Marika Konings' Personal Meeting Room - Shared screen with speaker view
Volker Greimann
05:42:41
an advisory body with voluntary adoption by data controllers
Alan Woods (RYSG)
05:42:57
+1 Volker
Stephanie Perrin (NCSG)
05:48:37
I want to thank James for taking over the Debbie Downer role from me…
Volker Greimann (RrSG)
05:51:33
Wop wop wooooop
James Bladel (RrSG)
05:51:33
Volker’s idea for a name; ICANN Privacy Council
Berry Cobb
06:02:40
CPIF = Consensus Policy Implementation Framework.
Berry Cobb
06:03:11
The last phase of it triggers an eventual review of the policy being implemented.
Stephanie Perrin (NCSG)
06:05:04
new mechanism, from NCSG perspective
James Bladel (RrSG)
06:05:27
Clarification: My intervention was for a New body to use Existing mechanisms
Berry Cobb
06:05:32
Based on what I've gathered, this Privacy Council will have other duties. Operational components, continuous improvement, general system enhancement oversight. Logging Audit oversight. Coordination with 3rd party auditors. Thomas also made a good point last night about where a disclosure is overturned or later found no longer lawful. That change would require a communication back through the Policy Council to better inform all the CPs of possible impacts to disclosure requests.
Stephanie Perrin (NCSG)
06:05:57
Did you guys have a meeting last night?
Berry Cobb
06:06:12
<< all in addition to possible consideration of automation possibilities.
Matt Serlin (RrSG)
06:06:13
Sounded like the policy review as Marika was describing was a good option for something like this
Thomas Rickert (ISPCP)
06:06:18
Stephanie yes - the welcome cocktail :-)
Volker Greimann (RrSG)
06:06:19
Just dinner with a prohibition on shop-talk
Berry Cobb
06:06:31
@Stephanie - the cocktail reception.
Volker Greimann (RrSG)
06:06:32
(CPH only)
Margie Milam (BC)
06:11:34
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/codes-of-conduct/
Brian King (IPC)
06:13:45
Also we need to let the cat out of the bag: Alex Deacon laid an Easter egg for us as he drafted the accreditation Building Block to meet the requirements of what the GDPR lays out regarding a code of conduct.
Stephanie Perrin (NCSG)
06:17:23
ICANN staff cannot write this code of conduct
Stephanie Perrin (NCSG)
06:17:40
It is an output of the advisory committee over time
Thomas Rickert (ISPCP)
06:17:42
They can ask Ruth and team to get a structure for a draft coc
Stephanie Perrin (NCSG)
06:18:05
yes Ruth can provide advice on framework
Georgios Tselentis (GAC)
06:19:06
I thought that this was what was suggested: to use the oversight committee to update the code of conduct based on the experience gained through the implementation
Thomas Rickert (ISPCP)
06:19:36
Right Stephanie, but that exercise will force us to write up all the details
Stephanie Perrin (NCSG)
06:19:42
Exactly
Stephanie Perrin (NCSG)
06:20:01
It is a goal for the oversight committee, but we cannot wait for it to set policy is all I am saying.
Stephanie Perrin (NCSG)
06:20:18
Important to include it as a recommendation though, or we will lose all this good work
Stephanie Perrin (NCSG)
06:20:37
Diderot did not write his encyclopedia overnight....
Marika Konings
06:22:35
As a reminder, this is the document that Chris is presenting.
Mark Svancarek (BC)
06:40:40
+1 Stephanie... I had actually assumed that the Gateway would be generating those very stats
Stephanie Perrin (NCSG)
06:41:39
It should, but we need to pull it out specifically as a metric for quality management purposes, and to inform the code of conduct
Brian King (IPC)
06:42:14
+1 Stephanie. Reporting will be very important. Goes hand in hand with audit IMO
Brian King (IPC)
06:44:58
+1 Alan W. Needs to be clear.
Mark Svancarek (BC)
07:32:49
I understand Stephanie's concern and agree it must be discussed in implementation
Brian King (IPC)
07:33:09
+1 MarkSv
Mark Svancarek (BC)
07:33:17
if implemented incorrectly it would be a security hole
Stephanie Perrin (NCSG)
07:34:00
I think we are ok with that. Implementation must address this.
Mark Svancarek (BC)
08:25:22
SLAs accommodate system failures and scheduled downtime
Volker Greimann (RrSG)
08:29:55
PPSAI is pre-GDPR
Brian King (IPC)
08:32:32
You might not need this language, but we do.
Margie Milam (BC)
08:46:52
See Article 49 (e) in GDPR: (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
Stephanie Perrin (NCSG)
08:50:36
this article certainly would appear in the request.
