Good <time of day at local location>

Hi, I sent an apology, but can make most of the call.

I will also be able to speak to the draft proposal I sent.

hello al

Noted Thomas

Out of principle, I don't think the agenda should be longer than 90 minutes. Sure, it might stretch, but we should at least aim for 90 minutes.

Julf that ship has sailed. Or putting it another way:we have drowned already.

Farzaneh: I can still grumble about it...

But so many times we have been discussing whether public authority can have access without relying on a national law… we have to wrap this discussion up one way or another.

I tend to agree. A user group doesn't assume anything other than they may have a legitimate interest based on their common goals/mission.

I think we are often conflating legitimate interest, purpose and user groups as if they are one in the same and they are not.

Agree, Ashley.

Very good point Ashley

sorry to join late

And for not muting audio

+1 Ashely. Legitimacy/Purpose isn’t inherited by all members of a user group.

Perhaps a doc that lists user groups (with the assumption that we are considering it), with another section for each user group that lists legitimate interest (kind of what this doc is doing), then another field for purpose. So it is all there (unless I'm missing something) and we won't get wrapped around the axle regarding what we are talking about because it will all be on the same page. I know folks won't like listing user groups at the outset, but let's perhaps take it as an informed exercise that can be changed as need be.

I like how you put that, James.

But each user group *could* have similar legitimate interests and purposes, so perhaps listing them as a menu as a first step? Recognizing that they don't automatically apply, but could apply. As it will all be determined per request, correct? And must be substantiated, correct?

so therefore makes more sense to categorise by legal basis - not by group

I don't care what order (I don't think), whether it starts with legal basis or group.

(sorry Ashley that was @Hadia)

Still a good point for me to consider. :-)

@Alan W. but who/how to determine whether a certain user group can make use of a certain legal basis? For some it is clearly defined, but for some there was disagreement during phase 1. If I recall well, in phase 1 it was left up to the controller what legal basis to apply, would it be the same here (the third party requestor determines which legal basis they want to use for their request and the controller assess whether or not it is deemed appropriate?)

true..... i think we are making this so much harder for ourselves. There are 6 legal bases. and we might drill down into potential groups but we must resist presupposing answers, unless the law removes the burden on the controller.

haha

Amen.

(laughing at Thomas' joke)

Makes sense, Alan W. Let's start from legal bases and purposes.

legitimate interest is not really a new GDPR thing. There are even court cases about it because of the 95 directive

Each disclosure has a clear logic thread comprising of legitimate interest/group/legal basis/data. We should not waist more time to see how they group or which gets precedence over the other and start working on concrete cases as Thomas does with his example. Then see whether we are comprehensive

@marika it is up to the the controller to set their legal basis for processing - we are talking about 3rd parties who are asking us to do something (disclosure to thme) which is outside of our specific purpose. (hence why Recommendation 1 purpose 2 was such a nightmare, as it is clear that people wanted to make it an 'ICANN purpose' as they knew that the law provides a limitation on disclosure to 3rd persons (balancing test - or legal obligation. Those requesting disclosure must establish their own legal basis - we cannot do it for them. My job is to register domains .... not figure out how the world and its mother can get access to the data i hold for that core purpose!

I agree with Thomas!

Thomas +1

@thomas if the purpose of LE is investigation then for sure it is not 6(1)f I was only saying that if public authorities could demonstrate that the processing is not part of performing your tasks as a public authority

@thomas if the purpose of LE is investigation then for sure it is not 6(1)f I was only saying that if public authorities could demonstrate that the processing is not part of performing their tasks as a public authority then it could be 6(1)f

@Hadia - how can a LEA investigation and associated disclosure requests possibly not the core task?

@Alan - thanks for that response. So do I understand correctly that you are suggesting that the group should be agnostic to which user group invokes which legal basis, but instead focus on what the process and steps are based on the legal basis invoked by the requestor?

