051040043 - EPDP-Phase 2 Team Call
Thomas Rickert (ISPCP)
31:19
hi all!
Terri Agnew
31:42
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.
Volker Greimann (RrSG)
33:54
those who did their homework win the argument?
Berry Cobb
34:34
https://docs.google.com/document/d/1a3YQNGKaRnX8iE4tLJIq0SP-RBnPf2OB4_JE5PEcnOc/edit#heading=h.gjdgxs
Matt Serlin (RrSG)
44:09
That exact issue was raised on the last call and never really resolved if I recall...
James Bladel (RrSG)
45:44
Thanks, Janis. I guess I missed the “IF”
Berry Cobb
46:38
An example, automation of city field to confirm legal jurisdiction - if the request includes only a request for city field and the purpose is to confirm legal jurisdiction, it would have met the criteria.
Brian King (IPC)
47:05
Thanks, Berry.
Berry Cobb
47:16
No decision made by Central Gateway Manager, but the criteria is met for automation.
Chris Lewis-Evans (GAC)
47:39
+1 Berry
Chris Lewis-Evans (GAC)
47:58
And is covered under the joint controller agreement
Beth Bacon (RySG)
49:44
Chris- are you referring to the JCA that is mandated in Phase I reeks?
Beth Bacon (RySG)
50:09
Recs OMG the autocorrect. Sorry
Chris Lewis-Evans (GAC)
50:32
Going to say is it bad?
James Bladel (RrSG)
50:42
Good point, Marc. And are RDAP responses secure by default?
Hadia Elminiawi (ALAC)
50:43
@Marc A the how is an implementation issue and shouldn't really stop us from agreeing on the policy
Berry Cobb
51:15
We're getting into implementation, but a hybrid of sorts between web interface and RDAP. As Marc says, not RDAP alone.
James Bladel (RrSG)
52:45
If so, then we should remove references to “RDAP”, because it will constrain (and confuse) the Implementation Team.
Hadia Elminiawi (ALAC)
53:51
+1 to removing the technical means through which the data will be transferred from the CPs to the requestor
Hadia Elminiawi (ALAC)
54:41
+1 Dave
Beth Bacon (RySG)
55:47
It seems that this issue would is covered by Rec 18 is relevant here
James Bladel (RrSG)
55:57
Secure Mechanism - the CGM could receive a key from the requestor, and then relay or direct the CP to transmit an encrypted payload. Assuming the SSAD doesn’t want to be a “locker”
Brian King (IPC)
56:51
+1 James
Mark Svancarek (BC)
57:22
+1 James.
Mark Svancarek (BC)
57:32
+1 David.
Hadia Elminiawi (ALAC)
58:08
+1 james
Chris Lewis-Evans (GAC)
58:10
Is new happy to go after Volker, thanks
James Bladel (RrSG)
59:00
Honestly, in some (most?) cases, it might be cheaper/faster/more secure to use the CP’s proprietary request system first, and then only go to SSAD for problematic cases.
Mark Svancarek (BC)
01:02:39
@Stephanie, that depends a lot on the CP...
Mark Svancarek (BC)
01:02:49
Not all have same tech ability
Alan Greenberg (ALAC)
01:02:53
Shifting liability: No. But assigning liability in a joint controller agreement may well be possible.
Brian King (IPC)
01:03:32
+1 Marc
Alan Woods (RySG)
01:04:06
Alan, I'm sorry but we can assign liability till the cows come home …. that doesn't affect the factual legal liability of the situation. The DPAs, strangely, don't have to agree with our machinations.
Thomas Rickert (ISPCP)
01:05:50
Alan, we are having so much fun discussing these same questions over and over again. Given we have no deadlines, it is time worth spending :-)
Mark Svancarek (BC)
01:05:57
+1 AlanG, we should not rule it out.
Thomas Rickert (ISPCP)
01:06:14
I was responding to AlanW btw
Alan Woods (RySG)
01:06:31
noted :D
Thomas Rickert (ISPCP)
01:06:52
Haha - I just could not resist
Georgios Tselentis (GAC)
01:09:09
Similarly to what Chris mentioned I understand that as a human assessment on whether the conditions for automatic disclosure are met not the disclosure decision per se.
Mark Svancarek (BC)
01:09:41
+1 Georgios
Stephanie Perrin (NCSG)
01:10:15
Making that decision based on what, is the key question Brian.
Matt Serlin (RrSG)
01:11:19
Agreed Janis…with 5 weeks to go, I’m amazed we are having the whole centralized/decentralized discussion again…
Margie Milam (BC)
01:12:23
+
Margie Milam (BC)
01:12:28
1
James Bladel (RrSG)
01:12:30
I think it’s going to depend on the evolution of data protection laws....
Brian King (IPC)
01:13:16
+1 Alan, we never meant to create merely two options
Alan Greenberg (ALAC)
01:14:40
@Milton, so you object to full automation and now you object to human decision.