Volker Greimann (RrSG)
08:50:51
Absent a legal requirement to the contrary
Stephanie Perrin (NCSG)
08:50:51
However the use of this clause could be over-broad.
James Bladel (RrSG)
08:51:11
I think what we want is: Justification for any rejections/denials. And alternative methods are not the sole justification
Mark Svancarek (BC)
08:51:34
I think James is right... thinking...
Stephanie Perrin (NCSG)
08:51:41
We mentioned earlier the benefit of reputation systems in establishing “preferred” requestors
Margie Milam (BC)
08:51:57
Fabricio, 4:09 PM: Article 9(2)(f) permits you to process special category data if: “processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.
Stephanie Perrin (NCSG)
08:52:44
I think Fab means 49 (2) (f)
Margie Milam (BC)
08:53:16
yes
Margie Milam (BC)
08:53:24
that's right
Alan Woods (RYSG)
08:53:28
that relating to special categories of data and … also would apply to the controller not of a 3rd party surely
Volker Greimann (RrSG)
08:54:41
Alan is right here. Context matters
Alan Woods (RYSG)
08:56:04
Also necessity is key here. If a domain is breaching your TM in your opinion, surely the establishment of a case is not dependanton who the registrant is?
Alan Woods (RYSG)
08:56:16
ugh *Dependent on
Mark Svancarek (BC)
08:59:33
I think that Margie has now explained the necessity. Just include that info and AlanW's requirement is met, I think
Mark Svancarek (BC)
09:00:20
... and then watch for stats indicating whether some authorizers are simply refusing certain classes of valid requests
Alan Woods (RYSG)
09:02:35
for the record.... the issue I had was that removing a legally valid reason for denying disclosure is not good policy. Inference as to how the CPs are "going to act" is unhelpful.
Terri Agnew
09:02:35
Reminder to clear hands in zoom if no longer needed.
Mark Svancarek (BC)
09:05:41
An example would help us understand
Georgios Tselentis (GAC)
09:06:54
Keep both "and" "or" the idea being that in any case the CP must provide the rationale: The EPDP Team recommends that if a Contracted Party determines that disclosure would be in violation of applicable laws and/or policy recommendations, Contracted Party must document the rationale and communicate this information to the requestor and ICANN Compliance (if requested).
Stephanie Perrin (NCSG)
09:09:00
I have an example
Stephanie Perrin (NCSG)
09:09:09
hand is up
Mark Svancarek (BC)
09:10:02
I want to ensure that our policy does not prevent a CP from entering into a JCA. "Authorizing entity" makes that more clear
Mark Svancarek (BC)
09:12:28
Or "Disclosing Entity"
Eleeza Agopian (ICANN Org Liaison)
09:14:16
All — my apologies, I have to step out early but will be on the phone for the next hour. My org colleague, Isabelle Colas-Adeshina has joined the room to listen in. Thanks.
Stephanie Perrin (NCSG)
09:14:54
What kind of JCA did you have in mind?
Stephanie Perrin (NCSG)
09:15:45
(latter question addressed to Marc)
Mark Svancarek (BC)
09:20:26
is "inform" a legally defined term in this context?
Mark Svancarek (BC)
09:20:55
(I naively assumed that it was, and that's why I preferred it to the previous verbiage)
Alan Woods (RYSG)
09:24:08
The transparency obligation is an obligation - we have to do it. ICANN policy doesn't trump that. This is not an issue
Mark Svancarek (BC)
09:25:06
Should we just say "controllers must meet the transparency obligation"?
James Bladel (RrSG)
09:27:01
must “...be clearly disclosed in the Registrar’s domain Registration Agreement....blah blah”
James Bladel (RrSG)
09:27:45
(apologies if I post to you privately. The iOS chat function always opens a private channel to whomever posted the most recent chat message)
Georgios Tselentis (GAC)
09:29:38
Article 12 that Thomas quoted says "...in a concise, transparent, intelligible and easily accessible form, using clear and plain language..."
Chris Lewis-Evans (GAC)
09:30:51
+1 Georgios
Stephanie Perrin (NCSG)
09:30:53
actually that is a very useful quote and approach. +1 Thomas
Brian King (IPC)
09:32:44
+1 Georgios
Julf Helsingius (NCSG)
09:33:05
+1
Stephanie Perrin (NCSG)
09:34:37
So to be clear, the language Georgios quoted will be included in this section of text, to provide greater clarity.
Marika Konings
09:35:02
Correct @Stephanie
Stephanie Perrin (NCSG)
09:36:36
Thanks Marika!
Brian King (IPC)
09:49:37
+1 Marc
Stephanie Perrin (NCSG)
10:06:56
Just a point of clarification: who is going to pay for this indemnification, I have forgotten....