FINAL VERSION SUBMITTED (IF RATIFIED)
The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote.
The ALAC is not in a position to provide detailed guidance on the
specific issues to be addressed during phase 2 in response to this
consultation. Our previous applicable statements still stand and the
ALAC and its representatives on the EPDP of course reserve the right
to provide input and comment as the work progresses.
There are two areas where the ALAC has specific comments:
1. Redacted Data elements: To keep the work of the EPDP at a
reasonable level, the ALAC suggests that, where applicable, instead
of dealing with redacted data on an element-by-element basis for each
class of request any category of requester, that the data elements be
grouped together based on similar characteristics and impact.
Specifically, the ALAC suggests that the EPDP group fields together
in 4 categories:
a) Registrant Name and Organization (if redacted)
b) Registrant contact fields
c) Tech name and contact fields
d) Other redacted fields (Registry Domain ID, Registry Registrant ID
2. For OCTO (Office of the Chief Technology Officer), subject to
requirements to keep data confidential, OCTO should have access to
any data it requests for research and threat analysis. If ICANN were
a typical data controller, it would automatically have such data
without any further consideration.
FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC
The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.
Vote N/A
The ALAC is not in a position to provide detailed guidance on the
specific issues to be addressed during phase 2 in response to this
consultation. Our previous applicable statements still stand and the
ALAC and its representatives on the EPDP of course reserve the right
to provide input and comment as the work progresses.
There are two areas where the ALAC has specific comments:
1. Redacted Data elements: To keep the work of the EPDP at a
reasonable level, the ALAC suggests that, where applicable, instead
of dealing with redacted data on an element-by-element basis for each
class of request any category of requester, that the data elements be
grouped together based on similar characteristics and impact.
Specifically, the ALAC suggests that the EPDP group fields together
in 4 categories:
a) Registrant Name and Organization (if redacted)
b) Registrant contact fields
c) Tech name and contact fields
d) Other redacted fields (Registry Domain ID, Registry Registrant ID
2. For OCTO (Office of the Chief Technology Officer), subject to
requirements to keep data confidential, OCTO should have access to
any data it requests for research and threat analysis. If ICANN were
a typical data controller, it would automatically have such data
without any further consideration.
DRAFT SUBMITTED FOR DISCUSSION
The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(S) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).
19 June Alan Greenberg feedback / response to Hadia -
Hadia El Miniawi
June 12, 2019 at 1:08
With regard to recommendation #1 purpose 2, which the board did not adopt and as this purpose was initially a place holder for further review in phase 2. The ALAC would like to make a proposal in relation to the purpose, taking into consideration the board's rational for not adopting it, the European Council (EC) comments on the team's final report and the previously provided guidance by the European Data Protection Board (EDPB). We suggest replacing purpose two of recommendation one by " Serving the public interest by maintaining the security, stability and resiliency of the DNS in accordance to ICANN's mission and bylaws".
The rationale behind our proposal is that all purposes should strictly be ICANN purposes, moreover "enabling responses to lawful data disclosure requests" is not a purpose but rather a processing activity.
The aforementioned purpose will need to be analyzed just as we did with all the other purposes in order to determine the processing activities associated with it. The lawful disclosure to relevant third parties as well as to ICANN if requird would result as a processing activity required to satisfy the purpose.
1 Comment
Alan Greenberg
Although I agree with Hadia's general proposal, there was significant disagreement when it was discussed among the EPDP Members and Alternates and on the CPWG call, so I do not feel comfortable introducing it at this point, particularly since it was not a specific request in the call for community input.
The proposal made to the Members and Alternates that was strongly supported was the following:
The ALAC is not in a position to provide detailed guidance on the specific issues to be addressed during phase 2. The ALAC and its representatives on the EPDP of course reserve the right to comment as the work progresses.
There are two areas where the ALAC has specific comments:
1. Redacted Data elements: To keep the work of the EPDP at a reasonable level, the ALAC suggests that instead of dealing with redacted data on an element-by-element basis for each class of request any category of requester, that the data elements be grouped together based on similar characteristics and impact. Specifically, the ALAC suggests that the EPDP group fields together in 4 categories:
a) Registrant Name and Organization (if redacted)
b) Registrant contact fields
c) Tech name and contact fields
d) Other redacted fields (Registry Domain ID, Registry Registrant ID
2. For OCTO (Office of the Chief Technology Officer), subject to requirement to keep data confidential, OCTO should have access to any data it requests for research of threat analysis. If ICANN were a typical data controller, it would automatically have such data without any further consideration.