051040043 - EPDP-Phase 2A Team Call - Shared screen with speaker view
Terri Agnew
40:18
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Volker Greimann (RrSG)
40:51
Hello all....
Brian King (IPC)
46:25
Surely Council wouldn't really pull the plug on Phase 2A before we even receive our legal advice...
Laureen Kapin (GAC)
49:01
Very helpful "trailer" Keith, thx.
Brian King (IPC)
49:08
+1
Laureen Kapin (GAC)
59:08
+1 Becky.
Mark Svancarek (BC)
59:19
+1 Becky
Becky Burr (Board Liaison)
59:27
We need to know which of these ccTLDs have laws/regulations (like the one applicable to .eu) that provide a public interest basis for processing. Otherwise very hard to make sense of this.
Brian King (IPC)
01:02:44
I'd also like to know that
Brian King (IPC)
01:03:38
Thank you, Jared.
Sarah Wyld (RrSG)
01:03:51
Thank you Jared!
Alan Woods (RYSG)
01:06:48
Thank you!
Milton Mueller (NCSG)
01:07:36
good question, Steve
Milton Mueller (NCSG)
01:07:41
Answer is no
Keith Drazek - Chair (Verisign)
01:08:09
Is it worth considering/investigating the value of registrant consent vis-à-vis the various ccTLD policies on display of natural person data, either in the context of legal person registrations or actual natural person registrations?
Keith Drazek - Chair (Verisign)
01:09:04
Sorry, meant to send that to everyone.
Mark Svancarek (BC)
01:10:01
lol
Mark Svancarek (BC)
01:11:11
+1 Volker
Stephanie Perrin (NCSG)
01:11:33
+1 Volker
Volker Greimann (RrSG)
01:12:30
When I was a young bot in Bulgaria...
Mark Svancarek (BC)
01:14:07
Why is the public interest comparison to real property records a red herring?
Volker Greimann (RrSG)
01:14:29
Steve: I mean the processes a registrar employs to allow self-ID
Chris Lewis-Evans (GAC)
01:14:50
@Stephanie why are they a lower risk for action? Data protection laws apply to them as much as any other company operating in that country.
Volker Greimann (RrSG)
01:15:50
Apparently Facebook does not require real ID either...
Margie Milam (BC)
01:16:52
Consent is not what we’re interested in exploring for the legal/natural person distinction. That’s why we’re asking the legal questions to explore non-consent options
Milton Mueller (NCSG)
01:17:04
meh
Sarah Wyld (RrSG)
01:17:52
Margie - so you're completely against registrant self-identification as an option here?
Margie Milam (BC)
01:18:17
No - that’s one of the non-consent options
Margie Milam (BC)
01:18:52
Self identification allows the legal/natural person distinction to be made so consent is not needed
Stephanie Perrin (NCSG)
01:19:33
@Chris for several reasons. To varying degrees, there are government ties to the cctlds. In many cases, there has been consultation with the DPAs of the relevant country. Sometimes that advice is ignored. DPAs are under no constraints (re consultation, biting the hand that hires them etc) in the case of the private sector. Secondly, in my view although I do not have stats to back me up, more of the commercial applications are registered under gtlds.
Karen Lentz (ICANN Org)
01:19:47
Confirming re: the point on laws/regulations … some of these are referenced throughout the table … action item for us, we can make that its own column so it’s easier to find
Karen Lentz (ICANN Org)
01:19:53
Thanks all
Sarah Wyld (RrSG)
01:19:57
Thanks Karen
Brian King (IPC)
01:19:58
Thanks, Karen!
Laureen Kapin (GAC)
01:20:19
Thanks for this useful resource!
Berry Cobb
01:20:20
https://docs.google.com/document/d/1Hf-Nt-VMznpGE4WZ7wWaHF8pXdm8qA28OW7Mjr4MH_A/edit#heading=h.gjdgxs
Sarah Wyld (RrSG)
01:20:38
Thanks Berry
Stephanie Perrin (NCSG)
01:23:03
@Chris third point, again unbacked by stats, since many cctlds insist on residence/citizenship, the chances of a global actor who does not have detailed knowledge of the jurisdiction decreases…..so they would be more likely to understand that question about whether they are legal person/small business/individual acting as entrepreneur…..there would be less confusion.
Stephanie Perrin (NCSG)
01:23:50
@ Chris that last point is not a risk of enforcement point, it is more a less risk of noncompliance.
Chris Lewis-Evans (GAC)
01:25:29
@Stephanie thanks last point is an interesting one but may also be true of some gtlds (.bank)?
Laureen Kapin (GAC)
01:26:27
@ Berry, what is contemplated as the source of this legal risk fund?
