051040043 - EPDP-Phase 2A Team Call
Terri Agnew
38:17
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en ** Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Berry Cobb
42:34
[a]t the latest 3 months after reconvening, the Chair of the EPDP Team and GNSO Council Liaison to the EPDP will report back to the GNSO Council on the status of deliberations. Based on this report, which is expected to include an update on progress made and the expected likelihood of consensus recommendations, the GNSO Council will decide on next steps, which could include providing additional time for the EPDP to finalize its recommendations or termination of the EPDP if it is clear that no progress is being made or consensus is unlikely).
Milton Mueller (NCSG)
46:26
make what case?
Melina Stroungi (GAC)
47:46
what about the possibility to extend until May? is this still an option?
Berry Cobb
48:39
Correction, Initial Report by May and continue fwd with public comment.
Terri Agnew
50:22
Brian King will be on telephone only at this time.
Berry Cobb
51:49
Correction, Initial Report by May and continue fwd with public comment.
Melina Stroungi (GAC)
52:02
Initial or Final report by end of May?
Berry Cobb
52:08
Initial
Hadia Elminiawi (ALAC)
52:17
@Keith makes sense
Melina Stroungi (GAC)
52:19
thanks thought so
Hadia Elminiawi (ALAC)
54:11
31st May initial report - 28th June final report
Berry Cobb
54:47
And I note an error on my summary, Final Report target is mid-august.
Philippe Fouquart (GNSO Council Liaison)
54:49
It's not binary indeed, the question is progress and likelihood of reaching "reasonably soon" consensus
Berry Cobb
55:18
hand
Hadia Elminiawi (ALAC)
55:29
@Berry thanks for the clarification
Alan Greenberg (ALAC)
56:14
Thanks Philippe, That is quite different than the binary decision about whether we have met a somewhat arbitrary date.
Keith Drazek (Verisign) (Chair)
56:45
Apologies for my confusion about the May date...that's the initial report deadline, as Berry is noting.
Berry Cobb
58:57
And this was in the context of the discussion of Feasibility and Web Form issues.
Stephanie Perrin (NCSG)
59:25
We should not put out a partial initial report. Not fair in terms of comment
Milton Mueller (NCSG)
01:01:13
losing Becky
Alan Greenberg (ALAC)
01:01:18
Becky fading out
Hadia Elminiawi (ALAC)
01:01:29
same here
Hadia Elminiawi (ALAC)
01:01:35
becky is breaking
Milton Mueller (NCSG)
01:01:59
there she goes again
Terri Agnew
01:02:02
@Becky, audio not any better
Stephanie Perrin (NCSG)
01:02:03
Still breaking up
Hadia Elminiawi (ALAC)
01:02:14
Becky we missed what you said
Mark Svancarek (BC)
01:02:19
Maybe dial in from phone
Terri Agnew
01:02:27
Will dial out to Becky
Berry Cobb
01:07:44
https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit#
Alan Greenberg (ALAC)
01:12:07
A web wire-frame is not part of the policy but helps to craft the policy in a way that is implementable.
Brian King (IPC)
01:16:50
To be clear, again, we're here to develop consensus policy and not just best practices. Showing that it can be done in practice, and how it can be done, is intended to be a helpful step in that direction.
Milton Mueller (NCSG)
01:19:52
OK, if it’s just an option, that illustrates one possible process, I am ok with it. IF as Hadi just said, it’s more than that - it is “how things SHOULD be done” - then I’m against it
Milton Mueller (NCSG)
01:21:44
Thanks for that clarification Keith.
Milton Mueller (NCSG)
01:22:03
We HAVE consensus policy, we are seeing whether we need to add to it
Hadia Elminiawi (ALAC)
01:22:10
The flow chart helps us see all possible options and decide on how to deal with each of the options.
Keith Drazek (Verisign) (Chair)
01:22:18
Correct Milton. Add to or adjust.
