Logo

Julie Bisland's Personal Meeting Room
Julf Helsingius (NCSG)
36:04
Did audio just die?
Julf Helsingius (NCSG)
37:05
I did have an update to my SOI, but nothing significant and I can do that over email
Marc Anderson (Verisign / RySG)
38:44
what day was team dinner?
Marc Anderson (Verisign / RySG)
38:53
thank you
Berry Cobb
38:55
Day 1
Terri Agnew
39:09
Welcome cocktails on day 0 ad team dinner day 1
James Bladel
39:12
What would we do without you, Terri? (Answer, sleep in the parks and eat at McDonalds)
Julf Helsingius (NCSG)
40:55
I guess I missed the info about being done at 2pm on the last day before I OKd the flights. :(
Becky Burr (ICANN Board Liaison)
41:27
Apologies, I need to step away and will provide the legal committee update in chat
Hadia Elminiawi (ALAC)
46:22
Thank you Becky - Caitlin provided a quick update
Volker Greimann (RrSG)
48:31
I hate to say “Told you so” to the response to the strawberry letter, but...
Hadia Elminiawi (ALAC)
50:57
@Amr but this is what we thought from the beginning - we know that roles cannot be designated
Alan Woods (RySG) (Donuts)
51:17
can't actually hear Mark very well- or is it just me
Amr Elsadr (NCSG)
52:13
@Hadia: Yup, but we have (or rather ICANN Org has) confirmation of this now, so makes our job easier provided that ICANN Org acknowledges this.
Brian King (IPC)
52:59
Let's get back to work
Amr Elsadr (NCSG)
53:03
So any form of UAM will not result in relieving responsibilities or liability from any controller or joint-controller.
Thomas Rickert (ISPCP)
53:07
I am suffering from „making the joint controller point“ fatigue. Hopefully we can now move on and just accept it as a fact :-)
Chris Disspain
53:23
Hi All, apologies for being late
Amr Elsadr (NCSG)
53:55
@Thomas: +1. My hope is the letter from the Belgian DPA will help us move along.
Berry Cobb
54:42
https://docs.google.com/document/d/1B2JHP0ue4sAu5u37NtddzmtYs--Q_jg2mfKho-YB81E/edit#
Alan Woods (RySG) (Donuts)
55:15
IN fairness - they actually asked … what is the model 1st...
Milton Mueller (NCSG)
55:32
Margie: short answer - NO
Milton Mueller (NCSG)
56:16
The message is pretty clear: make decisions about how the system works and who does what, then ask whether it is compliant
Amr Elsadr (NCSG)
56:21
Didn’t the EPDP Team already ask to provide input to the letter, which didn’t happen? How many times are we going to ask them the same questions?
Amr Elsadr (NCSG)
56:54
@Milton: +1
Margie Milam (BC)
57:24
Im not talking about asking questions - but merely provide more details on the safeguard based on what we have already agreed on in our building blocks
Amr Elsadr (NCSG)
58:44
OK…, thanks for the clarification Margie. I believe it would be ok to send these once it’s completely finalized. If I’m not mistaken, this was suggested in the response from the Belgian DPA?
Brian King (IPC)
59:14
@Amr, right. The Belgian DPA letter says they're craving detail on the safeguards. Let's give it to them.
Berry Cobb
01:00:19
@Thomas - can you paste into the chat what/who you wanted added?
Matt Serlin (RrSG)
01:00:23
Fwiw I don’t believe we have specified “who gets access to what” as part of our work to date
Hadia Elminiawi (ALAC)
01:00:28
ok then the examples are sufficient
Margie Milam (BC)
01:01:19
+1 Laureen
Matt Serlin (RrSG)
01:01:36
The list indicates “non-exhaustive” so we shouldn’t try and include any group that could be included…
Laureen Kapin (GAC)
01:01:40
consumer protection authorities as well.
Marika Konings
01:01:43
Please do note that this is a non-exhaustive list so it does not mean that something that is not mentioned is not included.
Alan Woods (RySG) (Donuts)
01:02:16
Thank you Marika (also welcome back) - the voice of reason
Marika Konings
01:02:33
:-)
Amr Elsadr (NCSG)
01:02:38
@AlanW: +1. Thanks Marika, and welcome back. :-)
Milton Mueller (NCSG)
01:02:42
That’s way too many categories
Thomas Rickert (ISPCP)
01:02:52
But pleased add Internet Service Providers
Amr Elsadr (NCSG)
01:03:09
I’m not clear why Data Protection Authorities would require disclosure of registrant personal information?
