Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.

Hello all....

Surely Council wouldn't really pull the plug on Phase 2A before we even receive our legal advice...

Very helpful "trailer" Keith, thx.

+1

+1 Becky.

+1 Becky

We need to know which of these ccTLDS have laws/regulations ( like the one applicable to .eu) that provide a public interest basis for processing. Otherwise very hard to make sense of this.

I'd also like to know that

Thank you, Jared.

Thank you Jared!

Thank you!

good question, Steve

Answer is no

Is it worth considering/investigating the value of registrant consent vis-à-vis the various ccTLD policies on display of natural person data, either in the context of legal person registrations or actual natural person registrations?

Sorry, meant to send that to everyone.

lol

+1 Volker

+1 Volker

When I was a young bot in Bulgaria...

Why is the public interest comparison to real property records a red herring?

Steve: I mean the processes a registrar employs to allow self-ID

@Stephanie why are they a lower risk for action? Data protection laws apply to them as much as any other company operating in that country.

Apparently Facebook does not require real ID either...

Consent is not what we’re interested in exploring for the legal/natural person distinction. That’s why we’re asking the legal questions to explore non-consent options

meh

Margie - so you're completely against registrant self-identification as an option here?

No - that’s one of the non-consent options

Self identification allows the legal/natural person distinction to be made so consent is not needed

@Chris for several reasons. To varying degrees, there are government ties to the cctlds. In many cases, there has been consultation with the DPAs of the relevant country. Sometimes that advice is ignored. DPAs are under no constraints (re consultation, biting the hand that hires them etc) in the case of the private sector. Secondly, in my view although I do not have stats to back me up, more of the commercial applications are registered under gtlds.

Confirming re: the point on laws/regulations … some of these are referenced throughout the table … action item for us, we can make that its own column so it’s easier to find

Thanks all

Thanks Karen

Thanks, Karen!

Thanks for this useful resource!

https://docs.google.com/document/d/1Hf-Nt-VMznpGE4WZ7wWaHF8pXdm8qA28OW7Mjr4MH_A/edit#heading=h.gjdgxs

Thanks Berry

@Chris third point, again unbacked by stats, since many cctlds insist on residence/citizenship, the chances of a global actor who does not have detailed knowledge of the jurisdiction decreases…..so they would be more likely to understand that question about whether they are legal person/small business/individual acting as entrepreneur…..there would be less confusion.

@ Chris that last point is not a risk of enforcement point, it is more a less risk of noncompliance.

@Stephanie thanks last point is an interesting one but may also be true of some gtlds (.bank)?

@ Berry, what is contemplated as the source of this legal risk fund?

We could make the requestor pay the fines for any illegal disclosure resulting form their request...

Indeed, wherever there is local law requiring registration/incorporation etc the risk of confusion goes down. I am focusing on small and home based business, in many of my expressions of concern

Sorry, source of funding --

Who would make decisions about under what circumstances that risk fund pays out? What happens if a CP requests financial support from that fund but the controlling party disagrees?

Owen: it will certainly lead to higher fines

I'd much rather set up a policy that does not assume we're going to have legal risks to pay for...

@Owen: NO, though that's why I'd give it a different name.

I would humbly suggest that setting up a risk fund might attract complaints.....

My recollection was that the fund was not for GDPR violations but for private suits.

Thank you Berry for saying that we are trying to protect registrants. It does not happen often, and it is music to my ears

Stephanie, some parties have big pockets and they may be targets anyway. I guess the benefit of having financial cover for those affected without their wrongdoing would be a good thing to have.

An argument that a legal risk fund is not a perfect solution does not make it a bad idea. If it's tripping us up for the purposes of this conversation, let's set it aside.

We'll necessarily require some method to adjust the person type after it's been selected, right? So that means if it's provided at registration and managed after there are *two* places where it's set. Simpler for the user to have it only in one place (which would be the management location, not the registration location).

