is there no sound?

There is Volker … mayhems not for you

*mayhaps

I hear nothing :-(

thanks for upgrading me to panelist

@Terri: Your audio is breaking up a little.

You’re welcome, Milton

@Marc, we will check into your link issue.

Same issue for me too…thanks Terri!

As a reminder, March webinar links are different than April webinar links. Make sure you are using your panelist join information for March.

please select all panelists and attendees in order for everyone to see chat

good question, Janis

@Janis: No temp spec expiration deadline.

Ok I lost all that - was it just me? Seems Zoom is a teensy teensy best buggy / over burdened today

@Alan, would a dial out on the telephone help?

These are all ICANN org purposes or functions, Becky. Not third parties. Does ICANN even need a SSAD to get this data?

Thanks Terri… it seems to have resolved thank you!

apologies for being late

@Amr When you say they are covered you mean those are pusporses covered in Phase one by whom?

@Georgios: by the EPDP phase 1 recommendations, which have already been adopted by the ICANN Board.

There are specific purposes in phase 1 that cover the supermajority of items listed here, no?

I am not sure why I am asking this question, but if ICANN Org wants that language to be included, is ICANN Org willing to confirm that it can be helf fullly accountable for any issues that might arise with it? #devilsadvocate

@Becky: I didn’t thank you for providing this email. Yikes!! Thanks. :-)

ICANN will need it, yes. Third parties?

the mission does not identify tasks, therefore the data elements cannot be identified from the mission. However, processing of the data to fulfil the purpose of SSR according to the mission is essential

You’re not answering my question about third parties Becky

+1 Becky

Are we talking ICANN access or third party access?

thanks

the mission does not identify tasks, therefore the data elements cannot be identified from the mission. However, processing of the data to fulfil the purpose of SSR according to the mission is essential

FWIW ICANN would not necessarily be using 6(1)f

Reminder, please select all panelists and attendees in order for everyone to see chat.

FWIW ICANN would not necessarily be using 6(1)f

Milton, this is clearly about ICANN access, otherwise we would be back in the quandary of conflation identified by the Commission

OK, thanks for finally answering that

The paper itself specifically speaks to ICANN’s processing.

SO IT IS CLEAR NOW THAT PURPOSE TWO IS EXCLUSIVELY ABOUT DISCLOSURE TO ICANN NOT THIRD PARTIES

It is about ICANN’s processing of personal information Milton

What you need to be sure of is that ICANN cannot process the data out of its mission and also the proportionality element has to be respected. So there is no reason no oppose this purpose, what are we afraid of?

As long as ICANN acknowledges its role and responsibilities under Purpose 2.

+1 to James -- this is a reasonable resolution of Purpose 2 and based upon the Bylaws.

I am still having a great deal of difficulty with this.

ICANN does not control all this data. Does this explanation make it some kind of deus ex machina which can reach in at any time and control the data?

Didn't we agree that the terms of the privacy policy was not something we were planning to make recommendations on?

I believe we did Margie

I think the clarification that this is for ICANN‘s use is very helpful.

Amr is correct, we would need to provide a disclosure to registrants, that is not a problem - and it will be on ICANN as a controller to do so

Can we get NCSG over the line if we include that as mentioned in caps by Milton in this chat?

can you repeat it, Janis

Thomas: speaking only for me, answer to your question is yes

+1 to adding the statement to the report

I was hoping we would add it to the report

I would need an extensive clarification about ICANN’s role and accountability to get this “over the line”

@Janis: Right. Thanks.

From Me to All panelists: (10:29 AM)
I would need an extensive clarification about ICANN’s role and accountability to get this “over the line”

From Me to All panelists: (10:25 AM)
ICANN does not control all this data. Does this explanation make it some kind of deus ex machina which can reach in at any time and control the data?

Link to Can't Live with items: https://docs.google.com/document/d/186a4k-ls0cjbhvWQi_HfryDN1PVjfaSKvWMDKLcVQYM/edit#

@ Janis Can you remind us please whether intermediate results are expected from the study and if yes by when?

It is one thing for this group not to dictate to ICANN the terms of its privacy policy. I have had pretty good attendance and participation on this group, and I am still remarkably unclear as to what ICANN has stated as its precise role as a controller, co-controller, or processor, and this is as I have repeated forever, a very critical issue.

Whatever that role is, it is not a carte blanche access to RNH data for vague universal purposes.

So what Alan G is saying is the ePDP will carry on for years based on that…

Doesn’t look like we’re going to reach any consensus on this.

@James: +1. We need to recognize where we’re unlikely to reach consensus on.

I think it boils down to the question whether we are willing to accept fragmentation of treatment of registration data at the global level based on these criteria. The real question is, will further work change the consensus level (or the absence thereof) in this group. If not, we should not go into overtime for that.

Have we not had this discussion both in Phase 1 and in Phase 2…agreed that consensus on this issue is very unlikely even with additional time

@Matt: =1

+1

This is not jurisdictional

This is not the geo-distinction issue.

Why are we talking about jurisdiction?

@Janis: could you ask participants not to characterize the positions, let alone motives, of other EPDP members?

