Hello all

Hi, Elena

Hello everyone

Can elena provide an overview of the discussion from her point of view?

I am a bit confused about the focus on the Belgian DPA. Didn’t he say that the office was not competent on the controller issue??

Before this meeting we were standing at the precipice but now we have taken a great step forward

thank you Elena

Thanks, Elena.

@Volker - did we step forward over the precipice, or...

@MarkSV: LoL!!

Maybe we were all shoved fwd?

Not sure, do you feel the wind rushing past your face?

Here we go again: Detail detail detail

+1 Alan G

Let‘s settle on a model allocating roles and resonsibilities and flesh things out

+1 Alan give them exact cases to test the water

I personally am hearing is that they cannot pass judgment - unless of course they are 'investigating us' which is their actual power. Detail is key - but we must follow the actual legal process to engage the guidance role - Elena noted the path to the EDPB - that is helpful - we can use Art 36 'prior consultation' but again … I'm getting the clear message that we must follow the legal processes... and have we not been saying this for years now?

We have, Alan

+1 Alan W.

I wonder how they got that idea?

The way I read the letter: The don‘t want questions, but a PROPOSAL on how we think things can work. They can then assess whether we are on the right track.

That is a great question Margie. +1

+1 Margie and Alan W, let's follow whatever process we need to so we can get that guidance

+1 Thomas

Article 64 (2) of GDPR

Thanks, Georgios. That would be very helpful.

I guess Goran convinced them that he made policy ;-)

grr

amen, Janis!

thanks Elena. I had actually completely forgotten that provision existed. Very interesting. Of course, that would be if the Commission feels like it can provide such a question on this matter. I don't know if we can presume. I mean we all know how important we are …. but we're biased! :D

Well obviously the board knows, that is why Becky is here.

Part of why, anyway

Thank you, that is reassuring

Amen, Milton!

Yes, Alan, it is Commission that puts a question

Thanks Elena. We are a tough crowd

Thanks for chatting with us, Elena.

Thank you Elena

Thanks, Elena. And thanks as always Janis.

thank you all

Staff has started the process to investigate locations and duration for a possible F2F. As Janis noted, things are fluid regarding the Covid-19. We will need to seek approvals from the PCST, Org, & Board ultimately.

May 11-15 is RIPE80

I’m pretty sure that this kind of schedule will be impossible for me.

The schedule for Cancun was Priority 2 items.

hey I still have non refundable tickets to cancun! :D all in a room .. staff can be remote..... :D

Correction, the schedule for Remote 67 sessions IS Priority 2 items.

We are losing an F2F, but total time spread over the 2 weeks is the same.

@Alan w - go on a holiday for a couple of days

Thanks, Berry.

17 and 19 March are also new meetings

F2F meetings have a different nature that online calls do not substitute for

Let’s meet in Belgium!

@Milton that sounds great!

As noted, Staff is investigating options for F2F. Brussels is one possible option.

@Hadia .. I would love to, but alas as my work bought the tickets - it would be a bit awkward! :(

we can have beers with the DPA. ;-)

:-) :-) :-)

Belgian beer is the best (sorry, UK)

also waffles

Naw, do Waffle House

:-(

As Berry noted, staff is investigating F2F option but there are several factors that may impact a decision on that. As such, the group should also plan and prepare for how to get the work done if it is not possible to have another F2F.

Smothered and covered, Milton ;-)

I’ve heard that the ICANN Brussels office has a new meeting room large enough to accommodate us. Is this true?

Lets try to cover all eventualities

Marika is correct, alas. So many travel-related uncertainties now

Thank you to staff for working hard on herding cats to bring us together.

Janis - Paris - Brussels is almost walking distance for you, right?

@ALL - staff is working the issues based on capacity requirements and costs and ability to even travel. Thank you for the options. We got it.

this may not matter but just to let you know there is currenlty a board workshop planned for Paris on 1 though 4 May

Vote against three hour conference calls. Efficiency and focus plummets after 2 hours.

@Laureen: +1

Actually, it already drops off after 1 hour, but we are fighters

https://docs.google.com/document/d/1xlw1N7omlgPKjag_FnOy03NRvByol8IaJma5zNPkWaY/edit

agreed Laureen

I think efficiency was sacrificed before the multistakeholder god some time ago

https://mm.icann.org/pipermail/gnso-epdp-team/attachments/20191102/e8cd309e/15.1DataRetention_ReviewofICANNOrgProcesses-1nov19-0001.pdf

An enlightened dictatorship would be more efficient ;-) --

@Berry: Thanks for the links. :-)

I volunteer to be dictator, Laureen

Milton - stakeholder has „hold“ in it, not „run“

Am very enlightened

OK by me.

no

No

Don’t see any reason to think differently on this.

