Logo

Julie Bisland's Personal Meeting Room - Shared screen with speaker view
Julf Helsingius (NCSG)
48:57
Good <time of day at local location>
Thomas Rickert (ISPCP)
49:24
Hi, I sent an apology, but can make most of the call.
Thomas Rickert (ISPCP)
49:40
I will also be able to speak to the draft proposal I sent.
Hadia Elminiawi (ALAC)
50:17
hello al
Janis Karklins (EPDP Team Chair)
50:20
Noted Thomas
Julf Helsingius (NCSG)
51:43
Out of principle, I don't think the agenda should be longer than 90 minutes. Sure, it might stretch, but we should at least aim for 90 minutes.
Farzaneh Badii (NCSG)
53:21
Julf that ship has sailed. Or putting it another way:we have drowned already.
Julf Helsingius (NCSG)
54:26
Farzaneh: I can still grumble about it...
Farzaneh Badii (NCSG)
59:23
But so many times we have been discussing whether public authority can have access without relying on a national law… we have to wrap this discussion up one way or another.
Ashley Heineman (GAC)
01:00:55
I tend to agree. A user group doesn't assume anything other than they may have a legitimate interest based on their common goals/mission.
Ashley Heineman (GAC)
01:01:31
I think we are often conflating legitimate interest, purpose and user groups as if they are one in the same and they are not.
Brian King (IPC)
01:02:02
Agree, Ashley.
Matt Serlin (RrSG)
01:02:19
Very good point Ashley
Ayden Férdeline
01:02:24
sorry to join late
Ayden Férdeline
01:02:28
And for not muting audio
James Bladel (RrSG)
01:05:27
+1 Ashely. Legitimacy/Purpose isn’t inherited by all members of a user group.
Ashley Heineman (GAC)
01:05:39
Perhaps a doc that lists user groups (with the assumption that we are considering it), with another section for each user group that lists legitimate interest (kind of what this doc is doing), then another field for purpose. So it is all there (unless I'm missing something) and we won't get wrapped around the axle regarding what we are talking about because it will all be on the same page. I know folks won't like listing user groups at the outset, but let's perhaps take it as an informed exercise that can be changed as need be.
Brian King (IPC)
01:06:06
I like how you put that, James.
Ashley Heineman (GAC)
01:07:36
But each user group *could* have similar legitimate interests and purposes, so perhaps listing them as a menu as a first step? Recognizing that they don't automatically apply, but could apply. As it will all be determined per request, correct? And must be substantiated, correct?
Alan Woods (RySG)
01:07:40
so therefore makes more sense to categorise by legal basis - not by group
Ashley Heineman (GAC)
01:08:13
I don't care what order (I don't think), whether it starts with legal basis or group.
Alan Woods (RySG)
01:08:36
(sorry Ashley that was @Hadia)
Ashley Heineman (GAC)
01:08:54
Still a good point for me to consider. :-)
Marika Konings
01:09:41
@Alan W. but who/how to determine whether a certain user group can make use of a certain legal basis? For some it is clearly defined, but for some there was disagreement during phase 1. If I recall well, in phase 1 it was left up to the controller what legal basis to apply, would it be the same here (the third party requestor determines which legal basis they want to use for their request and the controller assess whether or not it is deemed appropriate?)
Alan Woods (RySG)
01:10:40
true..... i think we are making this so much harder for ourselves. There are 6 legal bases. and we might drill down into potential groups but we must resist presupposing answers, unless the law removes the burden on the controller.
Mark Svancarek (BC)
01:10:41
haha
Ashley Heineman (GAC)
01:10:53
Amen.
Mark Svancarek (BC)
01:10:59
(laughing at Thomas' joke)
Brian King (IPC)
01:11:55
Makes sense, Alan W. Let's start from legal bases and purposes.