Separating “classes” of registrant based upon the type of entity or geographic location would appear to conflict with Becky’s SSR memo

Not jurisdictional? LOL LOL LOL

for the sake of legal universality differentiation between legal and natural persons is required.

we should end this and if the 'GNSO wants more, let it scope another pdp

No one is talking now about geographic distinction

the "e" of epdp is enough of a joke already!

We’ve already exhaustively discussed legal vs natural in phase 1 (pending the survey right now), and we’re unlikely to reach consensus on it from a policy perspective, not a legal one. Do we need to list all our reasoning again? We can, if necessary.

+1 james

I think it’s clear that privacy law -allows- us to make this distinction, but we have numerous reasons why -requiring- it is unacceptable. Thx.

I told you at the start you would be wasting your money

+1 Margie. The Bird & Bird memo provides helpful guidance on this.

+1 on moving forward via a small group and I volunteer to participate. We may yet be able to identify where we have consensus on a few key issues.

sorry, need 5 minutes

On th point of timing …. Can we also point out that the recommendation regarding the study in phase I does not state that th

..at we have to wait for the study

Only hat depending on the timing of the research, to use it if available.

one minute

.

ready now

There is no reason to delay issuing the addendum *IF* it allows us to continue talking about the issue after issuance.

Recommendation 17 - 3 - The EPDP Team will discuss the Legal vs. Natural issue in Phase 2. Depending onthe timing of the research, its discussions may inform the scope of research and/oruse its findings

All I’m getting today is that we must -

@AlanW: +1

I clearly agree with Volker on this.

+1 Volker and Alan W

Ä‘

@Volker: +1000

pls ignore the last message from me. Sent by accident.

Im dropping off and Steve is on in my place

GAC also supports work on legal /natural.

I see no reason to delay the addendum for the issue of natural vs legal. It won’t change anything.

Thanks Thomas…I was just trying to figure out what you were getting at ;-)

let's achieve closure

To be clear, we must publish today. Just say that we have not reach closure on how to address L/N.

I need to drop at the top of the hour. Thanks, all.

There are more comments in the input form than N/L - can we discuss those today?

Folks - I need to drop. Sarah Wyld will take my place on RrSG. Thanks!

an addendum to the addendum?

@MarkSV: +1

As I noted, running this small group in parallel risks affecting reviewing the comments on the Initial Report, which is part of critical path.

+1 Laureen to form a small group

No small group.

No small group.

Even if this group runs in parallel, it wont be a part of the addendum report, thus any possible outcome from the small team if it were to be included in the Final report, then it will delay it.

exactly, Berry

At huge risk ......

Did I read a different legal opinion?

No small group, This is an utterly intractable issue.

@ Berry, Janis is suggesting that we treat small group work as a comment that we consider in finalizing report. I don't think that would jeopardize critical path/deadline for final report.

I have been proposing from the get go that organizations that wish to self identify as corporations can self identify and propose a certification/accreditation method. Crooks are unlikely to sign up, but hey when did that ever stop this group from considering crazy ideas. However, this proposal has been studiously ignored.

@Laureen but it does divert already stretched resources on a timeline with zero slack where the focus of resource should be on reviewing public comments. Which btw, not all groups have submitted by yesterday's deadline.

no we may not

I don't think we all agree with that interpretation of the legal advice

I disagree with Steve

Based on this entire conversation, it seems the only way forward is to indicate we did not address the issue and reach consensus and get this back to the GNSO for their action

+1 Matt.

basically what Marc is saying :)

+1 Matt

Janis+1 lets move on

The addendum says “the EPDP Team will269 not be able to consider the findings within the timeframe that has been established for270 the delivery of the Final Report.” That is not accurate. Majority of this EPDP understands we MAY publish legal person data, but prefers that we do not. Let’s say so.

yes

The NCSG previously said that we should not go ahead with the Bird & Bird questions because it is not a legal matter but a policy matter. so from a legal point of view we do agree that it may be possible however the parties objecting to this are looking at it from a policy point of view and not a legal point of view, this is what our discussions lead to and suggest

I don't think this parallel option considers how much work we have ahead for the group to review comments.

+1 Berry

+1000 Berry

We have fundamental disagreements as to how helpful that advice is

can we circle round this for now and come back to this at the end of our call?

if reviewing legal reports will not change anything, why do we even have a budget for legal adivce?

The BC comment did not suggest a small team. We want the EPDP to state its conclusion, even if not by consensus

there is no conclusion

But the point is that this is not an issue of lack of time, it's an issue of lack of interest on the part of some members of epdp.

@Volker — we suggest the conclusion is that data for Legal Persons MAY be published but that EPDP majority do not want to publish.

we never reached a formal conclusion on this, so anything more would be a lie to serve an agenda

and personally, I think MAY is fine

I don’t believe it to be a lack of interest rather the resistance to continue to discuss issues that we have already spent countless hours on without reaching consensus

The decision not to publish for legal persons is a policy decision that some in this epdp make, not a legal question whose answer we don't know

as I said again and again, I like options on disclosure and publication

there should not be a position that it MAY NOT be published

it is entirely one-sided.

