051040043 - EPDP-Phase 2 Team Call
Julf Helsingius (NCSG)
26:49
Public holiday here too
Terri Agnew
27:55
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Terri Agnew
29:39
Reminder for members to adjust your chat to all panelists and attendees
Berry Cobb
32:00
In those cases, there is NO decision at central gateway. But predefined criteria is met for the automatic disclosure whereby a flag is sent to CPs for the data to be disclosed to the Requestor.
Berry Cobb
32:17
I think it is important to be precise about "decision".
Sarah Wyld (RrSG)
32:26
I have to admit I lost track of the distinction between the two scenarios that Hadia laid out
Amr Elsadr (NCSG)
34:07
I agree that the clarification Hadia is asking for is important, but prefer the latter scenario she described: CGM confirms that the disclosure request may be automated at the discretion of the CP.
Caitlin Tubergen
34:14
Support Staff is working on an updated version of Rec. 7 and Rec. 16 and will make this clearer.
Sarah Wyld (RrSG)
34:27
I definitely support CP discretion to opt-in to automation scenarios
Sarah Wyld (RrSG)
34:37
Thank you Caitlin. I look forward to reviewing all the updated recs
Hadia Elminiawi (ALAC)
35:05
Yes the recommendation as written says that there is no decision at the center gateway
Sarah Wyld (RrSG)
36:41
Can we see the audit rec text on screen maybe, to compare? Does it say that the CP can audit (or receive info about an audit done by someone else) of the requestor's compliance with these requirements?
Mark Svancarek (BC)
37:09
Having issues, need to restart
Sarah Wyld (RrSG)
38:52
Thank you to whoever is sharing screen! Is there an audit section for the requestor? (SSAD user)
Sarah Wyld (RrSG)
42:08
I think this is specific to data that is retained
Sarah Wyld (RrSG)
42:10
by the ssad requestor
Alan Woods (RySG)
42:30
Agreed. +1 Sarah
Amr Elsadr (NCSG)
44:10
May we have examples of where applicable law may require data retention for longer periods?
Alan Woods (RySG)
45:13
+1 Sarah (I feel that I should just do a standing Sarah +1 today)
Hadia Elminiawi (ALAC)
45:36
+1 Sarah
Terri Agnew
45:53
@Mark, please let us know if a dial out on telephone would be helpful.
Mark Svancarek (BC)
46:37
Sorry, zoom decided to use a different Microsoft elsewhere on my desk
Mark Svancarek (BC)
46:47
microphone elsewhere
Sarah Wyld (RrSG)
47:02
Can you maybe zoom in the right side doc? I can't read the text on screen
Sarah Wyld (RrSG)
47:09
thank you
Berry Cobb
47:22
DI Doc rec18: https://docs.google.com/document/d/14ctH4bAqrWTWK_XqnmvaFG7CnPcJdODQ5XaEwMwc4NA/edit
Sarah Wyld (RrSG)
47:28
Thanks Berry that's much easier :)
Hadia Elminiawi (ALAC)
48:07
Thanks Berry for the audit rec
Brian King (IPC)
50:44
@Amr a "litigation hold" might require data retention for a long period
Sarah Wyld (RrSG)
50:52
+1 Alan
Amr Elsadr (NCSG)
51:11
@Brian: Thanks for that. Helpful.
Sarah Wyld (RrSG)
51:21
So we should ensure that it's covered in the audit req', and maybe it is because it says the accredited user is audited on compliance with the policy req's
Sarah Wyld (RrSG)
51:30
we just need to ensure that the rec14 is clear
Thomas Rickert (ISPCP)
52:23
just fyi - every data processing agreement has an audit right for the controller in it
Sarah Wyld (RrSG)
52:52
That is a good idea Marc!
Thomas Rickert (ISPCP)
52:54
so it is not unusual when dealing with others' personal data
Alan Woods (RySG)
52:55
+1 Thomas
Amr Elsadr (NCSG)
54:32
@Beth: +1
Alan Woods (RySG)
54:37
No shouting necessary - +1
Mark Svancarek (BC)
55:06
I lost audio temporarily - was there shouting?
