
38:17
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.

42:34
[a]t the latest 3 months after reconvening, the Chair of the EPDP Team and GNSO Council Liaison to the EPDP will report back to the GNSO Council on the status of deliberations. Based on this report, which is expected to include an update on progress made and the expected likelihood of consensus recommendations, the GNSO Council will decide on next steps, which could include providing additional time for the EPDP to finalize its recommendations or termination of the EPDP if it is clear that no progress is being made or consensus is unlikely).

46:26
make what case?

47:46
what about the possibility to extend until May? is this still an option?

48:39
Correction, Initial Report by May and continue fwd with public comment.

50:22
Brian King will be on telephone only at this time.

51:49
Correction, Initial Report by May and continue fwd with public comment.

52:02
Initial or Final report by end of May?

52:08
Initial

52:17
@Keith makes sense

52:19
thanks thought so

54:11
31st May initial report - 28th June final report

54:47
And I note an error on my summary, Final Report target is mid-august.

54:49
It's not binary indeed, the question is progress and likelihood of reaching "reasonably soon" consensus

55:18
hand

55:29
@Berry thanks for the clarification

56:14
Thanks Philippe, That is quite different than the binary decision about whether we have met a somewhat arbitrary date.

56:45
Apologies for my confusion about the May date...that's the initial report deadline, as Berry is noting.

58:57
And this was in the context of the discussion of Feasibility and Web Form issues.

59:25
We should not put out a partial initial report. Not fair in terms of comment

01:01:13
losing Becky

01:01:18
Becky fading out

01:01:29
same here

01:01:35
becky is breaking

01:01:59
there she goes again

01:02:02
@Becky, audio not any better

01:02:03
Still breaking up

01:02:14
Becky we missed what you said

01:02:19
Maybe dial in from phone

01:02:27
Will dial out to Becky

01:07:44
https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit#

01:12:07
A web wire-frame is not part of the policy but helps to craft the policy in a way that is implementable.

01:16:50
To be clear, again, we're here to develop consensus policy and not just best practices. Showing that it can be done in practice, and how it can be done, is intended to be a helpful step in that direction.

01:19:52
OK, if it’s just an option, that illustrates one possible process, I am ok with it. IF as Hadi just said, it’s more than that - it is “how things SHOULD be done” - then I’m against it

01:21:44
Thanks for that clarification Keith.

01:22:03
We HAVE consensus policy, we are seeing whether we need to add to it

01:22:10
The flow chart helps us see all possible options and decide on how to deal with each of the options.

01:22:18
Correct Milton. Add to or adjust.

01:22:24
Yes, we do believe the consensus policy should be updated on the question of legal/natural

01:22:25
Um, in my mind "adjust consensus policy" = "create new consensus policy". So I don't really understand Keith's distinction

01:22:48
To be clear, we think it must be adjusted.

01:23:18
Agree Mark, it would be a change/adjustment to existing CP, so by default it would become a new CP.

01:23:30
Mark the distinction is this: if there is no consensus on “creating new consensus policy” then we revert to the existing one

01:23:34
+1 Brian we also think it must be adjusted

01:23:48
Also correct, Milton.

01:24:32
+1 Laureen

01:24:36
Well said, Laureen. Let's work together on this.

01:25:17
Appreciate your input Laureen. In my mind the path forward is to make it as easy as possible for registrants to consent to publication of their data

01:28:08
To my mind, the responsible action here is to ensure that registrants are fully aware of their rights and their risks if they consent to publish their personal information. Given that most people have no clue of either their rights, or the data flow ecosystem stemming from their providing their data to the registrar, it strikes me we should focus on that data flow map first…..if indeed the EPDP has an appetite to discuss data flow maps.

01:28:28
+1 Keith

01:29:01
+1 Keith +1 Stephanie

01:29:12
That's helpful clarification, thanks Keith.

01:29:40
One size fits none

01:30:17
The chart starts with "the registrar notifies the registrant of the OPTION to.." I see the chart as an instrument that helps us think better and not something that tells us how to do things or implement the policy

01:32:15
Royal we?

01:32:25
ok, so not “best practice” but “possible practice?”

01:32:50
@ Volker, aren't we all a bit royal?

01:33:02
+1 Melina we are not proposing a specific way of doing this - we are just putting the thoughts on the table and trying to find solutions

01:33:30
I'm hesitant because it sure sounds like there's an expectation that this practice (best or otherwise) will become mandatory for all

01:33:57
yes, that is a danger with “flagging” and we have to be very clear about that.

