Page History

Notes/ Action Items

 These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki here.

1. Roll Call/SOI Updates

• No SOI updates identified

2. Apply results from last week’s poll to working document

• https://community.icann.org/download/attachments/66086765/AnnotatedResults-Poll-from-26SeptCall.pdf
• 22 members participated in poll
• 77% still don't think Original Registration Date should be a new data element
• Record in working document as tentative agreement

WG Agreement: There is no requirement for the Original Registration Date as proposed by the EWG Final Report

Action Item: Staff to incorporate WG agreement in working draft.

3. General questions about WSGR memo

• https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf
• Leadership in consultation with legal advisors within WG have been working to extract principles from WSGR memo and also answers previously supplied by senior EU privacy experts, to be applied to our work going forward
• How was the law firm selected? Several candidates with expertise identified by staff and augmented with suggestions from legal advisors within WG. Using that input, candidates were evaluated and chosen based on experience, reputation, etc. Selection was ultimately made by leadership team not advisory group, with group's input on two finalists.
• Do we intend to go back to the law firm to ask for more typical legal advice - that is, tell them what we propose doing, and ask for advice on legal risks associated with proposal? Yes, we can seek legal advice in the future, from this firm or another firm, at appropriate points in our work - that will incur additional cost to seek answers to new questions.
• Were discussions with law firm recorded, or can a transcript be provided? The leadership team and legal advisors reviewed a confidential draft for the purpose of identifying any items required clarification, enabling finalization of the memo.
• The law firm explicitly asked that draft not be shared and be treated as confidential; they prefer to share only final work product. In some cases, they asked for clarification of the questions that were asked by WG. We can share questions that were asked, but those questions focused on clarification and not questioning views or opinions expressed by WSGR.
• How much did the advisory team feedback impact the ultimate questions? Not at all. The questions were developed by the WG prior to ICANN58 meeting, and then presented to full WG for review/edit/approval. Those questions were then published and asked of senior EU privacy experts in CPH. We intentionally gave WSGR the same questions (exactly) as were given to experts at CPH.
• Now it's time to take inputs received from two sources and use it to address work outlined in our charter...

4. Introduce methodology to be used to apply memo to our work

• Charter questions: Users/Purposes, Gated Access, Data Accuracy, Data Elements, and Privacy - fundamental questions to be addressed in Phase 1
• We have already examined all but Accuracy to some degree, mostly for MPDS
• What we're going to do today is to start with Charter question on Privacy and look at how inputs from senior EU privacy experts AND WSGR help us answer or move forward in addressing that question/sub-questions

5. Starting with charter question on Privacy for deliberation

    a. Introduce DP/Privacy principles related to the charter question on Privacy

• https://community.icann.org/download/attachments/66086765/Handout-RDS-WG-Call-3Oct2017.pdf
• Copied extracted principles in handout, mapped to the charter question on privacy and associated sub-questions, to facilitate reference during deliberation on those questions
• Note that at end of handout there appears the one WG agreement thus far under the Privacy charter question, which was limited to MPDS: 14. [For MPDS] Existing gTLD RDS policies do NOT sufficiently address compliance with applicable data protection, privacy, and free speech laws about purpose
• Review of principles mapped to this charter question/sub question:
• 5.1 Do existing gTLD registration directory services policies sufficiently address compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?

b. Starting with Privacy sub-question 5.1, discuss impact on WG agreements

• We are not restricted to EU focus of this input; the input does provide guidance with respect to that jurisdiction. Our task is to provide requirements for RDS that takes into consideration all jurisdictions.
• “Within each jurisdiction” = within ALL jurisdictions of the world
• Re: 3.e. The GDPR applies to all personal data, comments that GDPR does NOT apply to all personal data
• Answer could be "yes" if taking into account procedure for dealing with conflicts with local law
• Conflating two different issues: policy and implementation. Reading RAA it matches up with GDPR, but the way it's been implemented does not (e.g., purpose, consent). Need to ask whether policies address compliance or whether implementation of those policies do or do not
• Comment: The policy as it is written is tightly bound to the extreme limitations of whois-the-protocol, which is part of the problem
• For example, from RAA: 3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating:3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended;3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator);3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and 3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4.
• Is data escrow within the RDS's scope?
• Do questions not line up with existing policy, producing answers that are not useful? This is why people are concerned about questions - if you ask the wrong question, you don't get helpful answers
• Maybe the question should be "Do the existing implementations of gTLD policy sufficient address compliance....?
• Comment: Current policies violate GDPR for EU citizens - example CL&D
• Need to distinguish policies from implementation, which is informed by decisions about who the data controller is
• Note that WSGR did not respond to the questions that are in this document - these are questions that the WG identified as sub-questions to help address the overarching charter questions. The principles that you see were derived from the memo as aiming to assist in responding to these questions.
• Possible reframing of sub-question 5.1: Do existing gTLD registration directory services policies and/or implementations PREVENT compliance with applicable data protection, privacy, and free speech laws within each jurisdiction?
• Would re-applying existing policy, using RDAP instead of WHOIS, shed any light on whether it's the policy or the implementation that prevent compliance with applicable laws?

Action Item: WG leadership team to consider input received during today's meeting and consider how to move forward as today's meeting did not achieve the goal of moving forward on these questions.

6. Confirm action items and proposed decision points

• WG Agreement: There is no requirement for the Original Registration Date as proposed by the EWG Final Report
• Action Item: Staff to incorporate WG agreement in working draft.
• Action Item: WG leadership team to consider input received during today's meeting and consider how to move forward as today's meeting did not achieve the goal of moving forward on these questions.

 7. Confirm next WG meeting (Tuesday 10 October at 16.00 UTC)