possible in all regimes not governed by GDPR.
Becky Burr (Chair)
39:46
GDPR or a similar data protection regime Thomas
Volker Greimann (RrSG)
40:40
does hearing it from legal counsel help if that advise is going to be picked apart in the end anyway?
Volker Greimann (RrSG)
41:42
it does not even matter where the controller is located. if the processing happens in the EU, GDPR applies
Becky Burr (Chair)
42:19
Agree volker
Volker Greimann (RrSG)
42:20
so a registrar in the US dealing only with US customer buit using German registrar backend services would still be bound by GDPR
Amy Bivins (ICANN org)
42:33
Comment on part b: should we consider changing “and” to “and/or” to assess the potential impact of ICANN taking on either of these functions?
Amy Bivins (ICANN org)
43:00
(Or both)
Margie Milam (BC)
44:44
that's ok
Hadia Elminiawi (ALAC)
44:52
+1 amy
Tatiana Tropina (NCSG)
49:47
sounds reasonable
Tatiana Tropina (NCSG)
50:15
even though I am still not comfortable with the entire ask but I can live with splitting the question
Margie Milam (BC)
50:33
yes - that works for me
caitlin.tubergen
51:14
That is correct, Becky.
Becky Burr (Chair)
51:44
Brian - new hand?
Brian King (IPC)
51:57
no, thanks.
Becky Burr (Chair)
52:25
Please scroll back to the actual question
Volker Greimann (RrSG)
54:28
we can state anything. if it is true or not
Volker Greimann (RrSG)
54:50
Becky +1
caitlin.tubergen
55:55
I am taking notes, Tara.
Becky Burr (Chair)
56:27
Are data controllers entitled to rely on a statement obligating legal person registrants to obtain consent …
Brian King (IPC)
59:02
If I could add a friendly amendment to the question posed by SSAC, a follow-on question may be helpful, "What representations, if any, would be helpful for the controller to obtain from the legal person registrant in this case?"
Brian King (IPC)
59:17
Don't want to hold us up from moving on
Becky Burr (Chair)
59:26
That’s a good suggestion Brian
Becky Burr (Chair)
01:00:10
“If so, what representations, if any ….”
Brian King (IPC)
01:00:21
Right
Brian King (IPC)
01:00:23
thanks
Tara Whalen (SSAC)
01:00:51
Sure — having examples of what to use in practice seems helpful to me.
Tara Whalen (SSAC)
01:01:25
Which, after all, is what we’re trying to find here (practical assistance).
Becky Burr (Chair)
01:03:27
keep 4 and 5 on the screen please
Margie Milam (BC)
01:03:43
I agree that this is an important question
Hadia Elminiawi (ALAC)
01:05:43
we are referring to the purposes here - this is how I understand 4
Georgios Tselentis (GAC)
01:11:36
The accuracy principle is intended to serve the purposes not the processors
caitlin.tubergen
01:12:39
One of the previously-approved questions (yet to be submitted) provides: Does the accuracy principle only take into account the interests of the data subject and [a] controller (e.g., ICANN’s or the contracted parties’ interest in maintaining the security and stability of the Internet’s unique identifiers), or does the principle also consider the interests of third-parties (in this case law enforcement, IP rights holders, and others who would request the data from the controller for their own purposes)?
caitlin.tubergen
01:13:27
Additionally, this question is posed (yet to be submitted): The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. How do you characterize the level of risk of liability - low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23? Would detailed notice at the time of registration and ongoing renewals reduce the risk that data subjects will wrongly self-identify to a negligible level?
Laureen Kapin (GAC)
01:16:08
Do data controllers have a responsibility to take reasonable steps ensure the accuracy of the data submitted and ensure a minimum level of accuracy?
Georgios Tselentis (GAC)
01:17:48
I am fine with this
Laureen Kapin (GAC)
01:18:05
I think Caitlin's questions deal with the self-identification of legal or natural rather than data accuracy generally.
Brian King (IPC)
01:18:37
Right, @Laureen.
Georgios Tselentis (GAC)
01:18:49
we can add "having regard to the purposes for which they are processed"
Volker Greimann (RrSG)
01:20:06
need to drop now, see you all on Thursday
Becky Burr (Chair)
01:20:19
thanks Volker
caitlin.tubergen
01:20:26
Is that what you had in mind, Becky? The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. [Do data controllers have a responsibility to take reasonable steps ensure the accuracy of the data submitted and ensure a minimum level of accuracy?] How do you characterize the level of risk of liability - low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23? Would detailed notice at the time of registration and ongoing renewals reduce the risk that data subjects will wrongly self-identify to a negligible level?
caitlin.tubergen
01:23:35
For reference, here is an excerpt from the previous Bird & Bird accuracy memo: 15. The Accuracy Principle requires controllers to take "reasonable steps" to ensure that personal data is accurate and up-to-date. In some instances, it is reasonable for a controller to rely on the person submitting the data to provide data that is accurate. In other instances, the GDPR requires controllers to take affirmative steps to ensure that the data submitted is indeed accurate. What steps are appropriate will depend on the circumstances and the nature of the risks presented to data subjects.
Matthew Crossman (RySG)
01:23:52
That is a fair point Margie
Matthew Crossman (RySG)
01:24:07
just noting that the first memo asked "a. What is the obligation to verify that personal data collected by the controller is accurate at the time of collection?"
Laureen Kapin (GAC)
01:25:22
Considering Matt's comment, perhaps the follow up question should be what steps do data controllers have a responsibility to take. . . etc. I can confer with Georgious to deal with this.
Brian King (IPC)
01:30:41
sounds good to roll it in
Margie Milam (BC)
01:31:17
I need to drop off to drive- but will stay on the call.
caitlin.tubergen
01:41:43
Yes.
caitlin.tubergen
01:43:02
I will submit the action items very shortly after this call so everyone can get started on their homework. :)
caitlin.tubergen
01:43:12
Will do, Becky.
Brian King (IPC)
01:43:32
Thanks, all.
Matthew Crossman (RySG)
01:44:18
Thanks folk - happy new year
Tara Whalen (SSAC)
01:44:24
Thanks, all!
Brian King (IPC)
01:44:27
happy new year!
Hadia Elminiawi (ALAC)
01:44:33
Thanks all