2021-03-25 EPDP Team Phase 2A - Meeting #12

Notes/ Action Items

1. Roll Call & SOI Updates (5 minutes)

      2. Welcome & Chair updates (Chair) (5 minutes)

                  a. Status update to GNSO Council – feedback and reactions

• Consistent with the message to the EPDP Team, Keith gave an update to the GNSO Council, noting that the Legal Committee has completed its work and the Team is currently awaiting feedback from Bird & Bird. Keith noted he believes there is a path to consensus on guidance to registrars who wish to differentiate; however, it’s premature to determine if there will be consensus on changes to consensus policy recommendations at this time.
• Some councilors questioned the timeline, as some believed there should have been a go/no go decision at the end of March; however, Keith pointed to the project plan.
• There is an expectation that Philippe will give an update to the Council at its April meeting.
• Reminder to please continue making progress in good faith and complete homework in a timely fashion.
• EPDP Feedback:
• There are approximately 8 meetings left. If the Team spends its time looking at non-consensus recommendations, there may not be enough time to discuss actual consensus recommendations.
• Encourage team members to speak to one another and do work outside of the plenary meetings. Also, the leadership and staff paper that was circulated is an opportunity to move things forward.
• Bird & Bird’s advice should come in next week.
• There has been progress working on the guidance and perhaps the Bird & Bird advice could assist; however, would not make any assumptions that legal advice will be determinative in the policy discussions.

       3. Legal vs. natural (60 minutes)

            i. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate          between registrations of legal and natural persons, but are not obligated to do so“);

           ii. What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.

Guidance development

 a. Development of guidance proposal(s)

• See draft write up developed by leadership & staff support team (https://docs.google.com/document/d/14Fs3b_Sz1ij3Tiu58uy0C69DWFHAq1Dp/edit [docs.google.com])
• Initial reactions by EPDP Team:
  • Does this accurately capture agreed aspects from the different proposals (RrSG, proposal 1a and thought experiment)? If not, what is missing?
  • Is it sufficiently high level to allow for flexibility to accommodate different business models, while at the same time providing helpful insights to those that want to differentiate?
  • What incentives, if any, could be considered to promote any guidance agreed to by the EPDP Team?

• This document skips the legal vs. natural differentiation and, instead, looks at personal v. non-personal data. This is confusing. The registrants should first be differentiated by legal v. natural and then review if there is personal data.
• There are challenges with trying to retrofit this approach with existing registrations.
• The format of the document could be improved: for example, when the document gets to proposed guidance, it lists reminders, which is confusing. Perhaps include the reminders under  “background”.
• There are three scenarios, and it’s useful to have these here – these do not seem to be providing any guidance.
• Data protection law does not apply to legal person data; however, there are difficulties in applying the requisite protections to natural persons, not legal persons.
• GDPR exists to protect natural persons and not legal persons. Step 1 is important for compliance with the GDPR. First distinguish b/w legal and natural and then personal v. nonpersonal – indeed, this is for new registrations vs. existing registrations. Some members wish to only distinguish between personal and non-personal data – how can you distinguish only b/w personal and non-personal data – would this be done by asking the registrant or would you do it yourself? Also, would this be mandatory or voluntary?
• OK with having a differentiation between legal and natural persons, so long as the registrant is in control of this determination and does not have it made for them. If we do introduce a legal v. natural distinction, and someone checks “legal”, there needs to be assurances that this will not be abused. Surprised to hear that someone said there was no guidance in this document – the document does provide guidance. Hope to get rid of the third scenario, but the other two are acceptable.
• In terms of the person type, would not infer this as a registrar – would always have the data subject or domain owner indicate what type of person they are. In terms of required or voluntary, open to understanding the possibilities, but there is already a recommendation on this topic, and have not yet seen anything compelling indicating that this distinction should be mandatory. For example, during the last meeting, registrars explained why flags are difficult to implement.
• The last sentence is problematic, as it appears to be providing legal advice to contracted parties. This is not appropriate for a WG to be providing legal advice. This should ultimately be up to the individual entity – these recommendations should not be written or drafted in a way that sounds like legal advice or guidance.
• Cannot require manual review at the time of registration – this is not scalable
• If it is up to the registrant to determine if data is personal or not personal – this has risks that if a registrant is a natural person, you should assume that all data is personal. If you allow differentiation, this is more compliant.
• Appreciate concern for the risks we are addressing here. The domain owner can choose to publish information irrespective of person type – risk of publishing data without a proper legal basis is a greater risk of not having a legal person’s data published.
• If all information is redacted, am as protected as I can be because I am not at risk of inadvertently publishing personal data.
• Understand this point about greater risk of publishing personal data, however, this distinction could be very confusing. Encourage to further discuss with data protection officers – compare the two-step approach with the one-step approach.
• The Team is currently talking about guidance – if it is just guidance, the distinction between legal and natural in a two-step process, have trouble understanding what the resistance is to registrars if it is just guidance. Is it b/c if you agree now, you’re concerned with it becoming mandatory? Please explain. The first step may actually be clarifying. If you check “yes” to this, your rights to data protection may be less strong or your data may be published. If you are a company, are you using your home office for your registration? As long as the registrant is in control of those decisions, this would be OK.
• If there is a requirement (and there are discussions of requirements in NIS-2), this would be helpful in the future. Do not see a problem with this step being included in the guidance since it is currently optional.
• What incentives, if any, could be considered to promote any guidance agreed to by the EPDP Team?
• In Phase 1, the registrant can check a box and then the data will be published – this would likely be done by a computer rather than a person. How do you know that you should return the data? This can be called a flag or something else, but there is something informing the response to the query.
• Understand the flag concept to be an additional field in the WHOIS record. This would create consistency.
• There is a benefit in formally defining this flag – as this flag could carry on to another provider.
• If there is the disclosure of legal persons, this would reduce the number of disclosure requests that would require manual review.
• The problem is this is adding this complexity serves no benefit to the customer.
• If there is an SSAD a nicely automated request system, you can automatically and quickly get concealed data through this process, and registrars won’t be burdened very much because it will be automated.
• It’s important to distinguish between publication and disclosure through the SSAD.
• Added SSAD recommendation from the Phase 2 final report within the document because it requires disclosure for domains with no personal data. If a flag is added, the system could be configured to respond automatically to requests.
• Recommend avoiding the word “published” – what we mean is “provided in response to an RDS query” as this is more accurate.
• Have until the end of day tomorrow to provide additional comments in the document.

• Confirm next steps

• EPDP Team members have until the end of the week to provide additional feedback, and Staff will then take the input and produce the next version.

 4. Feasibility of unique contacts (10 minutes)

           i. Whether or not unique contacts to have a uniform anonymized email address is feasible, and if feasible, whether it should be a requirement.

           ii. If feasible, but not a requirement, what guidance, if any, can be provided to Contracted Parties who may want to implement uniform anonymized email addresses.

     a. Any issues that can be constructively discussed prior to receipt of legal advice?

     b. Confirm next steps

 5. Wrap and confirm next EPDP Team meeting (5 minutes):

       a. EPDP Team Meeting #13 Thursday 1 April at 14.00 UTC.

       b. Confirm action items

       c. Confirm questions for ICANN Org, if any