Thomas Rickert (ISPCP)
01:03:09
The entire list will be subject to review, if I understand correctly.
Margie Milam (BC)
01:03:14
+1 Thomas
Brian King (IPC)
01:03:21
Also need to add trademark owners
Matt Serlin (RrSG)
01:03:22
+1 Marc
Milton Mueller (NCSG)
01:03:29
+1 Mark
Brian King (IPC)
01:03:29
Also +1 Marc, not sure what we're doing here
Matt Serlin (RrSG)
01:03:48
The shorter text seems better imo
Brian King (IPC)
01:03:50
Does a charter question ask us to answer this?
Alan Woods (RySG) (Donuts)
01:04:00
+1 Marc
Laureen Kapin (GAC)
01:04:50
I could also agree to the initial proposed language which provides the flexibility to create user groups/categories as appropriate.
Hadia Elminiawi (ALAC)
01:04:52
from a compliance point of you we need to define the users - according to the Belgian DPA letter
Amr Elsadr (NCSG)
01:04:55
@Marc: +1
James Bladel (RrSG)
01:04:59
Agree with Marc, we shouldn’t tie the hands of the accreditation authorities. The original language is future-proof.
Hadia Elminiawi (ALAC)
01:05:26
*point of view
Amr Elsadr (NCSG)
01:06:12
Adding the list creates problems, imo, not solves them. There are some user groups listed there, which likely shouldn’t be there. The flexibility Marc describes in option 1 should work without us needing to debate the specifics in option 2.
stephanieperrin
01:06:38
apologies for being late, first meeting ran over
Alan Woods (RySG) (Donuts)
01:08:02
We need to refocus on making recommendations and not making shopping lists - Hadia - please explain as to why WE must do that and not the actual accreditation or Disclosing body (depending on where It is most useful). Surely this should actual practical review of applications made and not on what we can imagine here!
Brian King (IPC)
01:08:19
Right, Milton. A user can have several purposes. Let's focus on purposes.
Alan Woods (RySG) (Donuts)
01:08:23
*should be based
Franck Journoud (IPC)
01:08:51
Let the record reflect that I agree with Milton! ;-)
Franck Journoud (IPC)
01:09:23
+1 Brian
Hadia Elminiawi (ALAC)
01:10:01
@Alan we don't necessary need to be the people defining this - but at some point someone has to identify who gets access to what
Alan Woods (RySG) (Donuts)
01:10:25
yes … the controller. Completely agree there hadia
Franck Journoud (IPC)
01:11:38
@Hadia: would you agree that it's not so much "who" but "for what purpose"? (of course requestors will be identified/accredited, but their purpose for each request is what matters?)
Hadia Elminiawi (ALAC)
01:13:28
@Frank yes it is the purposes - we are talking about user groups because we have in mind an accreditation system
Alan Greenberg (ALAC)
01:13:58
Groups will aid potential users with where to go for accreditation, and may aid controllers in their decision process. But of course no guarantees regarding access due to groupings.
Margie Milam (BC)
01:14:36
maybe create an implementation note?
Milton Mueller (NCSG)
01:15:15
Where are people getting the idea that if their name is not on the list they won’t have access to the SSAD?
Amr Elsadr (NCSG)
01:15:26
@AlanW: +1
Milton Mueller (NCSG)
01:15:35
If that’s the assumption let’s not name ANYONE and make it clear that anyone has access
James Bladel (RrSG)
01:15:43
Non-exhaustive lists are by nature exclusionary
James Bladel (RrSG)
01:15:53
It will create friction in the accreditation process
Milton Mueller (NCSG)
01:16:22
ALL lists are exclusionary, but a non-exhaustive one is by defin
Margie Milam (BC)
01:16:25
As I said - if the purposes are clear & specific - we are probably ok on less specificity here
Milton Mueller (NCSG)
01:16:41
ition does not exclude things not listed
Franck Journoud (IPC)
01:16:41
+1 Margie
Milton Mueller (NCSG)
01:17:56
Good idea Janis
Amr Elsadr (NCSG)
01:24:55
@James: Interesting idea.
Mark Svancarek (BC) (marksv)
01:25:23
Transparency is good
Amr Elsadr (NCSG)
01:27:41
Not objecting to Franck’s proposal, but don’t see a correlation between eliminating examples of user groups, and working out an agreement on purposes.