Farzaneh Badii (NCSG)
01:11:58
legitimate interest is not really a new GDPR thing. There are even court cases about it because of the 95 directive
Georgios Tselentis (GAC)
01:13:50
Each disclosure has a clear logic thread comprising of legitimate interest/group/legal basis/data. We should not waist more time to see how they group or which gets precedence over the other and start working on concrete cases as Thomas does with his example. Then see whether we are comprehensive
Alan Woods (RySG)
01:14:14
@marika it is up to the the controller to set their legal basis for processing - we are talking about 3rd parties who are asking us to do something (disclosure to thme) which is outside of our specific purpose. (hence why Recommendation 1 purpose 2 was such a nightmare, as it is clear that people wanted to make it an 'ICANN purpose' as they knew that the law provides a limitation on disclosure to 3rd persons (balancing test - or legal obligation. Those requesting disclosure must establish their own legal basis - we cannot do it for them. My job is to register domains .... not figure out how the world and its mother can get access to the data i hold for that core purpose!
Farzaneh Badii (NCSG)
01:14:42
I agree with Thomas!
Julf Helsingius (NCSG)
01:14:59
Thomas +1
Hadia Elminiawi (ALAC)
01:16:49
@thomas if the purpose of LE is investigation then for sure it is not 6(1)f I was only saying that if public authorities could demonstrate that the processing is not part of performing your tasks as a public authority
Hadia Elminiawi (ALAC)
01:18:01
@thomas if the purpose of LE is investigation then for sure it is not 6(1)f I was only saying that if public authorities could demonstrate that the processing is not part of performing their tasks as a public authority then it could be 6(1)f
Thomas Rickert (ISPCP)
01:18:19
@Hadia - how can a LEA investigation and associated disclosure requests possibly not the core task?
Marika Konings
01:18:39
@Alan - thanks for that response. So do I understand correctly that you are suggesting that the group should be agnostic to which user group invokes which legal basis, but instead focus on what the process and steps are based on the legal basis invoked by the requestor?
Amr Elsadr (NCSG)
01:19:15
Public authorities have their own rules on how they may process data, but ICANN is not a public authority. I don’t see how the status of public authorities has any relevance, if they are 3rd parties.
Alan Woods (RySG)
01:19:21
yes. That's the starting point in my mind
Marika Konings
01:19:45
ok, thanks
Hadia Elminiawi (ALAC)
01:20:17
@Thomas A LEA investigation is for sure a core task I was only thinking if there is another task that is not core and for which they need a disclosure
Brian King (IPC)
01:23:06
Agree, Margie and Mark.
Alex Deacon (IPC)
01:23:10
+1 Margie re scope.
Hadia Elminiawi (ALAC)
01:23:13
+1 Margie The purpose of the third parties will determine the legitimate interest and thus the lawful basis
Thomas Rickert (ISPCP)
01:23:29
@Hadia, I agree in theory, but cannot think of a real-life scenario in which this would apply.
Hadia Elminiawi (ALAC)
01:23:30
It is good to start with the purposes of the third parties
Alan Woods (RySG)
01:23:50
slight reminder that i'm in the queue.........
Ashley Heineman (GAC)
01:25:07
Great points Greg
Farzaneh Badii (NCSG)
01:25:27
er? What is within ICANN scope? Non of these legitimate interests are. helping academic researchers etc? ICANN might be able to provide disclsure as a co-controller (I don’t know, have to look at it legally ) but these legitimate interests are not within ICANN scope
Alex Deacon (IPC)
01:26:07
+1 Greg - defining these is important to ensure predictability and also to ensure we address the questions in the charter.
Margie Milam (BC)
01:26:54
this is a global policy
Thomas Rickert (ISPCP)
01:27:10
Did you hear the shot? I hope everyone is fine
Farzaneh Badii (NCSG)
01:27:12
Oh now it is a global policy :)
Janis Karklins (EPDP Team Chair)
01:27:32
Blast was in GVA outside my window
Amr Elsadr (NCSG)
01:28:06
Alan W’s making a lot of sense to me today!!
