From stephanie at digitaldiscretion.ca Wed Feb 3 21:57:20 2021 From: stephanie at digitaldiscretion.ca (Stephanie E Perrin) Date: Wed, 3 Feb 2021 14:57:20 -0500 Subject: [NCSG-EC] Fwd: [Gnso-epdp-legal] Notes and action items - EPDP Phase 2A Legal Committee meeting - 2 Feb 2021 In-Reply-To: <704C9D76-5FC8-4F39-B1EC-E4122EB39185@icann.org> References: <704C9D76-5FC8-4F39-B1EC-E4122EB39185@icann.org> Message-ID: Just forwarding the notes and action items from the EPDP Legal committee which I attended yesterday.? It was painful, as expected.? Some of the questions are being reformatted.? Let? me know if you have any questions.? Next EPDP meeting is tomorrow 14:00 UTC Stephanie Perrin. -------- Forwarded Message -------- Subject: [Gnso-epdp-legal] Notes and action items - EPDP Phase 2A Legal Committee meeting - 2 Feb 2021 Date: Tue, 2 Feb 2021 18:16:13 +0000 From: Caitlin Tubergen To: gnso-epdp-legal at icann.org Dear Legal Committee Members: Please find below the notes and action items from today?s call. Thank you. Best regards, Berry, Marika, and Caitlin -- *EPDP Phase 2A * *Legal Committee ? Meeting #01* *Proposed Agenda* Tuesday 2 February 2021 at 14.00 UTC 1.Roll Call & SOI Updates 2.Welcome 1. The first call will be spent on the pre-homework, which included reviewing the questions assigned to the legal committee and categorizing them by: * Who should address: legal committee or B&B? * If B&B, what is the priority level (low, medium, or high)? * How would a response to this question assist the EPDP Team in answering the questions assigned from the GNSO Council? 2. Expenses related to external counsel * First meeting, questions raised re: funds. * Because this is a shorter-term engagement, unlike Phase 1 and 2, there is no dedicated budget. Important to note that while there is budget available, these expenses will be absorbed into the core policy budget. Ultimately this means EPDP Leadership asks the group to be conservative with respect to questions forwarded to B&B. 3.Legal vs. natural a.Review homework provided * See https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit * Proponents to explain provided rationales (why this needs to be addressed by B&B, or, conversely, how this has already been addressed) o /Question 1: Given that a registrant is already offered the option to provide consent to publication, wouldn?t the self-designation as an Organization (with suitable advance notification of consequences) result in substantially the same issue/risk for the Contracted Party?/// o Mechanisms around consent are quite complex, and this is something CPs already have to deal with. Publishing legal information could be a less burdensome measure as this information is not protected under the GDPR. o If CPs required registrants to self-identify, along with implementing safeguards listed in B&B memo (such as notification of consequences in plain language, etc.) An answer to this question is to help address more of the CPs? concerns. o The issue of consent is complicated by the fact that the biggest problem noted by B&B is that if you have personal information in the registrant data, that might be personal information of someone other than the person who is registering the name, completing the info, and receiving the notice. o The question of if the registration contains personal information is what is important, not if it?s a legal or natural person registrant. o If the personal information is personal info of the person registering and consenting, that would be OK, but the issue is we do not know if the personal info provided is the same as the person registering the name. o Separate out the two issues we?re talking about. The thrust of the question is not if a legal person can consent to publication; the question is asking whether the risk CPs are already facing in terms of how they deal with consent is in any way different in magnitude with the publishing the info of legal persons. This is a comparison question ? is the risk comparable? We want to make sure that a legal registrant is not somehow providing personal information that is not its own. The EPDB has provided guidance and advice and has said that as we evaluate these policies, we should clearly instruct legal persons to avoid providing personal information of other people. o This is a policy question and not something our outside counsel can help with. We already have information on the challenges, risks, and how to obtain consent especially in the tricky subject of third-party consent. This is more appropriate to be discussed in plenary. o The risk scenario is now shifted given the NIS2 directive. In particular with respect to legal v. natural, there will be a requirement in European law that contracted parties make this distinction. o NIS2 does have language that would play into this quite directly, we?re still talking about a period of 18 months until it?s agreed to. There will be a few years before NIS2 comes into play. o Disagree with this perspective. The ICANN community was behind the eight ball in updating WHOIS policy b/c of GDP, and it would be a mistake to ignore an impending regulation again. o It?s not possible to make the differentiation by looking at what type of person it is. It is hard to make policies based on laws that might come to pass. Cannot implement something that is still subject to change, since this is a directive not a regulation. o There is nothing wrong anticipating new developments in the legal framework. The lesson to be learned post-GDPR is that we should anticipate developments and that is why this question is relevant if we want to make