Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Amr Elsadr (NCSG)
49:56
Thanks, Andrea.
Julf Helsingius (NCSG)
50:25
I am in another meeting, but as we don't have alternates available, I will do my best to split myself...
Andrea Glandon
50:53
@Amr, we do not have an alternate form for Stefan or an apology for Farzaneh
Amr Elsadr (NCSG)
51:19
Thanks, Andrea. I thought that was supposed to have happened.
zzzStefan Filipovic (NCSG alternate)
52:30
yup I am Farzaneh's replacement for today's call
Andrea Glandon
52:58
The form we have expired on 22 September.
Andrea Glandon
53:25
Here is the link for the form https://docs.google.com/spreadsheets/d/1XlU_f2VTS9wc_cCdRY1w0Z-RnNA65Jz_zUrpysr9AyA/edit#gid=183259618
Caitlin Tubergen
55:15
As a reminder, there are still many outstanding action items from the F2F meeting. Please find a link to Marika’s email, highlighting the action items, here: https://mm.icann.org/pipermail/gnso-epdp-team/2019-September/002495.html
Leon Sanchez (ICANN Board Liaison)
01:01:18
Nice Porsche on the wallpaper
Leon Sanchez (ICANN Board Liaison)
01:01:47
Margie’s hand is up
Amr Elsadr (NCSG)
01:01:49
Personal disclaimer: I’m not well-prepped for today’s call. Might send more on this over email.
Volker Greimann (RrSG)
01:02:45
disagree. It relates to the requirements to be met, and those need to be enforced
Volker Greimann (RrSG)
01:02:48
objection
Amr Elsadr (NCSG)
01:02:56
Apologies…, can Margie repeat it?
Matt Serlin (RrSG)
01:04:09
Volker makes a good point…what is the point of having requirements if we don’t intend to enforce them?
Volker Greimann (RrSG)
01:04:22
I am happy with the language as is
Amr Elsadr (NCSG)
01:04:38
Right. They’re listed as requirements. No enforcement would make them more like suggestions, not requirements.
Alan Greenberg (ALAC)
01:05:26
"Enforced based on periodic audits and reports of mis-use"
Mark Svancarek (BC)
01:07:41
Until we know more about "TBC", the concept of periodic audits is problematic. If it is a monitoring body selected during the accrediting process, that should be fine.
Chris Lewis-Evans (GAC)
01:08:05
audio just dropped
Terri Agnew
01:08:38
@Chris, let us know if a dial out would be helpful.
Alex Deacon (IPC)
01:09:08
agree with striking the bulk access parenthetical.
Ayden Ferdeline (NCSG)
01:13:47
sorry I am on audio only at the moment. if we change c) to “requestor” , would this mean if say DomainTools obtained data and then their users misused it, that would be fine?
Matt Serlin (RrSG)
01:15:13
Ayden brings up a good point…do we need to be clear that these requirements flow to any third party the requestor passes the data onto?
Marc Anderson (RySG)
01:16:39
I like Alan G's point
Alan Greenberg (ALAC)
01:17:33
@Matt, It may be implied but certainly does not hurt to say that any commitments apply to such other parties.
Amr Elsadr (NCSG)
01:19:17
@Margie: That would be a clear breach in representation, wouldn’t it?
Volker Greimann (RrSG)
01:19:23
that is what we meant
Ayden Ferdeline (NCSG)
01:19:26
the word “only” is very important
Amr Elsadr (NCSG)
01:19:33
@ayden: +1
Volker Greimann (RrSG)
01:19:35
If you want data, you must say what you need it for
Matt Serlin (RrSG)
01:19:49
What about “consistent only…”
Chris Lewis-Evans (GAC)
01:22:32
Within GDPR, the purpose limitation principle still prevents you from using personal data for new purposes if they are ‘incompatible’ with your original purpose.
Margie Milam (BC)
01:23:15
GDPR says " not further processed in a manner that is incompatible with those purposes"
Volker Greimann (RrSG)
01:23:18
not possible, since you then have the data, so the reason cannot be included in the balancing test anymore
Amr Elsadr (NCSG)
01:23:24
@Chris: My understanding is that what you are referring to are purposes of the controller, not the third party requesting disclosure of data.
Margie Milam (BC)
01:23:32
let's use the GDPR language in Article 5.b
Caitlin Tubergen
01:24:26
Note: there is a comment above from Staff asking: d) From use case template: EPDP Team to further define / clarify who and how auditing is expected to be carried out.
