EPDP on the Temporary Specification for gTLD Registration Data

Page History

Versions Compared

Old Version 3

changes.mady.by.user Andrea Glandon

Saved on Jan 09, 2019

compared with

New Version Current

changes.mady.by.user Nathalie Peregrine

Saved on Jan 11, 2019

Key

This line was added.
This line was removed.
Formatting was changed.

...

For other times: https://tinyurl.com/yc8n34vg

Recommendation #19 - Transfer Policy

Purpose 4 - Safeguarding RNH's Registration Data

As noted previously:

Small team member reps are expected to keep their respective groups informed about the deliberations. To do so, some topics discussed during the Tuesday meeting might wrap up during the Thursday meeting so that an interim consultation might take place.
The plenary is expected to grant great deference to the findings of the small teams. If a member of the plenary has an interest in a certain topic and is not included on that small team, that member is expected to contact her/his group’s small team member prior to the Tuesday meeting to provide input. [Rationale: if we re-litigate each small group conclusion, this approach will decrease our efficiency rather than the opposite.]
In reviewing the input received, EPDP Team members are expected to look at the comments in their totality and not advocate for a comment that has been submitted by his / her respective group (an EPDP Team member may explain a certain position, if asked by another team member). [Rationale: the same deference must be paid to comments made by those without representative team members.]
During the small team calls, the Chair and Vice-Chair will endeavor to represent the comments not belonging to an SO/AC or SG/C. Because these comments do not have a specific advocate within the EPDP Team, the small team members should take care to pay close attention to the comments and accompanying rationales.

BACKGROUND DOCUMENTS

VIEW ONLY ADOBE CONNECT FOR ALTERNATES AND OBSERVERS

**Exceptionally, there will not be any audio cast

View-Only Adobe Connect room for alternates and observers: https://participate.icann.org/rds-leadership/

Mp3

Adobe Connect Recording

GNSO transcripts are located on the GNSO Calendar

Attendance & AC Chat

Dial outs: Amr Elsadr, Hadia Elminiawi

Apologies: Kristina Rosette (RySG)

Alternates: Beth Bacon (RySG)

Info

PROPOSED AGENDA

Each group is expected to appoint one main representative to each small team. Other members are also welcome to join, but only the main representative is expected to do the bulk of the talking to ensure that every group has an opportunity to have their views heard. Alternates are only expected to join if they are replacing a member who is not able to attend.
Representatives (and other members joining) are expected to have reviewed the PCRTs for the topics listed for their respective small team below, with the following question in mind: “What comments/arguments provide new information / rationale, if any, that merit group discussion and possible changes / refinements? For each small team, at a minimum, 5 topics listed below are expected to be covered, so please make sure you have reviewed all assigned topics.
At the start of the meeting, the chair will ask the representatives to identify for which purposes and/or recommendations comments / arguments have been identified that merit group discussion so that the small team can deep dive into those and consider possible recommendations for EPDP Team consideration.
Small team A and B will cover:

Small Team A

Small Team B

Purpose 1 - Establish the rights of a Registered Name Holder

Purpose 3 - Enable communication with RNH

Recommendation #15 - URS / UDRP

Recommendation #16 - Instructions for RPM PDP WG

Recommendation #18 - Data processing agreements with dispute resolution providers (incl. Question #4)

Recommendation #22 - Impact on other policies

Purpose 5 - Handling Contractual Compliance

Recommendation #6 - Escrow Providers

Recommendation #10 - Email communication

Recommendation #12 - Reasonable access

Recommendation #13 - Controller Agreement

Purpose 7 - gTLD registration policy eligibility criteria

Recommendation #17 - Input from RPM PDP WG to inform subsequent access discussion

Recommendation #20 - Input to Transfer Policy review (incl. Question #5)

Purpose 6 - Resolution of DRPs

Recommendation #11 - Data retention

Recommendation #14 - Responsible parties

Info

title	RECORDINGS

Tip

title	PARTICIPATION

Small Team B

Recommendation #13 – Controller Agreement
Recommendation #20 - Input to Transfer Policy review (incl. Question #5)
Recommendation #11 - Data retention
Recommendation #21 – Data Controller Agreements - EBERO

BACKGROUND DOCUMENTS

VIEW ONLY ADOBE CONNECT FOR ALTERNATES AND OBSERVERS

**Exceptionally, there will not be any audio cast

View-Only Adobe Connect room for alternates and observers: https://participate.icann.org/rds-leadership/

Info

title	RECORDINGS

Mp3

Adobe Connect Recording

GNSO transcripts are located on the GNSO Calendar

Tip

title	PARTICIPATION

Attendance & AC Chat

Apologies: Kristina Rosette (RySG), Alex Deacon (IPC), Ashley Heineman (GAC)