Public authorities have their own rules on how they may process data, but ICANN is not a public authority. I don’t see how the status of public authorities has any relevance, if they are 3rd parties.

yes. That's the starting point in my mind

ok, thanks

@Thomas A LEA investigation is for sure a core task I was only thinking if there is another task that is not core and for which they need a disclosure

Agree, Margie and Mark.

+1 Margie re scope.

+1 Margie The purpose of the third parties will determine the legitimate interest and thus the lawful basis

@Hadia, I agree in theory, but cannot think of a real-life scenario in which this would apply.

It is good to start with the purposes of the third parties

slight reminder that i'm in the queue.........

Great points Greg

er? What is within ICANN scope? Non of these legitimate interests are. helping academic researchers etc? ICANN might be able to provide disclsure as a co-controller (I don’t know, have to look at it legally ) but these legitimate interests are not within ICANN scope

+1 Greg - defining these is important to ensure predictability and also to ensure we address the questions in the charter.

this is a global policy

Did you hear the shot? I hope everyone is fine

Oh now it is a global policy :)

Blast was in GVA outside my window

Alan W’s making a lot of sense to me today!!

oh yeah. GVA is the battlefield of bureaucrats

Georgios, can you help with the question / proposal I mentioned?

I have been agreeing with Alan since the past how many meetings? He has been repeating these points all the time.

Unfortunately, I think there is alot of talking past each other going on. :-(

roll on the face to face ... we work better in them! :D

See the EU Comments on the Final Report: For instance,an IPR rightholder might have a legitimate interest to gain access to WHOIS personaldata in order to ensure his/her IP right is protected and not abused. T

I think we need to do our best not to assume motivation. A huge hurdle is getting past what we think the other side is trying to do or thinking... and most of the time we are wrong in our assumptions.

yes ..... under 6(1)f -- do you suggest we ignore the balancing test margie?

+1 Alan G - we need to get to substantive discussion - we have yet to start working on our homework -

+ 1 Ashley

No - we have to look at the legal basis - 61f is just one - per EU letter

Indeed we need to get started

Margie, from the menu in Art 6, we are pretty much stuck with 6 I c and f for this one I am afraid

nope ... not you Mark! lol

@Margie: Your statement regarding IPR protections needs to be qualified by a few things, including the balancing test in 61f, as well as limiting abuse of IPR to the domain name registered. Also, shouldn’t we be referring to Trademarks, not IP?

Thomas - also public interest & consent

no it would not ... you are not the controller in our processing ... you are a requester

@amr - not at all. we must not limit our discussions to only TM.

let's!

Wait….if the Registrar isn’t a party to that contract?

exactly james ... confused separate spheres of processing

“Public Interest” is so vague. Better to be specific on what is being referred to.

@Margie - public interest would require a legal act vesting ICANN / cps with performing a task in the public interest. There does not seem to be any such legal act.

Yeah honestly Mark I am so confused by what you are saying. Registrars have a contract with registrants. You have another contract probably with the same domain name registrant but I don’t think that establishes 6Ib

On opt-in. That is an options we can build, yes.

that's your assumption Thomas - ask Bird & Bird

we should get legal advice on that

@Alex: I’m unaware of any ICANN policy that provides protections to IPRs other than Trademarks (even specific types of TMs). Have I missed anything?

@Margie - let’s do that, yes.

James, that's right - the RR is not subject to the contract under which I am requesting the data on behalf of my customer

which means threat to life - and of course law enforement can... as i have said a number of times now

6(1)(e) is the public interest basis

*enforcement

no-- threat to life is 6(1)(d)- vital interests of the data subject or of another natural person

And Mark - would you produce that contract as part of a disclosure request? I’m not clear how we would guard against those claiming they were serving a contract, but it was confidential...

@amr - I fully understand you (and others) believe only TM in “in scope”. I don’t agree.

+1 Janis.

the existence of you having a contract with the data subject is a) separate to our data processg and b) a pretty good basis for a legitimate interest .......