Margie Milam (BC)
01:22:24
Yes, we do believe the consensus policy should be updated on the question of legal/natural
Mark Svancarek (BC)
01:22:25
Um, in my mind "adjust consensus policy" = "create new consensus policy". So I don't really understand Keith's distinction
Brian King (IPC)
01:22:48
To be clear, we think it must be adjusted.
Keith Drazek (Verisign) (Chair)
01:23:18
Agree Mark, it would be a change/adjustment to existing CP, so by default it would become a new CP.
Milton Mueller (NCSG)
01:23:30
Mark the distinction is this: if there is no consensus on “creating new consensus policy” then we revert to the existing one
Hadia Elminiawi (ALAC)
01:23:34
+1 Brian we also think it must be adjusted
Keith Drazek (Verisign) (Chair)
01:23:48
Also correct, Milton.
Melina Stroungi (GAC)
01:24:32
+1 Laureen
Brian King (IPC)
01:24:36
Well said, Laureen. Let's work together on this.
Milton Mueller (NCSG)
01:25:17
Appreciate your input Laureen. In my mind the path forward is to make it as easy as possible for registrants to consent to publication of their data
Stephanie Perrin (NCSG)
01:28:08
To my mind, the responsible action here is to ensure that registrants are fully aware of their rights and their risks if they consent to publish their personal information. Given that most people have no clue of either their rights, or the data flow ecosystem stemming from their providing their data to the registrar, it strikes me we should focus on that data flow map first…..if indeed the EPDP has an appetite to discuss data flow maps.
Margie Milam (BC)
01:28:28
+1 Keith
Mark Svancarek (BC)
01:29:01
+1 Keith +1 Stephanie
Brian King (IPC)
01:29:12
That's helpful clarification, thanks Keith.
Volker Greimann (RrSG)
01:29:40
One size fits none
Hadia Elminiawi (ALAC)
01:30:17
The chart starts with "the registrar notifies the registrant of the OPTION to.." I see the chart as an instrument that helps us think better and not something that tells us how to do things or implement the policy
Volker Greimann (RrSG)
01:32:15
Royal we?
Milton Mueller (NCSG)
01:32:25
ok, so not “best practice” but “possible practice?”
Laureen Kapin (GAC)
01:32:50
@ Volker, aren't we all a bit royal?
Hadia Elminiawi (ALAC)
01:33:02
+1 Melina we are not proposing a specific way to doing this - we are just putting the thoughts on the table and trying to find solutions
Sarah Wyld (RrSG)
01:33:30
I'm hesitant because it sure sounds like there's an expectation that this practice (best or otherwise) will become mandatory for all
Milton Mueller (NCSG)
01:33:57
yes, that is a danger with “flagging” and we have to be very clear about that.
Melina Stroungi (GAC)
01:35:33
I understand Sarah. The mandatory element would be just to publish non-personal data of legal entities. This could only be beneficial for so many reasons and definitely in the public interest. Coupling this with privacy safeguards to protect individuals of course as you said
Christian Dawson (ISPCP)
01:35:47
Apologies for needing to leave early to take some legislative meetings. Will work on the homework and see you all next week.
Sarah Wyld (RrSG)
01:37:27
"At the end of the day, the real issue is whether the contact data is or is not available to requesters" -- that's not what this phase is instructed to handle, is it?
Milton Mueller (NCSG)
01:37:27
@Steve exactly
Volker Greimann (RrSG)
01:38:19
Why build the USS Enterprise and then find out we do not have a warp drive?
Volker Greimann (RrSG)
01:38:34
Let's develop the warp drive first
Melina Stroungi (GAC)
01:38:38
+1 Brian
Milton Mueller (NCSG)
01:38:54
+1 Mark. Let’s fish or cut bait
Sarah Wyld (RrSG)
01:38:59
I'm definitely interested in providing guidance to CPs
Sarah Wyld (RrSG)
01:39:14
I haven't seen anything that makes me think we need to update the rec
Stephanie Perrin (NCSG)
01:39:27
Very constructive Mark.
