Logo

051040043 - EPDP-Phase 2A Team Call
Terri Agnew
40:44
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en**Members: reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Milton Mueller (NCSG)
41:27
lol
Milton Mueller (NCSG)
41:33
don’t do that do her
Thomas Rickert (ISPCP)
41:39
Congrats, Steve!
Volker Greimann (RrSG)
41:40
I expected a cheer like the one from Stephanie in Montral
Berry Cobb
47:03
hand
Berry Cobb
50:09
I'd note from Phase 1, Admin contact is no longer a consensus requirement, Tech contact is optional for Registrars to offer, and billing contact was not in scope as it was not a requirement related to Whois querries.
Berry Cobb
51:29
This does not preclude Contract Parties from using these contacts, it's just no longer a requirement as part of RDDS once Phase 1 is implemented.
Brian King (IPC)
51:36
Am I the only one losing audio feed for a few seconds at a time? It happened with Steve a couple times and again now with Volker speaking
Keith Drazek (Chair) (Verisign)
51:43
Ok for me Brian
Berry Cobb
51:49
Only you.
Brian King (IPC)
51:54
thx
Sarah Wyld (RrSG)
52:47
I'm not sure this is in scope for this work
Margie Milam (BC)
53:54
+1 Steve— also there are remedies to the registrar if there is a breach in their registration agreements
Volker Greimann (RrSG)
54:04
I cannot follow that line of argument
Thomas Rickert (ISPCP)
54:40
I do think we have discussed the issue of obtaining information from other sources than the data subject and the information duty according to Art. 14 GDPR.
Margie Milam (BC)
55:32
Its in scope because it relates to whether to make the legal /natural person distinction
Margie Milam (BC)
56:02
+1 regarding the legal advice
Steve Crocker (SSAC)
56:53
@Sarah, the point I’ve been making is this work does not have a basis for proceeding without a workable system design. Irrespective of this working group, this weakness has to be addressed. This WG cannot fix the problem by itself. In contrast, the WG can depend on it being fixed.
Berry Cobb
01:03:56
Table: https://docs.google.com/document/d/1jzKGLeTlJFf8-HB70NmAS_fZJvZgJiwO/edit
Becky Burr (ICANN Board)
01:04:16
respectfully, the bird and bird memo said that liability is reduced by takinng reasonable steps to remove personal data from registration data associated with a legal person.
Christian Dawson (ISPCP)
01:05:27
99.9% of businesses, legal persons, are small businesses or sole proprietorships. The kinds of conversations we are having about misappropriation of data within corporations is relevant in .1% of cases, we need to be focused on what makes sense for two to twenty-five person shops - those are the statistically relevant parties here.
Melina Stroungi (GAC)
01:06:17
can we have the latest version of the document projected including the edits and comments?
Sarah Wyld (RrSG)
01:07:05
I still don't see why we're ignoring the other proposed guidance entirely :(
Berry Cobb
01:08:10
@Sarah, the write up includes the guidance the RrSG put forward.
Berry Cobb
01:08:32
If there are parts that you feel omitted or of value to the write up, please add them there.
Manju Chen (NCSG)
01:09:35
for your reference:
Manju Chen (NCSG)
01:09:37
1. The legal/natural distinction is relevant and we need to find a way make it in RDDS without compromising privacy rights.2. Registrants should be able to self-designate as legal or natural, with no burden of authentication placed on registrars or registries3. To protect small home offices or NGOs who are technically Legal persons but whose registration data may include Personal data, we need an additional check in the process.4. As long as they conform with the above 3 principles, registrars/ries (CPs) should be given maximum flexibility to choose the way to differentiate.
Sarah Wyld (RrSG)
01:09:59
Thanks Manju
Steve Crocker (SSAC)
01:10:09
Communication within small companies is usually pretty good. Before trying to involve the registrar is sorting out miscommunication or other errors within an organization, let’s first put in place simple, strong, explicit guidance to account holders and registrants informing them of their responsibility to inform each person named in a role as to the fact they have been named, what authority and responsibility they have, and how the data about them will be handled. This last part, how the data about them will be handled, is what we’re focused on, but it rests on the existence of the prior two points.