Marika Konings
01:28:24
I quickly checked and we do have requirements in relation to logging, but I haven’t found anything yet in relation to public reporting of that kind of information. Staff can make a suggested edit in the Initial Report and highlight that it is an item that the EPDP Team should review further?
Berry Cobb
01:29:33
https://docs.google.com/document/d/1irlBo_oE5WqxTir5URaxlpPWTn17cnjDz72L79gOjOI/edit
Brian King (IPC)
01:33:35
Janis, fine with your suggestion on h)
Amr Elsadr (NCSG)
01:35:18
@Janis: Right.
Milton Mueller (NCSG)
01:36:25
Acceptable
Milton Mueller (NCSG)
01:37:16
Should be “whenever” not “wherever”
Stephanie Perrin (NCSG)
01:37:39
Please speak louder Mark SV
Amr Elsadr (NCSG)
01:38:23
The change in “h” needs to also be made in “h” and “k” under “The entity disclosing the data” on page 4
Mark Svancarek (BC) (marksv)
01:38:30
sorry for mumbling!
Stephanie Perrin (NCSG)
01:38:46
language indicating Charter protected groups should be included. A Court will look at that as well as the GDPR
Chris Lewis-Evans (GAC)
01:38:58
+1 MarkSV
Amr Elsadr (NCSG)
01:39:12
@Berry: thanks.
Alan Woods (RySG) (Donuts)
01:39:15
not always Brian ….. good lord! e.g. prosecution for homosexuality?
Amr Elsadr (NCSG)
01:40:13
Or religious belief or lack thereof.
Alan Woods (RySG) (Donuts)
01:40:21
Amen (ironically)
Amr Elsadr (NCSG)
01:40:25
Many examples.
Brian King (IPC)
01:40:29
@Alan I stumbled on that point for precisely those kinds of cases. You're absolutely right. I tried to revise back to civil litigation e.g. the Rigas case.
Marika Konings
01:40:43
@Stephanie - do you happen to have a citation we could reference in the footnote?
Stephanie Perrin (NCSG)
01:40:50
+1 Alan G, needs to reference law enforcement agencies
Stephanie Perrin (NCSG)
01:41:02
e.g. an investigation by law enforcement agencies
Alan Woods (RySG) (Donuts)
01:41:07
Rigas is an example of where prosecution was considered to be the defining factor NOT to disclose -
Alan Woods (RySG) (Donuts)
01:41:14
the data subject was a minor
Margie Milam (BC)
01:43:02
+1 Laureen
Amr Elsadr (NCSG)
01:43:19
The decision of wether confidentiality will be provided is surely a decision on the part of the Controller, and not something that can be presumed based on a request for confidentiality, right?
Brian King (IPC)
01:43:35
Rigas held that the data must be disclosed because the balancing test came out in favor of the plaintiff's interest in civil litigation, noting that this interest was overriding
Amr Elsadr (NCSG)
01:44:07
@James: +1
Chris Lewis-Evans (GAC)
01:44:37
Cant remember where it was but thought we had agreed language
Alan Woods (RySG) (Donuts)
01:48:16
I think you need to reread Rigas Brian - CJEU ruled the disclosure was not justified.
Marika Konings
01:48:21
The small team did agree on language which was put forward to the EPDP Team but the full discussions ran into issues thinking about the different scenarios of whether a CP or someone else would be receiving the request for confidentiality, hence the placeholder suggestion at the time. But obviously if the group can agree on requirements in relation to this issue, it can be included.
James Bladel (RrSG)
01:50:04
I still think those sorts of requests need to come out of SSAD.
Alan Greenberg (ALAC)
01:51:00
Data subjects are not automatically reported. It is only on a request from data subject as James is saying.
Amr Elsadr (NCSG)
01:51:32
@AlanG: Yes, agree, and the point James raises is a good one.
Berry Cobb
01:51:39
Can those that have spoken ,please lower your hand.
James Bladel (RrSG)
01:52:12
Not sure that will be an acceptable response to a specific request from a data subject.
Brian King (IPC)
01:54:27
Thanks, Matt. It seems to me that RDAP queries to a CP could contain a binary "confidential/not confidential" flag.
Mark Svancarek (BC) (marksv)
01:55:17
lol
Chris Lewis-Evans (GAC)
01:55:35
It's just working with me isn't it james :P
James Bladel (RrSG)
01:56:32
Just like a good Hallmark Original Movie, I’m trying to "Save Christmas.”