Volker Greimann (RrSG)
01:26:59
We could make the requestor pay the fines for any illegal disclosure resulting from their request...
Stephanie Perrin (NCSG)
01:27:01
Indeed, wherever there is local law requiring registration/incorporation etc the risk of confusion goes down. I am focusing on small and home based business, in many of my expressions of concern
Laureen Kapin (GAC)
01:27:11
Sorry, source of funding --
Sarah Wyld (RrSG)
01:27:15
Who would make decisions about under what circumstances that risk fund pays out? What happens if a CP requests financial support from that fund but the controlling party disagrees?
Volker Greimann (RrSG)
01:27:21
Owen: it will certainly lead to higher fines
Sarah Wyld (RrSG)
01:27:27
I'd much rather set up a policy that does not assume we're going to have legal risks to pay for...
Mark Svancarek (BC)
01:27:32
@Owen: NO, though that's why I'd give it a different name.
Stephanie Perrin (NCSG)
01:28:12
I would humbly suggest that setting up a risk fund might attract complaints.....
Alan Greenberg (ALAC)
01:29:05
My recollection was that the fund was not for GDPR violations but for private suits.
Stephanie Perrin (NCSG)
01:29:12
Thank you Berry for saying that we are trying to protect registrants. It does not happen often, and it is music to my ears
Thomas Rickert (ISPCP)
01:30:48
Stephanie, some parties have big pockets and they may be targets anyway. I guess the benefit of having financial cover for those affected without their wrongdoing would be a good thing to have.
Brian King (IPC)
01:31:02
An argument that a legal risk fund is not a perfect solution does not make it a bad idea. If it's tripping us up for the purposes of this conversation, let's set it aside.
Sarah Wyld (RrSG)
01:33:19
We'll necessarily require some method to adjust the person type after it's been selected, right? So that means if it's provided at registration and managed after there are *two* places where it's set. Simpler for the user to have it only in one place (which would be the management location, not the registration location).
Sarah Wyld (RrSG)
01:33:36
Good point Owen
Stephanie Perrin (NCSG)
01:34:01
I certainly understand that there is a need to cover the costs of those who have to comply with a policy that puts them at legal risk. I have a question that I don’t believe we asked 2Birds….what legal risk does ICANN have in publishing guidance to registrars in how to distinguish whether personal info is being disclosed when they attempt to distinguish between legal/natural? It seems to me a legal risk fund could be included in your co-controller agreements, which of course is covered under GDPR and presents less of a target
Milton Mueller (NCSG)
01:36:22
very good point about incentives Volker
Stephanie Perrin (NCSG)
01:36:29
Indeed I agree with what Volker is saying.
Stephanie Perrin (NCSG)
01:37:26
Civil society actors are looking for pots of money, and creation of a risk fund is an admission of guilt, or at least would be argued as such by those actors.
Tara Whalen (SSAC)
01:37:40
I need to drop off early today; Steve will ably carry on for SSAC. Thanks!
Sarah Wyld (RrSG)
01:37:54
It seems odd to me that we'd go to all this trouble to require knowledge of the person's type and then not use that info at all?
Sarah Wyld (RrSG)
01:38:01
(to Hadia's point)
Sarah Wyld (RrSG)
01:38:15
Holding that data is itself a processing activity, so we are acting on it just by knowing it
Volker Greimann (RrSG)
01:38:40
Someone did not do their homework?
Sarah Wyld (RrSG)
01:39:07
Also, we haven't gotten into this but the idea of setting a "flag" on a domain is a really big change and would need to be considered in depth
Mark Svancarek (BC)
01:42:00
Sarah, can you set a "flag" on a domain for subsequent data requests if you've already disclosed the data due to it containing no personal data?
Sarah Wyld (RrSG)
01:42:15
Mark - like, could that be built? or does it exist now?
Sarah Wyld (RrSG)
01:42:34
we could build anything, but I don't think that would make sense in practice
Mark Svancarek (BC)
01:42:36
Sarah - I think you are saying it can't be built?
Sarah Wyld (RrSG)
01:42:55
I could speak to why flags are #problematic if that would help
Steve Crocker (SSAC)
01:43:44
@Sarah: I’m definitely interested in hearing what you have to say on this.
Mark Svancarek (BC)
01:43:53
sorry, our replies crossed. I think you are saying that no matter how many times a record is requested, even if it's known to contain no personal data, you plan to perform a re-evaluation - every time?
Sarah Wyld (RrSG)
01:43:56
Hand is raised for this topic (flags), thank you
Sarah Wyld (RrSG)
01:44:07
Mark - Yes.
Keith Drazek - Chair (Verisign)
01:44:07
Got it, thanks
Berry Cobb
01:44:21
Time Check - 24 min remaining.
