051040043 - EPDP-Phase 2A Team Call
Terri Agnew
35:44
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Berry Cobb
36:27
Next steps email: https://mm.icann.org/pipermail/gnso-epdp-team/2021-April/003861.html
Berry Cobb
39:16
Write up doc link: https://docs.google.com/document/d/1a7MEle3_e-iXbaiZQV5wCD4Pv0414YjLtC2yxJEqbJc/edit#heading=h.gjdgxs
Brian King (IPC)
41:28
I made comments this morning overlooking that deadline (sorry!). Happy to contribute in real time as we go today.
Laureen Kapin (GAC)
41:55
For clarity -- the GAC submitted a revised proposal.
Sarah Wyld (RrSG)
44:51
(this is a new hand, sorry)
Sarah Wyld (RrSG)
44:55
thanks
Stephanie Perrin (NCSG)
50:14
I would note that employee data is sometimes protected under labour law or agreements, not data protection law specifically
Laureen Kapin (GAC)
51:11
The document on the screen is quite small --
Sarah Wyld (RrSG)
53:19
OK
Sarah Wyld (RrSG)
53:27
My comment in the shared doc: Thanks for the input. Maybe we can keep this to the first sentence from Laureen's suggestion? "The Working Group approached its task by first considering what guidance would be useful to Registrars and Registry Operators who choose to differentiate between registrations of legal and natural persons." The second sentence changes topics (instead of describing the team's approach it describes the outcome) and so I don't think it fits here.
Brian King (IPC)
58:38
+1 Hadia
Keith Drazek (Chair) (Verisign)
01:00:03
My thought: I'm wondering if a re-write of the text to read, "Distinguishing between legal and natural REGISTRATIONS alone may not be dispositive....."
Alan Greenberg (ALAC)
01:01:37
@Keith, I am not sure there is a concept of legal or natural REGISTRATION. The terms refer to entities.
Sarah Wyld (RrSG)
01:01:43
I'm not sure about Keith's suggestion. Isn't it the contact data, not the registration itself?
Brian King (IPC)
01:01:55
That's where my head is, Sarah.
Brian King (IPC)
01:02:03
(agreeing with you)
Sarah Wyld (RrSG)
01:02:08
Thanks Brian!
Hadia Elminiawi (ALAC)
01:02:51
+1 sure Melina but nevertheless we need to clearly state that it is not enough when it comes to the publication of the data
Hadia Elminiawi (ALAC)
01:04:10
+1 Brian
Sarah Wyld (RrSG)
01:04:44
Brian, looking back to your comment in the doc I see you said "registrants", did you mean the full thing should read "registrants' data"?
Sarah Wyld (RrSG)
01:04:51
(The original sentence was: "Distinguishing between legal and natural person data alone")
Brian King (IPC)
01:05:26
Thanks for asking. I was suggesting to replace "data" with "registrants"
Melina Stroungi (GAC)
01:05:41
I believe it should be 'distinguishing between legal and natural person types (or registrants)'
Margie Milam (BC)
01:05:45
I’m confused by Stephanie’s comments — doesn’t that contradict Milton’s principles? Keith asked that we bring our SG/C views to help get through the issues.
Keith Drazek (Chair) (Verisign)
01:05:54
So, "Distinguishing between registrations of legal and natural persons..."
Sarah Wyld (RrSG)
01:06:00
Thanks Brian
Sarah Wyld (RrSG)
01:07:08
Agreed, Marc's suggested language sounded good to me
Laureen Kapin (GAC)
01:09:04
Just to keep in mind the language of the GDPR: Recital 14 EU GDPR (14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
Keith Drazek (Chair) (Verisign)
01:09:17
No apologies needed!
Margie Milam (BC)
01:09:41
+1 Laureen
Melina Stroungi (GAC)
01:09:48
+1 Laureen
Christian Dawson (ISPCP)
01:09:56
Yes to Keith’s answer, and with the vast majority of businesses being sole proprietorships, that’s the norm. The large corporation is the anomaly, statistically.
Becky Burr (ICANN Board Liaison)
01:10:10
Or tech contract = name@co.com
Stephanie Perrin (NCSG)
01:10:58
I have a specific clarification
Christian Dawson (ISPCP)
01:11:48
According to SBA.gov, in the U.S. 50% of all businesses are home businesses.
Christian Dawson (ISPCP)
01:11:51
https://www.sba.gov/sites/default/files/advocacy/Frequently-Asked-Questions-Small-Business-2018.pdf
Christian Dawson (ISPCP)
01:12:43
2018 statistics though, post-COVID that is sure to have jumped
Keith Drazek (Chair) (Verisign)
01:15:51
All, please select "all panelists and attendees" in chat.
