Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open
Call for
Comments
Close 
Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

21 June 2019

ALAC Feedback on EPDP Phase II

Note: Not a formal ICANN public comment.

SUBMITTED

21 June 2019

EPDP Staff


Hide the information below, please click here 

FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 

The ALAC is not in a position to provide detailed guidance on the 
specific issues to be addressed during phase 2 in response to this 
consultation.  Our previous applicable statements still stand and the 
ALAC and its representatives on the EPDP of course reserve the right 
to provide input and comment as the work progresses.

There are two areas where the ALAC has specific comments:

1. Redacted Data elements: To keep the work of the EPDP at a 
reasonable level, the ALAC suggests that, where applicable, instead 
of dealing with redacted data on an element-by-element basis for each 
class of request any category of requester, that the data elements be 
grouped together based on similar characteristics and impact. 
Specifically, the ALAC suggests that the EPDP group fields together 
in 4 categories:

a) Registrant Name and Organization (if redacted)
b) Registrant contact fields
c) Tech name and contact fields
d) Other redacted fields (Registry Domain ID, Registry Registrant ID

2. For OCTO (Office of the Chief Technology Officer), subject to 
requirements to keep data confidential, OCTO should have access to 
any data it requests for research and threat analysis. If ICANN were 
a typical data controller, it would automatically have such data 
without any further consideration.



FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

Vote N/A


The ALAC is not in a position to provide detailed guidance on the 
specific issues to be addressed during phase 2 in response to this 
consultation.  Our previous applicable statements still stand and the 
ALAC and its representatives on the EPDP of course reserve the right 
to provide input and comment as the work progresses.

There are two areas where the ALAC has specific comments:

1. Redacted Data elements: To keep the work of the EPDP at a 
reasonable level, the ALAC suggests that, where applicable, instead 
of dealing with redacted data on an element-by-element basis for each 
class of request any category of requester, that the data elements be 
grouped together based on similar characteristics and impact. 
Specifically, the ALAC suggests that the EPDP group fields together 
in 4 categories:

a) Registrant Name and Organization (if redacted)
b) Registrant contact fields
c) Tech name and contact fields
d) Other redacted fields (Registry Domain ID, Registry Registrant ID

2. For OCTO (Office of the Chief Technology Officer), subject to 
requirements to keep data confidential, OCTO should have access to 
any data it requests for research and threat analysis. If ICANN were 
a typical data controller, it would automatically have such data 
without any further consideration.



DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(S) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

19 June Alan Greenberg feedback / response to Hadia -

Hadia El Miniawi

June 12, 2019 at 1:08

With regard to recommendation #1 purpose 2, which the board did not adopt and as this purpose was initially a place holder for further review in phase 2. The ALAC would like to make a proposal in relation to the purpose, taking into consideration the board's rational for not adopting it,  the European Council (EC) comments on the team's final report and the previously provided guidance by the European Data Protection Board (EDPB). We suggest replacing purpose two of recommendation one  by " Serving the public interest by maintaining the security, stability and resiliency of the DNS in accordance to ICANN's mission and bylaws".

The rationale behind our proposal is that all purposes should strictly be ICANN purposes, moreover "enabling responses to lawful data disclosure requests" is not a purpose but rather a processing activity.

The aforementioned purpose will need to be analyzed just as we did with all the other purposes in order to determine the processing activities associated with it. The lawful disclosure to relevant third parties as well as to ICANN if requird would result as a processing activity required to satisfy the purpose.  

1 Comment

  1. Although I agree with Hadia's general proposal, there was significant disagreement when it was discussed among the EPDP Members and Alternates and on the CPWG call, so I do not feel comfortable introducing it at this point, particularly since it was not a specific request in the call for community input.

    The proposal made to the Members and Alternates that was strongly supported was the following:

    The ALAC is not in a position to provide detailed guidance on the specific issues to be addressed during phase 2.  The ALAC and its representatives on the EPDP of course reserve the right to comment as the work progresses.

    There are two areas where the ALAC has specific comments:

    1. Redacted Data elements: To keep the work of the EPDP at a reasonable level, the ALAC suggests that instead of dealing with redacted data on an element-by-element basis for each class of request any category of requester, that the data elements be grouped together based on similar characteristics and impact. Specifically, the ALAC suggests that the EPDP group fields together in 4 categories:

    a) Registrant Name and Organization (if redacted)
    b) Registrant contact fields
    c) Tech name and contact fields
    d) Other redacted fields (Registry Domain ID, Registry Registrant ID

    2. For OCTO (Office of the Chief Technology Officer), subject to requirement to keep data confidential, OCTO should have access to any data it requests for research of threat analysis. If ICANN were a typical data controller, it would automatically have such data without any further consideration.