Alternates: Beth Bacon (RySG), Brian King (IPC), Chris Lewis-Evans (GAC)

Note
Notes/ Action Items Notes and Action Items Small Team B Participants: Benedict Addis (SSAC) Beth Bacon & Mark Anderson (RySG) Brian King (IPC) Chris Lewis Evans (GAC) James Bladel (RrSG) Mark Svancarek (BC) Milton Mueller & Amr Elsadr (NCSG) Hadia Elminiawi (ALAC) Thomas rickert (ISPCP) Daniel Halloran (ICANN Org Liaison -Legal) Rafik Dammak (GNSO Council Liaison) Actions Items: Action item #1: Small team B to review notes and proposals and respond immediately with any concerns as the findings will go to the full team next in preparation for the F2F meeting. Questions for ICANN Org from the EPDP Team: None Notes & Action items These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ 1. Roll Call Attendance will be taken from Adobe Connect Remember to mute your microphones when not speaking and state your name before speaking for transcription purposes. Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team. Review Recommendation #13 – Controller Agreement See Discussion Table - concerns have been grouped together where possible to facilitate consideration. Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation? ICANN Org is working on the memo discussed previously which is expected to be shared shortly (by Monday at the latest) RySG suggest that language is changed to not specify joint-contoller agreement but to have CPs and ICANN Org to work together to determine what type of agreement would work best. Many may be of the view that JCA is the best approach, but that may not be everyone's agreement. Important to have flexibility in the recommendation for those negotiating these agreements. RrSG comment is aligned with this perspective. BC can support this approach, allow for sufficient enough flexibility to have ICANN Org to take on responsibility for quieries by requestors. IPC can also support this approach. Not be overly presecriptive but agreements will need to outline the different roles and responsibilities. Support is conditional on ICANN assuming some formal responsibility here. CPs can't be compelled to disclose and also assume 100% of the risk exposure. Does proposed RySG language capture all possible scenarios or is it better to be more general? Note that the language refers to 'such as', which should provide sufficient flexibility. Some expressed the view that it is important to be specific here and provide guidance to ICANN Org on what is expected. How about timing? Would proposed rewording eliminate all other parties from the discussion? Could it overwrite EPDP Team recommendations? Flexibility is around the type of agreement that is put in place, not flexibility to change to policy recommendations of the working group. General agreement that recommendation should be more flexible and not prescribe the outcome, but further review may be warranted following receipt of the ICANN Org memo. EPDP Team does not support deletion of this recommendation as suggested by one of the commenters. Proposed updated language: "The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing." Recommendation #20 - Input to Transfer Policy review (incl. Question #5) See Discussion Table - concerns have been grouped together where possible to facilitate consideration. Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation? Language of recommendation is fine - comments point to specific issue sthat should be addressed in the transfer review that has been recently kicked off (see https://www.icann.org/public-comments/irtp-status-2018-11-14-en). Language is intended to instruct Council that additional work on the Transfer policy is needed as a result of GDPR. Important for all to share any concerns and specifics with the GNSO Council to help inform the review and next steps. No change needed to the recommendation. Recommendation #11 - Data retention See Discussion Table - concerns have been grouped together where possible to facilitate consideration. Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation? BC/IPC request consideration of a 3 year retention period - especially in the context of cyberinvestigations. Is 3 years arbitrary? Reference to TDRP makes one year defensible - CPs need something specific and not arbitrary to defend a retention period. Could two year period in the RAA be considered as an alternative? Any data retention period beyond 1 year needs to be defended - hard to justify based on what has been provided as this relates to what ICANN governs. Needs to be made clear that the one year is a minimum required - contracted parties may need or be required to keep data longer. Similarly, local waivers may be needed. There may be altering retention periods based on national laws / retention requirements or based on the business practice, but that would not be for ICANN to govern. Language could also be cleaned up a bit. Note, this is just how long folks can keep data to fulful an ICANN requirement. Consider extending retention based on notification? LE can request for freeze through G7 network which allows MLATs to be fired off in the tie needed. Would such a freeze also be enforceable by ICANN? Caution to write up policy language - CPs already take appropriate action in case of an active legal investigation. Regarding minimums being defensible, a CP 's retention policy would need to disclose that at the time of collection regardless whether mandated by ICANN policy, local law, or individual business needs. Parties advocating longer retention period to provide further supporting information to justify a longer data retention period. Possible rewording: The EPDP Team recommends that Registrars are required to retain the herein-specified data elements for one year following the life of the registration. This minimum retention period is consistent the requirements of the TDRP. Proposed modification: make clear that proposed period is a minimum period, or more specifically a period for ICANN required retention and that CPs can adjust as needed beyond that period in line with local law / requirements. Remove the 'statute of limitations' language. Further discussion needed on the recommended ICANN retention period. Recommendation #21 – Data Controller Agreements - EBERO See Discussion Table - concerns have been grouped together where possible to facilitate consideration. Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation? NCSG point is mooted by the words "with the non-contracted Party entities" in the Recommendation No change needed Consider further Purpose 5 - see edits overview shared by Kristina Registrars are proposing language to limit the scope of the recommendation. Current language is overly broad. Need to restrain ICANN's ability to gather data, should be limited to terms of enforcement of those agreements, only for purposes that are outlined in the agreements. Proposal: Handle contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Registrars, Registered Name Holders, and other Internet users, consistent with the terms of the registry agreement and the registrar accreditation agreements, and any applicable data processing agreements, by accessing specific data only as necessary. Perhaps "processing" as opposed to "accessing" would be better May consider splitting this up - intertwining two different thing, two different purposes that compliance pursues: handles monitoring and audits of their contracts, and separately handles compliance complaints. Important to be specific and not conflate with other purposes. Combine registrar and registry proposal - proposed rewording: 1) Handle contractual compliance monitoring requests and audit activities consistent with the terms of the registry agreement and the registrar accreditation agreements and any applicable data processing agreements, by processing specific data only as 2) Handle compliance complaints initiated by ICANN, or third parties consistent with the terms of the registry agreement and the registrar accreditation agreements. Recommendation #10 - further thoughts on how to address comments or is this to be referred to plenary? Any suggestions to be shared on the mailing list Recommendation #16 - update from Steve, Brian, James and Kristina on possible way forward. Consider remaining concerns. IPC/BC withdrawing its request for an additional recommendation, assuming that recommendation #16 will remain as is. Other concerns flagged seem to concern communication issues and URS review - may not be within scope and already addressed somewhere else. May have been covered already in deliberations and language of Initial Report. Confirm submission to plenary of Purpose 3 Recommendation #19 Next steps: Support staff will circulate notes and capture proposals made Following that, small team B outcomes will be shared with full EPDP Team for review Action item #1: small team B to review notes and proposals and respond immediately with any concerns as the output will go to the full team in preparation for the F2F meeting.
Notes/ Action Items