Farzaneh Badii (NCSG)
01:28:07
oh yeah. GVA is the battlefield of bureaucrats
Thomas Rickert (ISPCP)
01:28:36
Georgios, can you help with the question / proposal I mentioned?
Farzaneh Badii (NCSG)
01:28:49
I have been agreeing with Alan since the past how many meetings? He has been repeating these points all the time.
Ashley Heineman (GAC)
01:30:01
Unfortunately, I think there is alot of talking past each other going on. :-(
Alan Woods (RySG)
01:30:18
roll on the face to face ... we work better in them! :D
Margie Milam (BC)
01:30:36
See the EU Comments on the Final Report: For instance,an IPR rightholder might have a legitimate interest to gain access to WHOIS personaldata in order to ensure his/her IP right is protected and not abused. T
Ashley Heineman (GAC)
01:31:13
I think we need to do our best not to assume motivation. A huge hurdle is getting past what we think the other side is trying to do or thinking... and most of the time we are wrong in our assumptions.
Alan Woods (RySG)
01:31:15
yes ..... under 6(1)f -- do you suggest we ignore the balancing test margie?
Alex Deacon (IPC)
01:31:24
+1 Alan G - we need to get to substantive discussion - we have yet to start working on our homework -
Hadia Elminiawi (ALAC)
01:31:47
+ 1 Ashley
Margie Milam (BC)
01:32:05
No - we have to look at the legal basis - 61f is just one - per EU letter
Hadia Elminiawi (ALAC)
01:32:40
Indeed we need to get started
Thomas Rickert (ISPCP)
01:32:59
Margie, from the menu in Art 6, we are pretty much stuck with 6 I c and f for this one I am afraid
Alan Woods (RySG)
01:33:18
nope ... not you Mark! lol
Amr Elsadr (NCSG)
01:33:27
@Margie: Your statement regarding IPR protections needs to be qualified by a few things, including the balancing test in 61f, as well as limiting abuse of IPR to the domain name registered. Also, shouldn’t we be referring to Trademarks, not IP?
Margie Milam (BC)
01:33:57
Thomas - also public interest & consent
Alan Woods (RySG)
01:34:09
no it would not ... you are not the controller in our processing ... you are a requester
Alex Deacon (IPC)
01:34:29
@amr - not at all. we must not limit our discussions to only TM.
Alan Woods (RySG)
01:34:38
let's!
James Bladel (RrSG)
01:34:40
Wait….if the Registrar isn’t a party to that contract?
Alan Woods (RySG)
01:34:59
exactly james ... confused separate spheres of processing
Amr Elsadr (NCSG)
01:35:02
“Public Interest” is so vague. Better to be specific on what is being referred to.
Thomas Rickert (ISPCP)
01:35:34
@Margie - public interest would require a legal act vesting ICANN / cps with performing a task in the public interest. There does not seem to be any such legal act.
Farzaneh Badii (NCSG)
01:35:50
Yeah honestly Mark I am so confused by what you are saying. Registrars have a contract with registrants. You have another contract probably with the same domain name registrant but I don’t think that establishes 6Ib
Thomas Rickert (ISPCP)
01:35:56
On opt-in. That is an options we can build, yes.
Margie Milam (BC)
01:35:58
that's your assumption Thomas - ask Bird & Bird
Margie Milam (BC)
01:36:09
we should get legal advice on that
Amr Elsadr (NCSG)
01:36:15
@Alex: I’m unaware of any ICANN policy that provides protections to IPRs other than Trademarks (even specific types of TMs). Have I missed anything?
Thomas Rickert (ISPCP)
01:36:22
@Margie - let’s do that, yes.
Mark Svancarek (BC)
01:36:24
James, that's right - the RR is not subject to the contract under which I am requesting the data on behalf of my customer
Alan Woods (RySG)
01:36:25
which means threat to life - and of course law enforement can... as i have said a number of times now
Margie Milam (BC)
01:36:39
6(1)(e) is the public interest basis
Alan Woods (RySG)
01:36:39
*enforcement
Margie Milam (BC)
01:37:13
no-- threat to life is 6(1)(d)- vital interests of the data subject or of another natural person
James Bladel (RrSG)
01:37:24
And Mark - would you produce that contract as part of a disclosure request? I’m not clear how we would guard against those claiming they were serving a contract, but it was confidential...