Mark Svancarek (BC)
01:26:32
Bullet (e) already covers other laws
Matt Serlin (RrSG)
01:26:41
+1…I was just going to type that we need to be mindful not to be too focused on GDPR specific language
Berry Cobb
01:28:30
Just to note, I am only making text changes for demonstration purposes. Staff will edit this workbook as agreed upon after the call and release the next version.
Volker Greimann (RrSG)
01:30:44
These are obviously extreme cases, and most of the time the issue is going to be minimal, but we need to cover for extremes as well
Margie Milam (BC)
01:31:15
I don't agree with Amr's position on Article 5
Margie Milam (BC)
01:31:24
it's not limited to controllers - read the language
Amr Elsadr (NCSG)
01:31:28
That’s ok, Margie. I don’t agree with yours. ;-)
Margie Milam (BC)
01:31:44
please cite where it is limited to controller
Amr Elsadr (NCSG)
01:31:51
@Margie: 3rd parties don’t collect the data.
Amr Elsadr (NCSG)
01:32:02
When you cited 5b, you left out the first part of it.
Amr Elsadr (NCSG)
01:32:20
“collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”
Amr Elsadr (NCSG)
01:32:36
This has nothing to do with 3rd party purposes.
Margie Milam (BC)
01:32:38
the first part says: Personal data shall be.....
Volker Greimann (RrSG)
01:33:32
my expected outcome is that requesters can be held accountable for the content of their request, that they are making a full request and abide by the content of their request
Amr Elsadr (NCSG)
01:33:57
ICANN and Contracted Parties don’t collect (or require the collection of) data for 3rd parties to process it for purposes that they don’t declare when requesting it being disclosed to them. 5b does not apply.
Margie Milam (BC)
01:34:44
Our Phase 1 Report says otherwise Amr
Amr Elsadr (NCSG)
01:34:58
You mean purpose 2?
Margie Milam (BC)
01:35:03
Yes
Volker Greimann (RrSG)
01:35:14
Ultimately we cannot prevent anyone from using the data for other purposes
Volker Greimann (RrSG)
01:35:31
but we can clearly ensure they never get access to data again if they do
Volker Greimann (RrSG)
01:36:00
Happy with the language proposed in brackets
Amr Elsadr (NCSG)
01:36:58
@Alan G: I’m not sure what you’re referring to, but what I am objecting to is a policy recommendation that allows 3rd parties to process data for any purpose other than what was declared and agreed to at the time of disclosure.
Volker Greimann (RrSG)
01:37:43
happy with that change
Matt Serlin (RrSG)
01:38:11
I’m fine with that change
Alan Greenberg (ALAC)
01:39:59
@Amr, I was referring to the end of your original intervention on the issue.
Mark Svancarek (BC)
01:40:05
not a useless intervention Amr
Matt Serlin (RrSG)
01:40:11
good point Amor…disclose would be better
Matt Serlin (RrSG)
01:40:16
Amr even :)
Amr Elsadr (NCSG)
01:40:44
Again…, return vs disclose?
Amr Elsadr (NCSG)
01:40:50
For (b)?
Mark Svancarek (BC)
01:40:55
+1 Amr
Owen Smigelski (RrSG)
01:40:58
+1 Amr
Chris Lewis-Evans (GAC)
01:42:41
@Thomas isn’t this covered in a?
Mark Svancarek (BC)
01:42:58
Thomas was also referring to (a)
Thomas Rickert (ISPCP)
01:43:23
We can put it in a or b. I would just like it to be clarified somewhere :-)
Matt Serlin (RrSG)
01:44:02
I thought the system was meant only to obtain non-public data…
Margie Milam (BC)
01:45:10
+1 Greg
Alex Deacon (IPC)
01:45:11
@matt - assuming RDAP is used why wouldn’t it also return public data?
Ashley Heineman (GAC)
01:47:05
So... if the provision of public data can be done in a way that doesn't apply undue complexity or problems for the CPs, is there any other reason not to accommodate?
Georgios Tselentis (GAC)
01:47:47
can "authorised data" do the job?
Ashley Heineman (GAC)
01:48:09
+1 Georgios
Matt Serlin (RrSG)
01:48:41
While it may be technically possible via RDAP, our policy work is meant to address disclosure of the non-public data specifically. Perhaps this is more of an implementation question once the policy is finalized?
