Hi all!

Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en

Members: please select all panelists and attendees in order for everyone to see chat.

Thank you, Volker

This word doc can be found on the mailman message sent with the agenda. Links to DOCX at bottom. https://mm.icann.org/pipermail/gnso-epdp-team/2020-June/003443.html

It depends. Categories are not, rationale probably would contain inferences.

so we are still trying to turn the hybrid model into a centralized model :-(

The nature of the question is personal info

+1 Margie, rationale needed to improve recommendations

Instead of rationale, would concerns be addressed if ‘reason for denial’ is used instead?

+1 Alan G

Members: please select all panelists and attendees in order for everyone to see chat.

+1 Marika

Please note that the logs include no personal data

Unfortunately, we do not really have agreement on what the "hybrid model" that we "agreed to" really is.

What Milton says is the model is not what I thought we agreed to, and I don't think I am lone.

...alone

@Alan how is that possible at this late stage??? Have we not all been clear about how this hybrid model was meant to work??

My understanding of hybrid is not consistent with Milton’s view either

well, Alan, I don’t know where we are if we are not working with the hybrid model. Your suggestion essentially reverses 90% of the work we have done

And I think calling it a “glorified ticketing system” isn’t really accurate

If it helps inform future automation later (or doesn't), that doesn't matter. This is to help the CGM make better recommendations.

@Volker: +1

I don’t understand what the value of an automated recommendation is.

…, by the CGM, that is.

What is that supposed to achieve?

@Amr, I understood it to help CPs make a decision. They've never had to make these decisions before, and many of them don't have in-house counsel, data protection officer, etc. In any event, a recommendation is non-binding.

your voice is fading, Janis

@Brian: Thanks, but what I’m actually trying to figure out is how an automated recommendation is practically going to help CPs make those decision?!

I think I recall Thomas mentioning that the outcome of decisions to disclosed could be beneficial to other CPs in that CPs collectively can learn from the results.....in addition to stats being submitted to SSAD for reporting etc.

+1 Janis

We do not have a common understanding of what we are talking about, as is so often the case.

@Amr: "Requests from this requestor, for this purpose, receives data 3% or 97% of the time" would be helpful, IMO.

+1 to Volker's suggestion drop down menu

We need to see that drop down box in order to agree. This is a policy issue, not implementation.

@Amr, I disagree. This is about transparency and optimizing a system

Transparency and optimizing a system for the disclosure of personal information to third parties is not necessarily what OUR SG is looking for in this process. We are looking for respect for human rights and data protection

And human rights includes due process

They are not mutually exclusive

This has been in the draft for a long time

Note that the documentation of rationale is not something new or that has changed since the Initial Report - as Janis noted, this question is about what, if anything, gets shared with the CGM. There appears to be support for sharing the reason for denial with the CGM.

The SSAD will prove to be useful to everyone. Having consistent and transparent operation of the system is useful to registrants, users and ultimately the CPs as well

SSAD has no value that I can think of to registrants. Just costs us more money.

to be fair milton, this was not intended to be an automation enabler but rather a recommendation that can be followed or not. this was agreed at the f2f you could not attend

Reason

Based on how this is going, why don't we just declare failure and give ourselves a few days off for the rest of the week.This does not bode well for PDP 3.0.

@Stephanie, I agree that this must not contain any personal data. Can we add "will not contain personal data"?

@Stephanie: +1

I might be wrong, but I think you are partially talking past each other. The proposed hybrid model can move to more centralization, which does not equal automation.

+1 Thomas

+1 Thomas, and can live with the language on the screen

Thanks, Dan.

That’s an implementation detail

Note that the reference to rationale comes from other requirements where this is documented.

d. Responses where disclosure of data (in whole or in part) has been denied MUST include: rationale sufficient for the requestor to objectively understand the reasons for the decision, including, for example, an analysis and explanation of how the balancing test was applied (if applicable). Additionally, in its response, the Contracted Party MAY include information on how public registration data can be obtained.

Yup. No essays, no legal memos.

@Brian: Good catch.

Thanks Brian!

@Dan, you bet. Good catch.

So delete the extra step?

Yes

@Chris: Would you mind speaking closer to your mic?

Much better. Thanks. :-)

7.2.1

Do we just need to delete the word further?

Marika here is some proposed language for the first open question:

“In all instances when a request is approved or denied, the CP will send to the CGM a simple indicator of the reason for the decision

"

Agree that we should delete the word "further" to avoid assuming that balancing test is always required.

Marika, have you hired come crickets for the background noise on your line?

Just to give you a change from the bird sounds :-)

:-)

the Marika insect orchestra! Great concept

is required (by whom?)

@Dan: A Chinese CP determining its lawful basis is also consistent with the Policy.

@Thomas: +1

+1 Thomas

Very much agree with Thomas.

