Happy Birthday James!

HBD James!

HBD!

Many happy returns James!

Happy birthday, James!

Yikes ! Thanks!

Happy Birthday !

Happy Birthday James

As a kid, this is exactly how I pictured it would be when I was a grown up. :)

ha

Hi all…, and happy b-day, James.

All I want for my bday is a 2 hour ePDP call :)

Indeed, we will don our party hats for this call, happy b-day James.

Happy Birthday!

I will likely need to drop off the call about 30 minutes early today.

Speaking for myself, option “b” sounds good.

Peter Kimpian says hi to everybody, by the way. Happy data protection week!

Hi all, sorry for being late!

there is no doubt about that question, Becky

accuracy is a data subject right

this has been clear even in US law for 30 years

@Milton, I understand that accuracy in the context of the FCRA has been clear in the US for quite a long time.

We are ok with removing the prohibition of reverse lookups

@Alan: +1

+1, If reverse lookups are not in scope, we shouldn't spend the money to ask the question. We could support approach b).

@Margie: Thanks, and Brian had suggested the same during the last call (I think). Seems like the sensible thing to do to me.

@Brian: +1

Seems like we are all in agreement

indeed

Wether it’s a useful tool, or not, isn’t the point. At least, not on this EPDP.

+1 Amr

Agree, Amr

Has anyone reviewed the existing advice from the data protection commissioners (dating back to 2000 and 2003) saying NOT to do reverse lookup?

CONSENSUS ALERT: looks like we're nearing consensus on approach b) for Q1. No cause for alarm.

@Brian: +1

Perhaps it would actually be useful to seek further guidance on this if it would put a stake through the heart of this issue….

If it is incompatible, we should prohibit it. If it is compatible, then the scope question remains.

@Stephanie I'd love to read that! Can you share on the list please?

I certainly don’t support punting this to an IRT to muddle through.

Sure Brian I will send you the links.

We have it in the RDS repository of documents.

Agree with Alan on that point…

Alan G that is

@Alan G - it is not a question of preference to have it dealt with in a future PDP. If it is out of scope, we MUST NOT deal with it.

+1 Thomas

+1 Thomas

Seems like we have our hands full with everything else we are trying to sort out without tackling reverse lookups…

There isn’t full consensus, but likely there is some measure of consensus.

+1 Amr

Yes to legal/natural

Amr you'll note above that we're close enough to trigger a consensus alert :-)

Isn’t it easier to actually focus on the policy issues if you know the answer to the legal questions?

+1 Becky.

Otherwise we are just fighting about whether or not it is legal, as opposed to whether the policy is a good idea or not?

+1 Becky that's what I thought is the whole exercise with the legal questions

+1 Becky

+1 Becky makes sense

This reminds me of a principle followed by healthcare practitioners (from a previous life). Sometimes, investigations like imaging studies or lab tests can be helpful in nailing down the specifics of a pathology, but will not affect the prescribed treatment, one way or the other. In cases like these, physicians are not supposed to have patients (or their insurance providers) bare these costs. Just sayin’. :-)

Actually, on the legal v. Natural issue - my understanding is that the feeling that it has been impractical to make this distinction. The questions proposed by legal committee revolve around whether and under what circumstances you can rely on representations, instructions, etc.

To me the legal v natural question is different from the territorial scope

I will once more point out that bona fide companies and corporations can set up an accreditation scheme based on their local laws (corp number, bus registration number etc) which will allow them to exercise their rights to differentiate themselvs.

There is nuance in the questions that we think can be quite helpful in our deliberations. Please read the questions closely. We're not simply reasking whether we can make a legal/natural or geographic distinction.

@Becky: Also cost - wether making the distinction between legal/natural is worth the costs incurred.

Will do - thank you, Janis.

Absent a way to authenticate companies, I thought we had agreed that the cost of differentiating is going to be crippling to this SSAD endeavour.

I have yet to see a response to the company authentication concept, despite repeating it regularly over the past seven years here. Very curious in my opinion.

it does not include third party access, Alan, cite me the part of GDPR that says that

you beat me to it Milton

Alan, you can't make up things about a written law

I don’t recall third-party access along with accuracy being a purpose?

@Stephanie, exactly. But the questions proposed to be asked specifically focus on whether and when you can rely on clear directions regarding the form and representations from third parties - which goes exactly to the burden of differentiating.

Third party use of the data is defined as "processing" and therefore is included in the need for accuracy.

@Georgios: The issue of contactibility as a purpose, and the accuracy requirements associated with it have already been addressed in phase 1.