Alex Deacon (IPC)
01:37:57
@amr - I fully understand you (and others) believe only TM in “in scope”. I don’t agree.
Alan Greenberg (ALAC)
01:37:58
+1 Janis.
Alan Woods (RySG)
01:38:15
the existence of you having a contract with the data subject is a) separate to our data processg and b) a pretty good basis for a legitimate interest .......
Mark Svancarek (BC)
01:39:11
James - I did mention that challenge in my intervention :) and its the same challenge we have in 61f - what do you know about the requestor and their circumstance
Brian King (IPC)
01:39:43
I'm happy if Thomas is available to discuss the approach
James Bladel (RrSG)
01:39:54
I don’t want to dismiss the idea Mark. As you probably know, we activate a LOT of Office365 for our customers (esp. email). But I don’t know how that separate contract would govern a disclosure request.
Brian King (IPC)
01:40:00
We'll get more into the substance in due time of course
James Bladel (RrSG)
01:40:02
Need some more work on that.
Brian King (IPC)
01:40:34
James and MarkSv, sounds like something the Birdies might be able to help clarify too.
Georgios Tselentis (GAC)
01:50:58
@ Thomas can we also forsee what is under safeguards is considered in codes of conduct as in GDPR art.40?
Hadia Elminiawi (ALAC)
01:54:23
@Thomas I like your approach and I think i could work
Hadia Elminiawi (ALAC)
01:54:29
it
Thomas Rickert (ISPCP)
01:54:55
@Georgios - I think writing this up properly, i.e. filling it with life might probably be enough.
Alex Deacon (IPC)
02:02:01
I also think i would be helpful to map the charter questions to the sections in thomas’s doc. this will ensure we end up with the answers we need at the end of the process.
Farzaneh Badii (NCSG)
02:06:47
in other words Janis we don’t agree with all of it :)
Amr Elsadr (NCSG)
02:06:50
@Janis: Great. Thanks.
Alan Greenberg (ALAC)
02:08:32
I thought that Janis was asking for volunteers to work on THIS use case.
Matt Serlin (RrSG)
02:08:38
Agree with Marc that taking this one all the way through might be a better path forward
Farzaneh Badii (NCSG)
02:08:48
In all honesty, and I am sorry to be the antagonist here but I think use cases are the wrong approach. We need to discuss principles of establishing legitimate interest
Alan Greenberg (ALAC)
02:09:05
As I said, I think this is a learning exercise and not one we can use to "boil the ocean"
Farzaneh Badii (NCSG)
02:10:06
I am all for learning. I love to learn (new things)
Amr Elsadr (NCSG)
02:10:25
Speaking for myself, I’d like to focus on one use case, at least for a while, until we understand how our work will progress. Alan G raised a concern regarding how to generalize this, which is fair.
Brian King (IPC)
02:11:24
Correct, I volunteer.
Farzaneh Badii (NCSG)
02:11:43
yeah. Speaking for myself I don’t think working on use case is a starting point.
Brian King (IPC)
02:11:45
I'll take as much help as I can get, feel free to DM me.
Alan Woods (RySG)
02:12:27
agreed Chris ... that seems very prudent!
Marika Konings
02:12:37
For those wanting to work on use cases, we will post an empty version of the template on the wiki.
Chris Lewis-Evans (GAC)
02:13:12
@Alan enough to cover all legal basis’s
Hadia Elminiawi (ALAC)
02:13:20
+1 Alan makes sense
Thomas Rickert (ISPCP)
02:14:07
Yes. The idea is to be able to group and broaden them later.
