051040043 - EPDP-Phase 2A Team Call - Shared screen with speaker view
Terri Agnew
30:22
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en ** Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Christian Dawson (ISPCP)
32:02
Apologies in advance, I can only be here for the first hour of the 90 minute meeting
Laureen Kapin (GAC)
34:20
Might you reshare link to this doc in chat?
Berry Cobb
34:44
A link will be sent out for this doc after the call.
Berry Cobb
35:23
….as part of homework.
Laureen Kapin (GAC)
35:40
Asking so that we can have a bigger version to look at now.
Manju Chen (NCSG)
35:56
agree, Laureen, it’s really small
Steve Crocker (SSAC)
39:52
I ask that references to SSAD be replaced by "a differentiated access system." The proposed SSAD is not the only way to achieve differentiated access, and there is substantial concern about various aspects of the SSAD proposal.
Volker Greimann (RrSG)
42:03
Fun with flags!
Mark Svancarek (BC)
42:18
+1 Steve that would be a useful clarification
Volker Greimann (RrSG)
43:02
Steve: are you trying to roll back the consensus output of phase 2?
Sarah Wyld (RrSG)
47:14
Are those necessarily flags? I'm not sure that is true for all Registrars.
Melina Stroungi (GAC)
48:24
+1 Alan
Alan Greenberg (ALAC)
49:17
@Sarah, if you were referring to the various flags I mentioned, correct. That is an internal issue for a registrar and it is of no concern to this group or ICANN.
Sarah Wyld (RrSG)
49:38
@Alan my point was that they may not be "flags", they could be entries in a db which is not the same thing
Owen Smigelski (RrSG)
50:08
Agree with Sarah- I interpret “flag” as something that sticks out rather than part of a larger DB structure.
Sarah Wyld (RrSG)
51:36
Shouldn't we be working towards an outcome which allows us to comply with the law, without needing to update the policy each time the law changes? (AKA current recommendation language)
Melina Stroungi (GAC)
52:18
@Sarah, indeed. I think that making differentiation a requirement could significantly help in the direction you suggest
Alan Greenberg (ALAC)
52:52
A flag is just a db element that generally indicates a binary or multiple value, not regular variable.
Sarah Wyld (RrSG)
53:32
@Melina I don't see it that way. E.g. Canada is creating new privacy law now, what if it conflicts?
Sarah Wyld (RrSG)
53:45
I agree with Marc
Keith Drazek (Chair) (Verisign)
54:04
Alan, I think a key question is whether the "flag" itself would be a displayed field, or whether it's an internal registrar mechanism to determine what other data is displayed.
Alan Greenberg (ALAC)
54:48
@Keith, as I said, a new RDDS field needs to be fully specified. Redaction in the public version is one of those details.
Alan Greenberg (ALAC)
55:42
I clearly have my opinion that it must be displayed and not redacted. That way the SSAD can use it.
Alan Greenberg (ALAC)
55:53
(among other reasons)
Sarah Wyld (RrSG)
59:01
+1 AlanW
Stephanie Perrin (NCSG)
01:00:09
+1 Marc and Alan
Manju Chen (NCSG)
01:00:36
+1 AlanW
Owen Smigelski (RrSG)
01:00:56
+1 Alan W
Sarah Wyld (RrSG)
01:03:19
Good question AlanW
Volker Greimann (RrSG)
01:04:15
Jan: the scope of the GDPR is the data of natural persons _wherever it may reside_, even if it hides inside the data of a legal entity.
Volker Greimann (RrSG)
01:04:30
Do we really have to have the same argument every …. Single … call…?
Manju Chen (NCSG)
01:05:22
+1 Stephanie
Sarah Wyld (RrSG)
01:05:47
Jan, we understand that. The point is that other jurisdictions can have other requirements
Sarah Wyld (RrSG)
01:05:55
We do not need a policy to tell us to follow the law; this is what the law is for.
