what Controller are you talking about, Becky?

the registrar?

@Margie would using "automatic" disclosure instead of "automated" disclosure be more accurate

agree with Becky

however ICANNs Brussels office may make ICANN (the controller) and its policies subject to GDPR

Hi all - apologies for the tardiness

can't talk, am in place

I agree with Thomas

if it is doneby a machine, it is automated

makes sense

I doubt that disclosure is possible in all regimes not governed by GDPR.

GDPR or a similar data protection regime Thomas

does hearing it from legal counsel help if that advise is going to be picked apart in the end anyway?

it does not even matter where the controller is located. if the processing happens in the EU, GDPR applies

Agree volker

so a registrar in the US dealing only with US customer buit using German registrar backend services would still be bound by GDPR

Comment on part b: should we consider changing “and” to “and/or” to assess the potential impact of ICANN taking on either of these functions?

(Or both)

that's ok

+1 amy

sounds reasonable

even though I am still not comfortable with the entire ask but I can live with splitting the question

yes - that works for me

That is correct, Becky.

Brian - new hand?

no, thanks.

Please scroll back to the actual question

we can state anything. if it is true or not

Becky +1

I am taking notes, Tara.

Are data controllers entitled to rely on a statement obligating legal person registrants to obtain consent …

If I could add a friendly amendment to the question posed by SSAC, a follow-on question may be helpful, "What representations, if any, would be helpful for the controller to obtain from the legal person registrant in this case?"

Don't want to hold us up from moving on

That’s a good suggestion Brian

“If so, what representations, if any ….”

Right

thanks

Sure — having examples of what to use in practice seems helpful to me.

Which, after all, is what we’re trying to find here (practical assistance).

keep 4 and 5 on the screen please

I agree that this is an important question

we are referring to the purposes here - this is how I understand 4

The accuracy principle is intended to serve the purposes not the processors

One of the previously-approved questions (yet to be submitted) provides: Does the accuracy principle only take into account the interests of the data subject and [a] controller (e.g., ICANN’s or the contracted parties’ interest in maintaining the security and stability of the Internet’s unique identifiers), or does the principle also consider the interests of third-parties (in this case law enforcement, IP rights holders, and others who would request the data from the controller for their own purposes)?

Additionally, this question is posed (yet to be submitted): The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. How do you characterize the level of risk of liability - low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23? Would detailed notice at the time of registration and ongoing renewals reduce the risk that data subjects will wrongly self-identify to a negligible level?

Do data controllers have a responsibility to take reasonable steps ensure the accuracy of the data submitted and ensure a minimum level of accuracy?

I am fine with this

I think Caitlin's questions deal with the self-identification of legal or natural rather than data accuracy generally.

Right, @Laureen.

we can add "having regard to the purposes for which they are processed"

need to drop now, see you all on Thursday

thanks Volker

Is that what you had in mind, Becky? The Legal vs. Natural person memo discusses a “risk of liability” if additional steps are not taken to ensure the accuracy of data. [Do data controllers have a responsibility to take reasonable steps ensure the accuracy of the data submitted and ensure a minimum level of accuracy?] How do you characterize the level of risk of liability - low, medium, or high? What is the threshold for “reason to doubt” registrant self-identification that triggers this risk of liability? Is the risk in Paragraph 17 the same or different than the risk discussed in Paragraph 23? Would detailed notice at the time of registration and ongoing renewals reduce the risk that data subjects will wrongly self-identify to a negligible level?

For reference, here is an excerpt from the previous Bird & Bird accuracy memo: 15. The Accuracy Principle requires controllers to take "reasonable steps" to ensure that personal data is accurate and up-to-date. In some instances, it is reasonable for a controller to rely on the person submitting the data to provide data that is accurate. In other instances, the GDPR requires controllers to take affirmative steps to ensure that the data submitted is indeed accurate. What steps are appropriate will depend on the circumstances and the nature of the risks presented to data subjects.

That is a fair point Margie

just noting that the first memo asked "a. What is the obligation to verify that personal data collected by the controller is accurate at the time of collection?"

Considering Matt's comment, perhaps the follow up question should be what steps do data controllers have a responsibility to take. . . etc. I can confer with Georgious to deal with this.

sounds good to roll it in

I need to drop off to drive- but will stay on the call.

Yes.

I will submit the action items very shortly after this call so everyone can get started on their homework. :)

Will do, Becky.

Thanks, all.

Thanks folk - happy new year

Thanks, all!

happy new year!

Thanks all