2018-09-11 EPDP Team call #12

Notes/ Action Items

EPDP Team Meeting #12

Tuesday, 11 September 2018

Notes and Action Items

High-level Notes/Actions:

Action item #1: EPDP Team to review slides in relation to the updates (especially with regard to scheduling of topics going forward)  from the EPDP Team Chair and share any comments / questions with the mailing list.

Action item #2: All members, alternates and liaisons to complete the GDPR training as soon as possible but no later than 17 September.

Action item #3: GDPR session with Becky Burr scheduled for 18 September. EPDP Team members to submit questions in advance to allow for adequate preparation. The session time will be posted as soon as it is available.

Action item #4: EPDP Leadership team to submit triage report to GNSO Council.

Action item #5: EPDP Team to review outstanding action items - see https://community.icann.org/x/NwSNBQ

Action item #6: EPDP Team to review email from Kurt re. Registrar purposes (see https://mm.icann.org/pipermail/gnso-epdp-team/2018-September/000337.html) and provide input by Friday 14 September at 19.00 UTC at the latest.

Action item #7: EPDP Team to review overview of purposes table and provide input on whether this provides an accurate picture. Focus should be on the purposes for collection and other processing (Registrar, Registry and ICANN), but not access (Third party interests) as these will be considered in further detail in the context of the standardized access discussion. Also consider whether purposes are sufficiently specific? Team input to commence  now and will finishby 19.00 UTC on Friday 14 September. Thomas and Benedict will take that input to create an agenda for the Tuesday meeting.

Action item #8: Support team to put overview of purposes table into google doc to facilitate input from EPDP Team.

Action item #9: Support team to collate RySG proposal and Margie's proposal into one document.

Action item #10: EPDP Team to provide input at the latest by Friday 14 September 19.00 UTC on Margie's proposal as well as RySG proposal in relation to Appendix C in view of wrapping up this discussion during next Tuesday's meeting.

Questions for ICANN Org from the EPDP Team:

None

All Action items:

Notes & Action items

These high-level notes are designed to help the EPDP Team navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki at: https://community.icann.org/x/2IpHBQ.

1. Roll Call & SOI Updates

• Attendance will be taken from Adobe Connect
• Please remember to mute your microphones when not speaking, and state your name before speaking for transcription purposes.
• Please remember to review your SOIs on a regular basis and update as needed. Updates are required to be shared with the EPDP Team.

2. Welcome and Updates from EPDP Team Chair

Action item #1: EPDP Team to review slides in relation to the updates from the EPDP Team Chair and share any comments / questions with the mailing list.

Enhanced working methods

• Received many comments about diving into substance and deal with administrative matters over email.
• See proposed enhancements outlined in the slides. It may feel like hopping around, but the objective is to create more time for review and discussion.

Update on status of GDPR training

Action item #2: All members, alternates and liaisons to complete the GDPR training as soon as possible but no later than 17 September.

Action item #3: GDPR session with Becky Burr scheduled for 18 September. EPDP Team members to submit questions in advance to allow for adequate preparation.

Triage report

• completed and will be submitted to GNSO Council.

Action item #4: EPDP Leadership team to submit triage report to GNSO Council.

Action item #5: EPDP Team to review outstanding action items - see https://community.icann.org/x/NwSNBQ

Other updates, if applicable

• EPDP Timeline - note there are 10 meetings remaining to ICANN63. Little time remaining to come to agreement on recommendations for Initial Report.
• Any ideas / suggestions on how to expedite progress are welcome. 