Mark Svancarek (BC)
01:39:38
thx
Steve Crocker (SSAC)
01:39:55
Reaching the correct decision involves a combination of (a) default assumptions, (b) explicit expression by the registrant, and (c) rules of the jurisdiction. The policy governing registration must accommodate the full range of possibilities, as we set forth in our input to the WG.
Volker Greimann (RrSG)
01:40:07
I think a path exists
Steve Crocker (SSAC)
01:40:08
Further, the portion of this recommendation related to determining the accuracy of the legal person’s data is out of scope here. It belongs in the accuracy section.
Mark Svancarek (BC)
01:41:42
Good point, Steve
Keith Drazek (Verisign) (Chair)
01:42:21
+1 Steve and Mark
Sarah Wyld (RrSG)
01:42:28
ok, a point of agreement! I do think those two things can be put together into one thing.
Sarah Wyld (RrSG)
01:43:33
Can't we just have a yes publish/no publish flag set by the RNH?
Sarah Wyld (RrSG)
01:43:41
instead of a yes legal/no legal flag which results in publication?
Steve Crocker (SSAC)
01:45:21
If a registrant is asked whether they’re a legal vs a natural person and then also asked if there is any personal information, then if I am a legal person registrant but want to keep my data hidden, I might purposefully say there is personal data involved.
Mark Svancarek (BC)
01:45:37
@Sarah, perhaps we should call it the "publish/no-publish" flag. But when a n/l distinction is made, that is one reason why the flag is set
Sarah Wyld (RrSG)
01:45:49
Steve I think if we start assuming registrants are lying to us then we end up with a lot of other problems
Mark Svancarek (BC)
01:46:00
providing consent to publish is another reason the flag is set
Sarah Wyld (RrSG)
01:46:04
Mark - agreed that L/N is one of the reasons behind selecting a given flag.
Milton Mueller (NCSG)
01:46:05
Like a 20 page TOS that no one reads?
Sarah Wyld (RrSG)
01:46:14
but I don't think that should be how the flag is used/set/explained
Milton Mueller (NCSG)
01:47:25
It is much simpler to ask people directly: do you want your contact data published, or not? Legal/natural is a very indirect and confusing way to get to that
Milton Mueller (NCSG)
01:47:47
YES!!!
Milton Mueller (NCSG)
01:47:54
to @sarah
Thomas Rickert (ISPCP)
01:48:01
I could not agree more.
Thomas Rickert (ISPCP)
01:48:17
We should make this a question in the context of asking for consent for publication.
Keith Drazek (Verisign) (Chair)
01:48:25
Noting support for Sarah's comments here in chat.
Manju Chen (NCSG)
01:48:31
excellent point @Sarah
Brian King (IPC)
01:48:38
I think Sarah misunderstood my suggestion. The flag would not be optional.
Steve Crocker (SSAC)
01:48:58
Sarah, you’ve just stated the right idea, viz give the registrant clear info and a straightforward path for achieving his goals.
Sarah Wyld (RrSG)
01:49:09
Oh - then that is different, yes, thanks for clarifying. Adding a mandatory flag on all domains is a huge change and a source of great concern to me
Sarah Wyld (RrSG)
01:49:32
Agree with Thomas (We should make this a question in the context of asking for consent for publication.)
Milton Mueller (NCSG)
01:50:15
Yep @Alan
Milton Mueller (NCSG)
01:50:29
So, we are doe
Thomas Rickert (ISPCP)
01:50:41
Let me add it should be in the context of asking for consent, but I would not ask for consent where no personal data is involved. Where no consent is required, we should not give registrants the option of withdrawal.
Milton Mueller (NCSG)
01:51:15
Done not doe! ;-)
Volker Greimann (RrSG)
01:51:22
Alan is partially correct
zzzLeón Felipe Sánchez Ambía (Board Alternate)
01:51:28
Good point Alan
Volker Greimann (RrSG)
01:52:13
I disagree with his concept of transferability of that consent though
Sarah Wyld (RrSG)
01:52:21
And the flag idea doesn't address the issue of risk when the domain owner sets it wrong and mistakenly publishes personal data without understanding what they've done
Sarah Wyld (RrSG)
01:52:26
Why are CPs obligated to take on this risk?