Lets go ahead and confirm the recommendation

Can we do the rest of our work with this speed too?

Hahaha.

sorry, if I missed this, but are we skipping agenda item 6?

6. Feasibility of unique contacts (priority 2) (30 minutes)a) EPDP Team to review Legal Committee proposalb) Confirm next steps

That item has been deferred to the next meeting as we are still awaiting the legal committee proposal

@Janis: What you were told is correct, and I’m getting a panic attack recalling them!! :)

IPC may be one of the main culprits responsible for the length of that discussion, I admit.

thank you for your admission, Brian :)

:-)

Can't hear Volker

Volker, you need to unmute

@Volker: +1

For clarity, this is nearly identical to the language used in the .eu Regulation (SSR)

I am bracing for 1000 hours of discussion as we each propose specificity

yep

it's tough to get specificity without conflation

@MarkVS: Right!! Which explains my panic attack!!

Thanks, Alan W. Just noting that it's the same Purpose.

+1000 Mark SV

We should probably do that on list

again for the record my suggestion was to rely on the purposes already as stated … what was missing?

Amr bringing balance to the EPDP

the EDPB explicitly said we must not have language like „including...“

"The Registry shall set up and manage, with due diligence, a WHOIS database facility for the _purpose_ of ensuring the security, stability and resilience of the .eu TLD by providing accurate and up-to-date registration information about the domain names under the .eu TLD."

https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0517&from=EN

it would be good for Brian to answer AlanW’s question: what is missing from existing purposes?

Janis this is what I was going to suggest

As a reminder, there is already purpose 3: “Enable communication with the Registered Name Holder on matters relating to the Registered Name;”

note Brian that is also relating to a registry .. not ICANN

I would say that Emily’s suggestion is a little more specific than what purpose 3 offers. Speaks specifically to SSR, which to me, is a legitimate ICANN purpose.

Hadia... I couldn't possibly quantify what it means … and I have to write those policies!

so we need to be careful with not just 'passing the buck' that is exactly what we need to avoid.

@Marc No what I am proposing is listing the possible processing activities associated with this purpose. I am not talking about others purposes - again I am talking about the Processing activity associated with the process

I HAD MY HAND UP AND IT GOT TAKEN DOWN!

Is ICANN access for compliance purposes covered by another purpose?

yes

@Becky: It is.

Purpose 5: i) Handle contractual compliance monitoring requests and audit activities consistent with the terms of the Registry agreement and the Registrar accreditation agreements and any applicable data processing agreements, by processing specific data only as necessary;ii) Handle compliance complaints initiated by ICANN, or third parties consistent with the terms of the Registry agreement and the Registrar accreditation agreements.

@Becky yes

thanks.

no, it was a product of them understanding very well how we work

Yes Alamn, but how.

@AlanG: I believe it was the EC, not the EDPB, that provided feedback on this. The EC is represented on this team, is it not?

Janis: welcome back to the 1000 hours you missed...

purposes are supposed to be specific - if we after a year of deliberations could not come up with additional ones then I worry that we are back to an all you can eat buffet - which is anathema to purpose limitation.

LOL Franck.

AlanG, yiu need to be specific. if you like it or not, it’s the law

@aMR, THAT MAY BE CORRECT, BUT MY POINT STILL STANDS.

Oops - sorry for caps.

Hadia's audio is cutting out for me... I'm having a hard time hearing what she's saying.

I’m afraid AlanW is right. We are back to the reason we couldn’t pass purpose 2 in the first place

...that the law should be disregarded?

@AlanG: I don’t see why the EC has the limited understanding of our work, which you suggest. No worries about the caps. :-)

This is one of the very few times where we actually got an actual advice and solution from the EU commission

Just citing SSR is too vague and possibly broad. How is ICANN supposed to implement that? Specifically? If we’re not going to have that conversation here, then we might as well just drop this purpose altogether.

by “as is,” Georgios do you mean the old purpose 2?

"To exercise its role as data controller in contributing to the SSR..."

+1 Georgios & Brian

"through the operation and processing of data within the SSAD"

?

