1. Roll Call/SOI Updates
2. Discuss list of criteria that make purposes legitimate for processing
a. See GDPR definition of processing and Q2 poll results
b. Determine next steps to reach agreement on criteria
3. Discuss list of purposes for processing based on criteria
a. See list of DT-defined possible purposes and Q3 poll results
b. Discuss legitimacy of purposes to begin fleshing out the remaining possible purposes for processing
4. Confirm agreements for polling & next steps
5. Confirm next meeting: Tuesday 13 February at 17:00 UTC
Notes/Action Items
1. Roll Call/SOI Updates
- SOI Update from Klaus Stoll: Now also a Visiting Professor at Xi'an Jiaotong-Liverpool University, Suzhou
- Call Handout: https://icann-community.atlassian.net/wiki/download/attachments/101518727/Handout-6February-RDSWGCall.pdf
- Poll Results: https://icann-community.atlassian.net/wiki/download/attachments/101518727/AnnotatedResults-Poll-from-30JanuaryCall.pdf
2. Discuss list of criteria that make purposes legitimate for processing
a. See GDPR definition of processing and Q2 poll results
- Q2 (criteria) was discussed last week, producing a revised possible agreement polled on
- Results for all variants of that possible agreement ranged from 56-41% support or could live with
- After considering responses and comments, the leadership proposes two possible agreements for WG consideration to address main concerns
Leadership-suggested Possible agreement #1
- One main concern expressed in poll results: consistency with ICANN's mission.
- Long-standing topic of discussion within the community. Ultimately the board interprets ICANN's mission and will do so when considering any recommended policies
- Excerpts from ICANN's mission on slides 15-17 of Call Handout
- Given mixed poll responses that supported, opposed, and provided alternatives to this criterion, the leadership proposed this as a possible compromise:
- Any purpose for processing registration data must be consistent with ICANN's mission as it relates to RDS. Any recommended purpose must be confirmed by the board with respect to consistency with ICANN's mission.
- Comments and Questions:
- Does "as it relates to the RDS" narrow scope of what falls within ICANN's mission for the WG's deliberation?
- How do WG members interpret this possible agreement - for example, inclusion of access to registration data by law enforcement or fighting cyber-issues?
- Is the phrase "as it relates to RDS" redundant and subject to misinterpretation?
- Is the second sentence just trying to make people feel better or does it open the WG's recommendations to reconsideration?
- The Board cannot act outside of ICANN's mission so if there would be a serious concern that this WG would be recommending anything that would be outside of ICANN's mission, the Board would need to act accordingly.
- Revised Possible agreement (based on comments thus far): Any purpose for processing registration data must be consistent with ICANN's mission.
- Is processing RDS data for purposes of DNS abuse investigation (including by law enforcement) consistent with ICANN mission? This is the advantage of the "not inconsistent" language we discussed last week.
- Why was the proposed agreement phrased in the way it was, and what is lost by trimming the agreement?
- The GAC certainly thinks that allowing DNS abuse investigation is within scope of ICANN's mission. (Which includes Germany the last time I checked.) https://www.icann.org/en/system/files/files/gdpr-comments-gac-icann-proposed-compliance-models-29jan18-en.pdf
- Several chat comments express a strong preference for "not inconsistent with" instead of the proposed revised phrasing -- some do not view the change from "not inconsistent" to "consistent" as a compromise, at least without a clearer idea of how a criterion of "consistent with" would be applied.
Leadership-suggested Possible agreement #2
- Another main concern expressed in poll results: whether criteria will be applied using AND, OR, or AND/OR
- Given mixed poll responses on this point, the leadership proposed separating this out as a standalone criterion:
If applicable data protection laws require a legal basis for processing, then any purpose must satisfy at least one legal basis for processing.
Comments and Questions:
- Difference between "legal basis" and "lawful basis" - should agreement be revised to "lawful basis"?
- Note: Art. 6 GDPR Lawfulness of processing: (1) Processing shall be lawful only if and to the extent that at least one of the following applies
- "legal basis" occurs several times in GDPR. E.g., Article 13: "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: [...] the legal basis for the processing"
- The terms lawful and legal differ in that the former contemplates the substance of law, whereas the latter alludes to the form of law. A lawful act is authorized, sanctioned, or not forbidden by law. A legal act is performed in accordance with the forms and usages of law, or in a technical manner. (Source: definition of "lawful", Legal Dictionary, The Free Dictionary)
- Suggestion: evaluate "legal" and "lawful" as they apply to the proposed change, to be reviewed by the group for next week -- because it seems to be a substantive change with consequences
- If (b) wording is not resolved then it is not possible to go through each purpose to see if that purpose satisfies (b).
- It depends on the lawfulness in the jurisdictions applicable to the provider of the data (which includes applicability of the GDPR to foreign providers when handling EU data subjects' data)
Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
Criterion also addressed by last week's poll: "Inherent to the functionality of the DNS"
- Should this be tested as a separate criterion in this week's poll?
- If so, how would the proposed agreement be phrased (as an AND or an OR which applied to any purpose) -- that is, would EVERY purpose be required to be inherent to the functionality of the DNS, or would SOME be legitimate because they were inherent to the functionality of the DNS?
- What does “inherent to the functionality of the DNS” mean? Something required for the DNS to function at all, or to function as intended (with all the policies surrounding the DNS that have been created by ICANN)?
- Here are two examples from ICANN's mission from Bylaws Annexes G-1 & G-2 that I do not believe are 'inherent to the functionality of the DNS': prohibitions on warehousing of or speculation in domain names by registries or registrars; reservation of registered names in a TLD that may not be registered initially or that may not be renewed due to reasons reasonably related to (i) avoidance of confusion among or misleading of users, (ii) intellectual property, or (iii) the technical management of the DNS or the Internet (e.g., establishment of reservations of names from registration).
- We have issues that involve the workings of the Internet which you could trace back (convoluted in some cases) to functionality of the DNS, but other issues that involve just the actual characters themselves in their relation to ability to use/not use that are completely unrelated to any technical thing. Those rights protections systems (UDRP and others) rely on RDS data for both rights holders AND registrants to protect their respective interests.
- One possible phrasing to test: One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy.
- Note that the intent of "inherent to the functionality of the DNS" was discussed at length during the 16 January call
Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."
3. Discuss list of purposes for processing based on criteria - DEFERRED
4. Confirm agreements for polling & next steps
- Action: Denny Watson, Kathy Kleiman, Bradley Silver, Greg Shatan, Stephanie Perrin, Mason Cole, and Michael Palage all volunteer to post to the full WG their position on phrasing "lawful" vs "legal" and rationale. ALL WG members are encouraged to participate in this WG email discussion to provide a foundation for reaching agreement.
- Action: Use this week's poll to test support and rationale for statement: "One criterion the WG will consider when determining whether a purpose for processing is legitimate is whether the purpose is inherent to the functionality of the DNS. This will not be the only criterion considered and is not a requirement that all purposes must satisfy."
5. Confirm next meeting: Tuesday 13 February at 17:00 UTC