Alan Woods (RySG)
01:16:59
+100 Beth - it seems we are trying to twist data protection la to fit the SSAD at this point ….. when surprisingly we should be doing the opposite.
Alan Woods (RySG)
01:17:09
*law
Mark Svancarek (BC)
01:17:19
Centralizing a human decision is a more scalable approach for CPs who elect not to add more staff who may be idle much of the time
Milton Mueller (NCSG)
01:17:51
I don’t hear the CP’s calling for that, Mark. When I do, I will take it seriously
Mark Svancarek (BC)
01:18:30
I have deliberately held back our requests for two years. When the volume ramps back up, it would be nice to have an option in the policy.
Alan Woods (RySG)
01:19:35
Mark. What does that say about the necessity of your requests?
Mark Svancarek (BC)
01:20:10
AlanW is being disingenuous. Look to the definition of "necessary" that we are using
Beth Bacon (RySG)
01:20:12
Janis I appreciate the pointer to Rec 19. I was under the impression that it was still under discussion?
Beth Bacon (RySG)
01:20:18
Happy to be corrected.
Margie Milam (BC)
01:21:54
+1 Janis
Berry Cobb
01:23:10
Link to the latest version of Rec #19 Evolution Mechanism can be found here: https://community.icann.org/x/K4LsBw
Milton Mueller (NCSG)
01:23:25
It’s not the “mechanism” of evolution, it’s the substantive policy that underlies it
Alan Woods (RySG)
01:23:35
Mark if you wish to accuse me of that - such is your prerogative. I merely am observing that you said you have deliberately not requested for 2 years. Yet you claim that the requests are necessary. And for the record - I always use the definition of necessity as the law sees it -
Stephanie Perrin (NCSG)
01:27:04
How can we define an evolutionary mechanism prior to using the central gateway?
Stephanie Perrin (NCSG)
01:30:52
It seems to me logical that CPs will propose types of requests that could be further processed by a central gateway when and if they tire of the volume of friction free requests. However, until we launch the gateway we can hardly anticipate where those types of requests are going to be found. No amount of quizzing the DPAs on this matter is going to be helpful, if we cannot figure it out ourselves.
Mark Svancarek (BC)
01:31:07
Alanw: " Necessary means more than desirable but less than indispensable or absolutely necessary." The fact that we can limp along in some cases at greater inefficiency does not mean that the requests would not be deemed to be "necessary".
Stephanie Perrin (NCSG)
01:32:17
Note that I used the term “further processed”. The gateway mechanism is a processor, let’s keep that in mind. Give it decision making power, someone had better be certain of their templates because a processor is not the controller,
Margie Milam (BC)
01:33:01
Our legal advice allows some automation so I don’t understand the concern
Milton Mueller (NCSG)
01:35:38
agree, we only need the word "review”
Mark Svancarek (BC)
01:36:07
Only need "review"
Mark Svancarek (BC)
01:36:13
+1 Milton
Hadia Elminiawi (ALAC)
01:36:25
yes
Berry Cobb
01:38:03
Because this is a MAY, there's nothing here for Org to enforce. Perhaps this can be Implementation Guidance instead?
Brian King (IPC)
01:39:06
IPC :-)
Brian King (IPC)
01:39:25
No offense taken. BC might be offended ;-)
Stephanie Perrin (NCSG)
01:39:53
We should not punt this to the IRT
Berry Cobb
01:40:33
I think the original use case was smaller CPs would not have the resources or legal capability to do balance test, or may be in a jurisdiction not applicable to GDPR and then MAY choose to automate.
Margie Milam (BC)
01:40:36
Good examples Chris
Milton Mueller (NCSG)
01:42:46
would to be hard to modify this language in ways that overcome our concerns
Milton Mueller (NCSG)
01:42:54
would NOT be hard...
Stephanie Perrin (NCSG)
01:43:15
It is the job of this PDP to come up with a policy that is compliant with the GDPR.
Alan Woods (RySG)
01:43:33
Mark. I'm afraid inefficiency does not trump the law. These are simple chats, so perhaps not the best place to have a distinct legal discussion. But necessity interacts with the concept of proportionality - If you can achieve the goal by alternative, and less invasive means (less invasive vis a vis the impact to the rights of the data subject), then such processing is not necessary. I don't discount that there are definite instances where disclosure will definitely be necessary - but inefficiency is not the strongest of reasons.
Milton Mueller (NCSG)
01:43:42
if they are outside of the scope of DP law then it is presumptively legal, so you can adjust the language accordingly
Stephanie Perrin (NCSG)
01:43:47
If this were a “risk assessment” we should have done that at the beginning of the exercise, not wing it now
Alan Woods (RySG)
01:44:21
I'm afraid I have to drop for an unavoidable clash. Thanks all.