Amr Elsadr (NCSG)
01:48:47
Can you clarify what “authorised data” means?
Alan Greenberg (ALAC)
01:49:16
@Matt, as long as we do not prohibit it in our present work.
Amr Elsadr (NCSG)
01:49:38
“necessary” seems to me to be consistent with the data minimization principle, no?
Alex Deacon (IPC)
01:50:09
@matt - then we should not be setting policy that artificially limits implementation options.
Volker Greimann (RrSG)
01:50:09
Disagree,
Margie Milam (BC)
01:50:23
disagree with spelling it out
Margie Milam (BC)
01:50:27
each law
Georgios Tselentis (GAC)
01:50:31
@ Amr authorised=that authorisation process has been performed for the private data (and public are authorised to be disclosed by default)
Amr Elsadr (NCSG)
01:50:45
Thanks, Georgios. That’s helpful.
Amr Elsadr (NCSG)
01:51:15
@Margie: You mean Ayden? :-)
Margie Milam (BC)
01:51:25
sorry
Amr Elsadr (NCSG)
01:51:30
No worries. :-)
Margie Milam (BC)
01:51:33
didn't mean to confuse you :)
Amr Elsadr (NCSG)
01:51:53
I’m not confused. ;-)
Alan Greenberg (ALAC)
01:52:30
I would use provacy law. That is the focus of this entire process.
Mark Svancarek (BC)
01:52:34
Perhaps it makes sense to define somewhere what we mean by "applicable laws" and then just call back to that definition whenever it is needed
Alan Greenberg (ALAC)
01:52:37
privacy.
Ayden Férdeline (NCSG)
01:52:55
No, privacy law is not the right term, as it can differ from data protection law.
Ashley Heineman (GAC)
01:53:11
Data protection...
Matt Serlin (RrSG)
01:53:11
+1 Mark but I do agree that trying to spell out what all the applicable laws might be would be impossible
Amr Elsadr (NCSG)
01:54:17
@Alan G.: Interesting question. Might provide useful implementation guidance.
Berry Cobb
01:55:06
Apologies, we need to change shared screens. As noted, the track changes are just a visual for the call, an updated version will be distributed after the call.
Ayden Férdeline (NCSG)
01:55:08
I do not understand the right of erasure in this context either.
Amr Elsadr (NCSG)
01:56:29
The only context in which “erasure” might be useful here (that I can think of), is if the registrant discovers that a data element(s) is incorrect, or not current.
Margie Milam (BC)
01:56:48
+1 Greg
Ayden Férdeline (NCSG)
01:56:50
This is not a “veto right” - there is no guarantee that their request will be granted by the contracted party.
Margie Milam (BC)
01:58:24
+1 Ashley
Thomas Rickert (ISPCP)
01:58:26
Objection is a right the data subject must be able to exercise, so it is a legal requirement and not an over-application. Am I missing someting
Alex Deacon (IPC)
01:58:30
+1 Ashley
Thomas Rickert (ISPCP)
01:58:31
Something?
Chris Lewis-Evans (GAC)
01:58:36
+1 Ashley
Amr Elsadr (NCSG)
01:58:42
@Thomas: +1
Georgios Tselentis (GAC)
01:58:44
+1 Ashley
Amr Elsadr (NCSG)
01:59:21
@Volker: Good point.
Amr Elsadr (NCSG)
02:01:46
I’m also assuming that data requestors would like current and accurate data disclosed to them?
Volker Greimann (RrSG)
02:02:20
it may become part of the balancing test,
Margie Milam (BC)
02:03:46
gotta go offline to drive - will be on phone still
Ayden Férdeline (NCSG)
02:04:36
The concept of “over compliance” with the law - particularly in this context - is something that I am struggling to understand.
Amr Elsadr (NCSG)
02:05:55
@Thomas: +1
Georgios Tselentis (GAC)
02:06:08
I do not read the Right to object art21 as a veto
Thomas Rickert (ISPCP)
02:07:01
Correct, it is not a veto, so we should use the terminology of the GDPR and call it objection
Ayden Férdeline (NCSG)
02:07:26
It is not a veto at all, and it is likely not all objections will be valid. For instance, if it is a request for data pursuant to a legal claim, the objection could be overridden. If an objection is received from a data subject relating to the use of personal information for research purposes, issues relating to public safety, public health, or uses that are in the public interest, it may not be necessary to comply with the objection.
