For phase 1 questions and responses, please see Input from ICANN Org

Question:

A lot of the work that our group is doing cannot only be characterized as the community’s policy work, but it is in fact ICANN’s (org) compliance. 

Looking at the cost of becoming compliant, the easiest way to save money is to use synergies. We have asked in the past whether ICANN has written a record of processing activities, carried out DPIAs, asked for legal advice on related aspects etc. To my knowledge, we have not been provided with any such documentation. 

To be clear, it would be extremely helpful for our group to be able to review existing documents. Even if our group might hold different views on certain questions, any existing work products would expedite our work. Maybe there are documents in the making, in which case we could build our workplan around potential delivery dates to be able to benefit from such work products. If there is actually no documentation already, it would be good to get clarity around that, too, and we could try to work so that duplicate efforts of the org and our group can be avoided, i.e. so that the org can benefit best from the legal advice we are seeking.

Either way, when looking at where the money shall come from, I think it would be fair not to consider expenditures as the community’s policy making only, but as part of ICANN’s overall compliance activities.

Response: 

We agree that both ICANN org and contracted parties must be compliant with GDPR, which is the focus of the EPDP. Your point about synergies is also a good one, which is why we are following the EPDP Team’s suggestion from Phase 1 to use Bird & Bird both to advise ICANN org and to answer questions from the EPDP Team.

With regard to your comment about record of processing activities, the EPDP Team previously asked for ICANN Compliance’s record of processing. In a 20 November 2018 response, ICANN org provided an ICANN Compliance summary of processing activities. That response can be viewed here: <https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000944.html>

Implementation of EPDP Phase 1 recommendations will require additional documentation of registration data processing activities, including activities by ICANN org, registry operators, registrars, and other third-parties. That work is underway and will be shared with the community and EPDP Team when ready.

With regard to Data Protection Impact Assessment, as previously mentioned in a response to the EPDP Team on 17 November 2018, ICANN org has not previously done a DPIA. The response stated: “In general, a DPIA is designed to (a) describe the processing and purpose of processing of personal data, including where applicable the legitimate interest pursued by the controller, (b) assess the processing necessity and proportionality, and (c) help manage the risks to the rights and freedoms of data subjects resulting from the processing. The elements of a DPIA are more fully described in Article 35(7) of the GDPR.  Under Article 35(1), a DPIA is only required where a type of processing is “likely to result in a high risk to the rights and freedoms of natural persons”.

“ICANN org considered conducting a DPIA since early in the discussion of GDPR and gTLD registration data. One of the issues is when to do a DPIA that is most timely and useful--should the DPIA be conducted on the original requirements in the registry and registrar agreements, on the Temporary Specification which is temporary, or on the new requirements being discussed in the EPDP? We continue to evaluate whether that assessment should be performed and, if so, when.” A link to this response can be viewed here: <https://mm.icann.org/pipermail/gnso-epdp-team/2018-November/000909.html>


Question:

Is there an attorney-client relationship between ICANN Org and Bird & Bird?


...