01:35:33
I understand Sarah. The mandatory element would be just to publish non-personal data of legal entities. This could only be beneficial for so many reasons and definitely in the public interest. Coupling this with privacy safeguards to protect individuals of course as you said

01:35:47
Apologies for needing to leave early to take some legislative meetings. Will work on the homework and see you all next week.

01:37:27
"At the end of the day, the real issue is whether the contact data is or is not available to requesters" -- that's not what this phase is instructed to handle, is it?

01:37:27
@Steve exactly

01:38:19
Why build the USS Enterprise and then find out we do not have a warp drive?

01:38:34
Let's develop the warp drive first

01:38:38
+1 Brian

01:38:54
+1 Mark. Let’s fish or cut bait

01:38:59
I'm definitely interested in providing guidance to CPs

01:39:14
I haven't seen anything that makes me think we need to update the rec

01:39:27
Very constructive Mark.

01:39:38
thx

01:39:55
Reaching the correct decision involves a combination of (a) default assumptions, (b) explicit expression by the registrant, and (c) rules of the jurisdiction. The policy governing registration must accommodate the full range of possibilities, as we set forth in our input to the WG.

01:40:07
I think a path exists

01:40:08
Further, the portion of this recommendation related to determining the accuracy of the legal person’s data is out of scope here. It belongs in the accuracy section.

01:41:42
Good point, Steve

01:42:21
+1 Steve and Mark

01:42:28
ok, a point of agreement! I do think those two things can be put together into one thing.

01:43:33
Can't we just have a yes publish/no publish flag set by the RNH?

01:43:41
instead of a yes legal/no legal flag which results in publication?

01:45:21
If a registrant is asked whether they’re a legal vs a natural person and then also asked if there is any personal information, then if I am a legal person registrant but want to keep my data hidden, I might purposefully say there is personal data involved.

01:45:37
@Sarah, perhaps we should call it the "publish/no-publish" flag. But when a n/l distinction is made, that is one reason why the flag is set

01:45:49
Steve I think if we start assuming registrants are lying to us then we end up with a lot of other problems

01:46:00
providing consent to publish is another reason the flag is set

01:46:04
Mark - agreed that L/N is one of the reasons behind selecting a given flag.

01:46:05
Like a 20 page TOS that no one reads?

01:46:14
but I don't think that should be how the flag is used/set/explained

01:47:25
It is much simpler to ask people directly: do you want your contact data published, or not? Legal/natural is a very indirect and confusing way to get to that

01:47:47
YES!!!

01:47:54
to @sarah

01:48:01
I could not agree more.

01:48:17
We should make this a question in the context of asking for consent for publication.

01:48:25
Noting support for Sarah's comments here in chat.

01:48:31
excellent point @Sarah

01:48:38
I think Sarah misunderstood my suggestion. The flag would not be optional.

01:48:58
Sarah, you’ve just stated the right idea, viz give the registrant clear info and a straightforward path for achieving his goals.

01:49:09
Oh - then that is different, yes, thanks for clarifying. Adding a mandatory flag on all domains is a huge change and a source of great concern to me

01:49:32
Agree with Thomas (We should make this a question in the context of asking for consent for publication.)

01:50:15
Yep @Alan

01:50:29
So, we are doe

01:50:41
Let me add it should be in the context of asking for consent, but I would not ask for consent where no personal data is involved. Where no consent is required, we should not give registrants the option of withdrawal.

01:51:15
Done not doe! ;-)

01:51:22
Alan is partially correct

01:51:28
Good point Alan

01:52:13
I disagree with his concept of transferability of that consent though

01:52:21
And the flag idea doesn't address the issue of risk when the domain owner sets it wrong and mistakenly publishes personal data without understanding what they've done

01:52:26
Why are CPs obligated to take on this risk?

01:52:35
Because registrar b cannot rely on consent collected by registrar A

01:53:00
Oh Stephanie that is a very interesting scenario.

01:53:02
(parent for a child)

01:53:05
We’re getting legal advice on the level of risks associated with making the choice

01:53:09
How a flag gets set is a VERY different question from whether there is a defined field in the data set.

01:54:11
Fine to explore the legal risks of making the choice, but that doesn’t change the fact that the only thing that really matters is whether the registrant agrees to publish, NOT whether they are legal or natural persons

01:54:12
+1 Alan (a point I made earlier in chat)

01:55:29
Each data protection regime has different rules for the protection of employees…this is an area where there is very little harmonization.

01:55:38
@milton, I don't agree that is the only thing that matters. As an example, I don't think gmail.com should have permission to redact.

