Note
Notes/ Action Items Notes & Action items These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ. EPDP Phase 2 - Meeting #38 Proposed Agenda Thursday, 9 January 2019 at 14.00 UTC Roll Call & SOI Updates (5 minutes) Confirmation of agenda (Chair) Welcome and housekeeping issues (Chair) (5 minutes) Legal committee update Legal Committee met on 7 Jan Continued to work through Priority 2 questions Endeavor to send questions to plenary team by next Thursday Hope to receive answers in advance of F2F meeting Status of draft Initial Report Updated version posted on 20 December 2019 Overview of groups that have provided input Staff developed list of topics to be covered between now and LA F2F meeting Going forward, please provide all comments in the Google Doc, so that everyone is working from the same document Proposal of how to approach work from here to the F2F: the last F2F in Montreal, there was a lot of time at the table wordsmithing and editing live documents. This is not the appropriate activity at a F2F where time is scarce. Proposal to reserve F2F time for making compromise decisions and synthesizing feedback. Drafting and editing documents on the table should be considered out of bounds and moved to the list. It is likely inevitable that wordsmithing will occur because seeing things in written form aids the approach to compromise. CPH letter: after viewing the first draft Initial Report, there was no answer on who makes the ultimate decision to disclose and which form the eventual SSAD will take. The CPH put a proposed path forward in order to make critical decisions on policy recommendations. Helpful that the CPH proposal notes standardized process, starting with accreditation, request submission, treatment of request, and response. The CPH proposal also describes a central gateway, likely operated by ICANN. Proposal notes the disclosure decision to reside with the CPs. The third question is to discuss and see whether the Team agrees. Belgian Data Protection Authority Correspondence to Proposed Unified Access Feedback from EPDP Team CPH letter edges into the next agenda topic into the Belgian DPA letter. The proposal misrepresents the Belgian letter. If the processing is not under the CP’s control, CPH letter proposes that 100% liability still remains with the CPs. This assumption should be challenged. Unlikely to get a clearer legal opinion on this. DPAs are not the EPDP Team or ICANN’s legal advisors. The assumption from the response is based on the advice received from the EPDP Team’s legal advisor, Bird & Bird. Bird & Bird is very clear that even when ICANN takes full responsibility for the decision-making, liability cannot be taken away from CPs. Focus on the elements of “under your control” – if ICANN is not collecting or storing, the data is not under its control. The EPDP Team is on the clock and waiting for clarity or epiphany from the DPA that removes all doubt for everyone on the EPDP Team, is unlikely to happen quickly (if at all). In the joint controller scenario, there is no one that is free of liability – the questions is – how do you set up the contractual relationship with manageable risk for all parties involved. If there is a JCA and proper safeguards, then everything will fall into place, but this group has failed to come up with the arrangement. The Belgian DPA does not answer the questions from the Strawberry paper. The hybrid model that doesn’t have ICANN compliance in a position to compel disclosure is the same set up that is not working today. Until there is advice against a UAM, the Team should work towards this. The hybrid model is the preferred way to go – there are some decisions that will have to be made by the contracted parties. In the building blocks on automation, decisions could be made automatically. 30-day SLA is unacceptable, and the Team will not get consensus on this. Should await further feedback from Elena. From the EC side, the Team should not jump to conclusions with respect to the three proposed models. The Team should keep working on the possible options Roles and responsibilities of the parties is a factual determination. It is paradoxical to diminish CP liability while giving them more responsibility to make the ultimate determination to disclose The CPH proposal does not rule out a centralized model but based on the preponderance of the guidance the Team has received to date points in the direction of a hybrid model. The DPA has noted it cannot determine which model ICANN should use – that is not its job From a data protection standpoint, the data subject (registrant)’s experience shouldn’t be the focus, not the third-party experience. Consider impact, if any, on deliberations, timeline and/or Initial Report Confirm next steps Preliminary Rec - Financial sustainability (see draft Initial Report) Review response provided by ICANN org Feedback from EPDP Team To date, there has not been a precise calculation of the costs of the estimates. This, however, should not prevent a policy proposal. The Team can consider making an educated guess based on the proposed models. First paragraph: Mark Sv. comment – the phrase unreasonable burden needs further clarification b/c a registrar may deem hiring one person an unreasonable burden – no alternative proposal at this time Need to determine what functions the under-resourced small operator would need to do – this could potentially be outsourced – there could be mandatory online training, etc. Friendly amendment – disproportionately high burden on smaller operators instead of “unreasonable” Disproportionately high is a lower bar than unreasonable Is this burden in reference to start-up costs vs. ongoing costs This is a “should” vs. a “must” In terms of start-up vs. ongoing costs, this will depend on the ultimate model chosen. The language needs to be clarified here. Action: Support Staff to edit the text to clarify the start-up vs. ongoing costs. Comment on cost causation: this is a concept that IPC/BC disagrees with – the users of the SSAD are responsible for the cost. As this is an integral part of the DNS, this is not agreed to. The Team has a fundamental difference here – for this system to be effective and well-designed and efficient, there has to be an economic calculus involved. Those who create costs by using the system are encouraged and incentivized to use the system for things that are necessary. If you have to pay something, you think about what it’s worth to get it; if it’s free, there isn’t as much discretion involved. This is not a system that will be free to develop or operate, and the direct beneficiaries should pay. Saying direct beneficiaries, which is not currently defined, will bear 100% of the cost is troublesome. If ICANN outsources all of SSAD, does this language preclude this? (insert “for ICANN” after profit-generating exercise There should be the ability to outsource functions at market costs “Funding should be sufficient to cover cost, including for subcontractors at market cost and to establish a legal risk fund. Application fees – this is an implementation detail and probably shouldn’t be in the policy. However, if this is included, applicants should be able to update their application. This is too prescriptive – shouldn’t this be left to the accreditation body whether to reject/refund – getting rid of the second part of the b bullet would make the IPC more comfortable. Proposal to change the “will be charged” to a “may be charged” – acceptable – approved change. Remove the discretion of the provider. Confirm next steps Maintain sentence as is – in fourth paragraph, under no circumstance should data subject be expected to pay to have its data disclosed. Proposal to note that costs should be shared Data subjects (registrants) shall not pay to have to have their data disclosed Put 4^th paragraph in square brackets – Preliminary Rec – Audit (see draft Initial Report) Review comments / suggestions provided by deadline Feedback from EPDP Team Confirm next steps Wrap and confirm next EPDP Team meeting (5 minutes): Thursday 14 January 2020 at 14.00 UTC Confirm action items Confirm questions for ICANN Org, if any