Note

Notes/ Action Items

Notes and Action Items

Small Team B Participants:

Benedict Addis (SSAC)
Beth Bacon & Mark Anderson (RySG)
Brian King (IPC)
Chris Lewis Evans (GAC)
James Bladel (RrSG)
Mark Svancarek (BC)
Milton Mueller & Amr Elsadr (NCSG)
Hadia Elminiawi (ALAC)
Thomas rickert (ISPCP)
Daniel Halloran (ICANN Org Liaison -Legal)
Rafik Dammak (GNSO Council Liaison)

Actions Items:

Action item #1: Small team B to review notes and proposals and respond immediately with any concerns as the findings will go to the full team next in preparation for the F2F meeting.

Questions for ICANN Org from the EPDP Team: None

Notes & Action items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ

1. Roll Call

Attendance will be taken from Adobe Connect
Remember to mute your microphones when not speaking and state your name before speaking for transcription purposes.
Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

Review

Recommendation #13 – Controller Agreement

See Discussion Table - concerns have been grouped together where possible to facilitate consideration.
Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation?
ICANN Org is working on the memo discussed previously which is expected to be shared shortly (by Monday at the latest)
RySG suggest that language is changed to not specify joint-contoller agreement but to have CPs and ICANN Org to work together to determine what type of agreement would work best. Many may be of the view that JCA is the best approach, but that may not be everyone's agreement. Important to have flexibility in the recommendation for those negotiating these agreements. RrSG comment is aligned with this perspective.
BC can support this approach, allow for sufficient enough flexibility to have ICANN Org to take on responsibility for quieries by requestors.
IPC can also support this approach.
Not be overly presecriptive but agreements will need to outline the different roles and responsibilities.
Support is conditional on ICANN assuming *some* formal responsibility here. CPs can't be compelled to disclose and also assume 100% of the risk exposure.
Does proposed RySG language capture all possible scenarios or is it better to be more general? Note that the language refers to 'such as', which should provide sufficient flexibility.
Some expressed the view that it is important to be specific here and provide guidance to ICANN Org on what is expected. How about timing? Would proposed rewording eliminate all other parties from the discussion? Could it overwrite EPDP Team recommendations? Flexibility is around the type of agreement that is put in place, not flexibility to change to policy recommendations of the working group.
General agreement that recommendation should be more flexible and not prescribe the outcome, but further review may be warranted following receipt of the ICANN Org memo.
EPDP Team does not support deletion of this recommendation as suggested by one of the commenters.
Proposed updated language: "The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements such as a Data Processing Agreement (GDPR Art. 28) or Joint Controller Agreement (Art. 26), as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses shall ensure that the risk for certain data processing is borne by either one or multiple parties that determine the purpose and means of the processing."

