[NCSG-EC] Fwd: [Gnso-epdp-legal] Notes and action items - EPDP Phase 2A Legal Committee meeting - 2 Feb 2021
Stephanie E Perrin
stephanie at digitaldiscretion.ca
Wed Feb 3 21:57:20 EET 2021
Just forwarding the notes and action items from the EPDP Legal committee
which I attended yesterday. It was painful, as expected. Some of the
questions are being reformatted. Let me know if you have any
questions. Next EPDP meeting is tomorrow 14:00 UTC
Stephanie Perrin.
-------- Forwarded Message --------
Subject: [Gnso-epdp-legal] Notes and action items - EPDP Phase 2A Legal
Committee meeting - 2 Feb 2021
Date: Tue, 2 Feb 2021 18:16:13 +0000
From: Caitlin Tubergen <caitlin.tubergen at icann.org>
To: gnso-epdp-legal at icann.org <gnso-epdp-legal at icann.org>
Dear Legal Committee Members:
Please find below the notes and action items
<https://docs.google.com/spreadsheets/d/17qLMYb3HC7qGYPQveXbUq5ZSzvedrQ3t8AdVdrRIdrw/edit#gid=0>
from today’s call.
Thank you.
Best regards,
Berry, Marika, and Caitlin
--
*EPDP Phase 2A *
*Legal Committee – Meeting #01*
*Proposed Agenda*
Tuesday 2 February 2021 at 14.00 UTC
1.Roll Call & SOI Updates
2.Welcome
1. The first call will be spent on the pre-homework, which included
reviewing the questions assigned to the legal committee and
categorizing them by:
* Who should address: legal committee or B&B?
* If B&B, what is the priority level (low, medium, or high)?
* How would a response to this question assist the EPDP Team
in answering the questions assigned from the GNSO Council?
2. Expenses related to external counsel
* First meeting, questions raised re: funds.
* Because this is a shorter-term engagement, unlike Phase 1
and 2, there is no dedicated budget. Important to note that
while there is budget available, these expenses will be
absorbed into the core policy budget. Ultimately this means
EPDP Leadership asks the group to be conservative with
respect to questions forwarded to B&B.
3.Legal vs. natural
a.Review homework provided
* See
https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit
<https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit>
* Proponents to explain provided rationales (why this needs to be
addressed by B&B, or, conversely, how this has already been addressed)
o /Question 1: Given that a registrant is already offered the
option to provide consent to publication, wouldn’t the
self-designation as an Organization (with suitable advance
notification of consequences) result in substantially the same
issue/risk for the Contracted Party?///
o Mechanisms around consent are quite complex, and this is
something CPs already have to deal with. Publishing legal
information could be a less burdensome measure as this
information is not protected under the GDPR.
o If CPs required registrants to self-identify, along with
implementing safeguards listed in B&B memo (such as notification
of consequences in plain language, etc.) An answer to this
question is to help address more of the CPs’ concerns.
o The issue of consent is complicated by the fact that the biggest
problem noted by B&B is that if you have personal information in
the registrant data, that might be personal information of
someone other than the person who is registering the name,
completing the info, and receiving the notice.
o The question of if the registration contains personal
information is what is important, not if it’s a legal or natural
person registrant.
o If the personal information is personal info of the person
registering and consenting, that would be OK, but the issue is
we do not know if the personal info provided is the same as the
person registering the name.
o Separate out the two issues we’re talking about. The thrust of
the question is not if a legal person can consent to
publication; the question is asking whether the risk CPs are
already facing in terms of how they deal with consent is in any
way different in magnitude with the publishing the info of legal
persons. This is a comparison question – is the risk comparable?
We want to make sure that a legal registrant is not somehow
providing personal information that is not its own. The EPDB has
provided guidance and advice and has said that as we evaluate
these policies, we should clearly instruct legal persons to
avoid providing personal information of other people.
o This is a policy question and not something our outside counsel
can help with. We already have information on the challenges,
risks, and how to obtain consent especially in the tricky
subject of third-party consent. This is more appropriate to be
discussed in plenary.
o The risk scenario is now shifted given the NIS2 directive. In
particular with respect to legal v. natural, there will be a
requirement in European law that contracted parties make this
distinction.
o NIS2 does have language that would play into this quite
directly, we’re still talking about a period of 18 months until
it’s agreed to. There will be a few years before NIS2 comes into
play.
o Disagree with this perspective. The ICANN community was behind
the eight ball in updating WHOIS policy b/c of GDP, and it would
be a mistake to ignore an impending regulation again.
o It’s not possible to make the differentiation by looking at what
type of person it is. It is hard to make policies based on laws
that might come to pass. Cannot implement something that is
still subject to change, since this is a directive not a
regulation.
o There is nothing wrong anticipating new developments in the
legal framework. The lesson to be learned post-GDPR is that we
should anticipate developments and that is why this question is
relevant if we want to make policy on the basis of good analysis.
o Cannot ascertain legal risks until you see how the directive
will be implemented. There is a difference b/w watching and
blowing a legal budget when things are still in play. A good
exercise to go through would be not that we are finally
addressing legal v. natural, we need to do some risk assessment
on what we’re doing to drive criminal activity. This risk
assessment is not up to the legal committee to decide.
o Chair proposal: clear that some of us interpret the question
somewhat differently. Small group: Laureen, Hadia, Volker and
Becky to further work on this question.
