Page History

Notes/ Action Items

Please find below the notes and action items [docs.google.com] from today’s call.

1. Roll Call & SOI Updates
2. Welcome

1. The first call will be spent on the pre-homework, which included reviewing the questions assigned to the legal committee and categorizing them by:
   • Who should address: legal committee or B&B?
   • If B&B, what is the priority level (low, medium, or high)?
   • How would a response to this question assist the EPDP Team in answering the questions assigned from the GNSO Council?
2. Expenses related to external counsel
   • First meeting, questions raised re: funds.
   • Because this is a shorter-term engagement, unlike Phase 1 and 2, there is no dedicated budget. Important to note that while there is budget available, these expenses will be absorbed into the core policy budget. Ultimately this means EPDP Leadership asks the group to be conservative with respect to questions forwarded to B&B.

      3. Legal vs. natural

          a. Review homework provided

• See https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit [docs.google.com]
• Proponents to explain provided rationales (why this needs to be addressed by B&B, or, conversely, how this has already been addressed)
  • Question 1: Given that a registrant is already offered the option to provide consent to publication, wouldn’t the self-designation as an Organization (with suitable advance notification of consequences) result in substantially the same issue/risk for the Contracted Party?
  • Mechanisms around consent are quite complex, and this is something CPs already have to deal with. Publishing legal information could be a less burdensome measure as this information is not protected under the GDPR.
  • If CPs required registrants to self-identify, along with implementing safeguards listed in B&B memo (such as notification of consequences in plain language, etc.) An answer to this question is to help address more of the CPs’ concerns.
  • The issue of consent is complicated by the fact that the biggest problem noted by B&B is that if you have personal information in the registrant data, that might be personal information of someone other than the person who is registering the name, completing the info, and receiving the notice.
  • The question of if the registration contains personal information is what is important, not if it’s a legal or natural person registrant.
  • If the personal information is personal info of the person registering and consenting, that would be OK, but the issue is we do not know if the personal info provided is the same as the person registering the name.
  • Separate out the two issues we’re talking about. The thrust of the question is not if a legal person can consent to publication; the question is asking whether the risk CPs are already facing in terms of how they deal with consent is in any way different in magnitude with the publishing the info of legal persons. This is a comparison question – is the risk comparable? We want to make sure that a legal registrant is not somehow providing personal information that is not its own. The EPDB has provided guidance and advice and has said that as we evaluate these policies, we should clearly instruct legal persons to avoid providing personal information of other people.
  • This is a policy question and not something our outside counsel can help with. We already have information on the challenges, risks, and how to obtain consent especially in the tricky subject of third-party consent. This is more appropriate to be discussed in plenary.
  • The risk scenario is now shifted given the NIS2 directive. In particular with respect to legal v. natural, there will be a requirement in European law that contracted parties make this distinction.
  • NIS2 does have language that would play into this quite directly, we’re still talking about a period of 18 months until it’s agreed to. There will be a few years before NIS2 comes into play.
  • Disagree with this perspective. The ICANN community was behind the eight ball in updating WHOIS policy b/c of GDP, and it would be a mistake to ignore an impending regulation again.
  • It’s not possible to make the differentiation by looking at what type of person it is. It is hard to make policies based on laws that might come to pass. Cannot implement something that is still subject to change, since this is a directive not a regulation.
  • There is nothing wrong anticipating new developments in the legal framework. The lesson to be learned post-GDPR is that we should anticipate developments and that is why this question is relevant if we want to make policy on the basis of good analysis.
  • Cannot ascertain legal risks until you see how the directive will be implemented. There is a difference b/w watching and blowing a legal budget when things are still in play. A good exercise to go through would be not that we are finally addressing legal v. natural, we need to do some risk assessment on what we’re doing to drive criminal activity. This risk assessment is not up to the legal committee to decide.
  • Chair proposal: clear that some of us interpret the question somewhat differently. Small group: Laureen, Hadia, Volker and Becky to further work on this question.
  • Question 2: Do the measures required by the Transparency and Fairness Principles (i.e., explaining that if the registrant identifies as a legal person then their data will be published) contribute to mitigating the liability risk of an inaccurate designation? Note advice given in Technical Contacts memo (1/22/19 at ¶ 11 “registrars will need to provide notice to the technical contact within the earlier of one month or first communication with the data subject.”
  • There are already principles in place that would mitigate the liability risk. The advice from B&B talks about explaining the risks if you are a legal person; B&B technical contacts memo also discusses giving notice to those who may have their info published.
  • Not entirely certain how this question is different than the technical contacts memo. That memo mentions seeking confirmation from someone who may not be the registrant.
  • This question is a cart before the horse issue b/c it presumes certain policy decisions that have not been made. If you determine that legal entity = publication, you suddenly create an issue for small legal entities that have the same data as their company and might result in other legal risks. Need to determine what this differentiation would mean in policy before asking this question.
  • There is a policy question about automatic publication is if someone is designated as a legal person. This question has been clearly answered in the legal v. natural memo. Do we already have the answer to this, which is – yes, this is one thing that could help.
  • The first legal v. natural memo addresses this question – this is one way to mitigate risk. This comes down to addressing this question as a plenary. (paragraph 18 in particular)
  • This question needs refining – agree that these are already identified as mitigating the risk. Perhaps the better question is: what is the magnitude of the risk if you follow the measures proposed by B&B – is it a de minimis risk or is it a significant risk? Would be helpful to get more pinpointed guidance on the magnitude of the risk.
  • Action: Laureen to refine question 2 to focus on the magnitude of the risk.
  • Question 3: Legal Memo 1, #25 implies that it is sufficient to send a confirmation email explaining in clear detail the implication of the Legal/Natural determination that the Registrar has made. There is no mention that this confirmation message needs to be responded to.  Phase 2 Memo #18, although on a somewhat different topic, implies a positive response is needed. Please provide clarity as to how lack of response can be interpreted. Does the situation change if paper mail is used? Note that in both cases, the registrant has an obligation to have provided accurate contact details.
  • Question should be rephrased. The importance of this question: in order to approve the accuracy of self-identification, B&B suggested sending a confirmation email to the registrant and technical contact.
  • Given that this is the consequence, does that suffice as sufficient for this requirement? For the practicality, it is not hard to implement something like that. Must first define the consequence, and until this homework is completed, it’s too early to ask a question.
  • Suggest rephrasing the question and bring it back again and meanwhile we can all think about the consequences.
  • Is the question really – can you rely on just this notice or do you need affirmative consent from an individual whose contact info is disclosed in the registration of a legal person?
  • Question: if we send out emails to individuals involved in a domain name registration and assume a response to the notification is consent to publication, isn’t coupling consent with something else? This is a non-starter b/c we would unduly combine consent with something else – this would mean it would be coupled, and therefore not freely given.
  • Not looking for providing consent with this – it’s a confirmation email, the response would be acknowledgement
  • If there is no consequence to making this differentiation, it is legal, but as soon as you attach a consequence (such as publication), the risk becomes higher, and this is a plenary discussion.

