The small team EPDP scope call will take place on Tuesday, 10 July 2018 at 12:00 UTC.

PROPOSED AGENDA


  1. Review updated scope section 

BACKGROUND DOCUMENTS



 

Notes/ Action Items


Action Items

 

  1. Keith to reformulate Section B and Section C questions, starting with purpose/justification questions with the addition of secondary questions regarding legality.
  2. Keith to include a question in Section G that gets at the justification for retaining registration data beyond the life of the domain registration.
  3. Paul to recast the IPC comments in section J, using more simplified language.
  4. Susan to reformulate RDAP+ language and remove any reference to RDAP+.
  5. Staff to create clean scope document once all above feedback is received.
  6. Note: all action items should be completed as soon as you are able today so that we can have a new draft for the drafting team.

 

High-level concerns with the scope:

 

  • The group did not finish the IPC comments, so the group needs to work through those.

 

  • The Team should come up with a way to look at these documents to see all of these comments. We need to avoid fighting old RDS fights; as such, the IPC’s suggested first paragraph should be omitted because it does not move the group forward.

 

  • It’s important to understand we are dealing with ICANN when we are considering this process.

 

  • Support Stephanie’s suggested edits in the opening paragraph. Also recognize GDPR is not the only applicable privacy regulation.

 

  • Disagree with Stephanie’s point, and will note that the added paragraph did not reach consensus.

 

  • At a high level, we, as a small team, agreed to remove references to Phase 1 and Phase 2 – this is a significant change in response to BC and IPC to use the answers to gating questions as the pivot point to the access model, so IPC’s comments are not going unheard. The issues do not appear to be overarching, but rather concerns about specific language.

 

  • Concerned about the dismissal of IPC comments. 

 

Notes from Keith’s email:

 

  • first paragraph suggested by IPC – OK with Stephanie’s edits.

 

  • Sections B and C – questions began, “is there a legal reason why registrars should not”. This change in language sets the group up to get mired in debates over legality.  Recommendation – the questions should first ask why the data is collected and transferred in the first place outside of the law.  If we want to ask a question about legality, that question should be secondary.  We should start with justification and purpose, because legality is an undetermined question and that question could continue to evolve.

 

  • Team agreement on questions reformulation as two-part question.

 

  • ACTION: Keith to reformulate Section B, starting with purpose/justification questions with the addition of secondary questions regarding legality.

 

  • Compliance with GDPR is being done for risk reasons.  Beyond fines, there are other risks associated with the collection of data, and that is reputational risk.  We should also consider reputational risk as we go through this.

 

  • Under Section G, the scope section should include a question on why retaining registration data beyond the life of the registration is justified. Need the group to look at data retention periods. (No objection from the group for this inclusion.)

 

  • ACTION: Keith to add data retention period questions.

 

  • In Section L, there is reference to the terms controller, processor, etc.  Controller and processor have significant meaning as it relates to GDPR.  The group should look at the gating questions first before it starts using those terms, as those terms may cause confusion.  (No disagreement on the call.)

 

  • In Part 3, under data processing terms as what used to be Phase 1, it’s important to not lose sight of this question as these questions need to be answered to have an appropriate contractual framework in place.

 

  • When edits are made, the scope section should be rearranged so that we have the gating questions appear first and then the follow-on questions.

 

Comments regarding IPC’s comments:

 

  • Looking at J in its entirety, the lead-in is fine (with Susan’s comments), J1 is a reasonable question. J2 – time to respond to request for data – this will depend on access to gating questions.

 

  • There is a reference to what is contained in the annex of the important issues. Is there some way we can review the language and simplify it?

 

  • ACTION: Paul to recast the IPC comments in section J.

 

  • Object to the inclusion of the word uniform or unified.  Instead, the group can focus on the parameters for third-party access.

 

  • This will need to have variability as it relates to different requesters, jurisdictions.  The key here is to set the policies that give flexibility but also to provide predictability for contracted parties and users and make sure all of it is consistent with the law.

 

  • There needs to be variability in the model, but right now, there is no standardization of access.  Just having an “access model” would leave us with what we have today, but we need something that indicates that a registrar cannot make arbitrary decisions.

 

  • Note: Group agreed to the term standardized access model (lowercase)

 

  • Group agrees to inclusion of RDAP language.

 

  • ACTION: Susan to reformulate RDAP+ language and remove any reference to RDAP+ as that term may be confusing.

 

  • This team has reached agreement on gating questions and needs to flip the order of the questions in the scope. Standardized access model change was agreed to. Paul has agreed to recast questions in the IPC.  We’ve agreed to include the RDAP language.  It would be ideal to have the language finalized by tomorrow.  If you have made a commitment to do some drafting, if you could turn that around reasonably quickly today so that we can have a new draft for the drafting team.  We may need a fresh document as well.

 
