Page History
...
Info |
---|
PROPOSED AGENDA
i. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so“); ii. What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons. Bird & Bird Response to Question #3
Guidance write up d. Consider remaining outstanding questions: Guidance #3 - As part of the implementation, Registrars should consider using a type of Example scenarios (note, these scenarios are intended to be illustrations for how a Registrar could apply the guidance above. These scenarios are NOT to be considered guidance in and of itself).
Scenario #2 - Data subject self-identification at time when registration is updated
a. The Registrar collects Registration Data and provisionally redacts the data. b. The Registrar informs the Registrant (per guidance #3 above) and requests the Registrant (data subject) to designate legal or natural person type. The Registrar must also request the Registrant to confirm whether only non-personal data is provided for legal person type.[1] c. Registrant (data subject) indicates legal or natural person type and whether or not the registration contains personal information after registration is completed. For example, the Registrant may confirm person type at the time of initial data verification, in response to its receipt of the Whois data reminder email for existing registrations, or through a separate notice requesting self-identification.[2] d. If the data subject identifies as a legal person and confirms that the registration data does not include personal data, the Registrar should (i) contact the provided contact details to verify the Registrant claim[3] (ii) set the registration data set to automated disclosure in response to SSAD queries and (iii) publish the data.
2. The GAC has suggested that it might be helpful to add some timelines to this scenario. How could/should such a timeline look? Registrars shall not be prohibited from voluntarily utilizing a third party to verify that a registrant has correctly identified its data[4], provided that such verification is compliant with applicable data protection regulations.
3. Proposed language changes from Volker were applied to make clear that third party verification is not disallowed, but neither specifically recommended. NCSG has noted its objection to this rewrite as it would make scenario 3 ten times worse. EPDP Team to consider concerns and determine if/how these can be addressed. Note, the Bird & Bird advice specifically talks about the option to verify information provided by the registrant. 4. Homework assignments reminder (5 minutes)
5. Wrap and confirm next EPDP Team meeting (5 minutes): a. EPDP Team Meeting #21 Tuesday 11 May at 14.00 UTC b. Confirm action items c. Confirm questions for ICANN Org, if any [1] Note that the confirmation that only non-personal data is provided could also happen at a later point in time. However, until the Registrant confirms that no personal data is present in the registration data, the Registrar does not set the registration data to automated disclosure. [2] Note, the implementation of EPDP Phase 1, recommendation #12 (Organization Field) may facilitate the process of self-identification. [3] Per the guidance provided by Bird & Bird, “this verification method is advisable, and will help reduce risk. That risk reduction will be greatest if there is a reasonable grace period within which the objection can be lodged, before the data in question is published in the Registration Data” and “requiring an affirmative response to verification mailings seems over-cautious, unless and until studies show that the measures adopted are failing to keep very substantial amounts of personal data out of published Registration Data. However, if a verification email “bounces” (i.e. a Contracting Party knows it was not delivered), then it would be better if publication does not proceed”. [4] Per the guidance provided by Bird & Bird, “a company registration number may be another means of verifying legal personhood”.
BACKGROUND DOCUMENTS See email invite with zoom webinar room URL for attendees (observers) |
Info | ||
---|---|---|
| ||
GNSO transcripts are located on the GNSO Calendar |
...