Melina Stroungi (GAC)
01:06:30
I believe this point of risk of legal persons providing with personal data or different definitions of legal persons, has been repeatedly addressed with adopting a 2 step approach (see GAC proposal) or Milton's 2 first principles
Sarah Wyld (RrSG)
01:06:37
+1 Thomas
Jan Janssen (IPC)
01:07:28
@ Sarah: And how does the GDPR affect those jurisdictions?
Thomas Rickert (ISPCP)
01:07:46
All: Is it possible we had exactly the same discussion like 10 times?
Stephanie Perrin (NCSG)
01:07:51
I would also add that some of us are really tired of fighting this never ending battle. Given that there is no clarity in sight on this issue, given the length of time that it will take for the NIS to pass the EU parliament, let alone the time that it takes for other jurisdictions to respond, please do not sign us up for another EPDP 2b in the immediate future. Give us a two year break please.
Sarah Wyld (RrSG)
01:07:54
To AlanG's point, not all registrars operate in the EU at all. If they are not subject to NIS2 or GDPR why should there be a policy requiring this differentiation?
Steve Crocker (SSAC)
01:08:10
Agree with Alan. “Unfilled” is also required. (And “Unfilled” is actually needed broadly throughout the RDDS. The full set of possible values for Person includes {Natural, Legal, Don’t Know, Unfilled}.)
Sarah Wyld (RrSG)
01:08:29
If it is mandatory in the CP's jurisdiction, they will find a way to do it
Stephanie Perrin (NCSG)
01:08:38
I would also like to point out that the EU data protection supervisor has commented on the NIS. Odd that nobody but me ever mentions it, if in fact we are trying to comply with law in this EPDP process
Sarah Wyld (RrSG)
01:08:45
Hadia's sound is cutting in and out
Terri Agnew
01:09:08
@Hadia, audio is better.
Jan Janssen (IPC)
01:10:21
@ Thomas: if a natural person decides to give its personal name to a company, then that has implications. The company name must be published in publicly available registers, on letterhead, websites, etc. The data no longer falls under the GDPR as per Consideration 14 GDPR
Steve Crocker (SSAC)
01:10:32
@Sarah: I believe the wording is careful and does not require a registrar to make the differentiation. The only requirement is for the data dictionary to include this data element. The data dictionary is the list of *possible* data elements a registrar might use. The point is to have a common definition of the data element in the event a registrar uses it.
Sarah Wyld (RrSG)
01:10:42
That was not the goal of this EPDP, that was the tempspec and it did not make it to the EPDP Charter
Alan Greenberg (ALAC)
01:11:06
@Stephanie, a pointer to the EU data protection supervisor would be useful.
Sarah Wyld (RrSG)
01:11:50
The policy as it is now can be implemented across the world
Thomas Rickert (ISPCP)
01:12:13
Margie: We keep getting back to the point to stay as closely to the original Whois. That premise is legally flawed and was probably one of the most misleading statements made in ICANN’s history. We should not get back to that over and over again as this is just wrong from a legal point of view. GDPR is not about the maximum you can keep.
Sarah Wyld (RrSG)
01:12:22
Those CPs who have shared disclosure request rates indicate that security research is a vanishingly small percentage
Sarah Wyld (RrSG)
01:12:27
+1 Thomas
Mark Svancarek (BC)
01:13:01
Thomas, I don't see how "as close as possible" would be legally flawed.
Mark Svancarek (BC)
01:13:20
Lawfulness is an element of possibility
Sarah Wyld (RrSG)
01:13:36
Why is that risk not valid and sufficient? Why can the CP not determine what level of risk they want to assume? It seems inappropriate to me for a policy to suggest that a CP should consider breaking the law
Owen Smigelski (RrSG)
01:14:52
+1 Thomas
Thomas Rickert (ISPCP)
01:14:54
Mark, the GDPR starts with nothing and you need to find a purpose and a legal basis for processing. Data minimisation and privacy by default come to mind.