3. Next steps: Section 4, Appendix C

• Work done by Benedict and Thomas - section 4.4 to be subdivided into parts:
• Registrar purposes for processing data
• Registry purposes for processing data
• ICANN purposes for processing data
• Third-party purposes for processing data
• See also email circulated by Kurt in relation to registrar purposes. Idea is to put these into google doc so further input can be provided and hopefully can be finalized shortly.
• Document prepared by Benedict and Thomas: none should be taken as carved in stone. Should be able to revisit language in the matrix. Other teams are working on some of the sections on this list. Objective is to obtain more clarity about the purposes and whose purposes those are - who is the group / entity pursuing a certain purpose. Some may need to be further clarified and/or regrouped. This should be taken as a first step.  
• EPDP Team encouraged to speak up where they disagree so that those issues can be addressed.
• Is a registrant column needed? Shouldn't registrant at a minimum be able to verify independent of their own registrar what information is stored about them? The information right is enshrined in the GDPR so that is already a legal right. Purposes are for controllers as such, Registered Name Holder may not need to be added. 
• Aiming to group certain purposes together. 
• Being able to identify patterns of abusive registrations is a technique not a purpose, similar to the supporting a framework for research access. Consider removing it.
• Helpful starting point. 
• Concern about enabling the prevention and detection of cybercrime - revised draft language is not an ICANN purpose but a third party one. Could open the door to collect additional data which may not be supported by ICANN's mission.
• ICANN purposes broadly define the reasons for collection. Rather than to exhaustively try to list third party interests, acknowledge that those exists and ask third parties to act as controllers for the data that they access / process. In that way, they are legally responsible - probably better suited for the access model discussion. 
• Reflecting the rights of a Registered Name Holder - any objection to accepting this as a purpose pursued by Registrar, Registry and ICANN purpose? Isn't this also a purpose of the registered name holder? Consider adding an additional column. To be updated in next iteration. Agreement that this is a purpose that is pursued by Registry, Registrar, ICANN as well as Registered Name Holder.
• Providing access to accurate, reliable and uniform Registration Data consistent with GDPR - proposed to be parked until the group discusses disclosure / access.
• Need to understand what the definitive purposes / legitimate interests are. May need further guidance on the legitimate interests as otherwise it will not be possible to get clarity around this.
• Consider using a more generic term instead of referring directly to GDPR. 
• Enabling a reliable mechanism for contacting the Registered Name Holder
• Enabling a reliable mechanism for identifying the Registered Name Holder 
• Interests vs purposes - need to clarify what this means. When we talk of 'third party interests' (note the plural) that is a generic recognition that third parties have an interest in the data
• Are there situations in which RNH has contacted the Registry, for example in the case of cybersecurity, malware situation? LE and security researchers may prefer to work with registries in certain circumstances.
• Consider whether table should be in google doc or word to facilitate input and collection of comments. Support team to put table in google doc to facilitate input.

Action item #6: EPDP Team to review overview of purposes table and provide input on whether this provides an accurate picture. Focus should be on the purposes for collection and other processing (Registrar, Registry and ICANN), but not access (Third party interests) as these will be considered in further detail in the context of the standardized access discussion. Also consider whether purposes are specific enough? Input to be circulated by 19.00 UTC on Friday 14 September. 

Action item #7: Support team to put overview of purposes table into google doc to facilitate input from EPDP Team.

Appendix C

• See email circulated by Margie proposing retention of certain aspects of Appendix C. Benefit to the community that certain principles are addressed, especially where those specifically apply to WHOIS. For example, principles for disclosure. Maintain transparency and accountability in relation to certain sections. Need to add on standard terms in relation to third party access.
• Summarizing existing legislation but not using exact references is problematic. Similarly, if further updates are made in the future. This creates uncertainty and difficulties.
• Published guidance will be helpful, but this may not need to go into the agreements? This guidance could help inform implementation where details would be fleshed out.
• Need additional time to review proposed retention of certain aspects - provide further input on the list or either on a future call.
• Are terms/principles to third parties who access non-public data for consideration now or during standardized access model? Are part of Appendix C now so should be considered here. Does that mean that access is discussed prior to gating questions being answered? How to memorialize that there will be third party access without necessarily going into the details and run ahead of the standardized access model conversation. Objective here is that it confirms that there will be an access process and that contracted parties are required to adhere to it. "Requiring" contracting parties to adhere to an access model presumes that the model itself complies with the law(s).
• Should chart, in updated form, be retained? Is it helpful to have there? Mixed responses. May not be appropriate for inclusion in a contract. Could serve as an illustrative document. EPDP Team is tasked to develop a policy so its recommendations may not necessarily translate directly into contractual requirements, there may be other ways in which implementation is carried out.
• No agreement yet on a framework for access, only agreement for now for Rr and Ry to provide access as outlined in temporary specification.

Action item #8: Support team to collate RySG proposal and Margie's proposal into one document.

Action item #9: EPDP Team to provide input at the latest by Friday 14 September 19.00 UTC on Margie's proposal as well as RySG proposal in relation to Appendix C in view of wrapping up this discussion during next Tuesday's meeting.

4. Review data matrix formed from RDS work and Thomas’s chart

High-level overview of chart

Discuss proposed amendments to Chart

Agree on next steps

• Deferred to next meeting

5. Introduction to Appendix A

• Deferred to next meeting

6. Confirm action items and questions for ICANN Org, if any

7. Wrap and confirm next meeting to be scheduled for Thursday 13 September at 13.00 UTC.