Mark Svancarek (BC)
55:29
I seem to be audio challenged today
Mark Svancarek (BC)
55:33
lol
Alan Woods (RySG)
56:28
Pretty much generally Art 24 Margie - responsibilities of the controller.
Volker Greimann (RrSG)
56:33
Milton: again?
Sarah Wyld (RrSG)
57:02
Strongly disagree with multiple CGM's per TLD. There should be one central request interface
Alan Woods (RySG)
57:04
To be clear this falls under organisational and technical measures - safeguards relating to the data entrusted to us as controller.
Margie Milam (BC)
57:39
I’m pretty sure we submitted homework on this
Sarah Wyld (RrSG)
58:24
the CP should be able to trigger enforcement if they find the AUP has been violated
Amr Elsadr (NCSG)
58:58
Agree with Sarah, but am wondering what that enforcement would look like.
Sarah Wyld (RrSG)
59:17
Agree; ICANN Compliance is the right venue to address issues with adherence to this Policy
Sarah Wyld (RrSG)
59:22
e.g. AUP compliance
Sarah Wyld (RrSG)
59:33
Amr - wouldn't that get into the deaccreditation?
Amr Elsadr (NCSG)
59:36
De-accreditation of the SSAD user? Some kind of penalty?
Amr Elsadr (NCSG)
01:00:09
@Sarah: I would imagine so, but just making sure we’re all talking about the same kind of compliance measures.
Sarah Wyld (RrSG)
01:00:49
@Amr - yes, should confirm.
Sarah Wyld (RrSG)
01:01:02
+1 Marc - the AUP, Terms of Use, Query Policy all blur together for me ...
Owen Smigelski (RrSG) (Namecheap)
01:01:20
Contractual Compliance only has authority over contracted parties
Sarah Wyld (RrSG)
01:01:32
Owen makes a good point.
Stephanie Perrin (NCSG)
01:01:45
Perhaps it is necessary to point out in the policy that if ICANN compliance finds in a dispute and enforces compliance in a way that a contracted party feels is not in compliance with the GDPR, or other relevant local DP law, they should (may, must) file a complaint with the relevant DPA.
Owen Smigelski (RrSG) (Namecheap)
01:02:02
This would be quite a big increase in their scope. Would they then also have jurisdiction over TMCH users? Could they remove CZDS users?
Stephanie Perrin (NCSG)
01:02:21
I only say this because ICANN compliance has zero experience in the interpretation of data protection law, and has a history that in fact ignores it.
Margie Milam (BC)
01:02:33
Let’s get input from Compliance
Margie Milam (BC)
01:02:49
It does seem that there’s a lot in our recommendations that would affect their work
Alan Woods (RySG)
01:03:02
Sorry to put on the spot!!!
Alan Woods (RySG)
01:03:05
Not my intention.
Eleeza Agopian (ICANN Org Liaison (MSSI)
01:03:23
No problem. :)
Sarah Wyld (RrSG)
01:03:25
This is definitely an important topic, I hadn't really considered the expansion of ICANN Contractual Compliance's purview and it's a concern
Brian King (IPC)
01:05:49
It seems this should be "accreditation authority" as opposed to "ICANN Compliance"
Brian King (IPC)
01:06:16
Accreditation authority is still perceived to be ICANN, but not Contractual Compliance in the traditional sense
Owen Smigelski (RrSG) (Namecheap)
01:06:36
@Brian- perhaps we should include that in the formal question to ICANN?
Sarah Wyld (RrSG)
01:06:44
+1 Owen
Brian King (IPC)
01:06:48
+1 Owen
Alan Greenberg (ALAC)
01:07:07
@Brian, my question is who would we expect to be investigating a complaint.
Volker Greimann (RrSG)
01:08:17
Chris +1
Milton Mueller (NCSG)
01:08:24
We always assume that ICANN won’t.
Amr Elsadr (NCSG)
01:08:36
@Chris: I think we all share your concern, but if ICANN is going to be involved as a Controller in processing of gTLD Registration Data, it needs to live up to that responsibility, doesn’t it?
Sarah Wyld (RrSG)
01:09:13
@Amr is ICANN a Controller? We should figure out the JCAs...
