2018-11-13 EPDP Team call #25

Notes/ Action Items

Action item #1: Staff to circulate clean version of the most recent draft Initial Report to the EPDP Team (Completed)

Action item #2: EPDP Team to consider whether this change (referring to personal information of natural vs. legal person instead of natural vs. legal) would be appropriate / necessary and provide feedback ahead of Thursday's meeting. Amr to propose language for Initial Report.

Action item #3: GAC Team to clarify/confirm their edit to the natural vs. legal document

Action item #4: Margie to provide language that describes the organizations supporting not redacting the “organization”  field. Benedict to provide language to explain systemic risk of not publishing organization field. 

Action item #5: Staff to update language to reflect that BC/IPC/ALAC do not support preliminary recommendation #3.

Action item #6: EPDP Team members to ask questions or make comments (within 24 hours) in relation to the documentation that Thomas provided in relation to roles and responsibilities in processing data and, in particular, the characterization of ICANN and contracted parties as joint processors.

Action item #7: Thomas to provide proposed language for inclusion in the Initial Report in relation to roles & responsibilities in time for Thursday's meeting factoring in EPDP Team’s discussion.  (The team will then weigh how to include this language in the Initial Report given the upcoming release of an ICANN memorandum on this topic,)

Action item #8: Staff to put out doodle poll to determine whether to schedule an additional meeting for either Wednesday or Friday, or extend the meeting time for Thursday. (Completed – please see https://doodle.com/poll/ytt3fuivqbyfvspi [doodle.com]) 

Questions for ICANN Org from the EPDP Team:

What is the rationale for not redacting organization field in the Temporary Specification?

When will the ICANN be released memorandum concerning the  roles and responsibilities in processing data. The EPDP team encourages ICANN to issue the memo within 48 hours so its position can be referenced in the Initial Report.

Notes & Action items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/uQXVBQ

Proposed Agenda:

1. Roll Call & SOI Updates (5 minutes)

• Attendance will be taken from Adobe Connect
• Please remember to mute your microphones when not speaking, and state your name before speaking for transcription purposes.
• Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

2. Welcome and Updates from EPDP Team Chair (5 minutes)

a. Initial Report finalization status, incl. items remaining to be addressed and schedule for the week ahead

See latest version circulated yesterday for the EPDP to see the latest status of the Initial Report:  https://drive.google.com/file/d/1F_fQ5bEHAS543TdLOmDKxXpcJFF1qQy_/view

Includes updates reflecting recent EPDP Team work as well as input provided by EPDP Team (minor updates)

See also integrated data element workbooks that have been circulated.

Action item #1: Staff to circulate clean version of draft Initial Report to the EPDP Team

b. Confirm status and next steps in relation to natural vs. legal and geographic status

• See latest version https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000832.html
• Personal information of natural vs. legal person - considering updating this reference accordingly, instead of referring to natural vs. legal. Would that bring it more in line with EDPB advice and GDPR and make it more specific what this concerns?

Action item #2: EPDP Team to consider whether this change (referring to personal information of natural vs. legal person instead of natural vs. legal) would be appropriate / necessary and provide feedback ahead of Thursday's meeting.

Action item #3: GAC Team to clarify/confirm their edit to the natural vs. legal document

c. Review of outstanding action items

• See https://community.icann.org/x/NwSNBQ
• Note ongoing work and documents that have been circulated for review.

d. Other updates, if applicable

• Some time to be added to the agenda to discuss small group discussion that took place yesterday in relation to roles / responsibilities. See email that Thomas sent to the mailing list.

3. Data Redaction (see attached)

Objective of discussion:

1. Confirm language for inclusion in the Initial Report in relation to data redaction as well as email communication

a. Review latest version of language for inclusion in relation to data redaction

b. Consider charter questions:

2. Should standardized requirements on registrant contact mechanism be developed?

3. Under what circumstances should third parties be permitted to contact the registrant, and how should contact be facilitated in those circumstances?

And related draft recommendation:

In relation to facilitating email communication between third parties and the registrant, the EPDP Team recommends that [current requirements in the Temporary Specification that specify that a Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself, remain in place. [[[Other to be decided]]].

