
33:24
Hello all

35:15
Hi, Elena

35:28
Hello everyone

37:31
Can elena provide an overview of the discussion from her point of view?

40:33
I am a bit confused about the focus on the Belgian DPA. Didn’t he say that the office was not competent on the controller issue??

44:18
Before this meeting we were standing at the precipice but now we have taken a great step forward

44:45
thank you Elena

44:52
Thanks, Elena.

45:39
@Volker - did we step forward over the precipice, or...

46:28
@MarkSV: LoL!!

46:40
Maybe we were all shoved fwd?

47:37
Not sure, do you feel the wind rushing past your face?

48:36
Here we go again: Detail detail detail

48:46
+1 Alan G

49:00
Let‘s settle on a model allocating roles and resonsibilities and flesh things out

49:18
+1 Alan give them exact cases to test the water

51:29
I personally am hearing is that they cannot pass judgment - unless of course they are 'investigating us' which is their actual power. Detail is key - but we must follow the actual legal process to engage the guidance role - Elena noted the path to the EDPB - that is helpful - we can use Art 36 'prior consultation' but again … I'm getting the clear message that we must follow the legal processes... and have we not been saying this for years now?

52:08
We have, Alan

53:01
+1 Alan W.

54:00
I wonder how they got that idea?

54:19
The way I read the letter: The don‘t want questions, but a PROPOSAL on how we think things can work. They can then assess whether we are on the right track.

55:57
That is a great question Margie. +1

56:36
+1 Margie and Alan W, let's follow whatever process we need to so we can get that guidance

58:40
+1 Thomas

58:59
Article 64 (2) of GDPR

59:29
Thanks, Georgios. That would be very helpful.

01:00:37
I guess Goran convinced them that he made policy ;-)

01:01:31
grr

01:02:30
amen, Janis!

01:05:38
thanks Elena. I had actually completely forgotten that provision existed. Very interesting. Of course, that would be if the Commission feels like it can provide such a question on this matter. I don't know if we can presume. I mean we all know how important we are …. but we're biased! :D

01:06:53
Well obviously the board knows, that is why Becky is here.

01:07:09
Part of why, anyway

01:08:38
Thank you, that is reassuring

01:10:56
Amen, Milton!

01:11:15
Yes, Alan, it is Commission that puts a question

01:12:03
Thanks Elena. We are a tough crowd

01:12:06
Thanks for chatting with us, Elena.

01:12:28
Thank you Elena

01:12:28
Thanks, Elena. And thanks as always Janis.

01:12:30
thank you all

01:16:29
Staff has started the process to investigate locations and duration for a possible F2F. As Janis noted, things are fluid regarding the Covid-19. We will need to seek approvals from the PCST, Org, & Board ultimately.

01:16:58
May 11-15 is RIPE80

01:17:05
I’m pretty sure that this kind of schedule will be impossible for me.

01:18:02
The schedule for Cancun was Priority 2 items.

01:18:22
hey I still have non refundable tickets to cancun! :D all in a room .. staff can be remote..... :D

01:19:14
Correction, the schedule for Remote 67 sessions IS Priority 2 items.

01:19:38
We are losing an F2F, but total time spread over the 2 weeks is the same.

01:19:39
@Alan w - go on a holiday for a couple of days

01:19:41
Thanks, Berry.

01:20:24
17 and 19 March are also new meetings

01:21:03
F2F meetings have a different nature that online calls do not substitute for

01:21:07
Let’s meet in Belgium!

01:21:19
@Milton that sounds great!

01:21:20
As noted, Staff is investigating options for F2F. Brussels is one possible option.

01:21:32
@Hadia .. I would love to, but alas as my work bought the tickets - it would be a bit awkward! :(

01:21:39
we can have beers with the DPA. ;-)

01:21:51
:-) :-) :-)

01:21:56
Belgian beer is the best (sorry, UK)

01:22:07
also waffles

01:22:31
Naw, do Waffle House

01:22:37
:-(

01:22:55
As Berry noted, staff is investigating F2F option but there are several factors that may impact a decision on that. As such, the group should also plan and prepare for how to get the work done if it is not possible to have another F2F.