Note

Notes/ Action Items

Notes & Action items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/ZwPVBQ.

EPDP Phase 2 - Meeting #38

Proposed Agenda

Thursday, 9 January 2019 at 14.00 UTC

Roll Call & SOI Updates (5 minutes)

Confirmation of agenda (Chair)

Welcome and housekeeping issues (Chair) (5 minutes)
1. Legal committee update

Legal Committee met on 7 Jan
Continued to work through Priority 2 questions
Endeavor to send questions to plenary team by next Thursday
Hope to receive answers in advance of F2F meeting
1. Status of draft Initial Report
  - Updated version posted on 20 December 2019
  - Overview of groups that have provided input
  - Staff developed list of topics to be covered between now and LA F2F meeting

Going forward, please provide all comments in the Google Doc, so that everyone is working from the same document
Proposal of how to approach work from here to the F2F: the last F2F in Montreal, there was a lot of time at the table wordsmithing and editing live documents. This is not the appropriate activity at a F2F where time is scarce. Proposal to reserve F2F time for making compromise decisions and synthesizing feedback. Drafting and editing documents on the table should be considered out of bounds and moved to the list.
It is likely inevitable that wordsmithing will occur because seeing things in written form aids the approach to compromise.
CPH letter: after viewing the first draft Initial Report, there was no answer on who makes the ultimate decision to disclose and which form the eventual SSAD will take. The CPH put a proposed path forward in order to make critical decisions on policy recommendations.
Helpful that the CPH proposal notes standardized process, starting with accreditation, request submission, treatment of request, and response. The CPH proposal also describes a central gateway, likely operated by ICANN. Proposal notes the disclosure decision to reside with the CPs. The third question is to discuss and see whether the Team agrees.

Belgian Data Protection Authority Correspondence to Proposed Unified Access
1. Feedback from EPDP Team