c. Confirm next steps, if any

• See latest version circulated to the mailing list together with the agenda
• Proposed edits from GAC: 'as they COULD contain personally identifiable information' (add 'could' to that sentence).
• Postal code was discussed, but not further recommended to be non-redacted. 
• Add to first 'add others as appropriate': ISPCP, RySG
• Need to distinguish between legal impact of personal data vs. PII. Personal data of an identifiable person may be the correct terminology. If it is referring to the legality, it should refer to personal data, although in this context it can refer to personal identifiable data. PII is American term, personal data is the European term. 
• A lot of data in the org field is identical to the registrant field. So if we redact the registrant field, how can we not redact the org field?
• Not only consider risk of contracted parties, but also consider risk of redacting this information and systemic risk to the system this may created. Consider adding this to the report. Do note that data is captures, just not published.
• Why do some propose to treat companies the same way as natural persons? Need to factor in that in certain circumstances, for example small businesses, this information could identify natural persons.
• Need to make clear in the second bullet point that there are also those that support having this information published.
• Protected organizations such as religious institutions, transgender groups, etc. could be put at risk by publishing this information.
• Web form is not sufficient, email address is important. Not able to identify trends in registration across multiple registrations with anonymized email address. Web form does not provide evidence that contact was made / presumption of delivery.
• The aim of the webform is to contact the registrant though.  If registrars are required by law, court order or some other judicial process to provide the information, then registrars would ordinarily do so.
• Input needed with regards to what should be recommended in relation to email communication.
• EDPB advice directed guidance to legal persons to not put personal information in email contact.
• Document that BC/IPC/ALAC do not support preliminary recommendation #3. 

Action item #4: Margie to provide language in relation to support for not redacting certain fields. Benedict to provide language to capture risk of not publishing organization field info.  

Action item #5: Staff to update language to reflect that BC/IPC/ALAC do not support preliminary recommendation #3.

Question for ICANN Org: What is the rationale for not redacting organization field in the Temporary Specification?

4. Commence review & discussion of comments / input received on Initial Report

Objective of discussion:

(1) Review proposed changes / comments on the Initial Report that require EPDP Team consideration

(2) Agree on if/how these proposed changes / comments are to be applied to the Initial Report

a. Commence review of proposed changes / comments on the Initial Report (see list attached)

b. Confirm approach for addressing these

c. Confirm next steps, if any

• Additional agenda item: Update on roles & responsibilities team
• See email circulated by Thomas that provides update on call that took place yesterday.
• Mapping of responsibilities determines the role that the different parties have, it is not something that parties can decide themselves. Even in a joint controller agreement, you need to document who is responsible for what, for example, informing data subjects, rectifying errors, as well as addressing indemnification. 
• If ability for EPDP Team to speak to legal issues is questioned, should EPDP just provide its perspective, or should it indicate that it is not in a position to answer this charter question. How to deal with this question time wise? If an Initial Report is put out without being able to digest ICANN Org view, it may be premature and not allow groups to formulate properly their positions.
• Urgent for ICANN Org to share this memo as soon as possible. 
• Can the group determine as a matter of policy that there should be joint controller agreements between ICANN and CP, or is this to be determined by some separate body? Should be fine for EPDP to look at GDPR and come to its own conclusions. It is not about making it as convenient as possible for parties involved, but make it as convenient for EDBP and data subjects.
• This is a factual analysis that is being made in line with the work.
• Board liaisons have stated that Board would follow EPDP recommendations, unless these would create significant issues for ICANN Org / Community.
• Charter asks EPDP Team to identify a data controller and data processer. 
• Cautious about putting forward a recommendation for a joint controller agreement to have then ICANN Org say that they are not willing to negotiate one. Need to be able to make an informed decision.  
• Consider framing the issue and inviting public comment and further legal analysis from ICANN and/or external legal advice.
• Substantive work has to proceed - controller issue does/should not affect other decisions the EPDP Team has made.
• ICANN Org position is not determining - if under law and under structure of GDPR is ICANN is deemed a controller or joint-controller is a matter of legal fact.
• No constructive purpose to delay the Initial Report. More time could be devoted to this topic during the public comment period as well as F2F
• ICANN Org input could be provided during public comment period. 
• Could also consider putting a placeholder in the report that squarely puts the ball in ICANN's court?
• Consider writing formal note to ICANN Org to ask for input to be provided as soon as possible?  
• Group could document where its current thinking is at but note that further thinking will go into it? Also refer to existence and potential impact on EPDP's recommendation.
• Temp Spec does list ICANN as controller, concern appears to be around notion of joint-controller.

Action item #6: EPDP Team members to ask any questions within 24 hours in relation to the documentation that Thomas provided.

Action item #7: Thomas to provide proposed language for inclusion in the Initial Report in time for Thursday's meeting factoring in EPDP Team’s discussion.   

5. Wrap and confirm next meeting to be scheduled for Wednesday 14 November / Thursday 15 November at 14.00 UTC (dependent on progress made).

a. Confirm action items

b. Confirm questions for ICANN Org, if any

Action item #8: Staff to put out doodle poll to determine whether to schedule an additional meeting for either Wednesday or Friday, or extend the meeting time for Thursday.