There will be a GNSO Next-Gen RDS PDP Working Group teleconference on Wednesday, 24 January 2018 at 06:00 UTC for 90 minutes.
(Tuesday) 22:00 PST, (Wednesday) 01:00 EST, 06:00 London GMT, 07:00 Paris CET
For other times: https://tinyurl.com/ybz2moxq
PROPOSED AGENDA
1. Roll Call/SOI Updates
2. Deliberate on list of criteria that make purposes legitimate for processing
a. See GDPR definition of processing
b. Discuss list of criteria in handout
c. Confirm agreement on criteria with poll
3. Deliberate on list of purposes to determine which are legitimate for processing based on criteria
a. Ask which purposes (if any) do not satisfy any of these criteria
b. Confirm agreement(s) with poll
4. Confirm agreements for polling & next steps
5. Confirm next meeting: Tuesday 30 January at 17:00 UTC
BACKGROUND DOCUMENTS
Call Handout: Handout-24January-RDSWGCall.pdf and PPT
24 January Call poll (closed COB Saturday 27 January)
- Link to participate: https://www.surveymonkey.com/r/LQC2YJH
- PDF of Poll Questions: Poll-from-24January-Call.pdf
- SurveyMonkey Summary Poll Results: SummaryResults-Poll-from-24JanuaryCall.pdf
- SurveyMonkey Raw Data Poll Results: RawDataResults-Poll-from-24JanuaryCall.zip and XLS
- Annotated Poll Results: AnnotatedResults-Poll-from-24January.pdf
RECORDINGS
PARTICIPATION
Apologies: Rubens Kuhl, Nathalie Coupet, Steve Metalitz, Michael Hammer, Greg Aaron, Paul Keating, Andrew Sullivan, Michele Neylon, Mason Cole, Alan Greenberg, Daniel Nanghaka
Notes/ Action Items
These high-level notes are designed to help PDP WG members navigate through the content of the call and are not meant as a substitute for the transcript and/or recording. The MP3, transcript, and chat are provided separately and are posted on the wiki.
1. Roll Call/SOI Updates
- Roll call taken from Adobe Connect
- Please mute your microphones when not speaking
- State your name before speaking for transcription purposes
2. Deliberate on list of criteria that make purposes legitimate for processing
- Meeting Page: https://community.icann.org/x/RgByB
- Call Handout: https://community.icann.org/download/attachments/74580038/Handout-24January-RDSWGCall-v2.pdf
- GDPR definition of processing:
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; - Noted that not every aspect of processing will apply to RDS - for example, disclosure by transmission may not apply if transmissions are encrypted, and transmission may involve trans-border transmission
- Question for discussion: How will we decide whether any proposed purpose is legitimate for processing registration data?
- List of criteria in handout:
a) In support of ICANN's mission
b) A legitimate interest pursued by the data controller(s)
c) Necessary for the fulfillment of a contract
d) Inherent to functionality of the DNS
e) In the public interest
f) Necessary for compliance with a legal obligation
- It will be necessary to interpret how each of these criteria apply to any possible purpose - for example, which contract and is the contract lawful, what is the public interest, etc.
- No objections to proposed agreement voiced on the call - support to be confirmed by poll
Proposed WG Agreement (to be confirmed by poll): Criteria to be used to determine whether any proposed purpose is legitimate for processing registration data are: a) In support of ICANN's mission; b) A legitimate interest pursued by the data controller; c) Necessary for the fulfillment of a contract; d) Inherent to functionality of the DNS; e) In the public interest; or f) Necessary for compliance with a legal obligation.
Action Item: Confirm agreement on criteria with poll; all WG members are encouraged to respond to the poll no later than COB Saturday 27 January.
3. Deliberate on list of purposes to determine which are legitimate for processing based on criteria
- Question: Which purposes (if any) do NOT satisfy any (i.e., at least one) of these criteria?
1) Technical Issue Resolution
2) Academic or Public Interest Research
3) Domain Name Management
4) Individual Internet Use
5) Domain Name Certification
6) Domain Name Purchase/Sale
7) ICANN Contractual Enforcement
8) Regulatory Enforcement
9) Legal Actions
10) Criminal Activity/DNS Abuse Investigation
11) Criminal Activity/DNS Abuse Notification
12) Criminal Activity/DNS Abuse Reputation
Proposed WG Agreement (to be confirmed by poll): The following purposes for processing registration data satisfy at least one of these criteria: Technical Issue Resolution; Academic or Public Interest Research; Domain Name Management; Individual Internet Use; Domain Name Certification; Domain Name Purchase/Sale; ICANN Contractual Enforcement; Regulatory Enforcement; Legal Actions; Criminal Activity/DNS Abuse Investigation; Criminal Activity/DNS Abuse Notification; or Criminal Activity/DNS Abuse Reputation (where "these criteria" refers to those listed in the other proposed WG agreement, and "processing" assumes the GDPR definition).
- Note the proposed WG Agreement refers to "processing" not just collection
- Collection of data has only been agreed to date for the purposes of Technical Issue Resolution and Domain Name Management
- We will need to examine each purpose and make recommendations about registration necessary and collection of and/or access to that data for that purpose
- For example, the GDPR says that public and academic research is a reasonable purpose for disclosure..... [but not for collection]
- Concern: If the purpose of collection were to be broadened to include all kinds of secondary processing, (e.g., law enforcement investigations, academic research, consumer protection with respect to business practices not related to the DNS), then the purpose (while contestable in court, of course) could be used to justify further collection of data and release of the same.
- How do PDP WG agreements relate to the three models put forward by ICANN as emergency contractual measures to enable GDPR compliance?
- Any model chosen for GDPR compliance is a short-term emergency measure; what the PDP WG produces will be consensus policy for a longer-term RDS
- Need to include definition of "processing" assumed by these proposed WG agreements, and to underline "processing" to make it clear the agreement is not limited to collection
- Some (but not all) of these criteria may be justification for collection - to be discussed in a future call
4. Confirm agreements for polling & next steps
Proposed WG Agreement (to be confirmed by poll): Criteria to be used to determine whether any proposed purpose is legitimate for processing registration data are: a) In support of ICANN's mission; b) A legitimate interest pursued by the data controller; c) Necessary for the fulfillment of a contract; d) Inherent to functionality of the DNS; e) In the public interest; or f) Necessary for compliance with a legal obligation.
Proposed WG Agreement (to be confirmed by poll): The following purposes for processing registration data satisfy at least one of these criteria: Technical Issue Resolution; Academic or Public Interest Research; Domain Name Management; Individual Internet Use; Domain Name Certification; Domain Name Purchase/Sale; ICANN Contractual Enforcement; Regulatory Enforcement; Legal Actions; Criminal Activity/DNS Abuse Investigation; Criminal Activity/DNS Abuse Notification; or Criminal Activity/DNS Abuse Reputation (where "these criteria" refers to those listed in the other proposed WG agreement, and "processing" assumes the GDPR definition).
Action Item: Confirm agreement on criteria with poll; all WG members are encouraged to respond to the poll no later than COB Saturday 27 January.
5. Confirm next meeting: Tuesday 30 January at 17:00 UTC
