Logo

Julie Bisland's Personal Meeting Room
Mark Svancarek (BC)
54:09
James and I are very sorry for the inconvenience.
Farzaneh Badii (NCSG)
54:17
I am wondering… why are these groups coming up with their ideal accreditation model? Why can’t they just work with others …
stephanieperrin
57:02
My apologies for being 10 minutes late
Marika Konings
57:03
@Farzaneh - as I recall, the request was mainly focused on identifying how accreditation could work for users from those respective communities (for example, security researchers). For IPC and LE there were specific proposals on the table, but for other groups it was less clear.
Farzaneh Badii (NCSG)
57:42
Thanks Marika.
Matt Serlin (RrSG)
01:01:32
I thought it was reverse searching and NOT bulk access that .it offered?
Margie Milam (BC)
01:01:54
that's what I thought too - reverse searching
Amr Elsadr (NCSG)
01:02:25
I’m still not clear on how the scoping issue is going to be handled. What I did gather is that Janis will think on it some more, but that James and Mark should proceed to work on it. I believe this topic should be on the full EPDP Team agenda as soon as practically possible.
Julf Helsingius (NCSG)
01:02:41
Amr +1
Margie Milam (BC)
01:03:18
https://static.ptbl.co/static/attachments/214511/1561364777.pdf?1561364777
Mark Svancarek (BC)
01:04:24
.DK was Kobe. .IT was Marrakech
Hadia Elminiawi (ALAC)
01:05:21
Thanks Margie for giving the link of the RDAP implementation experience of .it
Farzaneh Badii (NCSG)
01:05:56
reverse searching and bulk access? These are seriously out of scope. And Thomas and Stephanie and others said it in EPDP face to face meeting. Why are we even discussing it
Farzaneh Badii (NCSG)
01:06:27
And? If RDAP has a technical feature doesn’t mean we can come up with a policy for it to implement it
Brian King (IPC)
01:06:29
@Farzaneh we are discussing it because there is proposed language to prohibit it in the SSAD
Amr Elsadr (NCSG)
01:06:30
Agree that these are way out of scope, as are boolean searches, which is why I wanted to address the scoping issue, and get that settled soon.
Amr Elsadr (NCSG)
01:07:16
@Brian: Prohibiting them, allowing them…, both out-of-scope.
Matt Serlin (RrSG)
01:08:34
There was discussion about asking this question back to the GNSO council as well which I think we should do if we can’t come to agreement
Sarah Wyld (RrSG)
01:09:05
+1 Matt
Margie Milam (BC)
01:10:05
We are also developing a legal question for Bird & Bird on the question of the legality of these types of lookup
Hadia Elminiawi (ALAC)
01:10:11
 @Amr and Farzi this is being discussed because it is already being addressed in the initial report. If we delete this referral to reverse lookups from the initial report then probably it does not need to be discussed.
Amr Elsadr (NCSG)
01:11:30
Also a +1 to Matt’s last comment in the chat.
Farzaneh Badii (NCSG)
01:13:14
Margie, even if it’s legal it is not within our scope. And you can’t put in everything not prohibited by law that harms the registrants in the policy.
Margie Milam (BC)
01:13:34
+1 Marika
Farzaneh Badii (NCSG)
01:13:59
BULK ACCESS!
Mark Svancarek (BC)
01:14:43
Ugh, I think no one is asking for bulk access. This is unproductive.
Farzaneh Badii (NCSG)
01:15:15
Hadia just mentioned it! If you don’t then don’t mention it. She said bulk access
Brian King (IPC)
01:15:15
Indeed no one has asked for bulk access in this EPDP
Farzaneh Badii (NCSG)
01:16:10
She said bulk access was in the use cases. if no one has asked for bulk access then everyone has to be clear on that and not confuse others
Mark Svancarek (BC)
01:16:25
Hadia should clarify, but it sounded to me that she was making an observation about the existence of text in early use cae drafts - not thye same as someone asking for it mow.
Hadia Elminiawi (ALAC)
01:17:19
@Farzi I mentioned it because referral to bulk access is already in the initial report not because I am advocating for it.
Brian King (IPC)
01:17:49
I note that deleting the bullet should address Amr's concerns
Farzaneh Badii (NCSG)
01:17:56
It is? Show me where.