Steve Crocker (SSAC)
01:16:02
It seems to me the crux here is that some of us think if the registrant says this is a business, then the data associated with the registration is ok to publish even if it happens to coincide with the registrant’s personal data. On the other hand, others in this group think if the data is personal, it cannot be published even if it is the same as the business data. The example I gave, John Jones, ESQ LLC, 123 Main Street, may be both the data related to the business and to their home.
Stephanie Perrin (NCSG)
01:16:22
https://edps.europa.eu/data-protection/our-work/publications/opinions/edps-opinion-cybersecurity-strategy-and-nis-20_en
Sarah Wyld (RrSG)
01:16:24
This letter: https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-05jul18-en.pdf reminds us that “personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS”
Steve Crocker (SSAC)
01:16:37
So, the question for us is how do we say this case should be handled?
Sarah Wyld (RrSG)
01:16:41
(my quote is from page 5)
Alan Woods (RySG)
01:18:24
I don't think anybody is saying that a legal entity is not a legal entity because it is small / home business etc. … we are only saying that legal entity registrations may still contain natural person data. The 2 things are different. (which is anecdotally possibly much more likely in the case of a small business / home enterprise)
Steve Crocker (SSAC)
01:18:26
The issue of how data related to the other contacts, e.g. Admin, Tech or others, is also important and requires a separate discussion because it involves the question of their consent. But let’s nail down what happens in the simple case of an individual registering a business and using their personal data, e.g. name, address, email, phone instead of separate data.
Christian Dawson (ISPCP)
01:19:10
+1 Alan
Sarah Wyld (RrSG)
01:19:31
Let's remember that the Admin contact is being deprecated
Steve Crocker (SSAC)
01:20:32
Does “deprecated” mean it will no longer be collected under any circumstances or only that it will not be required? The transfer policies refer to the Admin contact if it exists?
Sarah Wyld (RrSG)
01:20:45
Steve, as per Phase 1 the Admin contact will not be used anymore
Stephanie Perrin (NCSG)
01:20:55
I posted the link to the EDPS opinion above. There are several types of personal data that “legal persons” may be submitting in a registration. Contact data, the identity of an abuse mitigation specialist, address (depending on size of the organization, obviously not that of Procter and Gamble but definitely could be in the case of a gig worker, contractor, entrepreneur). In the case of NGOs, all kinds of personal data may well be in the registration data, and the definition of legal persons in the matter of the establishment and incorporation of NGOs, charities, and interest groups can vary enormously from jurisdiction to jurisdiction
Laureen Kapin (GAC)
01:21:26
The letter and Recital 14 are not in conflict IMHO.
Brian King (IPC)
01:21:35
I was going to say that too, Laureen.
Stephanie Perrin (NCSG)
01:21:56
This is why I think we should be talking about personal data, not focusing on the registration of one type of entity or another
Hadia Elminiawi (ALAC)
01:22:27
@Sarah that is why we have the other two points, but in order to avoid confusion we need to mention what the recital says as well.
Berry Cobb
01:22:39
To be precise. Admin Contact will no longer be a requirement to process per consensus policy. It does not preclude a contracted party from processing that data based on their own purposes. The Tech Contact is limited fields, and options for a Registrar to offer as a service. But if they do process it, it will follow the same requirements as Registrant registration data.
Sarah Wyld (RrSG)
01:23:10
There were no comments on Point A in the shared doc
Berry Cobb
01:23:22
sp....optional, not options.
Sarah Wyld (RrSG)
01:23:48
So on item 3 in the chart, I'm OK with Brian's suggestion of "registrants"
Melina Stroungi (GAC)
01:24:24
me too - agree with Sarah and Brian to adopt the suggestion 'registrants'
Sarah Wyld (RrSG)
01:24:41
I'm not sure I said they were inconsistent, either
Keith Drazek (Chair) (Verisign)
01:24:47
I said it!
Stephanie Perrin (NCSG)
01:26:18
Actually Milton, if the person working for a company provides the personal information of other employees as contact data, he or she has to either get consent (where that data is protected) or provide some other kind of assurance that the data is not personal. Otherwise, the contracted parties are collecting personal info without consent
Sarah Wyld (RrSG)
01:26:31
Thanks
Margie Milam (BC)
01:26:36
We should include in the text the references to the recital
Melina Stroungi (GAC)
01:26:52
@Stephanie this is why the second step is proposed
Steve Crocker (SSAC)
01:27:11
It seems to me the criteria for allowing data to be published is simply the data is not personal or consent has been obtained to make the data available. The only role I can see for determining whether the registrant is a natural or legal person is the following: if the registrant is a natural person, the data cannot be published unless the registrant gives consent. If the registrant is a legal person, the data cannot be published unless the registrant declares there is no personal data or declares consent has been given.