So let me get this straight, a vast majority of team representatives, including the entire subteam tasked with making recommendations, is in favor of, or at least not objecting strenuously to getting clarification to specific legal questions, yet we do not move forward with getting answers to these well-crafted questions? This is no way to run a railroad.

@Margie: Why is that a point of order? There is clearly no consensus.

Article 5 (c) states that Personal data shall be "adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed."

Can we use a different term that doesn’t confuse the legal meaning of “accuracy”?

“Data integrity” etc?

exactly James

@Laureen: Agree, and this was addressed in phase 1.

Underline "in relation to the purposes"

I have not spoken.

following from Alans comment - Processing you are referring to is with the 3rd party as controller (independently). The Bird and Bird memo on this noted that that the accuracy as it applies to the purpose for the data use for the Contracted parties seems to be reasonable and sufficient - if the purpose to which, released data may be used, (depending on the individual reasons provided) then, independently, that 3rd party will have to assess whether their use of that data (which is a completely separate purpose to the contracted parties ) is considered accurate enough for those purposes - given the impact in their data processing sphere . Should they think "no" then they shouldn't use it.

@Alan W: Yup.

@Brian: Thanks, but not sure it’s just one group.

sorry a bit longwinded and a bit of a typo in the middle.... but generally there ...lol

It seems that a lot of the arguments and time spent by this group are around individual group or peoples’s interpretation of legal issues and the questions posed here are largely designed to clarify areas where such differences are interfering with moving the policy questions forward. Not asking questions now only continues the cycle instead of finding out information that may end the endless debates on some issues. I note that continuing the cycle with less information likely costs us more in resources than what B&B’s costs are.

+1 Rod

Generally agree Rod. Altho the last round of legal questions didn’t resolve anything, and instead found the group micro-parsing the responses from B&B

...like it's hot

Laureen's voice is fading out

@Rod: The thing is, we see that the answers are already clear. It’s just that what we’ve heard so far isn’t as useful to everyone. Depends on what special interests each group is advocating for. So less about a lack of information, and more about seeking different information.

I see that my comment on how accuracy is usually interpreted by requesting parties as expansion of data collected is being ignored. However, I think it would balance the legal question on accuracy if you added that aspect. I cannot craft the question on the fly.

Rod, since ICANN already has a vigorous accuracy requirement, please tell me how this question will advance the policy development process?

Let me put this another way - having answers to the very specific questions the legal team has come up with would definitely influence the recommendation process of individual groups - get them to move from positions that are not legally tenable or drop objections based on faulty information.

@Milton - I am NOT saying anything about any specific question - just the overall package.

I really don't care myself whether this question gets asked. I just think it's irrelevant and a waste of time to the policy decisions we need to make

Thomas breaking up a bit for me

Thomas is breaking up

Thomas is breaking up for me, for anyone else?

ditto

@Rod: “having answers to the very specific questions the legal team has come up with would definitely influence the recommendation process of individual groups” - I wish that were the case, but no. Each group is looking for answers that will support their interests. That’s what it seems like to me, at least.

I will disconnect and then come back.

@Thomas, let us know if a telephone call would help.

I have sent a phone number to Caitlin

Thanks, Terri

Thomas is connected via telephone

Thomas is correct: this is not the forum to revisit how the entire industry works. If your goal in asking this question is to somehow try to push for expanded or changed accuracy policies, it won't work, We have an accuracy policy. What is wrong with it? If it needs fixing, it is another PDP

I’m always in favor of having more information to make decisions. Using objections to keep us from learning seems like a filibustering technique to me. I am NOT accusing anyone of that, but after a long cycle of this, that’s what it feels like and it doesn’t help to build trust regardless of motives.

@Thomas: +1

I have heard this claim that accuracy goes up after redaction, but I haven't seen any report or data which confirms this - can you point me to it?

@Rod: Have you gone through all the information already available?

Rod, I hope you did not think of me with the filibustering idea.

@Rod: It’s not like there is NO data, and we’re trying to block any from being acquired.

Mark, I need to do a bit of research, but will try to have something for you. It’s a while back since I heard that.

thx!

For clarification, I’m talking about asking the legal questions that the legal team agreed upon, not any specific questions.

If memory does not fail me, Denic also saw that when they redacted some data elements a few years back (long before GDPR kicked in), but I will try to get hard facts.

@Rod, thanks!

@Thomas - no and as I said, I’m not accusing anyone of filibustering, just saying what this never-ending process to get questions off to legal feels like to many.