Mark Svancarek (BC)
01:18:25
Does it matter. No one is asking for it now.
Farzaneh Badii (NCSG)
01:18:35
And you did mention it. So please don’t say no one asked for bulk access. Even Georgios was confused.
Amr Elsadr (NCSG)
01:18:38
Bulk access, reverse lookups, boolean searches…, all out-of-scope.
Mark Svancarek (BC)
01:19:06
If anyone is asking for it now, please raise your hand :)
Farzaneh Badii (NCSG)
01:19:35
I don’t really care. They are all out of scope. And even if legal not good practice and can take innocent people right to due process away
Hadia Elminiawi (ALAC)
01:20:58
@Farzi what I meant is that the referral to bulk access and reverse lookups in the initial report was picked up from the use cases, however the discussion was only about reverse lookups. let's try to work together
Marc Anderson (RySG)
01:23:36
@Georgios - thank you for providing that update
Marika Konings
01:31:57
As noted in the text, this language was largely derived from the EPDP Phase 1 recommendations.
Matt Serlin (RrSG)
01:33:33
should be non-controversial to add domain name to this…
Hadia Elminiawi (ALAC)
01:34:00
@ Matt sure
Farzaneh Badii (NCSG)
01:38:23
it’s “not broader”
Farzaneh Badii (NCSG)
01:38:40
I think there is a "t” missing
Farzaneh Badii (NCSG)
01:39:11
I support it
Brian King (IPC)
01:39:23
Where are the comments?
Farzaneh Badii (NCSG)
01:39:39
In the box
Brian King (IPC)
01:39:42
Oops nvm
Brian King (IPC)
01:39:44
Thanks Farzi
Alex Deacon (IPC)
01:39:49
+1 Chris
Sarah Wyld (RrSG)
01:39:57
Farzaneh I think you're right, it could say "and are not broader" or "and is no broader"
Brian King (IPC)
01:39:59
Yeah that's the wrong standard
Farzaneh Badii (NCSG)
01:40:08
It is
Stephanie Perrin (NCSG)
01:40:42
There is a different standard for law enforcement than for private sector actors, AFAIK.
Chris Lewis-Evans (GAC)
01:41:05
ico guidance”This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose.”
Stephanie Perrin (NCSG)
01:41:09
Strictly necessary would apply more to non-criminal matters
Mark Svancarek (BC)
01:41:20
Ruth commented on this topic in Toronto. I can dig that up if needed.
Farzaneh Badii (NCSG)
01:41:22
the recitals say strictly. You need to also prove it is not possible to do your task via alternatives and without access to personal info
Farzaneh Badii (NCSG)
01:43:07
well when we say you want easy access to data, please don’t get offended. Because you do. not necessarily for bad reasons.but you want easy access to personal data. You don’t want to do a strict balancing test etc. I think people should be clear about that.
Brian King (IPC)
01:44:57
We can support this building block as drafted
Brian King (IPC)
01:45:31
"including the GDPR" might be better than "such as GDPR"
Marika Konings
01:45:34
Logs are covered in other building blocks
Marika Konings
01:45:54
but I think there is an outstanding question on further details that are needed on what that entails
Amr Elsadr (NCSG)
01:45:59
@Marika: Thanks. Logs and audits.
Farzaneh Badii (NCSG)
01:46:00
How were the comments concerns addressed actually?
Farzaneh Badii (NCSG)
01:46:24
I agree with change of language from such as to including
Amr Elsadr (NCSG)
01:46:44
Sounds good, Marika. As long as we have it somewhere.
Sarah Wyld (RrSG)
01:46:59
Would "including" then mean that a requestor who is subject to other data protection laws but not the GDPR now has to follow the GDPR in this context? I think I like "such as" better
Farzaneh Badii (NCSG)
01:47:36
Oh if that is the case then I agree with Sarah
Amr Elsadr (NCSG)
01:47:51
@Sarah: +1
Farzaneh Badii (NCSG)
01:47:52
I thought it was the other way round
Volker Greimann (RrSG)
01:47:57
+1
Farzaneh Badii (NCSG)
01:48:29
+1 Sarah
Bastiaan Goslings (ALAC)
01:48:31
@Sarah: +1
Thomas Rickert (ISPCP)
01:48:32
Agreed
Sarah Wyld (RrSG)
01:48:42
sure, relevant is good for that
Stephanie Perrin (NCSG)
01:48:55
applicable is a good word here that provides focus...
