
31:38
what Controller are you talking about, Becky?

31:40
the registrar?

33:34
@Margie would using "automatic" disclosure instead of "automated" disclosure be more accurate

33:46
agree with Becky

34:28
however ICANNs Brussels office may make ICANN (the controller) and its policies subject to GDPR

35:07
Hi all - apologies for the tardiness

35:31
can't talk, am in place

35:38
I agree with Thomas

38:25
if it is doneby a machine, it is automated

39:16
makes sense

39:26
I doubt that disclosure is possible in all regimes not governed by GDPR.

39:46
GDPR or a similar data protection regime Thomas

40:40
does hearing it from legal counsel help if that advise is going to be picked apart in the end anyway?

41:42
it does not even matter where the controller is located. if the processing happens in the EU, GDPR applies

42:19
Agree volker

42:20
so a registrar in the US dealing only with US customer buit using German registrar backend services would still be bound by GDPR

42:33
Comment on part b: should we consider changing “and” to “and/or” to assess the potential impact of ICANN taking on either of these functions?

43:00
(Or both)

44:44
that's ok

44:52
+1 amy

49:47
sounds reasonable

50:15
even though I am still not comfortable with the entire ask but I can live with splitting the question

50:33
yes - that works for me

51:14
That is correct, Becky.

51:44
Brian - new hand?

51:57
no, thanks.

52:25
Please scroll back to the actual question

54:28
we can state anything. if it is true or not

54:50
Becky +1

55:55
I am taking notes, Tara.

56:27
Are data controllers entitled to rely on a statement obligating legal person registrants to obtain consent …

59:02
If I could add a friendly amendment to the question posed by SSAC, a follow-on question may be helpful, "What representations, if any, would be helpful for the controller to obtain from the legal person registrant in this case?"

59:17
Don't want to hold us up from moving on

59:26
That’s a good suggestion Brian

01:00:10
“If so, what representations, if any ….”

01:00:21
Right

01:00:23
thanks

01:00:51
Sure — having examples of what to use in practice seems helpful to me.

01:01:25
Which, after all, is what we’re trying to find here (practical assistance).

01:03:27
keep 4 and 5 on the screen please

01:03:43
I agree that this is an important question

01:05:43
we are referring to the purposes here - this is how I understand 4

01:11:36
The accuracy principle is intended to serve the purposes not the processors

01:12:39
One of the previously-approved questions (yet to be submitted) provides: Does the accuracy principle only take into account the interests of the data subject and [a] controller (e.g., ICANN’s or the contracted parties’ interest in maintaining the security and stability of the Internet’s unique identifiers), or does the principle also consider the interests of third-parties (in this case law enforcement, IP rights holders, and others who would request the data from the controller for their own purposes)?

01:13:27
Additionally, this question is posed (yet to be submitted): The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. How do you characterize the level of risk of liability - low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23? Would detailed notice at the time of registration and ongoing renewals reduce the risk that data subjects will wrongly self-identify to a negligible level?

01:16:08
Do data controllers have a responsibility to take reasonable steps ensure the accuracy of the data submitted and ensure a minimum level of accuracy?

01:17:48
I am fine with this

01:18:05
I think Caitlin's questions deal with the self-identification of legal or natural rather than data accuracy generally.

01:18:37
Right, @Laureen.

01:18:49
we can add "having regard to the purposes for which they are processed"

01:20:06
need to drop now, see you all on Thursday

01:20:19
thanks Volker

01:20:26
Is that what you had in mind, Becky? The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. [Do data controllers have a responsibility to take reasonable steps ensure the accuracy of the data submitted and ensure a minimum level of accuracy?] How do you characterize the level of risk of liability - low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23? Would detailed notice at the time of registration and ongoing renewals reduce the risk that data subjects will wrongly self-identify to a negligible level?

01:23:35
For reference, here is an excerpt from the previous Bird & Bird accuracy memo: 15. The Accuracy Principle requires controllers to take "reasonable steps" to ensure that personal data is accurate and up-to-date. In some instances, it is reasonable for a controller to rely on the person submitting the data to provide data that is accurate. In other instances, the GDPR requires controllers to take affirmative steps to ensure that the data submitted is indeed accurate. What steps are appropriate will depend on the circumstances and the nature of the risks presented to data subjects.

01:23:52
That is a fair point Margie

01:24:07
just noting that the first memo asked "a. What is the obligation to verify that personal data collected by the controller is accurate at the time of collection?"

01:25:22
Considering Matt's comment, perhaps the follow up question should be what steps do data controllers have a responsibility to take. . . etc. I can confer with Georgious to deal with this.

01:30:41
sounds good to roll it in

01:31:17
I need to drop off to drive- but will stay on the call.

01:41:43
Yes.

01:43:02
I will submit the action items very shortly after this call so everyone can get started on their homework. :)

01:43:12
Will do, Becky.

01:43:32
Thanks, all.

01:44:18
Thanks folk - happy new year

01:44:24
Thanks, all!

01:44:27
happy new year!

01:44:33
Thanks all