Melina Stroungi (GAC)
01:13:08
+1 Milton
Mark Svancarek (BC)
01:13:33
Thank you, Milton.
Laureen Kapin (GAC)
01:13:34
Would be helpful to see if anyone DISAGREES with MM's 4 principles.
Milton Mueller (NCSG)
01:14:00
yes, but… ;-)
Sarah Wyld (RrSG)
01:14:42
If PD is included, it should not be published by default (not only on opt-in to non-publication)
Becky Burr (ICANN Board)
01:15:50
I don’t think that is precisely consistent with B&B advice
Christian Dawson (ISPCP)
01:15:52
77.4% of registered businesses are sole proprietorships, it isn’t an ‘if’ when it comes to personal data being published. Statistically it’ll be overwhelmingly personal data.
Milton Mueller (NCSG)
01:16:24
Christian, your point is a good one, but not all registered businesses have their own domain name.
Terri Agnew
01:18:11
Hi Alan, hope all is well with you. Reminder, when using chat, please select all panelists and attendees in order for everyone to see chat.
Berry Cobb
01:18:50
link to memos to bring up on your machine for full context: https://community.icann.org/display/EOTSFGRD/EPDP+-P2A+Legal+subteam
Stephanie Perrin (NCSG)
01:19:32
Please pardon me for repeating something posted earlier, omitting attendees…
Alan Woods (RySG)
01:19:34
Sorry Terri!!! you would think I would know better by now!
Alan Woods (RySG)
01:19:54
Can we just remember the EDPB' sage advice from 2018 "“the mere fact that a registrant is a legal person does not necessarily justify unlimited publication of personal data relating to natural persons who work for or represent that organization, such as natural persons who manage administrative or technical issues on behalf of the registrant… In light of these considerations, the EDPB considers that personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the contract of WHOIS" This is the controller's obligation .. not the registrant who has employees
Becky Burr (ICANN Board)
01:20:03
thanks Brian!
Alan Woods (RySG)
01:20:07
(reposted for non panellists)
Stephanie Perrin (NCSG)
01:20:25
Communication may be good, knowledge of the law and of the implications of data disclosure is definitely not. This is why data protection law protects individuals and placed a rather heavy burden on the information CONTROLLERS to manage a lot of that work.
Stephanie Perrin (NCSG)
01:20:49
Old point
Mark Svancarek (BC)
01:24:41
Volker, is this the only area where you have language complexities related to legal arrangements with your customers?
Volker Greimann (RrSG)
01:28:28
The only one where there is potential for such fines
Mark Svancarek (BC)
01:28:55
thx
Alan Woods (RySG)
01:30:40
thank you! I'm going to the question :D
Keith Drazek (Chair) (Verisign)
01:30:48
Thanks Alan
Berry Cobb
01:34:22
Staff notes that most responses in this document were based on the "write-up" language and less to do about how the legal advice received from B&B affects or changes the writeup. Hence why we're spending time here on the agenda.
Berry Cobb
01:34:41
Also to note, that the P2A felt this advice was critical to informing the deliberations.
Becky Burr (ICANN Board)
01:35:25
I do not think 2Birds said reliance on self-certification alone is sufficient to reduce risk to low
Alan Woods (RySG)
01:36:52
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf
Tara Whalen (SSAC)
01:38:22
I need to drop at this point - handing it off to Steve C to cover for SSAC. Thanks, all!
Sarah Wyld (RrSG)
01:39:28
Definitely agreed that the registrant data subject should be able to easily correct mistakes.
Sarah Wyld (RrSG)
01:40:15
That is a good point, Alan
Becky Burr (ICANN Board)
01:46:14
only true if data subject is also data source.
Berry Cobb
01:47:13
Yes. Thank you!!!!
Laureen Kapin (GAC)
01:47:25
@ Becky which relates to Steve C's point I think.
Sarah Wyld (RrSG)
01:48:48
So, if the contact does not respond,the default would be to assume it's personal data and not publish, right?