Sarah Wyld (RrSG)
01:48:56
Yeah I wouldn't mind just not referring to any specific law
Sarah Wyld (RrSG)
01:49:04
applicable or relevant both seem ok to me
Matt Serlin (RrSG)
01:49:14
Yup that would work
Margie Milam (BC)
01:49:14
yes
Brian King (IPC)
01:49:19
Good catch, Sarah
Hadia Elminiawi (ALAC)
01:49:21
+1 Brian yes sure
Sarah Wyld (RrSG)
01:50:17
So we could probably finish this by just removing "such as GDPR" from the end of the sentence
Amr Elsadr (NCSG)
01:50:29
@Farzaneh: +1
Stephanie Perrin (NCSG)
01:50:32
Some of these retention requirements are covered in other laws. Not to beat a dead horse or anything, but it might be better to say “applicable law, especially data protection laws”.
Hadia Elminiawi (ALAC)
01:50:43
yes
Volker Greimann (RrSG)
01:50:49
ok
Stephanie Perrin (NCSG)
01:50:56
I believe I hammered away at this point in Los Angeles
Sarah Wyld (RrSG)
01:51:31
I don't think we can specify that here
Sarah Wyld (RrSG)
01:51:35
there are way too many factors to consider
Margie Milam (BC)
01:51:41
i have to drive but will stay on the call
Brian King (IPC)
01:51:44
Janis, no, because that will vary by jurisdiction
Sarah Wyld (RrSG)
01:51:45
drive safe Margie
Sarah Wyld (RrSG)
01:52:01
Great point Stephanie
Farzaneh Badii (NCSG)
01:52:04
I think minimum protection should apply to all the registrants— regardless of jurisdiction. GDPR can be used as a standard.
Marika Konings
01:52:05
Note that there is also a priority 2 item that deals with data retention coming out of phase 1 (but that is specifically related to ICANN purposes for retention of data)
Thomas Rickert (ISPCP)
01:52:06
We cannot put that into the policy now as we do not know enough about the setup
Sarah Wyld (RrSG)
01:52:19
Thomas can you clarify?
Sarah Wyld (RrSG)
01:52:24
can't put which part into policy
Sarah Wyld (RrSG)
01:53:10
Overcomplication is my middle name
Marika Konings
01:53:12
Isn’t that already addressed in phase 1 recommendations @Sarah?
Sarah Wyld (RrSG)
01:53:25
Thanks Marika, that is very possible. I'll defer to the lawyers in the group at this point
Matt Serlin (RrSG)
01:53:33
why not just “applicable laws”
Stephanie Perrin (NCSG)
01:53:39
Not really, data protection law is not usually determinative for retention periods.
Brian King (IPC)
01:53:50
"...in accordance with applicable law." could do the trick
Matt Serlin (RrSG)
01:53:57
And don’t call out the specific data protection law
Sarah Wyld (RrSG)
01:53:58
Yeah why not just " in accordance with applicable law"
Sarah Wyld (RrSG)
01:54:03
+1 Brian
Stephanie Perrin (NCSG)
01:54:12
Requirements is a tad vague, could be contractual arrangements, which are not determinative.
Farzaneh Badii (NCSG)
01:54:26
I guess your first name is overcomplicating Sarah :) I have to drop off. I think we need to have minimum protection for data and enforce it in the system regardless of laws…
Greg Aaron (SSAC)
01:55:59
So it should simply say: "...with any applicable legal requirements, such as in GDPR".
Amr Elsadr (NCSG)
01:56:31
To add to what Thomas said, retention of data, or at least logs, might need to factor in the length of time allowed to a data subject to request logs of how its data has been processed in the past.
Matt Serlin (RrSG)
01:56:48
I don’t think it should call out any specific law @Greg IMO
Farzaneh Badii (NCSG)
01:57:41
Whatever policy we come up with we need to have a retention policy.
Farzaneh Badii (NCSG)
01:57:59
Now I will really drop off.