CPH letter edges into the next agenda topic into the Belgian DPA letter. The proposal misrepresents the Belgian letter.
If the processing is not under the CP’s control, CPH letter proposes that 100% liability still remains with the CPs. This assumption should be challenged.
Unlikely to get a clearer legal opinion on this.
DPAs are not the EPDP Team or ICANN’s legal advisors. The assumption from the response is based on the advice received from the EPDP Team’s legal advisor, Bird & Bird. Bird & Bird is very clear that even when ICANN takes full responsibility for the decision-making, liability cannot be taken away from CPs.
Focus on the elements of “under your control” – if ICANN is not collecting or storing, the data is not under its control.
The EPDP Team is on the clock and waiting for clarity or epiphany from the DPA that removes all doubt for everyone on the EPDP Team, is unlikely to happen quickly (if at all).
In the joint controller scenario, there is no one that is free of liability – the questions is – how do you set up the contractual relationship with manageable risk for all parties involved. If there is a JCA and proper safeguards, then everything will fall into place, but this group has failed to come up with the arrangement.
The Belgian DPA does not answer the questions from the Strawberry paper. The hybrid model that doesn’t have ICANN compliance in a position to compel disclosure is the same set up that is not working today. Until there is advice against a UAM, the Team should work towards this.
The hybrid model is the preferred way to go – there are some decisions that will have to be made by the contracted parties. In the building blocks on automation, decisions could be made automatically.
30-day SLA is unacceptable, and the Team will not get consensus on this.
Should await further feedback from Elena.
From the EC side, the Team should not jump to conclusions with respect to the three proposed models. The Team should keep working on the possible options
Roles and responsibilities of the parties is a factual determination. It is paradoxical to diminish CP liability while giving them more responsibility to make the ultimate determination to disclose
The CPH proposal does not rule out a centralized model but based on the preponderance of the guidance the Team has received to date points in the direction of a hybrid model.
The DPA has noted it cannot determine which model ICANN should use – that is not its job
From a data protection standpoint, the data subject (registrant)’s experience shouldn’t be the focus, not the third-party experience.

Consider impact, if any, on deliberations, timeline and/or Initial Report
Confirm next steps

Preliminary Rec - Financial sustainability (see draft Initial Report)
1. Review response provided by ICANN org
2. Feedback from EPDP Team

To date, there has not been a precise calculation of the costs of the estimates. This, however, should not prevent a policy proposal. The Team can consider making an educated guess based on the proposed models.
First paragraph: Mark Sv. comment – the phrase unreasonable burden needs further clarification b/c a registrar may deem hiring one person an unreasonable burden – no alternative proposal at this time
Need to determine what functions the under-resourced small operator would need to do – this could potentially be outsourced – there could be mandatory online training, etc.
Friendly amendment – disproportionately high burden on smaller operators instead of “unreasonable”
Disproportionately high is a lower bar than unreasonable
Is this burden in reference to start-up costs vs. ongoing costs
This is a “should” vs. a “must”
In terms of start-up vs. ongoing costs, this will depend on the ultimate model chosen.
The language needs to be clarified here.
Action: Support Staff to edit the text to clarify the start-up vs. ongoing costs.
Comment on cost causation: this is a concept that IPC/BC disagrees with – the users of the SSAD are responsible for the cost. As this is an integral part of the DNS, this is not agreed to.
The Team has a fundamental difference here – for this system to be effective and well-designed and efficient, there has to be an economic calculus involved. Those who create costs by using the system are encouraged and incentivized to use the system for things that are necessary. If you have to pay something, you think about what it’s worth to get it; if it’s free, there isn’t as much discretion involved.
This is not a system that will be free to develop or operate, and the direct beneficiaries should pay.
Saying direct beneficiaries, which is not currently defined, will bear 100% of the cost is troublesome.
If ICANN outsources all of SSAD, does this language preclude this? (insert “for ICANN” after profit-generating exercise
There should be the ability to outsource functions at market costs “Funding should be sufficient to cover cost, including for subcontractors at market cost and to establish a legal risk fund.
Application fees – this is an implementation detail and probably shouldn’t be in the policy. However, if this is included, applicants should be able to update their application.
This is too prescriptive – shouldn’t this be left to the accreditation body whether to reject/refund – getting rid of the second part of the b bullet would make the IPC more comfortable.
Proposal to change the “will be charged” to a “may be charged” – acceptable – approved change. Remove the discretion of the provider.
1. Confirm next steps
Maintain sentence as is – in fourth paragraph, under no circumstance should data subject be expected to pay to have its data disclosed.
Proposal to note that costs should be shared
Data subjects (registrants) shall not pay to have to have their data disclosed
Put 4^th paragraph in square brackets –

Preliminary Rec – Audit (see draft Initial Report)
1. Review comments / suggestions provided by deadline
2. Feedback from EPDP Team
3. Confirm next steps

Wrap and confirm next EPDP Team meeting (5 minutes):
1. Thursday 14 January 2020 at 14.00 UTC
2. Confirm action items
3. Confirm questions for ICANN Org, if any

...

Content

Space Tools

Versions Compared

Old Version 14

New Version Current

Key