01:55:40
like what would make the registrant understand consent and not understand legal vs natural

01:55:58
the bar SHOULD be high, and yes, clear language is required, and the legal/natural distinction is not clear

01:56:07
to ordinary people

01:57:06
Melina makes an excellent point and analysis about why consent is not the best path for our discussion re policy for non-personal data of legal entities.

01:57:34
Furthermore, as I have said umpteen times, home business (which is growing in our post COVID times) is a very grey area with respect to how Companies/legal persons/corporations are treated under DP law

01:57:35
@Milton, then why propose consent?

01:57:52
Because some people are ok with having their data published.

01:57:56
if language is not clear u cannot have valid consent

01:57:58
Many registrants, in fact

01:58:06
so is the language clear or not? :)

01:58:15
Melina, it’s very clear: Do you want your data published?

01:58:31
Not clear: Are you a legal or natural person, what does that mean?

01:59:24
The problem is the tech person may say yeah sure publish (to avoid response burden) where they have no right to do so.

01:59:50
there could be additional language explaining. Publishing non-personal data is less risky than publishing personal data in any case. And you can always use the consent option when for example a legal person provides personal data. Then indeed you can ask - would you like these data to be published?

01:59:55
@Milton obviously we would explain what a legal person is and what a natural person is and the consequences of defining one self as a legal or natural person

02:00:29
And that would be complicated and unclear

02:01:12
better than risking an invalid consent in my view

02:02:03
You will get some invalid consents in either case

02:02:30
But you will get more invalidity with complicated legally based notions of legal-natural than you will with a simple question about whether they want their data published

02:03:11
Are you a person or are you a company? There are a lot of ways to think of simple easily understood language

02:03:40
Only if you can show the doc in bigger size, Berry. I’d be so grateful

02:03:40
I would be happy to present on how brand protection registrars can do this, just to cover one of the business models.

02:03:42
But it’s only relevant if they understand that it means their data can be published. So just get directly to the point

02:03:50
Are we suggesting that this group is going to provide required language to CPs ? (Melina)

02:04:26
of course you should warn them on the publication consequences. Fully agree there

02:05:08
just tried to reply to Milton's question Sarah :) Things do not have to be complicated

02:05:20
The challenge there Sarah is that you want flexibility, but also we're trying to address concerns that "the language" (whatever it is) is too confusing.

02:05:29
It seems that addressing one frustrates the other.

02:05:35
Right, so I want each CP to be able to determine what to say to their own customers

02:05:49
And so each CP can decide what they think is clear enough

02:06:37
That’s ridiculous Milton - we have the NIS2 proposal already existing

02:06:51
It would be useful if CPs come forward with some suggestions on how it could work best for them

02:06:52
Right - what if Canada's new privacy law makes no distinction between legal and natural people, and so the correct implementation would be to redact both?

02:07:05
@Sarah I don't think anyone is trying to suggest a specific language. The point is it is possible to provide simple language that can be understood by registrants. Bird & Bird provide some suggestions in this regard

02:07:41
@Milton, we already have a policy that registrants can agree to publish.

02:08:15
This suggested exercise is a "what if. . . "? Brainstorming can be a very creative and constructive method to tackle challenging issues and I applaud the leadership for this suggestion.

02:08:20
@Milton ok let's assume we go for consent. This would apply only to personal data. What about non-personal data? wouldn't these be published?

02:08:42
Non personal data has never been redacted

02:08:52
that's not the information we have

02:09:22
To Milton's point, the RNH State and Country are not redacted because they are not personal data

02:09:26
gamil.com, for example

02:10:25
Me kicks the can

02:10:39
We’re clear on what you want, too Brian

02:11:00
Let's assume we have a registrant and in the registration details provided there are both personal and non-personal data. And you ask 'do you want your data to be published?' and then replies 'No'. What do you do? You publish nothing? Don't you have again to distinguish again?

02:11:06
Because you are trying to undermine that consensus

02:11:48
@Sarah we already have the NIS2 proposal that we do not want to look at. and just to note the proposal suggests the logic and path behind the registration data. So why do we want now to think about what other possible laws can come up with.

02:12:02
No one is saying to remove the last policy and not give the option to publish.

02:12:08
I want to oblige Google to publish the contact data for gmail.com (just one example). I don't see how Milton's proposal addresses that.

02:13:06
Our legal advice questions are focusing on non-consent options

02:13:11
LOL

02:15:00
That's helpful clarification Stephanie. Thanks. I need to drop for another call. Thanks all.

02:15:03
no

02:15:31
Thank you so much - Bye for today

02:15:37
thank you everyone