Andrea Glandon
01:59:14
I am getting it Marika
Sarah Wyld (RrSG)
02:06:08
Is there a material difference between 'accepting full legal liability' vs 'indemnity for other controllers'? I'd like to hear from our lawyer teammates on that
Brian King (IPC)
02:06:21
Good point, Ashley. That's what prompted my question on the list yesterday. Maybe we call it the "single decisionmaker scenario"
Sarah Wyld (RrSG)
02:06:40
I think who the decisionmaker is will be an important factor in what the conditions to be met are, though?
Matt Serlin (RrSG)
02:07:01
I think this was raised in LA as well, but it’s not just legal liability that’s at stake, it’s also repetitional risk that should be considered as well
Amr Elsadr (NCSG)
02:07:18
@Matt: Right.
Amr Elsadr (NCSG)
02:07:44
@Janis: That sounds right.
Amr Elsadr (NCSG)
02:08:19
I don’t know if the decision to disclose data is necessarily the most important issue. Any liability and risk involved should be relevant.
Alex Deacon (IPC)
02:10:21
+1 Ashley
Amr Elsadr (NCSG)
02:11:20
@Ashley: If I’m not mistaken, the EDPB is working on further guidance on this very topic, so we might need to wait a few months before hearing from them. We might even need additional legal guidance following whatever guidance they publish.
Ashley Heineman (GAC)
02:12:02
The Strawberry team is planning to put a version of this question before the EDPB in late October I believe.
Sarah Wyld (RrSG)
02:13:06
If they won't indemnify, then would they accept full legal liability?
Ashley Heineman (GAC)
02:14:56
I can't speak for ICANN or any other entity, but I do know that accepting liability for something is much easier than committing to "indemnify" another party... as you have much more control over your own actions than that of another party. Make sense?
Matt Serlin (RrSG)
02:15:01
Also in LA, everyone agreed that the party who is has the liability should be the party that makes the disclosure decision…that was a principle everyone was in agreement with
Sarah Wyld (RrSG)
02:15:06
Thanks Ashley
Sarah Wyld (RrSG)
02:15:23
+1 Matt
Matt Serlin (RrSG)
02:15:33
and yes @Ashley that makes sense…thanks for writing it out
Volker Greimann (RrSG)
02:18:55
Please no
Amr Elsadr (NCSG)
02:19:01
3 more F2F meetings, or Zoom meetings?
Amr Elsadr (NCSG)
02:19:13
I hope via Zoom?
Amr Elsadr (NCSG)
02:19:46
@Janis: Thanks. Phew.
Volker Greimann (RrSG)
02:20:22
Not sure this additional time commitment can be arranged
Julf Helsingius (NCSG)
02:21:38
I know I can not free up Tuesdays
Ashley Heineman (GAC)
02:21:40
Let's give it a go
Brian King (IPC)
02:21:43
That sounds doable to me
Ashley Heineman (GAC)
02:21:51
That's why we have alternatives, right?
Ashley Heineman (GAC)
02:21:56
"alternates"
Hadia Elminiawi (ALAC)
02:22:00
doable for me too
Matt Serlin (RrSG)
02:22:00
I think we would have to look to leverage our alternatives for that...
Brian King (IPC)
02:22:21
Let's get this done
Volker Greimann (RrSG)
02:22:23
doubtful
Mark Svancarek (BC)
02:22:23
Painful but possible
Stephanie Perrin (NCSG)
02:22:24
Sorry have to run
Terri Agnew
02:22:42
We will get the invites sent out so it is on everyone’s calendars.
Brian King (IPC)
02:22:53
Thank you, Terri.
Hadia Elminiawi (ALAC)
02:23:14
alternates could get more involved
Terri Agnew
02:23:14
Most welcome
Matt Serlin (RrSG)
02:24:34
Thanks all
Rafik Dammak (GNSO Council Liaison)
02:24:38
Thanks all
Hadia Elminiawi (ALAC)
02:24:38
thank you all bye
Sarah Wyld (RrSG)
02:24:39
Thanks team
Chris Lewis-Evans (GAC)
02:24:43
thanks all
Amr Elsadr (NCSG)
02:24:46
Thanks all. Bye.
Julf Helsingius (NCSG)
02:24:47
Thanks all!
Bastiaan Goslings (ALAC)
02:24:48
thanks