01:23:10
Smothered and covered, Milton ;-)

01:23:32
I’ve heard that the ICANN Brussels office has a new meeting room large enough to accommodate us. Is this true?

01:23:41
Lets try to cover all eventualities

01:23:52
Marika is correct, alas. So many travel-related uncertainties now

01:24:32
Thank you to staff for working hard on herding cats to bring us together.

01:24:34
Janis - Paris - Brussels is almost walking distance for you, right?

01:24:36
@ALL - staff is working the issues based on capacity requirements and costs and ability to even travel. Thank you for the options. We got it.

01:25:06
this may not matter but just to let you know there is currenlty a board workshop planned for Paris on 1 though 4 May

01:25:44
Vote against three hour conference calls. Efficiency and focus plummets after 2 hours.

01:26:06
@Laureen: +1

01:26:23
Actually, it already drops off after 1 hour, but we are fighters

01:26:36
https://docs.google.com/document/d/1xlw1N7omlgPKjag_FnOy03NRvByol8IaJma5zNPkWaY/edit

01:26:41
agreed Laureen

01:26:53
I think efficiency was sacrificed before the multistakeholder god some time ago

01:27:32
https://mm.icann.org/pipermail/gnso-epdp-team/attachments/20191102/e8cd309e/15.1DataRetention_ReviewofICANNOrgProcesses-1nov19-0001.pdf

01:27:40
An enlightened dictatorship would be more efficient ;-) --

01:28:32
@Berry: Thanks for the links. :-)

01:28:53
I volunteer to be dictator, Laureen

01:28:56
Milton - stakeholder has „hold“ in it, not „run“

01:28:57
Am very enlightened

01:29:17
OK by me.

01:29:32
no

01:29:35
No

01:29:49
Don’t see any reason to think differently on this.

01:30:06
Lets go ahead and confirm the recommendation

01:30:13
Can we do the rest of our work with this speed too?

01:30:15
Hahaha.

01:32:07
sorry, if I missed this, but are we skipping agenda item 6?

01:32:11
6. Feasibility of unique contacts (priority 2) (30 minutes)a) EPDP Team to review Legal Committee proposalb) Confirm next steps

01:32:27
That item has been deferred to the next meeting as we are still awaiting the legal committee proposal

01:34:10
@Janis: What you were told is correct, and I’m getting a panic attack recalling them!! :)

01:34:30
IPC may be one of the main culprits responsible for the length of that discussion, I admit.

01:34:54
thank you for your admission, Brian :)

01:35:32
:-)

01:36:02
Can't hear Volker

01:36:05
Volker, you need to unmute

01:36:51
@Volker: +1

01:37:09
For clarity, this is nearly identical to the language used in the .eu Regulation (SSR)

01:38:21
I am bracing for 1000 hours of discussion as we each propose specificity

01:38:39
yep

01:39:05
it's tough to get specificity without conflation

01:39:17
@MarkVS: Right!! Which explains my panic attack!!

01:40:43
Thanks, Alan W. Just noting that it's the same Purpose.

01:41:00
+1000 Mark SV

01:41:03
We should probably do that on list

01:41:48
again for the record my suggestion was to rely on the purposes already as stated … what was missing?

01:41:50
Amr bringing balance to the EPDP

01:41:58
the EDPB explicitly said we must not have language like „including...“

01:42:40
"The Registry shall set up and manage, with due diligence, a WHOIS database facility for the _purpose_ of ensuring the security, stability and resilience of the .eu TLD by providing accurate and up-to-date registration information about the domain names under the .eu TLD."

01:42:44
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019R0517&from=EN

01:42:58
it would be good for Brian to answer AlanW’s question: what is missing from existing purposes?

01:43:12
Janis this is what I was going to suggest

01:43:20
As a reminder, there is already purpose 3: “Enable communication with the Registered Name Holder on matters relating to the Registered Name;”

01:43:23
note Brian that is also relating to a registry .. not ICANN

01:44:30
I would say that Emily’s suggestion is a little more specific than what purpose 3 offers. Speaks specifically to SSR, which to me, is a legitimate ICANN purpose.

01:45:03
Hadia... I couldn't possibly quantify what it means … and I have to write those policies!