Volker Greimann (RrSG)
01:52:35
Because registrar b cannot rely on consent collected by registrar A
Sarah Wyld (RrSG)
01:53:00
Oh Stephanie that is a very interesting scenario.
Sarah Wyld (RrSG)
01:53:02
(parent for a child)
Margie Milam (BC)
01:53:05
We’re getting legal advice on the level of risks associated with making the choice
Alan Greenberg (ALAC)
01:53:09
How a flag gets set is a VERY different question from whether there is a defined field in the data set.
Milton Mueller (NCSG)
01:54:11
Fine to explore the legal risks of making the choice, but that doesn’t change the fact that the only thing that really matters is whether the registrant agrees to publish, NOT whether they are legal or natural persons
Mark Svancarek (BC)
01:54:12
+1 Alan (a point I made earlier in chat)
Stephanie Perrin (NCSG)
01:55:29
Each data protection regime has different rules for the protection of employees…this is an area where there is very little harmonization.
Mark Svancarek (BC)
01:55:38
@milton, I don't agree that is the only thing that matters. As an example, I don't think gmail.com should have permission to redact.
Hadia Elminiawi (ALAC)
01:55:40
like what would make the registrant understand consent and not understand legal vs natural
Milton Mueller (NCSG)
01:55:58
the bar SHOULD be high, and yes, clear language is required, and the legal/natural distinction is not clear
Milton Mueller (NCSG)
01:56:07
to ordinary people
Laureen Kapin (GAC)
01:57:06
Melina makes an excellent point and analysis about why consent is not the best path for our discussion re policy for non-personal data of legal entities.
Stephanie Perrin (NCSG)
01:57:34
Furthermore, as I have said umpteen times, home business (which is growing in our post COVID times) is a very grey area with respect to how Companies/legal persons/corporations are treated under DP law
Melina Stroungi (GAC)
01:57:35
@Milton, then why propose consent?
Milton Mueller (NCSG)
01:57:52
Because some people are ok with having their data published.
Melina Stroungi (GAC)
01:57:56
if language is not clear u cannot have valid consent
Milton Mueller (NCSG)
01:57:58
Many registrants, in fact
Melina Stroungi (GAC)
01:58:06
so is the language clear or not? :)
Milton Mueller (NCSG)
01:58:15
Melina, it’s very clear: Do you want your data published?
Milton Mueller (NCSG)
01:58:31
Not clear: Are you a legal or natural person, what does that mean?
Stephanie Perrin (NCSG)
01:59:24
The problem is the tech person may say yeah sure publish (to avoid response burden) where they have no right to do so.
Melina Stroungi (GAC)
01:59:50
there could be additional language explaining. Publishing non-personal data is less risky than publishing personal data in any case. And you can always use the consent option when for example a legal person provides personal data. Then indeed you can ask - would you like these data to be published?
Hadia Elminiawi (ALAC)
01:59:55
@Milton obviously we would explain what a legal person is and what a natural person is and the consequences of defining one self as a legal or natural person
Milton Mueller (NCSG)
02:00:29
And that would be complicated and unclear
Melina Stroungi (GAC)
02:01:12
better than risking an invalid consent in my view
Milton Mueller (NCSG)
02:02:03
You will get some invalid consents in either case
Milton Mueller (NCSG)
02:02:30
But you will get more invalidity with complicated legally based notions of legal-natural than you will with a simple question about whether they want their data published
Melina Stroungi (GAC)
02:03:11
Are you a person or are you a company? There are a lot of ways to think of simple easily understood language
Manju Chen (NCSG)
02:03:40
Only if you can show the doc in bigger size, Berry. I’d be so grateful
Brian King (IPC)
02:03:40
I would be happy to present on how brand protection registrars can do this, just to cover one of the business models.