Matt Serlin (RrSG)
02:14:42
Agree with Amr…I don’t think tackling an unlimited number of use cases right now would be prudent
Farzaneh Badii (NCSG)
02:16:43
I just want to record my opinion about this approach: I don’t agree with it. We have been documenting use cases since RDS! We even have a sheetstaff provided. We need to discuss the use cases eliminate or keep them based on the principles of establishing legitimate interest
Amr Elsadr (NCSG)
02:18:20
Yup. The use cases on the RDS PDP proved pretty pointless, and a ton of time was spent on them.
Marika Konings
02:19:33
Note that the deadline for input is tomorrow (21 June), so far no input has been received.
Thomas Rickert (ISPCP)
02:19:48
For the ISPCP I can say we will need more time to provide input.
Farzaneh Badii (NCSG)
02:19:50
Oh tomorrow? Why did I think Monday
Alex Deacon (IPC)
02:20:31
IPC my also need more time.
Margie Milam (BC)
02:22:39
BC may need more time
Amr Elsadr (NCSG)
02:22:54
NCSG too, as usual.
Ashley Heineman (GAC)
02:22:54
GAC too...
Marika Konings
02:24:15
Note that this is intended to be early input - the further the EPDP Team has gone along in its deliberations, the more difficult it may be to review and factor in this input, or it may require going backwards on what was already discussed.
Ashley Heineman (GAC)
02:24:47
Our issue is getting a draft ok'd by the broader GAC. That takes time and right before an ICANN meeting is very difficult.
Brian King (IPC)
02:25:33
Yeah +1 Alan
Brian King (IPC)
02:26:08
let's maximize the value of our limited time together
Farzaneh Badii (NCSG)
02:27:16
Oh wow. GAC is on top of things … :)
Thomas Rickert (ISPCP)
02:28:44
TBQH - you are required to ask for early input. You have done that now so we can tick that off the list. I would prefer not to to provide it at this stage.
Marika Konings
02:29:09
Yes, it is a required step as this EPDP is in two phases, but there is no requirement for anyone to provide input if they are of the view that their input has already been provided.
Marika Konings
02:29:17
So the requirement is to ask, not for groups to provide :-)
Hadia Elminiawi (ALAC)
02:29:24
It is very difficult to come up with comprehensive answers at this stage, this is different than the phase 1 triage. To provide full answers now to the charter questions is quite impossible, that means doing all the work now. As work proceeds those answers can be provided. General comments are possible though.
Chris Lewis-Evans (GAC)
02:34:56
Need to catch a flight, will stay on audio. thanks all and see you in Marrakech.
Farzaneh Badii (NCSG)
02:36:02
So next week meeting will be in Morocco?
Marika Konings
02:36:29
Correct
Julf Helsingius (NCSG)
02:36:29
Amr +1
Thomas Rickert (ISPCP)
02:36:37
Need to drop off. Bye all!
Farzaneh Badii (NCSG)
02:37:10
Then I won’t be there yippie. Might appoint an alternate or be the remote participant champion. There is RP right?
Alan Woods (RySG)
02:37:11
+1 Amr
Julf Helsingius (NCSG)
02:37:12
I think we are trying to rush through this, and results suffer.
Farzaneh Badii (NCSG)
02:38:16
yeah workstreams and dozens of sheets and use cases
Farzaneh Badii (NCSG)
02:39:41
Slowing down doesn’t necessarily mean achieving the outcome late. but we need to focus one one issue at the time.
James Bladel (RrSG)
02:40:04
I think it’s less about adding calls, and more about using our call time more efficiently.
Farzaneh Badii (NCSG)
02:40:09
Yes
Ashley Heineman (GAC)
02:42:12
Agree with James. I'd rather keep the same schedule and focus more on making progress.
Brian King (IPC)
02:42:26
+1
Alex Deacon (IPC)
02:43:07
@james - agree. Hopefully our decision to get to work on Thomas’ template will allow us to make good progress on real issues.
Hadia Elminiawi (ALAC)
02:43:24
Thank you all - bye
Matt Serlin (RrSG)
02:43:24
Safe travels all