Brian King (IPC)
01:09:24
Fair point, Chris, and +1 Amr.
Chris Disspain (ICANN Board Liaison)
01:09:29
yes Amr…IF ICANN is going to be involved there are responsibilities BUT even IF it is it is still bound by its mission and bylaws and cannot operate outside them
Milton Mueller (NCSG)
01:09:35
I don’t see how ICANN can run around the world claiming that Whois is part of its mission and then say it’s out of mission to enforce its own rules regarding disclosure?
Margie Milam (BC)
01:10:19
+1 Thomas
Milton Mueller (NCSG)
01:10:25
+1 Thomas. This is sheer hypocrisy
Amr Elsadr (NCSG)
01:10:37
@Sarah: +1
Milton Mueller (NCSG)
01:11:47
We cannot of course assume that ICANN will do things, but the implication that auditing its own SSAD is out of its mission, is an astounding twist of thinking
Stephanie Perrin (NCSG)
01:11:49
I am really confused by what Chris just said.
Margie Milam (BC)
01:11:59
Me too
Milton Mueller (NCSG)
01:12:16
Is Chris speaking for the Board and Org, or just winging it?
Amr Elsadr (NCSG)
01:12:21
@Chris: A large bucket of ICANN doing stuff? Like Purpose 2/SSR? Sorry…, I know a bit of tongue-in-cheek, but I totally agree with your last comment, and would like to see it stand on all issues. ;-)
Stephanie Perrin (NCSG)
01:12:29
Previous contracts included “compliance with law”. Were we not serious about this?
Mark Svancarek (BC)
01:13:33
In writing is always good
Amr Elsadr (NCSG)
01:16:22
@Thomas: +1. Can’t have it both ways.
Milton Mueller (NCSG)
01:17:48
ICANN has no contractual relationship with me but it manages to require me to comply with the UDRP, hmmm
Thomas Rickert (ISPCP)
01:17:56
we are talking about ICANN enforcing its own policy
Thomas Rickert (ISPCP)
01:18:08
thanks, Chris!
Amr Elsadr (NCSG)
01:18:11
Isn’t the AUP a contract? If I’m not mistaken, this is specifically clarified in the text. It isn’t a contract with ICANN, but it will be based on an ICANN Consensus Policy.
Owen Smigelski (RrSG) (Namecheap)
01:18:28
So if it is not within ICANN’s remit to take action against abusive SSAD users, is it within its remit to create an accreditation authority that can take action against SSAD users?
Milton Mueller (NCSG)
01:19:33
or is it within ICANN’s authority to create an SSAD at all?
Brian King (IPC)
01:20:54
Can we move on? We have a lot to do
Chris Disspain (ICANN Board Liaison)
01:21:16
I agree with you Hadia within the context you explained..
Hadia Elminiawi (ALAC)
01:21:32
Agree Brian let's move on
Hadia Elminiawi (ALAC)
01:21:42
Thanks Chris
Amr Elsadr (NCSG)
01:22:47
@Stephanie: +1
Chris Disspain (ICANN Board Liaison)
01:22:49
that is most assuredly not what I am suggesting Stephanie
Stephanie Perrin (NCSG)
01:23:32
As I said, I am pretty confused by what you said Chris.
Tara Whalen (SSAC)
01:24:02
Sorry all — need to drop off early for another meeting. Ben will cover for SSAC. Thanks!
Mark Svancarek (BC)
01:25:31
hand is down, Hadia made most of my points. Stephanie, I think the controllership issue is only applicable if the audit function requires inspection of the disclosed data (as opposed to the meta data of the transaction, storage, deletion) - I think we can avoid that
Sarah Wyld (RrSG)
01:27:08
Isn't there already a Terms of Use recommendation?
Sarah Wyld (RrSG)
01:27:19
I think part of the difficulty is that we have AUP, Terms, and Query Policy...