Brian King (IPC)
01:57:19
Thanks, Janis. This should be moved
Marika Konings
01:57:32
@Brian - where do you suggest this would move?
Berry Cobb
01:59:53
https://docs.google.com/document/d/1oBd7fOe7RCso-2zAQrm45WILfRHOG7LDr5Oap-gzZTE/edit
Amr Elsadr (NCSG)
02:00:58
I believe the NCSG objected to the last sentence in this paragraph.
Amr Elsadr (NCSG)
02:01:20
The drop-down menu Marika just mentioned.
Brian King (IPC)
02:02:38
@Marika, it should be Section 7 under the Building Block NEW - Authorization Providers
Brian King (IPC)
02:02:55
Bullet: Assessment of Impact
Marika Konings
02:03:16
Thanks, Brian
Brian King (IPC)
02:04:04
@Marika You're welcome! (It's pretty much already there, though less explicitly)
Franck Journoud (IPC)
02:05:36
;-) Alan W
Amr Elsadr (NCSG)
02:07:24
@AlanW: +1
Franck Journoud (IPC)
02:07:58
I don't understand Alan W's point abt profiling
Alan Woods (RySG) (Donuts)
02:09:31
A registrant, not longer gets the benefit of a balancing test, because a serial requester has made many requests relating to similar types of requests - profiling of tha registrant to provide them with diminished data protection rights... ]
Alan Woods (RySG) (Donuts)
02:09:37
*no longer
Franck Journoud (IPC)
02:13:16
profiling in GDPR isn't that I gather data about you to build a profile of you. it is that on the basis of certain criteria I make decisions about a group of individuals who match that critreria. so I don't see the relation between this and what you're talking about
Berry Cobb
02:13:38
@MarkSV - homework item over holiday break is to work on your mic volume, please. It's consistently soft. Clear, but very soft.
Brian King (IPC)
02:13:55
The data subject has a right that their data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Data subjects must be told what the purposes are, and we have to list them.
Milton Mueller (NCSG)
02:13:55
Definition of put the kibosh on. informal. : to stop or end (something) : to prevent (something) from happening or continuing His mother put the kibosh on his smoking habit.
Franck Journoud (IPC)
02:14:23
@Milton: ;-)
Alan Woods (RySG) (Donuts)
02:15:08
so a preset list of 'justifications' as to why I want data relating to "a specific type of registrant" - e.g. their domain name matches my TM …. is not profiling?
Mark Svancarek (BC) (marksv)
02:17:29
Does it say "specific type of registrant"?
Amr Elsadr (NCSG)
02:17:38
If the purposes for disclosure are conflated with the justifications of requestors, then of course it creates profiling of registrants. A registrant will be profiled as someone whose personal information is fair game based on the justification of the requestor, and will apply to similar requests by other requestors.
Alan Woods (RySG) (Donuts)
02:18:24
Margie - your purposes are not our purposes - literally it's been 2 years
Mark Svancarek (BC) (marksv)
02:18:33
I do not see any language about registrants here at all.
Milton Mueller (NCSG)
02:18:40
I object to that. “Cybersecurity” is a meaningless category in isolation
Milton Mueller (NCSG)
02:20:06
I want your data because “cybersecurity” ? No. I want your data disclosed because the following domains were used in a botnet, or a phishing effort, etc.
Amr Elsadr (NCSG)
02:20:32
@Margie: The goal of this group should be the same as the goal of the GDPR or other applicable data protection regulations, which is to grant control to the data subject on how its data is processed.
Matt Serlin (RrSG)
02:21:47
In addition to the discussion of limiting CP liability as Margie pointed out, we have to be careful as to not increase the liability contracted parties would have in any policy we create which could be an unintended consequence
Alan Woods (RySG) (Donuts)
02:22:36
never said it was illegal Margie - I was just pointing out that Bird and Bird have warned against it "It would be difficult for the SSAD, as proposed, to meet the GDPR Art. 22(1)exemptions; the SSAD must therefore be structured so it doesn’t fall into the scopeof Article 22 in the first place."
Margie Milam (BC)
02:23:09
Here's what we proposed: The EPDP recognizes that third parties may submit data disclosure requests for the following specific purposes: (i) criminal law enforcement, national or public security, (ii) non law enforcement investigations and civil claims, including, intellectual property infringement and UDRP and URS claims, (iii) contacting registrants, (iv) consumer protection, abuse prevention, digital service provider (DSP) and network security, or (v) Registered name holder consent or contract.