Alan Greenberg (ALAC)
01:14:57
Sarah, no one is suggesting breaking the law (as Mark made clear).
Sarah Wyld (RrSG)
01:15:19
Requiring a CP to differentiate does require assumption of risk. That risk is that they would be breaking the law by publishing personal data without lawful basis.
Sarah Wyld (RrSG)
01:15:29
It's not a huge risk, I acknowledge, but it is a risk
Mark Svancarek (BC)
01:15:31
Data minimization and privacy by default are contextual based on purpose
Jan Janssen (IPC)
01:15:36
Sarah, breaking the law is not what anyone is suggesting. There is simply no reason to redact information without any reason for redacting it.
Sarah Wyld (RrSG)
01:15:55
The suggestion is that the CP must assume risk
Sarah Wyld (RrSG)
01:15:58
...
Alan Greenberg (ALAC)
01:16:49
@Sarah, requiring dif. is NOT what we are discussing at the moment. We are discussing an RDDS field that is not mandatory to use. IE NO operational impact.
Stephanie Perrin (NCSG)
01:17:07
Contracted parties represented here are generally large and extremely competent. Risk may be low, as Sarah said, for some, but not for others
Margie Milam (BC)
01:17:46
The NIS2 proposal creates more clarity on the legal bases that reduce the risks to CPH to disclose/publish WHOIS
Steve Crocker (SSAC)
01:18:22
@Alan: I think Sarah is saying augmenting the data dictionary was not included in the charter and therefore suggestions to add something to the data dictionary is out of order.
Sarah Wyld (RrSG)
01:18:28
Hadia the legal advice clearly showed there is some risk in each implementation
Sarah Wyld (RrSG)
01:19:19
I don't disagree with Steve's point above but I was not particularly talking about the data dictionary at all
Melina Stroungi (GAC)
01:19:38
what is the risk of making a requirement to merely have flags?
Sarah Wyld (RrSG)
01:20:07
But yes, I was focusing on the differentiation overall rather than flags specifically. I am not convinced that there's any benefit in requiring work to set up a flag system which may not even be used
Sarah Wyld (RrSG)
01:20:23
And I have previously spoken about the many difficulties with flags as a concept here
Alan Greenberg (ALAC)
01:20:32
@Steve, we were asked if we need to change any Phase 1 Recs. The list and details of RDDS fields are among those recommendations.
Sarah Wyld (RrSG)
01:21:04
Re the rec to be updated, the instructions to this phase clearly quote a specific recommendation; I did not take it to mean that ALL recs are up for adjustment
Jan Janssen (IPC)
01:21:18
@ Stephanie: a competitive environment leads to bad actors being pushed out and the competent ones to remain.
Steve Crocker (SSAC)
01:21:53
To be clear, I am strongly in favor of augmenting the data dictionary along the lines you’ve stated. I was trying to interpret Sarah’s comment, and I’m sure I have done so accurately.
Margie Milam (BC)
01:22:28
Bad actors need a policy to follow the law
Sarah Wyld (RrSG)
01:22:38
+1 Marc
Margie Milam (BC)
01:22:49
Bad actors need the policy so that ICANN can enforce
Volker Greimann (RrSG)
01:23:06
Hey! I wanted the last word ;-)
Melina Stroungi (GAC)
01:23:17
I believe it's important to try meeting half-way: many of us support that differentiation should be mandatory and non-protected data should be published. Others support that there is a risk in doing that; we could discuss a) solutions of mitigating that risk b) only making the flag requirement with no other attached obligations, so no liability risk for CPs and their flexibility still untouched
Sarah Wyld (RrSG)
01:23:42
I am leaving now and Theo Geurts is taking over for me, thank you.
Steve Crocker (SSAC)
01:25:18
@Sarah: Apologies if I misunderstood. I took your comment, “That was not the goal of this EPDP, that was the tempspec and it did not make it to the EPDP Charter” to mean discussion about adding data elements is out of order.
Laureen Kapin (GAC)
01:26:32
I think the "capability for CPs to differentiate" is a useful concept to build on.