Alan Woods (RySG)
01:28:04
I think we can clear up as to the requirements - what document is what. It is rather confusing
Amr Elsadr (NCSG)
01:28:23
@AlanW: +1
Hadia Elminiawi (ALAC)
01:31:03
@Marc A agree that is part of the accreditation
Sarah Wyld (RrSG)
01:32:25
Can you put the recommended new text also someplace where we can see it please? sorry
Sarah Wyld (RrSG)
01:32:26
maybe here in chat
Stephanie Perrin (NCSG)
01:32:32
+1 Sarah
Sarah Wyld (RrSG)
01:34:11
If you can put up Rec 10 on the right
Sarah Wyld (RrSG)
01:34:16
then we can compare it to the q5 on the left
Sarah Wyld (RrSG)
01:34:19
please
Sarah Wyld (RrSG)
01:34:44
OK here:
Sarah Wyld (RrSG)
01:34:44
The requestor: MUST only request data from the current RDS data set (no historic data); MUST, for each request for RDS data, provide representations of the corresponding purpose and lawful basis for the processing, which will be subject to auditing (see the auditing preliminary recommendation for further details); MAY request data from the SSAD for multiple purposes per request, for the same set of data requested; For each stated purpose must provide (i) representation regarding the intended use of the requested data and (ii) representation that the requestor will only process the data for the stated purpose(s). These representations will be subject to auditing (see auditing preliminary recommendation further details); MUST handle the data subject’s personal data in compliance with applicable law (see auditing preliminary recommendation for further details).
Laureen Kapin (GAC)
01:37:27
+1 Margie re: lack of clarity and practical challenges for requestors.
Alan Woods (RySG)
01:38:25
If we are being told the disclosure is required - then we need to be clear as to WHY and on what basis it is required.
Alan Woods (RySG)
01:38:39
(Required by law / powers etc)
Alan Woods (RySG)
01:39:07
RR did submit comments - I did see them Sarah
Sarah Wyld (RrSG)
01:39:27
Thanks Alan!
Margie Milam (BC)
01:39:40
That’s what I thought b was supposed to cover
Hadia Elminiawi (ALAC)
01:39:50
+1 Sarah I also think it is covered, unless the addition means something else
Laureen Kapin (GAC)
01:39:55
+1 Sarah -- seems to already be covered esp. by (b) and (e).
Amr Elsadr (NCSG)
01:39:59
@Margie: Yeah, I’d think so.
Sarah Wyld (RrSG)
01:40:08
I think the "safeguards" are the key, it's representation of how they'll protect the data, but that's in E, yeah
Mark Svancarek (BC)
01:40:12
We must have different views of the document - I see the BC and Ry comments, but not Rr - weird
Sarah Wyld (RrSG)
01:40:56
I am a bit concerned about missing RrSG comments
Sarah Wyld (RrSG)
01:41:02
I don't see them here but I remember doing them
Amr Elsadr (NCSG)
01:41:08
@Janis: +1
Sarah Wyld (RrSG)
01:41:12
Maybe I submitted our comments in the wrong doc?
Mark Svancarek (BC)
01:41:18
Sarah: I am similarly concerned!
Sarah Wyld (RrSG)
01:41:26
Thanks MarkSV!
Berry Cobb
01:43:34
I can confirm with Caitlin, but as noted at the top of the doc, at the time of homework due date, only the RySG had provided input. It takes time for staff to review and prepare the Discussion Items document in preparation for the call.
Amr Elsadr (NCSG)
01:47:21
@Marc: +1
Mark Svancarek (BC)
01:47:28
Fully understand, Berry, sorry for making more work. Just wondering why Sarah and I have different views.
Sarah Wyld (RrSG)
01:48:38
Mark - I think we have the same view, the same info? I don't see an RrSG comment on Rec10 anywhere, my confusion is just that I remember our team reviewing these and writing up our response so I don't know if I submitted it in the wrong place or somehow managed to forget to submit it or what. But I'm not saying that I see info someplace where you don't.
Mark Svancarek (BC)
01:49:35
OK, I am just being random, then. sorry sorry
Sarah Wyld (RrSG)
01:49:50
I do appreciate your concern :)
Berry Cobb
01:50:36
@Sarah. Yes, unfortunately, I do not see RrSG in the Rec 10 DT: https://docs.google.com/document/d/1h2179UY3KNoA3eIC1sdVR8G-GN_brLAN3h89r9fOtjE/edit
Stephanie Perrin (NCSG)
01:51:16
One of the reasons I have been promoting the development of a data trust is to address some of these issues.