Milton Mueller (NCSG)
02:03:42
But it’s only relevant if they understand that it means their data can be published. So just get directly to the point
Sarah Wyld (RrSG)
02:03:50
Are we suggesting that this group is going to provide required language to CPs ? (Melina)
Melina Stroungi (GAC)
02:04:26
of course you should warn them on the publication consequences. Fully agree there
Melina Stroungi (GAC)
02:05:08
just tried to reply to Milton's question Sarah :) Things do not have to be complicated
Brian King (IPC)
02:05:20
The challenge there Sarah is that you want flexibility, but also we're trying to address concerns that "the language" (whatever it is) is too confusing.
Brian King (IPC)
02:05:29
It seems that addressing one frustrates the other.
Sarah Wyld (RrSG)
02:05:35
Right, so I want each CP to be able to determine what to say to their own customers
Sarah Wyld (RrSG)
02:05:49
And so each CP can decide what they think is clear enough
Margie Milam (BC)
02:06:37
That’s ridiculous Milton - we have the NIS2 proposal already existing
Melina Stroungi (GAC)
02:06:51
It would be useful if CPs come forward with some suggestions on how it could work best for them
Sarah Wyld (RrSG)
02:06:52
Right - what if Canada's new privacy law makes no distinction between legal and natural people, and so the correct implementation would be to redact both?
Hadia Elminiawi (ALAC)
02:07:05
@Sarah I don't think anyone is trying to suggest a specific language. The point is it is possible to provide simple language that can be understood by registrants. Bird & Bird provide some suggestions in this regard
Alan Greenberg (ALAC)
02:07:41
@Milton, we already have a policy that registrants can agree to publish.
Laureen Kapin (GAC)
02:08:15
This suggested exercise is a "what if. . . "? Brainstorming can be a very creative and constructive method to tackle challenging issues and I applaud the leadership for this suggestion.
Melina Stroungi (GAC)
02:08:20
@Milton ok let's assume we go for consent. This would apply only to personal data. What about non-personal data? wouldn't these be published?
Milton Mueller (NCSG)
02:08:42
Non personal data has never been redacted
Melina Stroungi (GAC)
02:08:52
that's not the information we have
Sarah Wyld (RrSG)
02:09:22
To Milton's point, the RNH State and Country are not redacted because they are not personal data
Mark Svancarek (BC)
02:09:26
gmail.com, for example
Volker Greimann (RrSG)
02:10:25
Me kicks the can
Milton Mueller (NCSG)
02:10:39
We’re clear on what you want, too Brian
Melina Stroungi (GAC)
02:11:00
Let's assume we have a registrant and in the registration details provided there are both personal and non-personal data. And you ask 'do you want your data to be published?' and then replies 'No'. what do you do? You publish nothing? Don't you have again to distinguish again?
Milton Mueller (NCSG)
02:11:06
Because you are trying to undermine that consensus
Hadia Elminiawi (ALAC)
02:11:48
@Sarah we already have the NIS2 proposal that we do not want to look at. and just to note the proposal suggests the logic and path behind the registration data. So why do we want now to think about what other possible laws can come up with.
Alan Greenberg (ALAC)
02:12:02
No one is saying to remove the last policy and not give the option to publish.
Mark Svancarek (BC)
02:12:08
I want to oblige Google to publish the contact data for gmail.com (just one example). I don't see how Milton's proposal addresses that.
Margie Milam (BC)
02:13:06
Our legal advice questions are focusing on non-consent options
Milton Mueller (NCSG)
02:13:11
LOL
Brian King (IPC)
02:15:00
That's helpful clarification Stephanie. Thanks. I need to drop for another call. Thanks all.
Volker Greimann (RrSG)
02:15:03
no
Hadia Elminiawi (ALAC)
02:15:31
Thank you so much - Bye for today
Melina Stroungi (GAC)
02:15:37
thank you everyone