Logo

051040043 - EPDP-Phase 2 Team Call
Matt Serlin (RrSG)
24:56
Oh and apologies…Sarah is once again going to fill-in for me at the top of the hour
Terri Agnew
26:19
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Terri Agnew
26:30
@Matt this is noted.
Terri Agnew
28:16
Members reminder, please select all panelists and attendees in order for everyone to see chat
zzzSarah Wyld (RrSG - Alternate)
31:51
Happy with original.
Marika Konings
34:09
@Alan - the paragraph you are referring too is later in the document. This is just about paragraph 2.
Marika Konings
34:30
@Milton - legally permissible is in the paragraph above.
Thomas Rickert (ISPCP)
35:27
The CP proposal makes sense. Leaves us with more flexibility.
Marika Konings
35:51
Legally permissible is also in the next paragraph which refers to disclosure decisions.
Hadia Elminiawi (ALAC)
36:23
We could say automation of the processing including the disclosure
Matt Serlin (RrSG)
36:36
+1 Thomas…seems to provide for more flexibility not less which is what the proposed language seems to do
Milton Mueller (NCSG)
37:23
so, Marika that’s another reason why we don’t need that paragraph at all
Matt Serlin (RrSG)
38:27
Why not just “automation of processing and disclosure…”
Brian King (IPC)
38:35
Try "automated processing, including disclosure, of data in response to..."
Stephanie Perrin (NCSG)
40:17
Fully support what Milton is saying. This elision of the concept is a bridge too far
Matt Serlin (RrSG)
42:28
Supportive of the path outlined by Janis
Brian King (IPC)
43:02
woohoo for early compromise and consensus. Let's keep the train rolling
Milton Mueller (NCSG)
49:16
;-)
Brian King (IPC)
51:36
+1 to Laureen. Need to address this valid CP concern, and must make sense
Brian King (IPC)
59:43
Strawman language: replace last sentence in Footnote 43 with, "ICANN Compliance MUST review and either approve or deny Contracted Party's exemption request."
Owen Smigelski (RrSG)
01:01:54
@Brian- ICANN Compliance can tell a contracted party, who has a solid basis that they will be violating a law, that they… have to violate the law?
Brian King (IPC)
01:03:19
@Owen, I don't think Compliance could, should, or would. But let's at least pretend that ICANN Compliance is in the driver's seat vis-à-vis ICANN policy. CPs will follow the law anyway.
Matt Serlin (RrSG)
01:03:57
@Brian if that’s the case, I don’t think your language will work here with that as our understanding
Owen Smigelski (RrSG)
01:04:16
Denying an exemption request means that the CP must violate the law. Would Compliance breach a contracted party that continues with an exemption that Compliance denies?
Marika Konings
01:05:08
I think staff tried to mimic language from the Bird & Bird memo which noted that there may be different processing steps involved in automated disclosure of the data?
Brian King (IPC)
01:05:40
"Denying an exemption request means that the CP must violate the law." - not necessarily. You assume that the law actually supports the CP's request. Compliance needs to serve as a check on that.
Brian King (IPC)
01:06:43
"Consent not unreasonably withheld", "non-response within X days shall be deemed accepted", etc. are all concepts that might be helpful
Matt Serlin (RrSG)
01:07:02
+1 Marc…the “must” is really only ok if the determination is up to the contracted party as we indicated in our comment
Owen Smigelski (RrSG)
01:08:09
ICANN Compliance does not, and has not, analyzed the law and whether a contracted party is following the law. They defer to the contracted party’s analysis (as I mentioned yesterday). ICANN Legal can do legal interpretation, but I really doubt ICANN Legal will force a contracted party to take an action that the CP determines violates local law.
Milton Mueller (NCSG)
01:09:37
awwww
Owen Smigelski (RrSG)
01:10:51
+1 Alan
Stephanie Perrin (NCSG)
01:11:19
+100 Alan
Stephanie Perrin (NCSG)
01:12:47
I would like to speak to the footnote
Alan Greenberg (ALAC)
01:14:03
Without some guaranteed automated disclosure decisions, all we are building is an exceptionally expensive ticketing system.
Brian King (IPC)
01:14:14
@Alan, naww man. See my note above to Owen. We just need Compliance to serve as a check that the CP actually can show need for the exception.