Sarah Wyld (RrSG)
01:51:32
Berry - Understood, thank you
Amr Elsadr (NCSG)
01:51:41
The list is non-exhaustive, right?
Amr Elsadr (NCSG)
01:51:58
Guessing that it is also meant as some kind of implementation guidance?
Stephanie Perrin (NCSG)
01:52:15
Possibly needs a “without restricting the generality of the foregoing….”
Sarah Wyld (RrSG)
01:54:06
I'm OK with not prohibiting it by not mentioning it
Amr Elsadr (NCSG)
01:54:16
@Sarah: +1
Amr Elsadr (NCSG)
01:54:55
@AlanW: Exactly!!
Sarah Wyld (RrSG)
01:55:11
+1 AlanW
Alan Woods (RySG)
01:56:04
Agreed. Thank you Janis.
Amr Elsadr (NCSG)
01:56:13
Same here. @Janis: +1
Margie Milam (BC)
02:04:56
That’s my concern as well
Margie Milam (BC)
02:06:16
We don’t want to preclude ICANN doing non automated checks
Stephanie Perrin (NCSG)
02:13:48
Can we use the word “disclosed” instead of “shared”.
Alan Woods (RySG)
02:14:37
+1 Stephanie .. that would be very advisable
Sarah Wyld (RrSG)
02:14:54
yes
Sarah Wyld (RrSG)
02:14:57
ssad user = requestor
Stephanie Perrin (NCSG)
02:15:31
Can we constrain “according to applicable law” to mean in accordance with the exclusions, e.g. when an LEA has in law the requirement for such requests to remain anonymous? Otherwise the policy must cover all RNHs, not just those in jurisdictions with GDPR compliant DP law
Sarah Wyld (RrSG)
02:18:11
Right, "requestor" isn't a defined term here either
Sarah Wyld (RrSG)
02:18:15
don't we call them "Accredited entities" or something?
Amr Elsadr (NCSG)
02:18:46
Accredited SSAD Users?
Caitlin Tubergen
02:19:55
Note Requestor is a defined term in the updated version of Rec. 1; SSAD user is not.
Amr Elsadr (NCSG)
02:20:10
@Volker: +1
Sarah Wyld (RrSG)
02:20:16
@Volker's Child: +1.
Amr Elsadr (NCSG)
02:20:33
LOL!!
Eleeza Agopian (ICANN Org Liaison (MSSI)
02:20:39
All — apologies, I have to drop a few minutes early. Dan is still on. Thanks.
Owen Smigelski (RrSG) (Namecheap)
02:20:45
+1 Volker & Volker’s kid
Mark Svancarek (BC)
02:20:47
Destiny's Child +1
Volker Greimann (RrSG)
02:21:10
almost dinner time
Mark Svancarek (BC)
02:22:12
Janis gave the visa example
Sarah Wyld (RrSG)
02:22:30
I would imagine that Janis has been through a more intense background check than most citizens, though, and so maybe bypassed some of the process that average people have to do for visas?
Stephanie Perrin (NCSG)
02:23:20
I understand that and recall the example. I think it is worthwhile reinforcing the reality that this tool is available to all.
Stephanie Perrin (NCSG)
02:23:48
It is in short the mechanism for accessing second tier personal data.
Amr Elsadr (NCSG)
02:24:11
Would take me a couple of months to get a Canadian visa.
Stephanie Perrin (NCSG)
02:25:06
And we like you, Amr!
Stephanie Perrin (NCSG)
02:25:18
We are a difficult country to get into.
Brian King (IPC)
02:25:20
thanks all
Brian King (IPC)
02:25:25
eid mubarak
Amr Elsadr (NCSG)
02:25:38
Thanks all. Bye. …, and thanks, Brian.
Sarah Wyld (RrSG)
02:25:41
Thanks all!
Marc Anderson (RySG)
02:25:41
thanks all
Volker Greimann (RrSG)
02:25:41
be free,
Hadia Elminiawi (ALAC)
02:27:37
thank you all - bye