Mark Svancarek (BC)
02:11:47
I'd like the SSAD system to allow the request for confidentiality alongside the assertion of intended processing
Ayden Férdeline (NCSG)
02:11:48
@Alan G see Article 15(1)(c) of the GDPR re: your question
Ayden Férdeline (NCSG)
02:12:01
Third parties must be named
Ayden Férdeline (NCSG)
02:14:48
see also Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’
Amr Elsadr (NCSG)
02:15:21
:)
Amr Elsadr (NCSG)
02:16:37
@Ayden: +1
Alex Deacon (IPC)
02:16:45
@ayden - even if the requestor is an individual?
Marc Anderson (RySG)
02:16:49
In the interests of time, I'm lowering my hand and will just thank Georgios and Chris for the additional information.
Alan Greenberg (ALAC)
02:17:40
@Alex, presumably, but they must delete the name of the requester after the retention period is over! ;-)
Amr Elsadr (NCSG)
02:17:56
@Alex: I would assume, yes.
Amr Elsadr (NCSG)
02:18:11
…, and what Alan G. said. ;-)
Amr Elsadr (NCSG)
02:20:37
@Alex: Using “must” in this context would be problematic, no? Wouldn’t that mean that there is a requirement to differentiate between legal and natural persons?
Caitlin Tubergen
02:20:45
“Must provide [non personal] non-public data for data subjects that are legal persons or otherwise not subject to data protection laws.”
Matt Serlin (RrSG)
02:21:51
Agree with Amr…I think we’d want to take back that point H and think about the implications of it
Julf Helsingius (NCSG)
02:23:50
Indeed, I think we need to think about H a bit more
Alex Deacon (IPC)
02:24:17
FWIW I’m ok with improvements in the language here.
Amr Elsadr (NCSG)
02:24:35
Thanks, Alex.
Alan Greenberg (ALAC)
02:24:37
The otherwise clause DOES cover the nuances but perhaps not clear enough
Alan Greenberg (ALAC)
02:25:45
Replace OR with AND/OR then includes personal data within legal person records
Volker Greimann (RrSG)
02:25:58
Otherwise not subject clearly states legal persons are not subject to the laws, this is confounded by must disclose
Volker Greimann (RrSG)
02:26:13
compounded
Ayden Férdeline (NCSG)
02:27:25
I will paste here for your reference
Ayden Férdeline (NCSG)
02:28:08
It is here - too long for Zoom to allow to paste unfortunately. https://mm.icann.org/pipermail/gnso-epdp-team/2019-September/002517.html
Leon Sanchez (ICANN Board Liaison)
02:30:04
need to leave the call now. apologies for not staying till the end
Amr Elsadr (NCSG)
02:30:17
@janis: Apologies if I was not clear. I was referring to Ayden’s proposal, not the current text.
Ashley Heineman (GAC)
02:32:56
+1 Alex
Chris Lewis-Evans (GAC)
02:33:17
Need to drop to audio only, Thanks
margiemilam
02:33:27
+1 Alex
Volker Greimann (RrSG)
02:34:20
Seriously? I am getting annoyed with the amount of “feedback responders” in use these days
Alex Deacon (IPC)
02:35:37
@volker - what is a feedback responder?
Margie Milam (BC)
02:36:02
We should have a separate building block on correcting erroneous data
Julf Helsingius (NCSG)
02:37:15
janis: tubes/valves rather than lamps?
Amr Elsadr (NCSG)
02:38:39
If I’m not mistaken, there were no objections expressed on the notification to the data subject part of the proposal? Did I get that wrong?
Margie Milam (BC)
02:39:05
We need to discuss it - Amr
Amr Elsadr (NCSG)
02:39:14
OK, thanks.
Amr Elsadr (NCSG)
02:43:05
Would it be fair to say that there is consensus within the EPDP Team on a “burning desire” to get clarity on the data protection agreements between ICANN and CPs?
Thomas Rickert (ISPCP)
02:43:18
ISPCP has not
Amr Elsadr (NCSG)
02:45:10
Thanks all. Bye.
Ayden Férdeline (NCSG)
02:45:10
thanks all
Alex Deacon (IPC)
02:45:11
thanks janis
Thomas Rickert (ISPCP)
02:45:19
Thanks and bye!