James - I did mention that challenge in my intervention :) and its the same challenge we have in 61f - what do you know about the requestor and their circumstance

I'm happy if Thomas is available to discuss the approach

I don’t want to dismiss the idea Mark. As you probably know, we activate a LOT of Office365 for our customers (esp. email). But I don’t know how that separate contract would govern a disclosure request.

We'll get more into the substance in due time of course

Need some more work on that.

James and MarkSv, sounds like something the Birdies might be able to help clarify too.

@ Thomas can we also forsee what is under safeguards is considered in codes of conduct as in GDPR art.40?

@Thomas I like your approach and I think i could work

it

@Georgios - I think writing this up properly, i.e. filling it with life might probably be enough.

I also think i would be helpful to map the charter questions to the sections in thomas’s doc. this will ensure we end up with the answers we need at the end of the process.

in other words Janis we don’t agree with all of it :)

@Janis: Great. Thanks.

I thought that Janis was asking for volunteers to work on THIS use case.

Agree with Marc that taking this one all the way through might be a better path forward

In all honesty, and I am sorry to be the antagonist here but I think use cases are the wrong approach. We need to discuss principles of establishing legitimate interest

As I said, I think this is a learning exercise and not one we can use to "boil the ocean"

I am all for learning. I love to learn (new things)

Speaking for myself, I’d like to focus on one use case, at least for a while, until we understand how our work will progress. Alan G raised a concern regarding how to generalize this, which is fair.

Correct, I volunteer.

yeah. Speaking for myself I don’t think working on use case is a starting point.

I'll take as much help as I can get, feel free to DM me.

agreed Chris ... that seems very prudent!

For those wanting to work on use cases, we will post an empty version of the template on the wiki.

@Alan enough to cover all legal basis’s

+1 Alan makes sense

Yes. The idea is to be able to group and broaden them later.

Agree with Amr…I don’t think tackling an unlimited number of use cases right now would be prudent

I just want to record my opinion about this approach: I don’t agree with it. We have been documenting use cases since RDS! We even have a sheetstaff provided. We need to discuss the use cases eliminate or keep them based on the principles of establishing legitimate interest

Yup. The use cases on the RDS PDP proved pretty pointless, and a ton of time was spent on them.

Note that the deadline for input is tomorrow (21 June), so far no input has been received.

For the ISPCP I can say we will need more time to provide input.

Oh tomorrow? Why did I think Monday

IPC my also need more time.

BC may need more time

NCSG too, as usual.

GAC too...

Note that this is intended to be early input - the further the EPDP Team has gone along in its deliberations, the more difficult it may be to review and factor in this input, or it may require going backwards on what was already discussed.

Our issue is getting a draft ok'd by the broader GAC. That takes time and right before an ICANN meeting is very difficult.

Yeah +1 Alan

let's maximize the value of our limited time together

Oh wow. GAC is on top of things … :)

TBQH - you are required to ask for early input. You have done that now so we can tick that off the list. I would prefer not to to provide it at this stage.

Yes, it is a required step as this EPDP is in two phases, but there is no requirement for anyone to provide input if they are of the view that their input has already been provided.

So the requirement is to ask, not for groups to provide :-)

It is very difficult to come up with comprehensive answers at this stage, this is different than the phase 1 triage. To provide full answers now to the charter questions is quite impossible, that means doing all the work now. As work proceeds those answers can be provided. General comments are possible though.

Need to catch a flight, will stay on audio. thanks all and see you in Marrakech.

So next week meeting will be in Morocco?

Correct

Amr +1

Need to drop off. Bye all!

Then I won’t be there yippie. Might appoint an alternate or be the remote participant champion. There is RP right?

+1 Amr

I think we are trying to rush through this, and results suffer.

yeah workstreams and dozens of sheets and use cases

Slowing down doesn’t necessarily mean achieving the outcome late. but we need to focus one one issue at the time.

I think it’s less about adding calls, and more about using our call time more efficiently.

Yes

Agree with James. I'd rather keep the same schedule and focus more on making progress.

+1

@james - agree. Hopefully our decision to get to work on Thomas’ template will allow us to make good progress on real issues.

Thank you all - bye

Safe travels all