Brian King (IPC)
01:26:42
+1 Laureen
Brian King (IPC)
01:26:56
I need to drop at the top of the hour (now). Thanks all.
Volker Greimann (RrSG)
01:27:21
Margie “Bad actors need a policy to follow the law”? Yes, and that policy is called _the law_!
Owen Smigelski (RrSG)
01:28:57
Agree with Volker- registrars are required to follow the law by the law (and also the RAA)
Manju Chen (NCSG)
01:28:57
i guess bad actors won’t be bad actors if they follow the law. is it that they don’t know there’re laws? I very much doubt so
Volker Greimann (RrSG)
01:29:54
I doubt they will be in business long if they continuously break the law. Unless the law has no teeth.
Stephanie Perrin (NCSG)
01:31:49
Actually, a great many companies choose to “risk manage” data protection requirements by doing nothing until someone in their business gets nailed. Some will fight through multiple courts to maintain existing practices. This is why many data protection laws have been amended to include audit rights for the oversight authorities.
Christian Dawson (ISPCP)
01:32:08
I must depart at this time thanks to all
Stephanie Perrin (NCSG)
01:33:14
And, frankly, this is why laws permitting complaints by civil society groups have evolved….the task of finding bad behaviour on the part of industry gets outsourced to voluntary NGOs.
Stephanie Perrin (NCSG)
01:33:29
Who are poor and under resourced
Volker Greimann (RrSG)
01:34:08
Caitlin +1
Marc Anderson (RySG)
01:36:16
Hadia is cutting out again.
Marc Anderson (RySG)
01:36:19
for me
Mark Svancarek (BC)
01:37:52
+1 Laureen
Melina Stroungi (GAC)
01:38:49
+1 for best practices
Volker Greimann (RrSG)
01:39:05
I thought we did not want to discuss the name of the baby
Volker Greimann (RrSG)
01:39:19
So much for listening to our instructions ;-
Volker Greimann (RrSG)
01:39:22
)
Laureen Kapin (GAC)
01:40:08
A remark from our most compliant participant ;-)!
Alan Greenberg (ALAC)
01:40:59
@Marc, exactly!
Volker Greimann (RrSG)
01:41:11
Guilty as charged ;-)
Hadia Elminiawi (ALAC)
01:42:00
As for the expectations, if the policy says that CPs need to have the capability to differentiate, then ICANN will need to make sure they implement such a capability. Best Practice holds more weight; in addition, following common or best practices always helps in case of mistakes.
Owen Smigelski (RrSG)
01:43:41
I do not think this group can create “best practices” for contracted parties. That can only be done by the contracted parties themselves- not by people/groups outside of their industry.
Owen Smigelski (RrSG)
01:44:41
And the term “best practices” is very loaded, and can result in bad complications later and thus should not be used. The obligations to follow “best practices” vary widely by jurisdictions and potentially could have legal consequences.
Hadia Elminiawi (ALAC)
01:45:42
+1 Volker the Best Practices/guidance should be able to evolve
Mark Svancarek (BC)
01:47:10
+1 AlanW good clarification
Marc Anderson (RySG)
01:48:21
I have to drop... thanks all
Laureen Kapin (GAC)
01:49:35
Best Practices are strengthened when created by stakeholders with varied perspectives. Indeed that's a foundation of the MSM. I'm also puzzled by arguments that Best Practices are obligatory. If the practices were mandatory we would call them something else - like "Mandatory Practices."
Mark Svancarek (BC)
01:49:49
+1 Laureen
Alan Woods (RySG)
01:54:11
I have to drop also … apologies all (and especially Caitlin as you are currently talking)
Terri Agnew
01:56:33
The GNSO Temp Spec gTLD RD EPDP – Phase 2A call is scheduled on Thursday, 13 May 2021 at 14:00 UTC for 90 minutes.
Hadia Elminiawi (ALAC)
01:57:11
Thank you all bye