Content Comparison

PROPOSED AGENDA

Wednesday, 19 December 2018

1. Roll Call & SOI Updates (5 minutes)
2. Confirm EPDP-Legal Team members

• EPDP Leadership - Kurt, Rafik
• Board - Leon
• BC - Margie
• IPC - Diane
• ISPCP - Thomas
• NCSG - Tatiana
• RySG - Kristina
• RrSG - Emily
• GAC - Laureen
• ALAC – Hadia
• SSAC - TBD
• Staff - Dan, Caitlin

3. Discuss Legal Team Process and Working Methods (Thomas and Leon to provide experiential lessons from their prior legal team work)

a)       How are questions raised to this group; what is the trigger?

b)      What is this group’s role (vis-à-vis the EPDP Team) regarding “reforming” the questions?

c)       Answering questions, when to use:

1. This group’s own expertise
2. ICANN inside or outside counsel
3. EPDP retained legal counsel

d)      What’s is this group’s responsibility for checking back with and reporting to the entire Team?

e)      Working methods: what can be done via email vs, when is a meeting required?

f)        Scheduling: meeting frequency, ad hoc meetings, etc.

g)       Working with provider: do we need an introductory letter?

4. Form EPDP Questions starting from:

a)       Questions for EDPB in Initial Report

b)      draft Statement of Work

[see Appendix]

5. Wrap and confirm next meeting to be scheduled for Wednesday 2 January 2019 at 14.00 UTC

a)       Confirm action items

Appendix

        I.            EDPB Questions as Drafted in the EPDP Initial Report:

P. 33, The EPDP Team also took note of a related footnote which states, “[if contact details for persons other than the RNH are provided] it should be ensured that the individual concerned is informed”. The EPDP Team discussed whether this note implies that it is sufficient for the Registered Name Holder (RNH) to inform the individual it has designated as the technical contact, or whether the registrar may have the additional legal obligations to obtain consent. The EPDP Team agreed to request further clarification from the EDPB on this point.

P. 53, (For the EDPB) If registrars allow registrants to self-identify at the time as a natural or legal person, who will be held liable if the registrant incorrectly self-identifies and personal information is publicly displayed? Apart from self-identification, and educational materials to inform the registrant, are there any other ways in which risk of liability could be mitigated by registrars?

P. 57, As noted below, the EPDP Team disagreed about the application of Art. 6(1)b, namely, does the reference ‘to which the data subject is party’ limit the use of this lawful basis to only those entities that have a direct contractual relationship with the Registered Name Holder? Similarly, in relation to Art. 6(1)(b), questions arose regarding how to apply “necessary for the performance of a contract”; specifically, does this clause solely relate to the registration and activation of a domain, or, alternatively, could related activities such as fighting DNS abuse also be considered necessary for the performance of a contract? The EPDP Team plans to put these questions forward to the European Data Protection Board (EDPB) to obtain further clarity in order to help inform its deliberations.

      II.            EPDP Questions to Legal Counsel as drafted in the SOW, 6 Dec. 2018:

Question #1:

The GDPR's scope does not include the data of legal persons, only the personal data of natural persons, but under the Temporary Specification, within the current WHOIS service, does not distinguish between natural and legal persons.  The outstanding issue is that the EDPB and DPAs have indicated that even though legal persons are not protected under the GDPR, the data provided by legal persons in the form of contact details for technical of employees or third-party providers could include personal data.  Therefore, although certain stakeholders want to continue to access the data of legal persons without obstruction, there has been debate on this topic due to the lack of clarity if there is a risk of allowing access to data of legal persons since it could include natural person personal data, with the following specific points raised:

Advocating access to legal person data, stakeholder groups provide:

• businesses could self-declare, with business registration numbers
• legal persons could be asked to guarantee that they have obtained the consent (“informed”) of an employee or contracted party whose contact data is listed, counting on the agency relationship.
• the domain name registration can include clear instructional text (education to registrant), making clear that supplying any email or contact details for a legal entity which may include personal data is to be provided after clear consent is granted by the person whose details are in issue.

Advocating against access to legal person data, stakeholder groups express the following concerns:

• seeking consent must be clear and informed and can be withdrawn at any time and therefore the question is whether consent is practically supplied and maintained in this context
• educating registrants as to what category they fall into is difficult and expensive
• in some jurisdictions, notably the EU, certain groups (religious, political, gendered identity, etc.) are entitled to protection from persecution, which might occur if the registration data of their employees or contractors were released.

Based on the above questions and positions, please comment on the legal issues and liability risk which could result from a decision to ask registrars to make this distinction between legal and natural persons.

Question #2:

Can the information supplied-by registrants in the fields within a domain name application by relied upon by registrars and registries when registrars and registries process personal data, particularly if a registrant signs an attestation at the end of the application which states that the above information supplied is true and accurate and to the best of the registrant’s knowledge? E.g., if a registrant checks a box and identifies itself as a legal person and lists the corporate entity or organization name, will a registrar or registry be liable if the registrant made a mistake or incorrectly identified itself?

BACKGROUND DOCUMENTS

Notes/ Action Items