01:45:25
so we need to be careful with not just 'passing the buck' that is exactly what we need to avoid.

01:47:00
@Marc No what I am proposing is listing the possible processing activities associated with this purpose. I am not talking about others purposes - again I am talking about the Processing activity associated with the process

01:47:27
I HAD MY HAND UP AND IT GOT TAKEN DOWN!

01:48:40
Is ICANN access for compliance purposes covered by another purpose?

01:48:50
yes

01:48:56
@Becky: It is.

01:48:57
Purpose 5: i) Handle contractual compliance monitoring requests and audit activities consistent with the terms of the Registry agreement and the Registrar accreditation agreements and any applicable data processing agreements, by processing specific data only as necessary;ii) Handle compliance complaints initiated by ICANN, or third parties consistent with the terms of the Registry agreement and the Registrar accreditation agreements.

01:48:59
@Becky yes

01:49:06
thanks.

01:50:56
no, it was a product of them understanding very well how we work

01:51:16
Yes Alamn, but how.

01:51:36
@AlanG: I believe it was the EC, not the EDPB, that provided feedback on this. The EC is represented on this team, is it not?

01:51:57
Janis: welcome back to the 1000 hours you missed...

01:51:59
purposes are supposed to be specific - if we after a year of deliberations could not come up with additional ones then I worry that we are back to an all you can eat buffet - which is anathema to purpose limitation.

01:52:09
LOL Franck.

01:52:26
AlanG, yiu need to be specific. if you like it or not, it’s the law

01:52:34
@aMR, THAT MAY BE CORRECT, BUT MY POINT STILL STANDS.

01:52:45
Oops - sorry for caps.

01:52:49
Hadia's audio is cutting out for me... I'm having a hard time hearing what she's saying.

01:52:57
I’m afraid AlanW is right. We are back to the reason we couldn’t pass purpose 2 in the first place

01:52:57
...that the law should be disregarded?

01:53:09
@AlanG: I don’t see why the EC has the limited understanding of our work, which you suggest. No worries about the caps. :-)

01:54:34
This is one of the very few times where we actually got an actual advice and solution from the EU commission

01:56:25
Just citing SSR is too vague and possibly broad. How is ICANN supposed to implement that? Specifically? If we’re not going to have that conversation here, then we might as well just drop this purpose altogether.

01:57:36
by “as is,” Georgios do you mean the old purpose 2?

01:57:41
"To exercise its role as data controller in contributing to the SSR..."

01:59:47
+1 Georgios & Brian

02:00:09
"through the operation and processing of data within the SSAD"

02:00:11
?

02:01:21
"To exercise its role as data controller in the SSAD, contributing to the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission"

02:01:44
If we do recommend this, we’re basically punting this discussion off to the IRT, which will find itself in a position of needing to either develop policy, or refer this back to the GNSO.

02:03:22
@Marc: +1

02:03:25
@ Amr I agree we need to further develop what the exact role of ICANN in SSAD.. I would not let this for the IRT because I believe it is policy

02:03:29
We cannot punt something this complex and poorly understood to the IRT

02:03:55
Agree it's our job to do it, not IRT

02:04:36
Could Giorgios provide his suggestion in writing?

02:05:40
What does “SSR of the DNS in accordance with ICANN’s mission” mean?

02:06:15
One of the problems we had in phase 1 was that we disagreed on this.

02:06:36
“this” being the answer to that question. IIRC, Kurt didn’t want us to get bogged down in answering it.

02:06:37
Some 3rd party interests ARE in support of ICANN's purpose of protecting the DNS.

02:06:55
+ 1 Milton the disclosure is not the purpose - we do not need to have this in the purpose

02:07:26
The disclosure itself may not be the purpose, but providing the mechanism to facilitate it is.

02:07:50
@Brian: How is that any different? Do you mind expanding on that?

02:07:52
Alan - that still does not make their purposes are ICANN's purposes.

02:08:44
+1 Margie and support Brian's proposal.

02:08:51
no one has explained what is missing from existing purposes

02:08:52
Is that .eu language taken directly from recent trade agreements? Just checking....