policy on the basis of good analysis. o Cannot ascertain legal risks until you see how the directive will be implemented. There is a difference b/w watching and blowing a legal budget when things are still in play. A good exercise to go through would be not that we are finally addressing legal v. natural, we need to do some risk assessment on what we?re doing to drive criminal activity. This risk assessment is not up to the legal committee to decide. o Chair proposal: clear that some of us interpret the question somewhat differently. Small group: Laureen, Hadia, Volker and Becky to further work on this question. o Question 2: /Do the measures required by the Transparency and Fairness Principles (i.e., explaining that if the registrant identifies as a legal person then their data will be published) contribute to mitigating the liability risk of an inaccurate designation? Note advice given in Technical Contacts memo (1/22/19 at ? 11 ?registrars will need to provide notice to the technical contact within the earlier of one month or first communication with the data subject.?/ o There are already principles in place that would mitigate the liability risk. The advice from B&B talks about explaining the risks if you are a legal person; B&B technical contacts memo also discusses giving notice to those who may have their info published. o Not entirely certain how this question is different than the technical contacts memo. That memo mentions seeking confirmation from someone who may not be the registrant. o This question is a cart before the horse issue b/c it presumes certain policy decisions that have not been made. If you determine that legal entity = publication, you suddenly create an issue for small legal entities that have the same data as their company and might result in other legal risks. Need to determine what this differentiation would mean in policy before asking this question. o There is a policy question about automatic publication is if someone is designated as a legal person. This question has been clearly answered in the legal v. natural memo. Do we already have the answer to this, which is ? yes, this is one thing that could help. o The first legal v. natural memo addresses this question ? this is one way to mitigate risk. This comes down to addressing this question as a plenary. (paragraph 18 in particular) o This question needs refining ? agree that these are already identified as mitigating the risk. Perhaps the better question is: what is the magnitude of the risk if you follow the measures proposed by B&B ? is it a de minimis risk or is it a significant risk? Would be helpful to get more pinpointed guidance on the magnitude of the risk. o Action: Laureen to refine question 2 to focus on the magnitude of the risk. o Question 3: /Legal Memo 1, #25 implies that it is sufficient to send a confirmation email explaining in clear detail the implication of the Legal/Natural determination that the Registrar has made. There is no mention that this confirmation message needs to be responded to.? Phase 2 Memo #18, although on a somewhat different topic, implies a positive response is needed. Please provide clarity as to how lack of response can be interpreted. Does the situation change if paper mail is used? Note that in both cases, the registrant has an obligation to have provided accurate contact details./ o Question should be rephrased. The importance of this question: in order to approve the accuracy of self-identification, B&B suggested sending a confirmation email to the registrant and technical contact. o Given that this is the consequence, does that suffice as sufficient for this requirement? For the practicality, it is not hard to implement something like that. Must first define the consequence, and until this homework is completed, it?s too early to ask a question. o Suggest rephrasing the question and bring it back again and meanwhile we can all think about the consequences. o Is the question really ? can you rely on just this notice or do you need affirmative consent from an individual whose contact info is disclosed in the registration of a legal person? o Question: if we send out emails to individuals involved in a domain name registration and assume a response to the notification is consent to publication, isn?t coupling consent with something else? This is a non-starter b/c we would unduly combine consent with something else ? this would mean it would be coupled, and therefore not freely given. o Not looking for providing consent with this ? it?s a confirmation email, the response would be acknowledgement o If there is no consequence to making this differentiation, it is legal, but as soon as you attach a consequence (such as publication), the risk becomes higher, and this is a plenary discussion. b.Legal Committee Discussion 4.Feasibility of unique contacts a.Review homework provided ?See https://docs.google.com/document/d/1UCP86uPZJBA_oh_4lfa6GwisfqnXUgbi5kdq-VOQCS0/edit ?Proponents to explain provided rationales (why this needs to be addressed by B&B, or, conversely, how this has already been addressed) 2. Legal Committee Discussion 5.Wrap and confirm action items and homework 1. Confirm action items and homework 1. LC members to review the Feasibility of Unique Contacts terminology table and provide edits or additional clarification, if deemed necessary, by Friday, 5 February. __ 2. Becky, Laureen, and Volker to review Question 1 in the Legal v. Natural Table and provide updates based on the Legal Committee?s discussion. The updated version is due by Monday, 8 February in time for the next Legal Committee meeting.