Good point Owen

I certainly understand that there is a need to cover the costs of those who have to comply with a policy that puts them at legal risk. I have a question that I don’t believe we asked 2Birds….what legal risk Does ICANN have in publishing guidance to registrars in how to distinguish whether personal info is being disclosed when they attempt to distinguish between legal/natural? It seems to me a legal risk fund could be included in your co-controller agreements, which of course is covered under GDPR and presents less of a target

very good point about incentives Volker

Indeed I agree with what Volker is saying.

Civil society actors are looking for pots of money, and creation of a risk fund is an admission of guilt, or at least would be argued as such by those actors/

I need to drop off early today; Steve will ably carry on for SSAC. Thanks!

It seems odd to me that we'd go to all this trouble to require knowledge of the person's type and then not use that info at all?

(to Hadia's point)

Holding that data is itself a processing activity, so we are acting on it just by knowing it

Someone did not do their homework?

Also, we haven't gotten into this but the idea of setting a "flag" on a domain is a really big change and would need to be considered in depth

Sarah, can you set a "flag" on a domain for subsequent data requests if you've already disclosed the data due to it containing no personal data?

Mark - like, could that be built? or does it exist now?

we could build anything, but I don't think that would make sense in practice

Sarah - I think you are saying it can't be built?

I could speak to why flags are #problematic if that would help

@Sarah: I’m definitely interested in hearing what you have to say on this.

sorry, our replies crossed. I think you are saying that no matter how many times a record is requested, even if it's known to contain no personal data, you plan to perform a re-evaluation - every time?

Hand is raised for this topic (flags), thank you

Mark - Yes.

Got it, thanks

Time Check - 24 min remaining.

@Sarah this flagging does not put the CPs at any risk. knowing the information but not publishing it also does not put you at risk. We have all established the fact that legal persons data might include PI and thus publishing is not a clear cut.

Data minimization principle requires me to only collect the least data I need to accomplish my stated purpose. Collecting person type without acting on that information means I'm gathering data for no purpose.

nice!

To the comments of Milton and Volker, this is why the thought experiment was to build on the recommendations already passed. The concept of self-identification can be a blend of Rec #6 and Rec #12.

To Sarah's point about the location of the "flag," are we talking about a designation between legal/natural or a designation between consent to publish/not publish? Are we talking about a "person type" or a consent status?

yes, backfilling is not going to happen

@Keith I think/hope we are talking about person type

we already have the consent to publish or not :)

My hand to Keiths question

the idea I was responding to is of flagging the legal or natural person type somewhere

Thanks Sarah

Rest in peace, whois

We will of course follow our consensus policy and RAA obligations

but our Legal team finds it necessary to review each disclosure request individually

Possibly agree re person-type attributes not being PD, I see what you mean & would need to think through it more.

we are talking about a "person type" flag, like legal person, natural person, or undetermined

Actually I would argue that it is

PI that is

@Stephanie, we should discuss

Anytime Mark!

No had, we are not, actually

had=hadia

Can I speak to that?

I have a brief comment on it

I'm happy to take that homework assignment. It's a really good one.

@Volker in this case we need two flags - one that identifies the registrant as legal, natural or undetermined and a second flag that says if the data has PI or not

1A: https://docs.google.com/document/d/1Je23419t1xv7OFgD32-DmBrYknUqtbOt4wktPEj3pko/edit

RrSG proposal: https://docs.google.com/document/d/1YyiBmtcpa5PxsPnKDXZFfU0WEPVhgjN5ySv9KvQb6Tw/edit#heading=h.gjdgxs

Thanks Berry.

Are we saying anything about who gets access to non-public data?

Steve - I think that is out of scope for this phase

We tried that, Steve. Nobody gets access. You get to request, and you get to hope.

umpf

You're right, Owen. You get to ask, you get to wait, and you get to hope. ;-)

As an FYI, Council meeting is 24th of March at 17:30 UTC.

thank you Keith

Thanks for repeating that, Keith, I also found it helpful

Agree to disagree about whether our dreams were technically or legally possible. I'm much more optimistic about Phase 2A.

Thanks Keith. I think it is fair to say that from the perspective of those whose primary goal is the protection of personal information, there is little room for compromise on publishing data based on self-declaration.

Fever dreams?

ha :-)

Thanks, all.

Thanks, all

Thank you all bye