Stephanie Perrin (NCSG)
01:27:55
Milton, as a sole proprietor I may outsource my abuse contact to someone who has a clue about security issues.
Stephanie Perrin (NCSG)
01:28:12
That person is not part of my sole proprietorship
Milton Mueller (NCSG)
01:28:23
by definition an abuse contact is supposed to be available for contact by anyone
Laureen Kapin (GAC)
01:28:23
I volunteer.
Hadia Elminiawi (ALAC)
01:28:28
I would like to be with the group as well
Sarah Wyld (RrSG)
01:28:29
Always happy to
Melina Stroungi (GAC)
01:28:46
sure happy to make some suggestions
Stephanie Perrin (NCSG)
01:28:53
Just offering an example, and how it could be messed up.
Sarah Wyld (RrSG)
01:29:28
Great context Thomas, thank you
Brian King (IPC)
01:29:37
gesundheit
Keith Drazek (Chair) (Verisign)
01:29:49
Thanks Thomas
Thomas Rickert (ISPCP)
01:30:13
Sign me up for the team as a volunteer
Keith Drazek (Chair) (Verisign)
01:30:35
Thanks all
Sarah Wyld (RrSG)
01:30:36
AFK for 2 minutes
Christian Dawson (ISPCP)
01:31:00
Yes, +1 Thomas. Our solutions need to scale down. The small LLCs and legal partnerships are the norm, not the large corps. Those should be our models for whether things work. If it works for the smallest entity it should work easily for the largest.
Brian King (IPC)
01:32:57
I need to drop at the top of the hour (now). Thanks all.
Sarah Wyld (RrSG)
01:34:01
I don't disagree that the rec is difficult but it's not for us to address here
Margie Milam (BC)
01:35:01
I prefer to keep the “in other words” language
Sarah Wyld (RrSG)
01:35:12
Thanks Marika. The footnote helps but I think a better solution is to just take out the sentence entirely
Sarah Wyld (RrSG)
01:35:23
Volker has covered the points I would have made, thanks Volker.
Marika Konings ICANN Org
01:37:06
Repeating for all: We could also upgrade the footnote to the section if that makes it clearer (if there is a desire to keep some kind of explanation)?
Sarah Wyld (RrSG)
01:37:27
Thanks Marika, I still think we should instead remove the relevant sentence.
Margie Milam (BC)
01:38:36
+1 Laureen
Laureen Kapin (GAC)
01:39:52
+1 Hadia -- that is actually the foundational question -- is this Rec. even relevant and if so how?
Hadia Elminiawi (ALAC)
01:39:54
would say remove point E - why is this relevant to what we are trying to do in this phase
Marika Konings ICANN Org
01:42:04
@Hadia - this section contains all relevant recommendations that relate to distinguishing between personal / non-personal data. This recommendation is about automated disclosure via SSAD of non-personal data which seems relevant?
Alan Greenberg (ALAC)
01:43:18
We need to consider the legal advice we have on this.
Hadia Elminiawi (ALAC)
01:43:33
@Marika we are not talking about non-personal data in general. We are talking about non-personal data as it relates to legal persons
Milton Mueller (NCSG)
01:43:52
is there a legal definition in the law of "personal data"?
Melina Stroungi (GAC)
01:44:59
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Sarah Wyld (RrSG)
01:45:00
Milton: For the purposes of this Regulation: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Stephanie Perrin (NCSG)
01:45:04
Yes Milton, each law defines it, and the Courts have clarified key issues like is an IP address personal data,
Sarah Wyld (RrSG)
01:45:06
oops Melina beat me to it
Sarah Wyld (RrSG)
01:45:23
And to Stephanie's point, we must always remember that the GDPR is not the only data protection law and personal data is not always defined the same way throughout
Melina Stroungi (GAC)
01:45:25
:)
Hadia Elminiawi (ALAC)
01:45:37
This recommendation from phase 2. addresses how to deal with registrations that include non-personal data in general. It does address the type of registrants
Milton Mueller (NCSG)
01:46:02
I think that obscures rather than clarifies, because IP addresses are published and are shared freely for packets to move
Sarah Wyld (RrSG)
01:46:20
They are indeed, Milton, but they are still (or, can be) PD
Keith Drazek (Chair) (Verisign)
01:47:20
I seem to recall that IP addresses have been deemed PII in certain circumstances.