Berry Cobb
01:15:46
https://whois.icann.org/en/revised-icann-procedure-handling-whois-conflicts-privacy-law
Hadia Elminiawi (ALAC)
01:16:02
In all cases all CPs will need to do a DPIA
Owen Smigelski (RrSG)
01:17:08
The problem with the Whois Conflicts procedure is that it requires an actual violation. It cannot be invoked prior to a violation. That is a huge risk to a contracted party
Marc Anderson (RySG)
01:17:28
didn't we ask in phase 1, and the response was that zero compliance exemption requests had been granted.
Owen Smigelski (RrSG)
01:18:44
@Marc- it is my recollection that there have been 0 requests, specifically to my point that it requires a violation pursued by authorities.
Hadia Elminiawi (ALAC)
01:18:53
@Matt which part of this exactly requires CPs to break the law?
Brian King (IPC)
01:19:04
On the other hand, data retention exemption requests are a dime a dozen and are rubber stamped regularly https://www.icann.org/resources/pages/waiver-request-process-2013-09-13-en
Owen Smigelski (RrSG)
01:20:17
@Brian- the first rounds of data retention exemptions took awhile to approve. Subsequent ones for the same country are indeed granted faster.
Stephanie Perrin (NCSG)
01:21:25
Hadia. Once an automated decision is determined to be illegal, the CP has to request that they stop the automated decision making. Meanwhile, they break the law. Seems clear to me.
Milton Mueller (NCSG)
01:22:08
I see no feasible alternative to allowing the CP to make an initial determination as to legality. There is just no way around it
Stephanie Perrin (NCSG)
01:22:53
It is a complete repeat of the procedure under whois conflicts with law….and in that case, the procedure set up by ICANN involved actions on the part of DPIAs that were not permissible in many cases under their own data protection law. SO jokers were wild, in that particular card game and I foresee the same thing here, depending on how the DPIA requirement is configured
Milton Mueller (NCSG)
01:23:38
right, Steph we know full well that you cannot get an advance determination of illegality from the courts or DPIA.
Stephanie Perrin (NCSG)
01:23:59
Precisely. Milton
Laureen Kapin (GAC)
01:25:57
+1 to Mark SV about "technically and commercially feasible" issues should be handled separately. Re: concerns about "legally permissible" -- agree that CP should be able to respond. Nevertheless, perhaps add language that permits a challenge to be submitted to ICANN Compliance if there's a belief that the CP's concern about breaking the law is unfounded. The "halt" could be maintained for a limited time until the challenge is resolved. And details of this process could be hammered out during implementation.
Hadia Elminiawi (ALAC)
01:27:12
@Stephanie, no, it is expected that as soon as they determine the processing is not legal they should stop processing and notify ICANN
Laureen Kapin (GAC)
01:28:34
Hard to hear you Marc.
Owen Smigelski (RrSG)
01:29:03
@Laureen- ICANN Compliance cannot tell a contracted party to do something that would be technically unfeasible, and the contracted party will refuse to do so. It’s what happened with the gaining FOA post-GDPR. It was technically and legally impossible to do, and we spent a year telling ICANN we could not do it. Now we have an exemption.
Stephanie Perrin (NCSG)
01:31:43
The Bird and Bird opinion, while extremely useful, has come very late in the game. There is a world of interpretation out there. Impossible to say that we have accepted that opinion as our policy basis, when we have not explored what each stakeholder group makes of the opinion. This is. Why we asked for a fulsome legal analysis and seated legal counsel at the outset of the EPDP process.
Stephanie Perrin (NCSG)
01:33:57
Actually we do have some privacy laws that are stricter. Checkout the Graham Greenleaf latest analysis
Mark Svancarek (BC)
01:35:06
lol
Hadia Elminiawi (ALAC)
01:36:08
@Stepahnie all the unknowns are considered in the recommendation
Brian King (IPC)
01:36:45
You can stick me on a small team if CPH colleagues and others want to collaborate
Brian King (IPC)
01:36:57
Happy if staff wants to take the pen too
Matt Serlin (RrSG)
01:37:33
I’ll work on it as well
Matt Serlin (RrSG)
01:37:45
Since I even stayed to hear this conversation through :)
Brian King (IPC)
01:38:21
Great!