          b. Legal Committee Discussion

4. Feasibility of unique contacts

          a. Review homework provided

• See https://docs.google.com/document/d/1UCP86uPZJBA_oh_4lfa6GwisfqnXUgbi5kdq-VOQCS0/edit [docs.google.com]
• Proponents to explain provided rationales (why this needs to be addressed by B&B, or, conversely, how this has already been addressed)

1. Legal Committee Discussion

  5. Wrap and confirm action items and homework

          a. Confirm action items and homework

            i. LC members to review the Feasibility of Unique Contacts terminology table [docs.google.com] and provide edits or additional clarification, if deemed necessary, by Friday, 5 February.

            ii. Becky, Laureen, and Volker to review Question 1 [docs.google.com] in the Legal v. Natural Table and provide updates based on the Legal Committee’s discussion. The updated version is due by Monday, 8 February in time for the next Legal Committee meeting.

            iii. Laureen to review Question 2 [docs.google.com] in the Legal v. Natural Table and update the text based on the magnitude of the risk by Monday, 8 February.

            iv. LC members to revisit the questions for Legal v. Natural [docs.google.com] and Feasibility [docs.google.com] in advance of the next meeting and, taking into account the discussion from the meeting as well as the limited budget, provide additional feedback as to why outside counsel review is necessary and would assist in moving the plenary team forward on GNSO Council instructions. Additionally, LC members may wish to rephrase questions if they believe edits may provide additional clarity.

Notes/ Action Items