__ 3. Laureen to review Question 2 in the Legal v. Natural Table and update the text based on the magnitude of the risk by Monday, 8 February. __ 4. LC members to revisit the questions for Legal v. Natural and Feasibility in advance of the next meeting and, taking into account the discussion from the meeting as well as the limited budget, provide additional feedback as to why outside counsel review is necessary and would assist in moving the plenary team forward on GNSO Council instructions. Additionally, LC members may wish to rephrase questions if they believe edits may provide additional clarity.** -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- _______________________________________________ Gnso-epdp-legal mailing list Gnso-epdp-legal at icann.org https://mm.icann.org/mailman/listinfo/gnso-epdp-legal _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. From bruna.mrtns at gmail.com Fri Feb 5 16:41:17 2021 From: bruna.mrtns at gmail.com (Bruna Martins dos Santos) Date: Fri, 5 Feb 2021 12:41:17 -0200 Subject: [NCSG-EC] ICANN Training Proposal - ABR Message-ID: Hello all, Hope this email finds you well. NCSG had an ABR approved last year (we did not submit anything this year), and I have worked on proposal for this training to send to ICANN Staff - https://docs.google.com/document/d/1L0IRJHLKmlJlB_cbt09xv0KLiJ-g-e5ZwpIvt1pXcQc/edit I would deeply appreciate it if you guys could take a look and add your comments until tomorrow - and please let me know if we're going down the right approach. best, -- *Bruna Martins dos Santos * Skype ID: bruna.martinsantos @boomartins -------------- next part -------------- An HTML attachment was scrubbed... URL: From robin at ipjustice.org Sun Feb 7 00:03:59 2021 From: robin at ipjustice.org (Robin Gross) Date: Sat, 6 Feb 2021 14:03:59 -0800 Subject: [NCSG-EC] ICANN Training Proposal - ABR In-Reply-To: References: Message-ID: <7A9F81F4-00F6-4B5B-91D1-5CF38DCE8F8C@ipjustice.org> Thanks, Bruna, this proposal looks like a terrific initiative! It will contribute to the development of NCSG?s policy development team. I expect it should stand a good chance of being funded by ICANN. Best, Robin > On Feb 5, 2021, at 6:41 AM, Bruna Martins dos Santos via NCSG-EC wrote: > > Hello all, > > Hope this email finds you well. > > NCSG had an ABR approved last year (we did not submit anything this year), and I have worked on proposal for this training to send to ICANN Staff - https://docs.google.com/document/d/1L0IRJHLKmlJlB_cbt09xv0KLiJ-g-e5ZwpIvt1pXcQc/edit > > I would deeply appreciate it if you guys could take a look and add your comments until tomorrow - and please let me know if we're going down the right approach. > > > best, > -- > Bruna Martins dos Santos > > Skype ID: bruna.martinsantos > @boomartins > _______________________________________________ > NCSG-EC mailing list > NCSG-EC at lists.ncsg.is > https://lists.ncsg.is/mailman/listinfo/ncsg-ec -------------- next part -------------- An HTML attachment was scrubbed... URL: From bruna.mrtns at gmail.com Wed Feb 24 07:05:24 2021 From: bruna.mrtns at gmail.com (Bruna Martins dos Santos) Date: Wed, 24 Feb 2021 02:05:24 -0300 Subject: [NCSG-EC] NCSG Board Meeting Message-ID: Dear NCSG PC and EC, I need to provide our talking points for the NCSG meeting with the ICANN Board by Feb. 26th, the latest. On that note, I would like to ask if any of you would like to suggest and/or lead any of these discussions. For the ones not familiar with our Joint meeting with the Board at ICANN meetings, this is a 1h meeting where both the NCSG and ICANN Board will prepare their talking points for each other. We normally go with 2 to 3 talking points and its also nice to see our community leaders leading the discussions, so feel free to send your suggestions here and we can start working on the discussion agenda. For my 1:1 meeting with the CEO that happened this week I chose to ask the following questions, but I would like to hear from you whether you think its good to repeat them: *SSAD and Content Moderation* - *On a recent communication that was sent to the Board and to you, we asked a few questions regarding an "ICANN Org Comments on the Recommendations 01/2020 on Measures That Supplement Transfer Tools to Ensure Compliance With the EU Level of Protection of Personal Data". NCSGs letter was seeking clarification about an specific part of the statement that highlighted that SSAD was "instrumental for stopping and preventing the dissemination of illegal content and in order to avoid related societal harms". On that note, I would like to ask you how the development of a new System for Standardized Access/Disclosure falls within the realm of instruments for preventing the dissemination of illegal content ?* - *When the document mentions the prevention of the dissemination of illegal content and societal harm, does it relate to factors other than the access to information object of legitimate requests by legal authorities and/or related to investigations ? * *DNS Abuse and the DNS Security Facilitation Initiative Technical Study Group* - *Do you believe ICANN is not working toward security and stability and fighting with abuse as much as its mission allows? Why do you think that ?* - *NCSG would also like to know more about the DNS Security Facilitation Initiative Technical Study Group. Where does this technical study group fall within ICANNs strategy for dealing with DNS abuse? * Looking forward to hearing back from you! Best, -- *Bruna Martins dos Santos * Skype ID: bruna.martinsantos @boomartins -------------- next part -------------- An HTML attachment was scrubbed... URL: