Logo

Julie Bisland's Personal Meeting Room
Ayden Férdeline (NCSG)
31:06
Hello all
Chris Disspain
31:55
Greetings all…Here for only 1 hour today as there is a board call thereafter
Julf Helsingius (NCSG)
34:57
Was this text shared over email? very hard to see on a small screen
Marc Anderson (Verisign / RySG)
36:00
@Julf - yes, Caitlyn sent it attached to the agenda for today's call
Julf Helsingius (NCSG)
36:34
@Marc Ah! Thanks!
Terri Agnew
37:12
Also located on the agenda wiki page: https://community.icann.org/x/VYEzBw
Julf Helsingius (NCSG)
38:18
Thanks, Terri!
Margie Milam (BC)
39:20
From ICO: ‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
Becky Burr (ICANN Board Liaison)
39:45
How do you find out the registrant name to begin with Milton?
Milton Mueller (NCSG)
40:10
you don’t need the name, you can search for anyhing
Milton Mueller (NCSG)
40:24
domain, email address, etc.
Volker Greimann (RrSG)
40:26
I can live with the change proposed by Margie
Milton Mueller (NCSG)
40:45
agree to change invasive to intrusive
Franck Journoud (IPC)
41:08
+1 margie
Matt Serlin (RrSG)
41:13
Intrusive seems fine
stephanieperrin
42:09
With all due respect to my colleague Milton, we should not be encouraging access to data mining sites, exactly as Laureen says.
Milton Mueller (NCSG)
42:10
hey, when did we care about the legality? oops, never mind
Margie Milam (BC)
42:28
+1 Laureen
Margie Milam (BC)
42:45
yes
Margie Milam (BC)
42:55
that's what I was proposing
Milton Mueller (NCSG)
43:05
What I am saying, Stephanie, is that we needn’t set up a new system of data mining
Milton Mueller (NCSG)
44:33
What is a “reasonable” means?
Milton Mueller (NCSG)
48:28
“authorizer shall identify less intrusive means"
Thomas Rickert (ISPCP)
48:38
I am puzzled with the „less intrusive means“ concept
Milton Mueller (NCSG)
48:52
I just did that, see above
Franck Journoud (IPC)
48:54
+1 Berry! ;-)
Thomas Rickert (ISPCP)
48:54
If data can be lawfully disclosed, that is all we need.
Thomas Rickert (ISPCP)
49:13
It seems like we are adding an extra layer of complexity creating uncertainty
Thomas Rickert (ISPCP)
50:38
Feasibility is not the question. Compliance with applicable laws is, though.
Stephanie Perrin (NCSG)
50:55
+100 Thomas
Thomas Rickert (ISPCP)
51:30
I hope we will not spend resources on such a study
Alan Woods (RYSG)
52:16
NOTE: my hand is in relation to the previous one as well … so I'm happy to wait until after the discussion on Geographical.
Caitlin Tubergen
52:23
Please note the Board scorecard on the EPDP Phase 1 Final Report provides: In adopting this Recommendation, the Board notes its understanding that there wasdivergence in the EPDP about the value of a study to inform the policy, and that requestsfor such a study have been presented to the Board. The Board directs the CEO and org todiscuss with the EPDP Phase 2 Team the merits of a study to examine the feasibility andpublic interest implications of distinguishing between registrants on a geographic basisbased on the application of GDPR. Further action should be guided by the conversationswithin the EPDP Phase 2 Team.
Laureen Kapin (GAC)
52:24
Here is the proposed language: If the authorization provider does not approve the request based on " another reasonable and less intrusive way to achieve the same result" then the Authorization Provider must identify the less intrusive way to obtain the data to the requester.
Julf Helsingius (NCSG)
52:29
+1 Thomas and Milton
Stephanie Perrin (NCSG)
52:31
echoing Thomas. Furthermore, there are a myriad of laws out there, most of which are in the process of being updated to meet the GDPR standard. Total waste of money which we need for legal advice
Stephanie Perrin (NCSG)
54:05
+1 James
Thomas Rickert (ISPCP)
54:12
@Caitlin - I know the Board direction. It was not a good idea at the time and continues to be a bad idea :-)
Matt Serlin (RrSG)
54:40
+1 James…again GDPR was what drove this policy work but the end result should be uniformly applied
Volker Greimann (RrSG)
55:07
With Alan here: Re-opening legal vs. natural is not necessary. it is settled
Alan Woods (RYSG)
55:41
(who's talking about legal v natural ?)
Stephanie Perrin (NCSG)
55:45
hairsplitting is a dandy word to describe any such differentiation.
Thomas Rickert (ISPCP)
56:06
Balancing test is only for Art 6 I f.
Chris Lewis-Evans (GAC)
56:56
+1 Thomas bullet one captures this well
Thomas Rickert (ISPCP)
57:12
Why not just state that the authorization provider should check the legal basis for disclosure, which then - as a subset - would include the balancing test if disclosure shall be made based on Art. 6 I f
Alan Greenberg (ALAC)
58:03
@Thomas, I am fine with that.
Matt Serlin (RrSG)
58:11
I don’t think we should refer too much to GDPR specific clauses but keep it more general if possible
James Bladel (RrSG)
59:20
Agree with Margie, we should preserve Registrar discretion without obligation
Caitlin Tubergen
00:59:20
Please note the Board scorecard on the EPDP Phase 1 Final Report provides: In adopting this Recommendation, the Board notes its understanding that there was
divergence in the EPDP about the value of a study to inform the policy, and that requests
for such a study have been presented to the Board. The Board directs the CEO and org to
discuss with the EPDP Phase 2 Team the merits of a study to examine the feasibility and
public interest implications of distinguishing between registrants on a geographic basis
based on the application of GDPR. Further action should be guided by the conversations
within the EPDP Phase 2 Team.
Hadia Elminiawi (ALAC)
59:28
You need to look at the whole Internet ecosystem, different classes already exist. It won't do any good to the Internet ecosystem if you decide to not differentiate with regard to data privacy in relation to one set of people (in our case the registrants) and still have different classes among the other Internet elements like end users.
Alan Woods (RYSG)
01:00:21
discuss the merits … therefore setting a base policy that renders such a study moot - and indeed creates a non-gdpr specific standard - seems prudent
Volker Greimann (RrSG)
01:00:25
sorry, not able to parse the above
Milton Mueller (NCSG)
01:01:44
as noted, there was divergence in support for a study, there is no consensus on it
Volker Greimann (RrSG)
01:02:48
I just don't want to be fined ten million EUR. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=2ahUKEwiH1tCNpqvmAhXI2aQKHYcyB4cQFjAAegQIARAB&url=https%3A%2F%2Fwww.telecompaper.com%2Fnews%2Fgerman-bfdi-fines-1and1-eur-955-mln-for-gdpr-infringement--1319213&usg=AOvVaw25AYfuA71X-0195FQFw4mS
James Bladel (RrSG)
01:03:02
Can’t hear Mark
Chris Lewis-Evans (GAC)
01:03:04
very quiet
Terri Agnew
01:03:05
@Mark, can you speak a little closer to mic?
Marc Anderson (Verisign / RySG)
01:03:14
very hard to hear Mark Sv
Hadia Elminiawi (ALAC)
01:03:17
I could not hear
Volker Greimann (RrSG)
01:03:18
hello? is someoone talking?
Mark Svancarek (BC) (marksv)
01:04:02
the real question: is anyone listening? ;-)
Chris Lewis-Evans (GAC)
01:04:15
to you always :P
Mark Svancarek (BC) (marksv)
01:07:11
Not applicable if a different basis is being used
Thomas Rickert (ISPCP)
01:08:05
We should only make reference to a legal basis that needs to be applicable. In some cases that might invoke a balancing test (Art 6 I f), in some not (rest of Art 6 I), but the authorization provider should not determine the applicability of Art 6 as such
Chris Lewis-Evans (GAC)
01:08:08
+1 Mark SV
Milton Mueller (NCSG)
01:08:11
right
Thomas Rickert (ISPCP)
01:08:45
And to Matt: We can certainly camouflage the Articles in more general language without citing GDPR
Milton Mueller (NCSG)
01:09:08
ok we can specify that more precisely. Please say that more explicitly
Alan Woods (RYSG)
01:10:31
YEs. It's unfortunately suggests that the balancing test - which is GDPR specific will only apply wher GDPR applies - we need to ensure that as a baseline - the SSAD will apply "A" a balancing test - akin to the GDPR test - where the claimed basis for disclosure is 'legitimate interest of a third party"
Thomas Rickert (ISPCP)
01:10:37
The current text reads like the authorization provider makes a determination whether Art 6 is applicable (maybe unintentionally). Therefore, we should make clear that a legal basis must be present for disclosure (Art 6 I) That includes a balancing test where disclosure is based on Art 6 I f)
Alan Woods (RYSG)
01:11:00
(dropping a few vowels - apparently .. but you get the gist lol)
Thomas Rickert (ISPCP)
01:12:34
Right, Georgios“!
Volker Greimann (RrSG)
01:14:41
Chris +1
Hadia Elminiawi (ALAC)
01:17:28
+1 Georgios
Margie Milam (BC)
01:17:30
+1 Georgios
Laureen Kapin (GAC)
01:17:54
Agree w/Georgios
Hadia Elminiawi (ALAC)
01:18:01
Do we need to get in the details of the process?
Becky Burr (ICANN Board Liaison)
01:19:15
@Stephanie, fwiw, I think the market distortion is that it would favor registries and registrars in countries that have passed data protection legislation to prohibits publication. The degree of privacy you get depends on the registrar you select.
Hadia Elminiawi (ALAC)
01:19:16
the lawful basis will determine the following process , why do we need to get into the details of the following process ? I think we don't
Stephanie Perrin (NCSG)
01:19:38
It is perfectly normal to state that a given privacy policy conforms to a certain law, in this case the GDPR, regardless of jurisdictions of the various parties. This should be in our preamble, with provisions that acknowledge that different jurisdictions may have national laws that have different legal language to achieve the same operations.
Franck Journoud (IPC)
01:20:00
+1 Giorgios
Georgios Tselentis (GAC)
01:20:05
The fact that the requestor provided a legitimate interest at 5 does not mean that this should not be examined by the authorising entity
Franck Journoud (IPC)
01:20:09
Sorry, Georgios.
Stephanie Perrin (NCSG)
01:20:53
This is what I meant by my intervention. If we use that language of GDPR, it should not trigger a requirement to interrogate the jurisdiction as to whether it applies….our policy will SAY that it applies
Stephanie Perrin (NCSG)
01:21:36
Absolutely agree with Alan
Matt Serlin (RrSG)
01:22:03
That would be my understanding Alan
Milton Mueller (NCSG)
01:22:17
agree with Alan
Alan Woods (RYSG)
01:22:57
I tpotally agree... but I think the team needs to be all on the same page as that is the understanding!
Alan Woods (RYSG)
01:23:11
Sorry to be pedantic .. but we need clarity.
Alan Greenberg (ALAC)
01:24:05
"balancing test (or comparable)"
Alan Woods (RYSG)
01:25:38
So to be clear Margie . is your position that Registrants should be treated differently and we should not be making the consensus policy as agnostic to specific laws as possible.
Milton Mueller (NCSG)
01:26:08
Yes, Janis. You are right
Stephanie Perrin (NCSG)
01:26:18
+1 Janis
Franck Journoud (IPC)
01:26:34
+1 @Margie
Margie Milam (BC)
01:26:43
we have registrars that make geographic distinctions right now under the Temp Spec
Stephanie Perrin (NCSG)
01:27:35
we are trying to build a common access engine, correct? If so, we have to have a harmonized policy or it won’t work, technically or from a cost perspective.
Stephanie Perrin (NCSG)
01:27:57
This is ground hog day people, how can we break out of it?
Milton Mueller (NCSG)
01:28:07
we aim to fix that problem. Margie
James Bladel (RrSG)
01:28:14
@Margie - correct. But that’s changing…(we’re one ofhtem)
Alan Woods (RYSG)
01:28:15
and that doesn't answer my question Margie.
Chris Lewis-Evans (GAC)
01:29:29
similar to the requirements under GDPR's
Becky Burr (ICANN Board Liaison)
01:29:38
Apologies, I need to drop now.
Milton Mueller (NCSG)
01:29:43
Chris’s wording is better
Hadia Elminiawi (ALAC)
01:29:57
+1 chris
Margie Milam (BC)
01:32:18
GDPR is one law - there are others that impact this where the balance might affect the way the data is presented
Chris Lewis-Evans (GAC)
01:33:11
keep 61f
Alan Woods (RYSG)
01:34:11
So, Margie , where a law doesn't protect a registrant, do you therefore think, as a base Internet policy, they are not deserving of a minimum level of protection , such as tp bring them in line with other data subjects who enjoy data rights?
Matthew Crossman (RySG)
01:34:39
can we just say personal data with the bracketed explanation rather than personal registration data?
Margie Milam (BC)
01:34:46
@Alan- ECommerce Directive & things like that might say the registrant needs to be public if you are engaging in commerce
James Bladel (RrSG)
01:34:49
Dan is in the Q.
Alan Woods (RYSG)
01:35:46
I'm talking about the base protection - what you point out is an exception the data rights - by way of legal due process.
Margie Milam (BC)
01:37:14
GDPR allows for exceptions based on legal requirements and its not tied to legal due process - it just depends on what the law's requirements are
Alan Woods (RYSG)
01:39:14
Yes exceptions are on a case by case basis - the ecommerce directive does not apply in all instances - we should build our system at the high water mark treating all registrants from a baseline that is homogenous - If we try and go your route - and build in potential exceptions to that policy at the baseline - then we are doomed to failure.
Stephanie Perrin (NCSG)
01:40:36
Surely acceptance of the fact that we are working on a common policy is stated in our Charter somewhere? when are we going to stop arguing about this?
Margie Milam (BC)
01:40:58
Ive been talking about a rules engine concept - Steve Crocker is building one in the barbecue proposal he talked to us about a few months ago
Alan Woods (RYSG)
01:41:25
so .. you are saying that you want to treat registrants differently as a baseline?
Stephanie Perrin (NCSG)
01:41:39
Steve’s concept appears to me unaffordable if applied only to registrant data.
Stephanie Perrin (NCSG)
01:41:59
Useful in a data mining application that wishes to comply with law though....
Milton Mueller (NCSG)
01:42:23
+1 from me
Mark Svancarek (BC) (marksv)
01:42:39
green yes-check from me
Mark Svancarek (BC) (marksv)
01:43:23
hmm, good point from Thomas
Thomas Rickert (ISPCP)
01:44:44
If data is on the website, the point of asking the SSAD is to verify whether the data on the website is accurate.
Thomas Rickert (ISPCP)
01:44:49
That is a different thing / purpose
Franck Journoud (IPC)
01:45:23
+1 Thomas
Mark Svancarek (BC) (marksv)
01:45:31
web sites are not domain names
Julf Helsingius (NCSG)
01:45:45
Apologies, but will have to drop off call.
Thomas Rickert (ISPCP)
01:45:48
Correct, Mark
Alan Woods (RYSG)
01:47:28
explanations are fine …. specific data points not so much.
Stephanie Perrin (NCSG)
01:47:45
+1 Mark SV
Thomas Rickert (ISPCP)
01:47:53
+1 Mark
Milton Mueller (NCSG)
01:48:07
both
Franck Journoud (IPC)
01:50:27
By the way: "less intrusive" doesn't mean "you can get this data from someone else" (and not just because that someone else could say the same and point back at SSAD)
Margie Milam (BC)
01:51:45
yes
Alan Woods (RYSG)
01:54:38
I agree Frank - it is not absolute - and it must be read in connection with necessity and indeed appropriateness, ore the availability of more appropriate means too. This is not an easy call for the discloser - this is why its not an easy task for us to make recommendations.
Mark Svancarek (BC) (marksv)
01:58:08
It is a good practice for auditing
Matthew Crossman (RySG)
01:58:39
Alan G - The rest of the language is in the full building block
Margie Milam (BC)
01:58:42
"is expected" is too weak
Margie Milam (BC)
01:58:52
need an affirmative obligation
Matt Serlin (RrSG)
01:59:18
To Mark SV’s point, I don’t see how we could possibly come up with an exhaustive list of reasons for denial
Matt Serlin (RrSG)
01:59:40
which makes the discretion of the disclosing party that much more important
Mark Svancarek (BC) (marksv)
01:59:54
seek arbitration
Marc Anderson (Verisign / RySG)
02:00:00
agree @Matt - I have that same concern
Mark Svancarek (BC) (marksv)
02:00:23
if disclosing party has unrestricted discretion, there is no point in having an enumerated list
Thomas Rickert (ISPCP)
02:00:49
Need to run and will reconnect via mobile device I a few mins.
Jennifer Gore (IPC)
02:02:42
the IPC supports either ‘shall’ or ‘must’
Alan Woods (RYSG)
02:05:06
+1 James and we want to avoid this.
Alan Woods (RYSG)
02:05:34
we should ensure we can work with ICANN, and not against of course!
James Bladel (RrSG)
02:06:27
Agreed Janis, we need to recognize that Compliance isn’t a ‘regulator’ and takes a back seat to real legal authorities.
Volker Greimann (RrSG)
02:07:20
Lesson learned, do not step on rugs ;-)
James Bladel (RrSG)
02:07:45
Certainty is in short supply these days!
Alan Woods (RYSG)
02:09:29
The temp spec was an emergency policy drafted in a matter of days … hardly determinative now.
Mark Svancarek (BC) (marksv)
02:09:51
Margie is exactly right - the balancing test is where the consideration is performed
Alan Woods (RYSG)
02:10:53
And I'm OK with that Alan.
Alan Woods (RYSG)
02:11:07
some language of contingency
Jennifer Gore (IPC)
02:11:14
the temp spec was reviewed throughly by internal and external council and took the GDPR into consideration
Franck Journoud (IPC)
02:11:21
+1 Alan G
Mark Svancarek (BC) (marksv)
02:12:55
James is interpreting as I intended. MAY proposes a balancing test after the balancing test.
Alan Greenberg (ALAC)
02:13:02
The next sentence must be "THe rationale ofr approvalOR REFUSAL MUST be documented"
Hadia Elminiawi (ALAC)
02:13:22
+1 Alan
Franck Journoud (IPC)
02:13:32
+1 Alan G
James Bladel (RrSG)
02:13:49
So long as disclosing entity discretion is preserved in the first sentence, let’s call this a “breakthrough “ and move on
Alan Woods (RYSG)
02:14:04
OK... I'm sold with James' point.
Alan Woods (RYSG)
02:14:21
I hereby stand down! :D
James Bladel (RrSG)
02:15:48
If we’re going to use “SHALL” above, then let’s be consistent and use “SHALL” here too
Margie Milam (BC)
02:16:24
+1 Alan G
Alan Woods (RYSG)
02:17:26
go team!
Berry Cobb
02:21:53
https://docs.google.com/document/d/1eZBzRclRtEXPp1EScDfftnfnv9tneD7ovxmGe84BQz4/edit
Mark Svancarek (BC) (marksv)
02:23:44
Must leave early. Goodbye everyone!
Alan Greenberg (ALAC)
02:23:49
Data subjects get their own data through their registrar, not through SSAD.
Alan Greenberg (ALAC)
02:24:43
Have to leave now as well. Bye all.
Alan Woods (RYSG)
02:26:54
Alan ......... that depends on who the controller is ... sigh ...
Stephanie Perrin (NCSG)
02:28:24
There is a reason why determining the controllership issue always comes first. Then the DPIA.
Stephanie Perrin (NCSG)
02:28:34
Not to be a broken record or anything
Caitlin Tubergen
02:28:46
Response Requirements
Caitlin Tubergen
02:29:09
User groups also (if time allows)
Ayden Férdeline (NCSG)
02:29:34
Thanks all
Hadia Elminiawi (ALAC)
02:29:35
thanks all bye
Chris Lewis-Evans (GAC)
02:29:40
Thanks All