[NCSG-PC] Fwd: [GNSO-Accuracy-ST] Update and ask for feedback re. scenarios for EDPB

[Stephanie Perrin]

Whilst heaving a big sigh, i am duty bound to say that i need to respond to this proposal in a rather fulsome manner.  It touches on the fundamental rights guaranteed in the EU Charter, the issue of delegation of authority on criminal matters, our lack of real data to support accuracy quality controls ( as required in the 2013 RAA, as modified by the temp spec), and a few other matters like how and when you should pester the EDPB.  I hope to get you a draft before our next pc meeting, but my grandchildren are coming for a long awaited visit this weekend so it might be last minute.
Note the emphatic no from Becky.  Volker provides more detail as to why, but this non-lawyer feels the need to explain WHY this is such a bad idea.
Cheers
Steph Perrin

Sent from my iPhone

Begin forwarded message:

From: Becky Burr via GNSO-Accuracy-ST <gnso-accuracy-st at icann.org>
Date: May 10, 2022 at 09:50:12 EDT
To: Volker Greimann <volker.greimann at centralnic.com>, Brian Gutterman <brian.gutterman at icann.org>
Cc: gnso-accuracy-st at icann.org, Elena Plexida <elena.plexida at icann.org>
Subject: Re: [GNSO-Accuracy-ST] Update and ask for feedback re. scenarios for EDPB
Reply-To: Becky Burr <BBurr at hwglaw.com>




IMHO (and not speaking for the Board) we should not ask the EDPB to consider scenarios that members of the Scoping team, SOs, or ACs believe will not produce reliable information about the nature and volume of inaccuracy that may exist in the data set.


J. Beckwith Burr

HARRIS, WILTSHIRE & GRANNIS LLP

1919 M Street NW/8th Floor

Washington DC 20036

202.730.1316 (P) 202.352.6367 (M)


________________________________
From: GNSO-Accuracy-ST <gnso-accuracy-st-bounces at icann.org> on behalf of Volker Greimann <volker.greimann at centralnic.com>
Sent: Tuesday, May 10, 2022 2:47:48 AM
To: Brian Gutterman
Cc: gnso-accuracy-st at icann.org; Elena Plexida
Subject: Re: [GNSO-Accuracy-ST] Update and ask for feedback re. scenarios for EDPB

Hi Brian,

I think you may be overextending the reach of section 3.4.3 a bit there. This section clearly points out:
"Registrar shall deliver copies of such data, information and records to ICANN in respect to limited transactions or circumstances that may be the subject of a compliance-related inquiry"
So in other words, this section does not apply if it is not a compliance matter. No compliance case = no data under 3.4.3

Also note the further restrictions contained in the section that essentially note that registrars may supply redacted data if they believe data protection laws prevent them from disclosing unredacted data:
"In the event Registrar believes that the provision of any such data, information or records to ICANN would violate applicable law or any legal proceedings, ICANN and Registrar agree to discuss in good faith whether appropriate limitations, protections, or alternative solutions can be identified to allow the production of such data, information or records in complete or redacted form, as appropriate."

Finally, note that ICANN is prohibited from disclosing any parts of the data obtained in this way unless required to do so, essentially rendering any data obtained useless for the purposes of this group:
"ICANN shall not disclose the content of such data, information or records except as expressly required by applicable law, any legal proceeding or Specification or Policy."

In other words, 3.4.3 is a specifically tailored tool designed exclusively for ICANN compliance to investigate compliance matters and is not suited for the purpose of measuring accuracy overall.

Best,
--
Volker A. Greimann
General Counsel and Policy Manager
KEY-SYSTEMS GMBH

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net<http://www.key-systems.net/>

Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.


On Mon, May 9, 2022 at 7:49 PM Brian Gutterman <brian.gutterman at icann.org<mailto:brian.gutterman at icann.org>> wrote:

Dear Colleagues of the Accuracy Scoping Team,


As you are aware, at ICANN73 the ICANN Board requested that ICANN org<https://mm.icann.org/pipermail/gnso-accuracy-st/2022-March/000336.html> prepare a number of specific scenarios for which it will consult the European Data Protection Board on whether or not ICANN org has a legitimate purpose that is proportionate, i.e. not outweighed by the privacy rights of the individual data subjects, to request that contracted parties provide access to registration data records. In follow-up to those discussions, my ICANN org colleagues have provided this update and request for feedback for the Accuracy Scoping Team.


ICANN org’s approach to this exercise is set out in greater detail below. Understanding that the team has identified additional input from regulators as potentially useful for its work, we request your feedback, to ensure that this exercise is seeking out information that would further your efforts.