02:09:51
@Amr it makes my brain hurt trying to elaborate in chat, but it's within ICANN's SSR remit to require whois/SSAD, even if the disclosure of the data itself is not its purpose.

02:09:55
that's because we knew we were going to revisit purposes later

02:10:09
we were told in phase one that we had to have this conflated purpose because IPC/BC and a few others didn’t trust us to create a SSAD without it. Well, we are full-on creating an SSAD, so why is this purpose needed?

02:10:52
@Brian: The problem is nailing down what is within scope of SSR in an ICANN context. I totally get why this might hurt you head. Hurts mine too. :-)

02:11:15
@Milton: +1

02:11:23
@AlanW: +1

02:11:25
Not all ICANN's purposes are covered otherwise

02:11:41
@Margie: Which ones aren’t?

02:12:08
The big question is: how can we be sure ICANN can "do SSAD" if it's not covered by a purpose? We can't risk having the SSAD being on legally shaky grounds.

02:12:09
999 hours and not a minute more

02:12:27
research, helping coordinate responses for cyber attacks etc.

02:13:05
Brian … because our legal advice and our agreement has said so.

02:13:14
do you want to finish creating an SSAD so you can get disclosure, or would you prefer to spend our remaining time debating a purpose about disclosure?

02:14:26
@Milton that's a false choice. The concern is that we don't establish a purpose and we create an SSAD which someone later attacks, alleging that ICANN has no purpose to do it, and then it goes away.

02:14:52
@Volker: +1

02:15:02
Can we move to the list? After listening I think I have an idea

02:15:09
to develop and share on list

02:16:07
it’s not going to go away, Brian, although its methods and rationales for disclosure will be subject to legal challenge

02:16:25
so we are all committed to creating an SSAD

02:17:07
it is perfectly lawful to disclosure the data to LEAs, third parties with legitimate interests, etc, we don’t need a broad, overreaching purpose to do that

02:17:29
@Stephanie: +1

02:17:40
Flagging the ICO guidance on formulating purposes and the importance of purpose limitation for us to consider: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/principles/purpose-limitation/

02:17:42
this isn't a third party purpose discussion - its an ICANN one

02:17:54
other examples: implementing policies

02:18:01
If the argument against it is "we don't need it" and we think we do need it, why not just include it?

02:18:16
+1 Stephanie! very wonderfully put

02:18:37
because as several people have pointed out, the purpose definition offered conflates icann purposes with third party purposes, which is illegal

02:18:59
We removed the conflating language as the EC suggested.

02:19:04
nope

02:19:05
well said, Stephanie

02:19:24
move it to the legal committee for advice - don't assume its illegal Milton

02:19:42
we have a clear statement on that already

02:19:47
no we dont

02:20:37
Berry +1

02:22:42
I like it

02:23:24
Please don't assume our intention Milton

02:23:30
you misunderstand us

02:23:45
+1 Berry

02:24:00
I haven't said that

02:24:27
Doesn‘t the mere fact that this big group of bright people

02:25:12
has such a hard time coming up with a meaningful purpose indicate that there just might not be one :-)???

02:25:21
compliance is covered by an existing purpose

02:25:49
Engineering purposes is not really what we should be doing.

02:26:36
all of what Margie said are covered by existing purposes

02:26:42
@Thomas, to be fair, that was specifically requested of me on this call

02:27:06
Yes, Brian, and I am not against trying and understanding what is missing.

02:27:09
please cite exactly where its covered

02:27:28
HOwever, the more we talk about it, we do not seem to be able to land on purposes that are not yet covered elsewhere.

02:27:54
there’s a compliance purpose. There’s a udrp/contract purpose

02:27:54
...and I thank you for driving this, Brian

02:28:26
@Thomas, my pleasure :-)

02:28:48
I will stop sharing my screen to prep for the next call.

02:31:10
SSAD is not covered by an existing purpose

02:32:08
I have to jump off. Talk to y'all soon.

02:32:23
I have to jump off

02:32:24
I'm happy to work with Volker, thanks.

02:32:49
- bye all

02:32:52
The team is back togethr

02:33:13
woohoo

02:33:15
thank you bye

02:33:15
Thanks all. Bye.