Laureen Kapin (GAC)
01:49:12
Agree with MM -- I don't understand q 3.
Stephanie Perrin (NCSG)
01:50:44
It might be worth developing a sample script/attestation, e.g. in the registration of the domain name xyz, it has been stated that no personal information that is protected in law will be disclosed if we publish the following data elements.
Stephanie Perrin (NCSG)
01:51:07
Please confirm
Berry Cobb
01:51:18
B & B language: Contracted Parties may therefore wish to consider a combination of mechanisms: ask the individual completing the registration, whether the data they are providing is personal data. If they say no, then verify this claim by contacting the provided contact details (VSC). If they instead say yes, then ask them whether the personal data relates to them, and if so, whether they would be happy for those details to be published.
Becky Burr (ICANN Board)
01:51:40
I agree @laureen. I understand his point that data protection law shouldn’t impose liability on contracted parties for inter-corporate communications. just don’t think GDPR supports that outcome.
Becky Burr (ICANN Board)
01:51:56
)(
Brian King (IPC)
01:52:18
Verify:the email address of the Registered Name Holder (and, if different, the Account Holder) by sending an email requiring an affirmative response through a tool-based authentication method such as providing a unique code that must be returned in a manner designated by the Registrar, or … (phone call)
Brian King (IPC)
01:52:23
from WAPS
Becky Burr (ICANN Board)
01:52:31
(no liability for inter-corporate communication failures)
Steve Crocker (SSAC)
01:54:15
@Becky, did you mean intra-company communications?
Berry Cobb
01:55:07
Whois Data Reminder Policy
Brian King (IPC)
01:55:12
thanks Berry :-)
Marc Anderson (RySG)
01:55:40
https://www.icann.org/resources/pages/registrars/consensus-policies/wdrp-en
Becky Burr (ICANN Board)
01:55:58
yes. @steve
Becky Burr (ICANN Board)
01:56:15
typing on small keyboard
Sarah Wyld (RrSG)
01:56:43
Alan W is getting to what I was trying to type out! +1 Alan
Berry Cobb
01:56:50
FYI @AlanW - your mic is just a hint faint.
Mark Svancarek (BC)
01:56:54
@Laureen: "if applicable"
Laureen Kapin (GAC)
01:57:02
Fair point Alan re: feasibility of what Rgr has to do with such corpo ID 3s.
Stephanie Perrin (NCSG)
01:57:03
Corporate identifiers work for large global corporations. They don’t work well for small business
Laureen Kapin (GAC)
01:57:12
ID #'s
Alan Woods (RySG)
01:57:36
apologies … was speaking to the wrong mic ...! :D I got a new inbuilt webcam mic - and it's on the other side of the desk! :D
Berry Cobb
01:57:54
https://docs.google.com/document/d/1gMV29jRPQEFGv2psZ2py2_F8cr93OeeA/edit
Brian King (IPC)
01:58:14
We heard you well, Alan. It's clearly a good mic!
Berry Cobb
02:02:21
hand
Berry Cobb
02:06:41
The Legal Committee placeholder invitation has been sent out for the 20th. Thank you Terri.
Sarah Wyld (RrSG)
02:07:20
sorry would that Tuesday be at the same time as this meeting?
Berry Cobb
02:07:28
14 UTC
Thomas Rickert (ISPCP)
02:07:55
Thanks, Keith and all!
Sarah Wyld (RrSG)
02:07:56
Thanks Berry
Sarah Wyld (RrSG)
02:07:59
and that's as of the 27th?
Laureen Kapin (GAC)
02:08:07
Thanks folks!
Berry Cobb
02:08:09
@Sarah, yes
Sarah Wyld (RrSG)
02:08:13
Thanks again Berry
Brian King (IPC)
02:08:15
Clear homework instructions from Caitlin and Berry continue to be most welcome.
Brian King (IPC)
02:08:16
Thank you
Sarah Wyld (RrSG)
02:08:16
And thanks, all
hadia Elminiawi (ALAC)
02:08:38
thank you