Margie Milam (BC)
01:45:42
The BC approves this language too
Brian King (IPC)
01:47:05
Fine by us
Margie Milam (BC)
01:47:15
Ok with that change
Stephanie Perrin (NCSG)
01:48:48
Keep in mind that the simplest response to automate is NO.
Thomas Rickert (ISPCP)
01:52:45
Suggestion: international transfers need to be secured according to Art. 44 pp GDPR
Thomas Rickert (ISPCP)
01:55:05
Hadia and Becky, my suggestion would cover things.
Hadia Elminiawi (ALAC)
01:55:37
+1 Thomas
Thomas Rickert (ISPCP)
01:55:55
Matt, we have made explicit reference to GDPR in other parts of the report, so I think we can do that here, too.
Hadia Elminiawi (ALAC)
01:56:11
we do not want to mention one thing and drop some others
Marc Anderson (RySG)
02:00:27
Can someone link the document on the screen?
Caitlin Tubergen
02:02:21
https://community.icann.org/pages/viewpage.action?pageId=126430750&preview=/126430750/134514763/Recommendation%204%20-%20Discussion%20items%20-%2013%20May%202020.pdf
Marc Anderson (RySG)
02:04:15
thank you Caitlin
Berry Cobb
02:04:37
This is NOT a part of Purpose 2 recommendation.
Brian King (IPC)
02:05:03
Right, Berry. This is separate.
Hadia Elminiawi (ALAC)
02:05:18
+1 Berry this is not part of purpose 2
Hadia Elminiawi (ALAC)
02:07:52
+1 Margie
Georgios Tselentis (GAC)
02:08:42
Delete justifications?
Margie Milam (BC)
02:08:59
It’s ok
Brian King (IPC)
02:09:05
Ok
Franck Journoud (IPC)
02:09:06
That's ok.
Margie Milam (BC)
02:12:40
SSL certs
Margie Milam (BC)
02:12:43
As an example
Margie Milam (BC)
02:13:16
Escrow in a domain sale transaction
Berry Cobb
02:14:55
In those examples, though should we be clear why they would need to go through SSAD though?
Mark Svancarek (BC)
02:16:36
+1 James but actually different than publication - RNH indicates that they are consenting to DISCLOSURE sometimes
Brian King (IPC)
02:16:37
Sorry to be a bit cheeky, but do CPs really want to have more flags to build, consent to obtain, and features to implement? SSAD seems to be a better home for that.
Margie Milam (BC)
02:18:32
No - I don’t agree
James Bladel (RrSG)
02:18:57
Need to drop in 2 minutes. Thanks all.
Marc Anderson (RySG)
02:19:10
The data subject isn't a third party.
Mark Svancarek (BC)
02:19:28
+1 MarcA
Mark Svancarek (BC)
02:19:41
Maybe not such an edge case
Brian King (IPC)
02:19:44
+1 MarcA, it is confusing b/c this would be the RNH's purpose, but the third-party's accessing the data
Matt Serlin (RrSG)
02:20:42
Yeah this doesn’t seem like a good use of the SSAD to have the registered name holder interact with the SSAD regarding their data and who it could be disclosed to
Berry Cobb
02:21:14
The SSAD does not contain data, at best only the log that a request contained the domain name. So how could the SSAD know that the RNH is the actual and real RNH of the domain name without having it disclosed.
Matt Serlin (RrSG)
02:21:31
And all of the cases mentioned earlier (domain name sale, cert issuance, etc.) have been addressed by parties who deal in those services
Marc Anderson (RySG)
02:21:56
good point @Berry
Stephanie Perrin (NCSG)
02:22:52
Sorry I have to dash to another call
Margie Milam (BC)
02:23:26
We won’t even touch it in IRT if it isn’t in the recommendation
Milton Mueller (NCSG)
02:24:29
registrants right of access is not a third party purpose
Margie Milam (BC)
02:26:45
+1. Mark SV - lots of use cases like that
Milton Mueller (NCSG)
02:26:46
come to think of it, if there is a contract it’s not third party either
Chris Lewis-Evans (GAC)
02:26:52
Have to sign off see you all Thursday
Volker Greimann (RrSG)
02:27:19
how would we validate that though?
Berry Cobb
02:27:50
But in these use cases it means that all these 3rd parties are accredited. Not to mention that is the SSAD even the right store of RNH consent?
Berry Cobb
02:28:20
Staff will need more information on the use cases for it to make sense.
Berry Cobb
02:28:42
We're stumped on #4 and hence why Q3 was listed here.
Brian King (IPC)
02:29:25
I would be happy to chat with Staff offline
Brian King (IPC)
02:29:56
thanks all
Marc Anderson (RySG)
02:29:57
thanks all
Hadia Elminiawi (ALAC)
02:29:59
Thank you all - bye
Margie Milam (BC)
02:30:02
Bye!