We do not want this conversation to deteriorate to one side accusing the other of filibustering, and the other of asking leading questions. For the record, I agree with getting legal clarity on certain issues, I think what we are disagreeing about is t he wording of the questions, and whether we need to re-ask certain questions. Certainly, on the matter of the jurisdiction question, there was a feeling (not supported by the case in my view) among many ICANN stakeholders that the recent Google decision meant extraterritorial application of GDPR was seriously curtailed. How long have some of us been watching this battle on TBDF? oh, since 1991 when the Directive 95/46 was tabled. So forgive us for being a trifle frustrated in this search for loopholes….

There are broader questions about what is the right thing to do, regardless of whether ICANN or whoever is the controller could legally get away with something. Those are public policy objectives, where we have a fundamental disagreement about what should be paramount. i hope that we can continue to hold those different views on the paramountcy of rights in a respectful manner

There was never consensus or even majority opinion in favor of "automating as much as possible"

There is a routine way to deal with this in most governements…the Privacy Imparct assessment or PIA, usually administered by a committee and presented to the data commissioner. We also have the HRIA which ICANN has approved, arguable a better instrument in the case of automated decision making....

However we have not even been able to get a PIA for this EPDP, so the initial PIA would have to be prepared, subsequent changes would be amendments to it.

ICANN needs a privacy oversight committee. It is not like this is the only locus where privacy law raises issues.

Normal bureaucracies would have one.

@Alan G: +1 on everything so far, but tbh…, have only skimmed through rec#17.

@James: +1

+1 James

Takes a few pickets out of the picket fence ...

I agree it's important that we finish the policymaking here in this PDP

I have not heard anything that relates to what POLICY needs to be chnaged for our "evolutionary" SSAD.

I have my hand up

@james how do you see this model evolving? If we learn something and would like to add it how do we do this - especially that the policy we are setting now will allow this so from an actual point of view a PDP would have given the green line and approved this

this is a case in which policy is closely tied to implementation, Alan.

Changing the implementation de facto changes the policy

@Milton it is a learning moel

model

We should discuss this more in LA. We need some sort of group that can take decisions on how the SSAD shall react. That must not be policy, but pure implementation. But there must be a group of community reps that decide e.g. how objections are being dealt with throughout the SSAD.

we cannot afford an AI assisted learning model, so not sure what you envisage Hadia

I am not sure whether the question of automation and where to take an automated approach is just implementation. It smells like policy.

@Stephanie I was not thinking of AI

Given the precise discussion of automated decision making in the GDPR, it must be subject to policy review

I cannot stay past the top of the hour

Ok to stay on

I must drop

I can

I’m already late for another meeting. :(

@Stephanie seems good - though not sure about the actual implementation

I can only do another 10

Thanks Hadia, yes it would require some working out and it must be remembered that different issues would still be subject to relevant review by the responsible group…in the case of changes to SSAD, the GNSO Council.

But we do need one. Compliance to GDPR is a lot more than an intrusive cookie consent mechanism....

@Stephanie but my understanding was that the standing committee decisions would lead to changes to the SSAD.

Hard stop in 2 min. Thanks all!

See you next week!

+1 Chris yes this is an implementation issue that is covered through this policy

A never-ending PDP sounds more ominous than a standing PDP. Appropriately more ominous. :-)

Still need to respect the channels of the MS model Had.

Hadia, sorry for spellcheck

I need to drop. Thanks all.

Have to run thank you all and see you in a few days, safe journeys

I think everyone agrees whatever form this standing committee takes, it can not address policy work so we need to be crystal clear on what their remit would be

@Matt: +1

+1 Matt essential that we have clear policy

+1 Matt

+1 Volker

@Stephanie but recommendation 17 of this policy covers this - Thus the MS model is well respected

To the extent that we can identify these categories now, we should do it

+1 Mark

IF the contracted parties on the committee are comfortable that the decision to automate a specific query does not impact their liability, we should be fine.

+1 Mark

@Alan G: Are contracted parties the only parties affected by decisions to disclose registration data to 3rd parties? I see this as a policy decision, not something that the committee should be empowered to make. If the committee is given that authority, might even require an amendment to the ICANN Bylaws.

we are back with the egg-laying wool milk pig

I actually thought we were making progress, and not designing a chimera

The constitution of this committee is something that Milton and Alan G have mentioned. This is also something that clearly requires more thought.

No Volker, we've evolved to a carp and rabbit. It's gorgeous

I was thinking tomatoes with fish DNA….

constitution of the committee (or IRT oversight team, or whatever) is important and needs Council oversight

@Mark: +1

yes

to Mark SV

Agreed, MarkSV

Alan G, this is not just about liability although thanks for the clarity

Safe travels all

F2f meeting information will be sent after this call.

Thank you

Safe travels. See you soon"

Good luck to all at the F2F. Bye.