I disagree with that characterization of the EC input

Just out of curiosity, what happens to the model if lazy registrars who are not represented in this group just publish data based on poor (or non-existing) legal analysis, and there are complaints and court cases.

I disagree with everything but the first sentence

@Milton: +1

Taking my hand down. Milton said what I wanted to. The text may be accurate, but not complete. The narrative is applicable to all parties. What the BC is asking is for a narrative tilted in its favor.

Furthermore, statements about EC reps should always indicate which area in the commission they represent.

(Not that I am endorsing the inclusion of that language)

I would like to go on the record that after consultation of the ISPCP, that the ISPCP does not wish that the accuracy discussion shall further burden the EPDP work, but that it is an important topic to be addressed and further worked on in other policy work.

Also, I would point out that there is no information "contained in the SSAD"

the SSAD does not hold data, it is an avenue to request disclosure

+ all the numbers Sarah

The B&B legal memo on Accuracy says that the existing structures are sufficient, so I don't think we need to discuss it further here

Again +1 Sarah. B&B were very clear.

@Ben, can we address the "?" in the comment. Does SSAC support that statement as is?

@Sarah: +1

Berry, the sentence before should be removed as well.

All after "treated"

thanks

retracted. thx

they just want to remove the more specific reference to 6 1 f.

I am ok with the deletion

I like that Recommendation: Do nothing

Do No Harm!

@Steve: Sigh…, it’s like I said nothing. :-(

Agree with Steve here. Disclosure is the wrong word here

we all agree with the deletion as far as i can tell

+2 Steve B.

=1 Volcker

+1

so it'd be "therefore, publication of uniform masked email addresses is not currently feasible under the GDPR"

+1 Volker - add "uniform"

Preliminary Conclusion?

+1 Sarah

Agreed, Janis

hooray

sorry

It allows publication of masking emails, the issue is *uniform* masked emails

+1 Steve

For the part of BC and IPC, our rationale for disagreement on Legal Person and Accuracy were already provided.

I said that it is about ICANN’s processing of personal data about registrants. I cannot rule out the possibility that there will never be an instance in which ICANN, as a controller, shares information with a third party as part of that processing.

Thanks for that clarification Becky.

@Becky: Yes…, that’s our concern.

Disclosure is a form of processing, so vague language does not exclude it.

We're venturing into minority statements. Can all these be removed and disagreements be posted in the public comment?

@Berry: Aren’t minority statements normally included in reports?

Milton is right here

Final Reports after Consensus calls.

OK to delete it;

sorry :-)

Milton is making an important distinction.

But Milton, we agree with Becky that the purpose does NOT foreclose 3rd party disclosure as part of ICANN processing

@amr, I don’t think that distinguishes ICANN’s purpose from any other purpose. From time to time a controller may disclose information to a third party consistent with the requirements of GDPR.

@Milton it is an ICANN purpose however, ICANN may share the data with third parties

No, Hadia

But the purpose is not to disclose

exactly -

Don’t agree with Hadia

Becky: then that needs to be stated explicitly

Indeed, as Becky has stated, there may be exceptional circumstances where ICANN feels it has the authority to disclose to third parties. However, that is not the same as third parties’ purposes finding a home in ICANN’s purposes. Obviously, all stakeholders have an interest in maintaining SSR.

so given the EU advice about not conflating icann purposes with third parties, we need to add some wording to Rec 23 to say what Becky said - that the purpose is not to disclose to third parties

@Milton how can ICANN guarantee that there won't be some circumstances that would require the sharing of the data

Hadia, they don’t have to

there may be - but that is only as required for icann’s limited mission. we just need to make it clear that this is not a “we collect data with purpose to disclose

+1 Stephanie You express exactly what I wanted to say

Dropping comment is ok, but rewording Rec is not.

it does!

Milton, I’ve said repeatedly that Purpose 2 as supported by the Board articulates a purpose for ICANN’s processing of personal data about registrants. The basis of the purpose is to eliminate the conflation problem identified by the Commission.

@Becky: Understood, and not disagreeing. Just trying to explain why not being specific on this is problematic from an NCSG (registrant) perspective. I’m not even sure having a vague purpose on SSR grants the legal certainty ICANN org should be seeking.

We can add a foot note pointing back to Phase 1 report, Rec #1

Thank you for pointing that out Marc.

The way this is going, we will not be able to publish this today :-(

no one has proposed that Becky (prohibited)

just want to make it clear it’s an ICANN purpose, as Marc proposed

It still requires clarification in my view, mostly because only a few understand what it really means. Specificity as to examples, underlying reasons, likely frequency etc ought to be provided to ensure it is not abused

Sorry all … I must drop!

Thank you Becky this is clear

@Amr yes you an Becky are saying the same thing

and

+ 1 Berry

Apologies, must now move to another call

Same.

I need to drop as well

Thanks all

thanks, all

Janis — are we saying that no “minority statements” will be in this Addendum,?

no. Disagreeements to be posted in public comment.

Thanks all

minority statements are for final report.

Thank you all bye for now