Precisely Thomas. This was supposed to be a global policy at the level of the GDPR. What is required here may be something like, “For greater clarity, under no circumstances would an individual lose the protection of this policy for their personal data, should they and the data controllers be operating from jurisdictions without data protection.

Dan, are you in effect proposing geographic differentiation?

Hello Milton. No, I am not.

The contract of course - would also be a legal basis - for those places not covered by a 'legislative enactment'.

@AlanW: +1

CPs *are* allowed to make geographic distinctions. I think this edit removes that discretion

As Janis likes to consistently remind us, the first “S” in SSAD is “Standardized”.

This was the whole idea. You are required by contract to meet a GDPR based policy

@Thomas: +1

@Margie @AlanG: Are we finally agreeing that the phase 1 rec is about treating registration data differently, and not only being limited to redaction? ;-)

Ala, I thought ALAC was supposed to be advocating for individual internet users, regardless of their jurisdiction

AlanG

But all registrants are individual internet users

@Volker: +1

Thanks Volker. Language like that would solve our question.

@Milton, IBM Corp is a registrant but not an indiv. Int users.

IBM corp is not an individual internet user. Amazing that I have to explain the individual basis of representation in AL to someone in ALAC

Corps and businesses are represented in constituencies/SGs. The whole point of AL was to represent individuals.

Perhaps replace proposed language with "if applicable"? MUST determine its own lawful basis, "if applicable". . .

@Milton, I was reacting to your statement that ALL REGISTRANTS ARE INDIV INT. USERS.

+1 Laureen

“From Alan Greenberg (ALAC) to All panelists: (11:20 AM)
+1 Margie.
@Stephanie, but not all registrations are subject to GDPR.” The whole point of this policy, is that all registrations will be subject to this policy, which will set the bar at the GDPR.

And AlanG I am explaining to you that you seem more concerned with IBM than with individual internet users.

Otherwise, we will be encouraging all lazy contracted parties to operate from Turks and Caicos. Or some other jurisdiction unlikely to pass DP law, or enforce it.

Apologies as I will need to drop in about 10 minutes

Or is not prohibited from disclosing?

The way I read the suggestion: If there is no privacy law, no legal check whatsoever needs to be applied. Are we really ok with potentially not having any protection for certain registrants???

@Milton: +1

Thomas, exactly. We are not OK with that

And content on a website does not always equal domain name that the registrar is limited to…

Content is relevant to UDRPs

@Matt: +1

+100 Thomas. We will never agree to this

+1 James

@James: +1

If we have already agreed that IP cannot be a blanket reason for denial, why do we need the ‘content’ phrasing? IP issues relating to content are still IP issues.

@Milton: Exactly!! +1

you already have that right under DMCA, Mark

you don’t need the SSAD

The web host does not have the RDS data

Temp spec already covers that Marc SV - disclosure is not necessary to contact the registrant.

registrars are required to forward on that message.

DCMA does not apply universally. We are not talking about right, we are talking about ability.

@MarkSV: We’re not saying that you can’t contact a website admin over infringing content. Just saying that unless there is an infringement in the domain name string itself, you need to find another way to initiate contact other than having registration data disclosed to you.

They can pursue all kinds of legal remedies without the RDS data, including takedown under DMCA

I need to drop now

That's abuse management - not IP

oh .. what james said

@James content is relevant in case of DNS abuse (Phishing)

Phishing & IP are linked

The phishers need to use the IP or copyrights to trick the consumers

No one here is suggesting we aren’t following those policies @Alan

@Volker: Exactly!!

I will also point out, this was a subject that was very strongly opposed to by members within the RrSG…

One idea: delete the rest of the recommendation starting with “…nor can the disposition …

Plus a URS/UDRP can be filed without the disclosure (again phase I) - the content does not become more relevant or less by knowing who the registrant is? Unless of course you don't communicate with your own company and it turns out to be you …. which … is bad management and policy … we can't solve for that at ICANN.

I *think* Margie’s idea is ok...

and none of that prohibits us from doing the disclosure anyway

That sounds ok to me, but thinking on my feet right now.

sounds ok

https://docs.google.com/document/d/17gGzz6K-zKuSK71FluHCowZo3p6tFEd3/edit

I appreciate Amr's motivation. But the GGP was not acceptable because of specific details of how a GGP is created and how its Recs are handled. By not having those details specified for the Standing Comm, we are left with unknowns whether it devolves into something equivalent to a GGP or is very different.

Let’s move the discussion on Rec 19 to tomorrow, we are not going to accomplish anything today

The point is that it is practically extremely difficult to block a topic being introduced to this committee.

Thanks all…same time, same place tomorrow…

Thank you all - bye for now

Without knowing HOW the output of the SC will be addressed, we do not know if it is acceptable or not.