o Question 2: /Do the measures required by the Transparency and
Fairness Principles (i.e., explaining that if the registrant
identifies as a legal person then their data will be published)
contribute to mitigating the liability risk of an inaccurate
designation? Note advice given in Technical Contacts memo
(1/22/19 at ¶ 11 “registrars will need to provide notice to the
technical contact within the earlier of one month or first
communication with the data subject.”/
o There are already principles in place that would mitigate the
liability risk. The advice from B&B talks about explaining the
risks if you are a legal person; B&B technical contacts memo
also discusses giving notice to those who may have their info
published.
o Not entirely certain how this question is different than the
technical contacts memo. That memo mentions seeking confirmation
from someone who may not be the registrant.
o This question is a cart before the horse issue b/c it presumes
certain policy decisions that have not been made. If you
determine that legal entity = publication, you suddenly create
an issue for small legal entities that have the same data as
their company and might result in other legal risks. Need to
determine what this differentiation would mean in policy before
asking this question.
o There is a policy question about automatic publication is if
someone is designated as a legal person. This question has been
clearly answered in the legal v. natural memo. Do we already
have the answer to this, which is – yes, this is one thing that
could help.
o The first legal v. natural memo addresses this question – this
is one way to mitigate risk. This comes down to addressing this
question as a plenary. (paragraph 18 in particular)
o This question needs refining – agree that these are already
identified as mitigating the risk. Perhaps the better question
is: what is the magnitude of the risk if you follow the measures
proposed by B&B – is it a de minimis risk or is it a significant
risk? Would be helpful to get more pinpointed guidance on the
magnitude of the risk.
o Action: Laureen to refine question 2 to focus on the magnitude
of the risk.
o Question 3: /Legal Memo 1, #25 implies that it is sufficient to
send a confirmation email explaining in clear detail the
implication of the Legal/Natural determination that the
Registrar has made. There is no mention that this confirmation
message needs to be responded to. Phase 2 Memo #18, although on
a somewhat different topic, implies a positive response is
needed. Please provide clarity as to how lack of response can be
interpreted. Does the situation change if paper mail is used?
Note that in both cases, the registrant has an obligation to
have provided accurate contact details./
o Question should be rephrased. The importance of this question:
in order to approve the accuracy of self-identification, B&B
suggested sending a confirmation email to the registrant and
technical contact.
o Given that this is the consequence, does that suffice as
sufficient for this requirement? For the practicality, it is not
hard to implement something like that. Must first define the
consequence, and until this homework is completed, it’s too
early to ask a question.
o Suggest rephrasing the question and bring it back again and
meanwhile we can all think about the consequences.
o Is the question really – can you rely on just this notice or do
you need affirmative consent from an individual whose contact
info is disclosed in the registration of a legal person?
o Question: if we send out emails to individuals involved in a
domain name registration and assume a response to the
notification is consent to publication, isn’t coupling consent
with something else? This is a non-starter b/c we would unduly
combine consent with something else – this would mean it would
be coupled, and therefore not freely given.
o Not looking for providing consent with this – it’s a
confirmation email, the response would be acknowledgement
o If there is no consequence to making this differentiation, it is
legal, but as soon as you attach a consequence (such as
publication), the risk becomes higher, and this is a plenary
discussion.
b.Legal Committee Discussion
4.Feasibility of unique contacts
a.Review homework provided
·See
https://docs.google.com/document/d/1UCP86uPZJBA_oh_4lfa6GwisfqnXUgbi5kdq-VOQCS0/edit
<https://docs.google.com/document/d/1UCP86uPZJBA_oh_4lfa6GwisfqnXUgbi5kdq-VOQCS0/edit>
·Proponents to explain provided rationales (why this needs to be
addressed by B&B, or, conversely, how this has already been addressed)
2. Legal Committee Discussion
5.Wrap and confirm action items and homework
1. Confirm action items and homework
1. LC members to review the Feasibility of Unique Contacts
terminology table
<https://docs.google.com/document/d/1vofZIqnY-xCaKMte1q_tiAwAfGwkwsu1/edit>
and provide edits or additional clarification, if deemed
necessary, by Friday, 5 February. __
2. Becky, Laureen, and Volker to review Question 1
<https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit>
in the Legal v. Natural Table and provide updates based on the
Legal Committee’s discussion. The updated version is due by
Monday, 8 February in time for the next Legal Committee meeting.__
3. Laureen to review Question 2
<https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit#heading=h.gjdgxs>
in the Legal v. Natural Table and update the text based on the
magnitude of the risk by Monday, 8 February. __
4. LC members to revisit the questions for Legal v. Natural
<https://docs.google.com/document/d/156jajwvAkl1l5VsdWXpznrghkKyMUD2bhKkS20X7Xrg/edit#heading=h.gjdgxs>
and Feasibility
<https://docs.google.com/document/d/1UCP86uPZJBA_oh_4lfa6GwisfqnXUgbi5kdq-VOQCS0/edit#heading=h.gjdgxs>
in advance of the next meeting and, taking into account the
discussion from the meeting as well as the limited budget,
provide additional feedback as to why outside counsel review is
necessary and would assist in moving the plenary team forward on
GNSO Council instructions. Additionally, LC members may wish to
rephrase questions if they believe edits may provide additional
clarity.**
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-ec/attachments/20210203/51c24c97/attachment.htm>
-------------- next part --------------
_______________________________________________
Gnso-epdp-legal mailing list
Gnso-epdp-legal at icann.org
https://mm.icann.org/mailman/listinfo/gnso-epdp-legal
_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
More information about the NCSG-EC
mailing list