Milton Mueller (NCSG)
02:23:41
Thanks Alan for making Alan’s point about “profiling” quite salient
Stephanie Perrin (NCSG)
02:23:59
Speaking for myself, we certainly accept that and hopefully it will be automated. However, the policy may not be the place for this kind of requirements.
Stephanie Perrin (NCSG)
02:24:20
If we were drafting a law, we would put that stuff in the regulations.
Alan Woods (RySG) (Donuts)
02:24:24
also … Margie please confirm are you saying that you are pushing for the CPs to accept increase of liability - i.e. more likely to be illegal so that you can obtain data … in a more likely illegal manner. As that seems a little at odds to small things like … due process, transparency - data subject rights.
Hadia Elminiawi (ALAC)
02:24:38
+1 alan
Milton Mueller (NCSG)
02:24:58
Identifying common elements in a REQUEST is not the same as automated disclosure
Amr Elsadr (NCSG)
02:25:13
@AlanG: I think I agree with pretty much everything you said, but don’t see how this justifies a pre-determined list of justifications by requestors, which to me encourages abuse of the SSAD.
Mark Svancarek (BC) (marksv)
02:25:34
Isn't this Building Block concerned with requests?
Milton Mueller (NCSG)
02:25:44
yep
Margie Milam (BC)
02:25:45
I put it in the chat above
Milton Mueller (NCSG)
02:26:13
Ho ho ho
Franck Journoud (IPC)
02:26:44
+1 Brian +1 Margie
Amr Elsadr (NCSG)
02:27:23
Again…, object to the list of purposes proposed by Margie to be available to requestors, and also…, again…, object to even calling them purposes.
Milton Mueller (NCSG)
02:27:30
Alan G does seem to think that, Brian
Margie Milam (BC)
02:28:07
Citing or having a purpose doesn't mean you get automatic disclosure
Alan Woods (RySG) (Donuts)
02:28:40
Again …. 3rd party purpose are not the purposes of the CPH.
Amr Elsadr (NCSG)
02:28:54
We’re happy to discuss purposes of disclosure, which are applicable to the disclosing entity/controllers, not third parties. Also happy to discuss justifications of third parties.
Alan Woods (RySG) (Donuts)
02:28:55
conflation.... small word that keeps coming up.
Brian King (IPC)
02:30:01
No confusion, no conflation: they're third-party purposes.
Margie Milam (BC)
02:30:17
we need a policy listing third party purposes
Hadia Elminiawi (ALAC)
02:30:31
I guess calling the list justifications is fine
Alan Greenberg (ALAC)
02:31:04
Justification label is fine.
Alan Woods (RySG) (Donuts)
02:31:45
agreed Margie … for you it's Facebook Privacy Policy - Mark . Microsoft - Microsoft Privacy Policy - i.e. you - a 3rd party's … purposes
Amr Elsadr (NCSG)
02:32:18
Aren’t there some comments we haven’t addressed on this building block? If we suspend discussion, that’s just for today, correct?
Margie Milam (BC)
02:32:26
it needs to be part of this ICANN policy - not the requestors
Alan Woods (RySG) (Donuts)
02:32:36
and we have conflation again
Milton Mueller (NCSG)
02:32:51
bingo
Brian King (IPC)
02:34:28
was his name-o
Matt Serlin (RrSG)
02:34:52
Quite the compelling gift there @Marika :)
Margie Milam (BC)
02:34:52
have a wonderful holiday everyone!
Thomas Rickert (ISPCP)
02:35:03
Happy holidays all!
Brian King (IPC)
02:35:08
best holiday wishes, all
Milton Mueller (NCSG)
02:35:09
Thanks, Marika, I’ll go with the lump of coal
Marc Anderson (Verisign / RySG)
02:35:10
Happy holidays all!
Stephanie Perrin (NCSG)
02:35:11
happy holidays everyone! So glad we are not trying to push this out before Christmas….
Matt Serlin (RrSG)
02:35:11
happy holidays everyone!
Julf Helsingius (NCSG)
02:35:11
Happy holidays!
Alan Woods (RySG) (Donuts)
02:35:20
Have a good one all! :)
Chris Lewis-Evans (GAC)
02:35:25
Have a good break everyone and thanks
Milton Mueller (NCSG)
02:35:26
Happy winter soltice
Laureen Kapin (GAC)
02:35:30
Happy holidays!
Amr Elsadr (NCSG)
02:35:33
Happy holidays everyone. Thanks and Bye.