Recommendation #20 - Input to Transfer Policy review (incl. Question #5)

See Discussion Table - concerns have been grouped together where possible to facilitate consideration.
Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation?
Language of recommendation is fine - comments point to specific issue sthat should be addressed in the transfer review that has been recently kicked off (see https://www.icann.org/public-comments/irtp-status-2018-11-14-en).
Language is intended to instruct Council that additional work on the Transfer policy is needed as a result of GDPR.
Important for all to share any concerns and specifics with the GNSO Council to help inform the review and next steps.
No change needed to the recommendation.

Recommendation #11 - Data retention

See Discussion Table - concerns have been grouped together where possible to facilitate consideration.
Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation?
BC/IPC request consideration of a 3 year retention period - especially in the context of cyberinvestigations. Is 3 years arbitrary? Reference to TDRP makes one year defensible - CPs need something specific and not arbitrary to defend a retention period. Could two year period in the RAA be considered as an alternative? Any data retention period beyond 1 year needs to be defended - hard to justify based on what has been provided as this relates to what ICANN governs.
Needs to be made clear that the one year is a minimum required - contracted parties may need or be required to keep data longer. Similarly, local waivers may be needed. There may be altering retention periods based on national laws / retention requirements or based on the business practice, but that would not be for ICANN to govern.
Language could also be cleaned up a bit.
Note, this is just how long folks can keep data to fulful an ICANN requirement.
Consider extending retention based on notification? LE can request for freeze through G7 network which allows MLATs to be fired off in the tie needed. Would such a freeze also be enforceable by ICANN? Caution to write up policy language - CPs already take appropriate action in case of an active legal investigation.
Regarding minimums being defensible, a CP 's retention policy would need to disclose that at the time of collection regardless whether mandated by ICANN policy, local law, or individual business needs.
Parties advocating longer retention period to provide further supporting information to justify a longer data retention period.
Possible rewording: The EPDP Team recommends that Registrars are required to retain the herein-specified data elements for one year following the life of the registration. This minimum retention period is consistent the requirements of the TDRP.
Proposed modification: make clear that proposed period is a minimum period, or more specifically a period for ICANN required retention and that CPs can adjust as needed beyond that period in line with local law / requirements. Remove the 'statute of limitations' language. Further discussion needed on the recommended ICANN retention period.

Recommendation #21 – Data Controller Agreements - EBERO

See Discussion Table - concerns have been grouped together where possible to facilitate consideration.
Question for team: which concerns merit group discussion? Specifically, do any of the concerns present new information the EPDP Team has not discussed during its formulation of this purpose or recommendation?
NCSG point is mooted by the words "with the non-contracted Party entities" in the Recommendation
No change needed

Consider further

Purpose 5 - see edits overview shared by Kristina

Registrars are proposing language to limit the scope of the recommendation. Current language is overly broad. Need to restrain ICANN's ability to gather data, should be limited to terms of enforcement of those agreements, only for purposes that are outlined in the agreements.
Proposal: Handle contractual compliance monitoring requests, audits, and complaints submitted by Registry Operators, Registrars, Registered Name Holders, and other Internet users, consistent with the terms of the registry agreement and the registrar accreditation agreements, and any applicable data processing agreements, by accessing specific data only as necessary.
Perhaps "processing" as opposed to "accessing" would be better
May consider splitting this up - intertwining two different thing, two different purposes that compliance pursues: handles monitoring and audits of their contracts, and separately handles compliance complaints.
Important to be specific and not conflate with other purposes.
Combine registrar and registry proposal - proposed rewording: 1) Handle contractual compliance monitoring requests and audit activities consistent with the terms of the registry agreement and the registrar accreditation agreements and any applicable data processing agreements, by processing specific data only as 2) Handle compliance complaints initiated by ICANN, or third parties consistent with the terms of the registry agreement and the registrar accreditation agreements.

Recommendation #10 - further thoughts on how to address comments or is this to be referred to plenary?

Any suggestions to be shared on the mailing list

Recommendation #16 - update from Steve, Brian, James and Kristina on possible way forward. Consider remaining concerns.

IPC/BC withdrawing its request for an additional recommendation, assuming that recommendation #16 will remain as is.
Other concerns flagged seem to concern communication issues and URS review - may not be within scope and already addressed somewhere else. May have been covered already in deliberations and language of Initial Report.

Confirm submission to plenary of

Purpose 3
Recommendation #19

Next steps:

Support staff will circulate notes and capture proposals made
Following that, small team B outcomes will be shared with full EPDP Team for review

Action item #1: small team B to review notes and proposals and respond immediately with any concerns as the output will go to the full team in preparation for the F2F meeting.

Note

Notes/ Action Items

Content

Space Tools

Versions Compared

Old Version 3

New Version Current

Key