As we’ve seen with previous engagements, we want to caution that feedback or guidance received from regulators, if any, would not be immediate. While ICANN org will pursue this as expeditiously as practicable, we would encourage the team to keep the uncertain timeline for a response in mind.


If you could please provide your feedback by 23 May that would be appreciated.


Current Status

ICANN org will be reaching out to the European Commission for help with introducing the issue of registration data accuracy and, in particular, steps that can be taken within the boundaries of the GDPR, to the level of the European Data Protection Board. The European Commission previously committed to facilitate exchanges, whereas the Belgian DPA told us our issues were better addressed at the EDPB level. We are hopeful that the Commission will help.


ICANN org has also considered steps that could be taken now, under the current agreements and policies, with regard to requesting registration data from registrars for the purposes of assessing accuracy. The Registrar Accreditation Agreement, at Section 3.3.4, states (emphasis added): “During the Term of this Agreement and for two (2) years thereafter, Registrar shall make the data, information and records specified in this Section 3.4 available for inspection and copying by ICANN upon reasonable notice. In addition, upon reasonable notice and request from ICANN, Registrar shall deliver copies of such data, information and records to ICANN in respect to limited transactions or circumstances that may be the subject of a compliance-related inquiry; provided, however, that such obligation shall not apply to requests for copies of the Registrar's entire database or transaction history.” Thus, while ICANN org can request targeted records from registrars, a registrar is not required to provide ICANN org with access to its entire registration database, irrespective of whether or not this would be acceptable under the GDPR.


As a result, ICANN org believes that any efforts in furtherance of registration data accuracy at this stage would involve evaluating (Scenario 1) publicly-available registration data (the benefits of which may be limited, given that much of the registrant contact data is now redacted), or (Scenario 2) some subset of full registration data provided by registrars. Under this Scenario 2, ICANN org would need to identify the appropriate mechanism for choosing a sample of registration data to analyze. To ensure this sampling falls within the RAA’s restrictions concerning a registrar’s provision of records to ICANN org, a sample should be related to “limited transactions or circumstances that may be the subject of a compliance-related inquiry.” One approach would be to identify a specific subset of registration data that may be of particular interest or concern. If the team has specific views on this aspect of the scenario, your feedback is welcomed.


Alternatively, as explained by Contractual Compliance’s presentation to your team, ICANN org could (Scenario 3) conduct an audit concerning registrars’ compliance with registration data validation and verification requirements in the RAA’s WHOIS Accuracy Program Specification, or (Scenario 4) conduct a voluntary survey of registrars concerning registration data accuracy. A survey, as discussed by the scoping team, could request that registrars provide information about their registration data validation and verification processes, including information about how many domains have registration data that is validated and verified, how many domains have data that is currently in the verification process, how many domains are suspended due to non-verification, and for a rate of email bounces for WHOIS Data Reminder Policy Notices sent out during a set time period.


Notably, these scenarios 3 and 4 would assess registrars’ compliance with procedures designed to ensure the contactability of registrants, but compliance with these procedures does not necessarily guarantee that all the data is “accurate.”


To summarize, the scenarios ICANN org is exploring at this stage are:

Scenario 1: Analyze publicly available registration data for syntactical and operational accuracy (as was done previously in the WHOIS ARS program).

Scenario 2: Analyze a sample of full registration data provided by registrars to ICANN org.

Scenario 3: Proactive Contractual Compliance audit of registrar compliance with registration data validation and verification requirements.

Scenario 4: Registrar registration data accuracy survey (voluntary).


In parallel to this initial outreach to the European Commission, ICANN org will assess the data protection implications of the scenarios identified above, with the aim of submitting data protection-related questions concerning any of the above scenarios to regulators for guidance.


Feedback received from the accuracy scoping team will help to inform ICANN’s outreach concerning the data protection implications of further steps ICANN org could take in furtherance of registration data accuracy, so that we can better understand the information the accuracy scoping team would find beneficial for its work. If you believe other scenarios should be considered or identify other issues that may be relevant to this analysis, please let us know.

We are requesting that you please provide your feedback no later than 23 May so that we have it available before we complete our initial analysis.

Best,
Brian

_______________________________________________
GNSO-Accuracy-ST mailing list
GNSO-Accuracy-ST at icann.org<mailto:GNSO-Accuracy-ST at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-accuracy-st

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
_______________________________________________
GNSO-Accuracy-ST mailing list
GNSO-Accuracy-ST at icann.org
https://mm.icann.org/mailman/listinfo/gnso-accuracy-st

_______________________________________________
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncsg.is/pipermail/ncsg-pc/attachments/20220511/84f2cec0/attachment.htm>