Hadia Elminiawi (ALAC)
01:44:49
@Sarah this flagging does not put the CPs at any risk. knowing the information but not publishing it also does not put you at risk. We have all established the fact that legal persons data might include PI and thus publishing is not a clear cut.
Sarah Wyld (RrSG)
01:45:42
Data minimization principle requires me to only collect the least data I need to accomplish my stated purpose. Collecting person type without acting on that information means I'm gathering data for no purpose.
Mark Svancarek (BC)
01:46:01
nice!
Berry Cobb
01:46:46
To the comments of Milton and Volker, this is why the thought experiment was to build on the recommendations already passed. The concept of self-identification can be a blend of Rec #6 and Rec #12.
Keith Drazek - Chair (Verisign)
01:51:30
To Sarah's point about the location of the "flag," are we talking about a designation between legal/natural or a designation between consent to publish/not publish? Are we talking about a "person type" or a consent status?
Milton Mueller (NCSG)
01:51:30
yes, backfilling is not going to happen
Milton Mueller (NCSG)
01:52:29
@Keith I think/hope we are talking about person type
Sarah Wyld (RrSG)
01:52:45
we already have the consent to publish or not :)
Volker Greimann (RrSG)
01:52:58
My hand to Keith's question
Sarah Wyld (RrSG)
01:53:03
the idea I was responding to is of flagging the legal or natural person type somewhere
Keith Drazek - Chair (Verisign)
01:53:33
Thanks Sarah
Volker Greimann (RrSG)
01:54:05
Rest in peace, whois
Sarah Wyld (RrSG)
01:55:46
We will of course follow our consensus policy and RAA obligations
Sarah Wyld (RrSG)
01:56:02
but our Legal team finds it necessary to review each disclosure request individually
Sarah Wyld (RrSG)
01:56:30
Possibly agree re person-type attributes not being PD, I see what you mean & would need to think through it more.
Hadia Elminiawi (ALAC)
01:56:33
we are talking about a "person type" flag, like legal person, natural person, or undetermined
Stephanie Perrin (NCSG)
01:56:39
Actually I would argue that it is
Stephanie Perrin (NCSG)
01:56:44
PI that is
Mark Svancarek (BC)
01:57:15
@Stephanie, we should discuss
Stephanie Perrin (NCSG)
01:58:08
Anytime Mark!
Volker Greimann (RrSG)
01:58:18
No had, we are not, actually
Volker Greimann (RrSG)
01:58:48
had=hadia
Sarah Wyld (RrSG)
01:58:51
Can I speak to that?
Sarah Wyld (RrSG)
01:59:01
I have a brief comment on it
Brian King (IPC)
01:59:35
I'm happy to take that homework assignment. It's a really good one.
Hadia Elminiawi (ALAC)
02:00:07
@Volker in this case we need two flags - one that identifies the registrant as legal, natural or undetermined and a second flag that says if the data has PI or not
Berry Cobb
02:00:23
1A: https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit
Berry Cobb
02:00:34
RrSG proposal: https://docs.google.com/document/d/1YyiBmtcpa5PxsPnKDXZFfU0WEPVhgjN5ySv9KvQb6Tw/edit#heading=h.gjdgxs
Brian King (IPC)
02:00:44
Thanks Berry.
Steve Crocker (SSAC)
02:00:55
Are we saying anything about who gets access to non-public data?
Sarah Wyld (RrSG)
02:01:07
Steve - I think that is out of scope for this phase
Brian King (IPC)
02:01:43
We tried that, Steve. Nobody gets access. You get to request, and you get to hope.
Steve Crocker (SSAC)
02:02:35
umpf
Brian King (IPC)
02:04:06
You're right, Owen. You get to ask, you get to wait, and you get to hope. ;-)
Berry Cobb
02:04:21
As an FYI, Council meeting is 24th of March at 17:30 UTC.
Marc Anderson (RySG)
02:05:21
thank you Keith
Sarah Wyld (RrSG)
02:05:21
Thanks for repeating that, Keith, I also found it helpful
Brian King (IPC)
02:05:43
Agree to disagree about whether our dreams were technically or legally possible. I'm much more optimistic about Phase 2A.
Stephanie Perrin (NCSG)
02:06:57
Thanks Keith. I think it is fair to say that from the perspective of those whose primary goal is the protection of personal information, there is little room for compromise on publishing data based on self-declaration.
Volker Greimann (RrSG)
02:07:35
Fever dreams?
Brian King (IPC)
02:08:18
ha :-)
Brian King (IPC)
02:08:23
Thanks, all.
Sarah Wyld (RrSG)
02:08:27
Thanks, all
Hadia Elminiawi (ALAC)
02:08:29
Thank you all bye