"To exercise its role as data controller in the SSAD, contributing to the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission"

If we do recommend this, we’re basically punting this discussion off to the IRT, which will find itself in a position of needing to either develop policy, or refer this back to the GNSO.

@Marc: +1

@ Amr I agree we need to further develop what the exact role of ICANN in SSAD.. I would not let this for the IRT because I believe it is policy

We cannot punt something this complex and poorly understood to the IRT

Agree it's our job to do it, not IRT

Could Giorgios provide his suggestion in writing?

What does “SSR of the DNS in accordance with ICANN’s mission” mean?

One of the problems we had in phase 1 was that we disagreed on this.

“this” being the answer to that question. IIRC, Kurt didn’t want us to get bogged down in answering it.

Some 3rd party interests ARE in support of ICANN's purpose of protecting the DNS.

+ 1 Milton the disclosure is not the purpose - we do not need to have this in the purpose

The disclosure itself may not be the purpose, but providing the mechanism to facilitate it is.

@Brian: How is that any different? Do you mind expanding on that?

Alan - that still does not make their purposes are ICANN's purposes.

+1 Margie and support Brian's proposal.

no one has explained what is missing from existing purposes

Is that .eu language taken directly from recent trade agreements? Just checking....

@Amr it makes my brain hurt trying to elaborate in chat, but it's within ICANN's SSR remit to require whois/SSAD, even if the disclosure of the data itself is not its purpose.

that's because we knew we were going to revisit purposes later

we were told in phase one that we had to have this conflated purpose because IPC/BC and a few others didn’t trust us to create a SSAD without it. Well, we are full-on creating an SSAD, so why is this purpose needed?

@Brian: The problem is nailing down what is within scope of SSR in an ICANN context. I totally get why this might hurt you head. Hurts mine too. :-)

@Milton: +1

@AlanW: +1

Not all ICANN's purposes are covered otherwise

@Margie: Which ones aren’t?

The big question is: how can we be sure ICANN can "do SSAD" if it's not covered by a purpose? We can't risk having the SSAD being on legally shaky grounds.

999 hours and not a minute more

research, helping coordinate responses for cyber attacks etc.

Brian … because our legal advice and our agreement has said so.

do you want to finish creating an SSAD so you can get disclosure, or would you prefer to spend our remaining time debating a purpose about disclosure?

@Milton that's a false choice. The concern is that we don't establish a purpose and we create an SSAD which someone later attacks, alleging that ICANN has no purpose to do it, and then it goes away.

@Volker: +1

Can we move to the list? After listening I think I have an idea

to develop and share on list

it’s not going to go away, Brian, although its methods and rationales for disclosure will be subject to legal challenge

so we are all committed to creating an SSAD

it is perfectly lawful to disclosure the data to LEAs, third parties with legitimate interests, etc, we don’t need a broad, overreaching purpose to do that

@Stephanie: +1

Flagging the ICO guidance on formulating purposes and the importance of purpose limitation for us to consider: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/

this isn't a third party purpose discussion - its an ICANN one

other examples: implementing policies

If the argument against it is "we don't need it" and we think we do need it, why not just include it?

+1 Stephanie! very wonderfully put

because as several people have pointed out, the purpose definition offered conflates icann purposes with third party purposes, which is illegal

We removed the conflating language as the EC suggested.

nope

well said, Stephanie

move it to the legal committee for advice - don't assume its illegal Milton

we have a clear statement on that already

no we dont

Berry +1

I like it

Please don't assume our intention Milton

you misunderstand us

+1 Berry

I haven't said that

Doesn‘t the mere fact that this big group of bright people

has such a hard time coming up with a meaningful purpose indicate that there just might not be one :-)???

compliance is covered by an existing purpose

Engineering purposes is not really what we should be doing.

all of what Margie said are covered by existing purposes

@Thomas, to be fair, that was specifically requested of me on this call

Yes, Brian, and I am not against trying and understanding what is missing.

please cite exactly where its covered

HOwever, the more we talk about it, we do not seem to be able to land on purposes that are not yet covered elsewhere.

there’s a compliance purpose. There’s a udrp/contract purpose

...and I thank you for driving this, Brian

@Thomas, my pleasure :-)

I will stop sharing my screen to prep for the next call.

SSAD is not covered by an existing purpose

I have to jump off. Talk to y'all soon.

I have to jump off

I'm happy to work with Volker, thanks.

- bye all

The team is back togethr

woohoo

thank you bye

Thanks all. Bye.