Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en.

it does not really matter if we commit to meeting minimum GDPR requirements

Please note that the language in the Initial Report already says ‘at a minimum’

And this is part of the implementation guidance

then we should be fine.

we would have an issue if there were parties not willing to meet GDPR requirements

Thanks, Marc. I was confused.

Fair point Marc -- my concerns are the same for SSAD users as they would be for contracted parties.

why not make reference to Art 12 pp GDPR as a minimum

Agree- I was confused

+1 Thomas

It needs to be enforceable

But it’s applicable to SSAD in this case

ICANN Compliance shall enforce the privacy policy of the SSAD operator (also likely ICANN)?

+1 Alan.

that t he SSAD will apply to their (SSAD users) information

Seems like keeping the original language makes the most sense IMO…

+1 Matt

+1 Milton

Ahh…that makes sense Mark actually

+1 Mark SV

+1 Brian

And the registry agreements - where applicable

+1 Alan W

let's not make any amends

agree Beth. thank you for making sense of my blabbering :D

I thought so, Marc. Thanks.

I didn't recall exactly where. Thanks for your help.

I thought so too Brian, but had to look to find it

makes sense ICANN and/or CPs are controllers or joint controllers

+1 Margie. That's how I was thinking about it too.

+1 part of the terms of use of the SSAD - There is not contract between the CPs and the requestor

back at the previous question, what exactly is the chain of contractual obligations between requestor and contracted party

If you trace it back to the original still -then it remains personal data of course.

you cannot say “ it will contain no PI

Volker is correct. Log is required, hash will not work

Breyer notes that the dynamic IP address is not considered personal data by anyone who can't join the tables

Logging is not only about auditing

+1000 Beth

so... just as the disclosing body when necessary, AS thy will definitely have logs of their decision. We are reinventing the wheel here unnecessarily.

*just ask

The following has been proposed for reporting: “Data to be reported on, which is expected to include information such as: a) number of disclosure requests; b) disclosure requests per category of requestors; c) disclosure requests per requestor (for legal entities); disclosure requests granted / denied, and; response times. Please note that this is a non-exhaustive list”.

+1 Alan W

+1 Alan G

Uses of the data, yes. But I would not call tat "auditing"

+1 Janis

Logging has been part of our recommendations for a long time

Janis- I did not question the need or agreement of auditing. I am seeking clarification on the actual process and purposes of the logging so we can outline the appropriate safeguards

What are we trying to accomplish by logging?

Logging is to ensure transparency and accountability of all parties

i assume that teaching an algorithm is purely a hypothesis. some of us have expressed our disbelief in the potential fir this in strenuous terms.

how Mark - how is a central database of personal data - held just incase a complaint is made better than a query to be made If a valid complaint - that requires a review of the disclosure decision - going to float with privacy by design?

Umm, not what I said. Not remotely close

can i raise my hand please

+1 AlanG re: "but" instead of "and"

I can live with must if relev, is added.

+1 "relevant" data

relevant helps

mine was a more general point. wherever we use the teem we may need a careful read and footnote

term not teem

+1 Alan G

the data can be used in service of reporting requirements

@Milton, yup.

might want to specify "aggregate" data

yes

yup indeed!

Yes - keep as is

+1 Brian indeed because there is no escrow - and logging is a requirement

Yes

AlanW, yes I read that as "a format that is used by lots of folks" as opposed to "uniform format"

thanks

let's dump "structured"

yep

+1 Brian

I can hear Chris, but he is a bit quiet.

Isn’t that an implementation detail?

I am training an AI to recognize implementation details automatically

Milton, you'll make a fortune licensing that back to ICANN PDPs

thanks all

Thanks, Janis. Bye all.

Thanks all

thanks all

thanks all!

Thsnks all

Thanks all! See you Thursday!

Thank you all - bye

thanks all