Sarah Wyld (RrSG)
01:47:49
I don't quite understand why we're even discussing this right now
Milton Mueller (NCSG)
01:48:36
if it is associated with another identifier
Hadia Elminiawi (ALAC)
01:49:11
I would say adding this recommendation from phase 2 (point E) only introduces confusion. The benefit of having it is unclear to me.
Milton Mueller (NCSG)
01:49:15
so you are agreeing with my point Volker
Milton Mueller (NCSG)
01:49:50
the ip address per se is not "personal" but its association with a particular user is what makes it a privacy issue
Hadia Elminiawi (ALAC)
01:50:15
+1 Milton the ip address per se is not "personal" but its association with a particular user is what makes it a privacy issue
Thomas Rickert (ISPCP)
01:50:55
We need to be diligent in the legal review. 1st question is whether personal data is present. Afterwards you check if you have a legal basis for processing. So I do not agree it is a red herring.
Melina Stroungi (GAC)
01:51:06
I agree with Hadia to remove point E
Stephanie Perrin (NCSG)
01:51:31
+1000 Thomas
Volker Greimann (RrSG)
01:51:59
The point is, Milton, that certain information can be PII, depending on the circumstances of collection and the potential uses it may be put to
Sarah Wyld (RrSG)
01:52:05
+1 Volker
Stephanie Perrin (NCSG)
01:52:29
Metadata being among the most useful PI of all....
Sarah Wyld (RrSG)
01:52:29
Agree it is not clear if he objects to the change or not.
Volker Greimann (RrSG)
01:52:31
IP-Address of a Webserver - no
Volker Greimann (RrSG)
01:52:45
IP-Address of me, visiting that Webserver - yes
Milton Mueller (NCSG)
01:52:46
Exactly my point, Volker, we are in violent agreement. But the implication is that you have to let the registrant decide whether something is personal or not, it is not something you can decide by looking at a record
Steve Crocker (SSAC)
01:53:27
Let me say again, no matter what decision is made, it has to be made at the time of registration, not the time of a request.
Sarah Wyld (RrSG)
01:53:32
I'd like to speak to suggestion #10
Melina Stroungi (GAC)
01:53:33
Good points. This is precisely why we need the legal/personal differentiation
Keith Drazek (Chair) (Verisign)
01:53:45
Ok Sarah, you're next
Stephanie Perrin (NCSG)
01:53:51
Milton, you have to ascertain that the “registrant” has done his/her due diligence when the entity is an organization
Sarah Wyld (RrSG)
01:53:53
Thank you Keith
Stephanie Perrin (NCSG)
01:54:10
Otherwise you are collecting personal data from a third party without consent
Sarah Wyld (RrSG)
01:55:22
I would support appending the full legal memos
Sarah Wyld (RrSG)
01:55:46
Thanks Laureen
Melina Stroungi (GAC)
01:55:48
indeed
Hadia Elminiawi (ALAC)
01:56:07
+1 Sarah, Laureen and Melina
Sarah Wyld (RrSG)
01:56:54
I'd speak to #13 when it's time
Sarah Wyld (RrSG)
02:00:05
I still just don't think the business models section should speak to the example scenarios at all
Sarah Wyld (RrSG)
02:00:21
Wait, that isn't quite what I mean, sorry.
Sarah Wyld (RrSG)
02:00:36
+1 Volker.
Sarah Wyld (RrSG)
02:01:46
I think that's a 15 day window, not 13
Sarah Wyld (RrSG)
02:02:07
and I don't think we're in agreement on that?
Hadia Elminiawi (ALAC)
02:02:57
At the time of registration should be the preference. Later is useful for existing registrations only
Melina Stroungi (GAC)
02:03:35
minor linguistic remark - depending on what we decide on wording of point B (e.g., registrants as also supported by Sarah and Brian) we should replace 'data sets' by that language under point 1
Margie Milam (BC)
02:03:56
+1 Laureen
Hadia Elminiawi (ALAC)
02:04:24
why would it be difficult for the registrant to make this determination at the time of the registration? We should only seek later in relation to existing registrations.
Alan Greenberg (ALAC)
02:06:10
I cannot agree to delaying as long as a year (for the reminder latter).
Laureen Kapin (GAC)
02:06:40
@ Marika -- the "as soon as direct contact is made" concept is useful. This of course assumes that Registrars who are resellers do in fact directly contact their registrants within a fairly quick time following registration.
Volker Greimann (RrSG)
02:07:29
Alan, we are talking voluntary here.
Volker Greimann (RrSG)
02:07:52
Yes, sorry, that was an ancient hand
Melina Stroungi (GAC)
02:09:32
thank you everyone
Sarah Wyld (RrSG)
02:09:34
Thanks, all
Hadia Elminiawi (ALAC)
02:09:37
Thank you all bye for now