Brian King (IPC)
01:39:40
Fair point, Dan
Hadia Elminiawi (ALAC)
01:39:55
Makes sense Dan
Hadia Elminiawi (ALAC)
01:46:29
especially that the recommendation says "May"
Matt Serlin (RrSG)
01:47:00
+1 Alan…yes it does say May but no one has articulated a case where this would happen
Alan Woods (RySG)
01:48:55
1) past disclosures surely that would be in the CGM already I the log?
Alan Woods (RySG)
01:49:07
2) Surely the CGM will be aware of jurisdiction
Alan Woods (RySG)
01:49:20
Seems wholly inefficient to ask that question -
Brian King (IPC)
01:51:41
Hey AlanW. 1) Yes. CGM wouldn't have the actual data, but could get the data from CP to ensure that it's still non-personal data. 2) Another jurisdiction possibility is whether LEA has jurisdiction over the registrant (e.g. local LEA based on the city field)
Mark Svancarek (BC)
01:56:04
+1 AlanW
Matt Serlin (RrSG)
01:57:20
Makes sense Alan
Georgios Tselentis (GAC)
01:57:56
Suggestion: Replace "For clarity the determination by the Central Gateway Manager of whether..." with "For clarity the central Gateway Manager oversees whether a disclosure..."
Margie Milam (BC)
01:58:47
+1 Alan G
Alan Woods (RySG)
01:58:52
So you have an issue
Alan Woods (RySG)
01:59:12
As that was not clear. I did not hear anything that disagreed with the suggestion.
Brian King (IPC)
02:00:30
Not trying to be cheeky, I promise, but I thought CPs weren't willing to commit to distinguishing between personal data? How would they know whether they could provide the data to the CGM at automation speed? Just not sure how it would work in practice.
Milton Mueller (NCSG)
02:00:42
the change is not grammatical, need a period before MAY and a subject for the second sentence
Brian King (IPC)
02:01:07
If the CP hadn't made the distinction, would the default be that the data would not be provided to the CGM?
Alan Woods (RySG)
02:02:08
That’s literally our point Brian - if it doesn’t pass muster at the CGM - it should go. To the requester - not the disclosing entity
Alan Woods (RySG)
02:03:00
Preserve the price. Not to cause an incompatibility in the process and not try and fudge the lines in that already tricky process.
Alan Woods (RySG)
02:03:08
*process - not proce
Alan Woods (RySG)
02:03:17
Sigh typing failing ...
Hadia Elminiawi (ALAC)
02:03:58
Todays topic is a tough one
Brian King (IPC)
02:04:10
I'm sympathetic to that point, AlanW. I see how it could be helpful in theory, but it gets a little weird.
Georgios Tselentis (GAC)
02:04:35
@ Milton: correct. ...and MAY proceed to an automated review of the request solves the issue?
Stephanie Perrin (NCSG)
02:09:50
Agree with Dan that it could be ambiguous
Laureen Kapin (GAC)
02:10:36
Thx for that clarification Volker -- yes "otherwise applicable" is an important concept.
Stephanie Perrin (NCSG)
02:10:53
As always, I am very curious as to how the CGM is going to work out the more difficult law enforcement request decisions
Stephanie Perrin (NCSG)
02:11:23
Do you folks envisage a legal team backing them up?
Brian King (IPC)
02:12:26
@Stephanie, I envisage a legal team backing up everything ICANN does :-)
Stephanie Perrin (NCSG)
02:12:44
Or are you envisaging that the accreditation authority for law enforcement will in each case determine whether or not the bona fide agency actually has powers in the instant case/jurisdiction?
Stephanie Perrin (NCSG)
02:13:10
These are never easy determinations in my experience
Brian King (IPC)
02:15:11
+1 Margie
Marika Konings
02:16:47
That is correct @ Volker
Marika Konings
02:16:55
will be updated in the next iteration - we overlooked it here
Alan Greenberg (ALAC)
02:24:40
Those meetings are effectively in the middle of the night KL time
Alan Woods (RySG)
02:25:43
Yes. I’m with Alan - I understand the time constrictions but if we expect to have any proper meaningful progress - exhaustion is not going to help.
Hadia Elminiawi (ALAC)
02:25:57
Thank you
Hadia Elminiawi (ALAC)
02:26:03
bye
Chris Lewis-Evans (GAC)
02:26:11
Thank you everyone