21 November 2018 23:59 UTC
21 December 2018 23:59 UTC
Staff Report Due
11 January 2019 23:59 UTC
Purpose: This public comment proceeding seeks to obtain input on the Initial Report of the EPDP on the Temporary Specification for gTLD Registration Data Team. The EPDP Team is tasked with evaluating the Temporary Specification on gTLD Registration Data (Temp Spec) and deciding whether it should become an ICANN Consensus Policy as is, or with modifications, while complying with the GDPR and other relevant privacy and data protection laws and regulations.
Current Status: This Initial Report is being posted for public comment as foreseen in the EPDP Team's charter and EPDP Manual.
Next Steps: Following review of public comments submitted, the EPDP Team will integrate public comments received as it works towards recommendations for inclusion in its Final Report.
Section I: Description and Explanation
The Initial Report outlines the core issues discussed, proposed responses to charter questions and accompanying preliminary recommendations.
This EPDP Team was chartered to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy as is, or with modifications, while complying with the GDPR and other relevant privacy and data protection laws and regulations. Additionally, the EPDP Team's charter contemplates a discussion of a standardized access model to nonpublic registration data; however, the discussion of a standardized access model will occur only after the EPDP Team has comprehensively answered a series of "gating questions", which have been specified in the EPDP Team's Charter. Specifically, the gating questions require the EPDP Team to examine (i) the validity, legitimacy and legal basis of the purposes outlined in the Temporary Specification, (ii) the legitimacy, necessity and scope of the registrar collection of registration data as outlined in the Temporary Specification, (iii) the legitimacy, necessity and scope of the transfer of data from registrars to registries as outlined in the Temporary Specification and (iv) the publication of registration data by registrars and registries as outlined in the Temporary Specification. Although compliance with GDPR was the principal reason behind the Temp Spec, the policy emerging from this EPDP is meant to be flexible enough to accommodate other privacy regimes.
In addition to the above-referenced gating questions, the EPDP Team is required to examine: (i) the transfer of data from registrars and registries to escrow providers and ICANN, (ii) the transfer of data from registries to emergency back-end registry operators ("EBERO"), (iii) the definition and framework for reasonable access to registration data, (iv) respective roles and responsibilities under the GDPR, i.e., the responsible parties, (v) applicable updates to ICANN Consensus Policies, e.g., Transfer Policy, Uniform Domain Name Dispute Resolution Policy ("UDRP"), Uniform Rapid Suspension ("URS"), et al. The EPDP Team will also consider what subsidiary recommendations it might make for future work by the GNSO which might be necessary to ensure relevant Consensus Policies, including those related to registration data, are reassessed to become consistent with applicable law.
The EPDP Team welcomes feedback from the community on any of the issues raised in this report; however, the EPDP Team is particularly interested in obtaining input on the following questions. Please note all answers should consider compliance with GDPR:
- Are the proposed purposes outlined in the Initial Report sufficiently specific and, if not, how do you propose to modify them? Please provide a rationale, keeping in mind compliance with GDPR. Should any purposes be added? If so, please identify the proposed additional purposes and provide a rationale for including them.
- Are the recommended data elements as listed in the Initial Report as required for registrar collection necessary for the purposes identified? If not, why not? Are any data elements missing that are necessary to achieve the purposes identified? If so, please provide the missing data element(s) and a rationale.
- Are there other data elements than those listed in the Initial Report that are required to be transferred between registrars and registries / escrow providers that are necessary to achieve the purposes identified? If so, please provide the relevant rationale.
- Are there other data elements than those listed in the Initial Report that are required to be transferred between registrars and registries / ICANN Compliance that are necessary to achieve the purposes identified? If so, please identify those data elements and provide the relevant rationale. Are there identified data elements that are not required to be transferred between registrars and registries / ICANN Compliance and are not necessary to achieve the purposes identified? If so, please identify those data elements and explain.
- Should the EPDP Team consider any changes in the redaction of data elements, compared to what is recommended in the Initial Report? If so, please identify those changes and provide the relevant rationale.
- Should the EPDP Team consider any changes to the recommended data retention periods compared to those recommended in the Initial Report? If so, please identify those changes and provide the relevant rationale. Do you believe the justification for retaining data beyond the term of the domain name registration is sufficient? Why or why not? Please provide a rationale for your answer.
- What other factors should the EPDP Team consider about whether Contracted Parties should be permitted or required to differentiate between registrants on a geographic basis? Between natural and legal persons? Are there any other risks associated with differentiation of registrant status (as natural or legal person) or geographic location? If so, please identify those factors and/or risks and how they would affect possible recommendations. Should the community explore whether procedures would be feasible to accurately distinguish on a global scale whether registrants/contracted parties fall within jurisdiction of the GDPR or other data protection laws? Can the community point to existing examples of where such a differentiation is already made and could it apply at a global scale for purposes of registration data?
- Should the EPDP Team consider any changes to its recommendations in relation to "reasonable access" as outlined in the Initial Report? If so, please identify the proposed changes and please provide the relevant rationale.
- Are there any changes that the EPDP Team should consider in relation to the URS and UDRP that have not already been identified in the Initial Report? If so, please provide the relevant rationale, keeping in mind compliance with the GDPR.
- Are there any changes that the EPDP Team should consider in relation to the Transfer Policy that have not already been identified in the Initial Report? If so, please provide the relevant rationale.
To provide your input, please complete the following form which is intended to facilitate your input by focusing on those aspects that the EPDP Team is looking for particular input on, as well as subsequent review by the EPDP Team: https://goo.gl/forms/ysTGEVBOBWlJ0Wqz1. To facilitate offline work, or for those who may not have access to the form, you can download an offline version of the form here: https://gnso.icann.org/en/issues/epdp-gtld-registration-data-specs-public-comment-input-form-21nov18-en.docx. Please note that similar to other public comment proceedings, all responses will be made public.
Please note that due to the overall timeline by which the EPDP Team is constrained, it will not be possible to extend the closing date of the public comment forum.
Community input will be carefully reviewed and used to support development of final responses to charter questions, as well as recommendations and implementation guidance in the form of a Final Report that is to be submitted to the GNSO for their consideration. Following approval of the proposal(s) by the GNSO, it will be submitted to the ICANN Board for its consideration.
Section II: Background
On 17 May 2018, the ICANN Board of Directors (ICANN Board) adopted the Temporary Specification for generic top-level domain (gTLD) Registration Data[1] ("Temporary Specification") pursuant to the procedures for the establishment of temporary policies in ICANN's agreements with Registry Operators and Registrars ("Contracts"). The Temporary Specification provides modifications to existing requirements in the Registrar Accreditation and Registry Agreements in order to comply with the European Union's General Data Protection Regulation ("GDPR"). Following adoption of a temporary specification, the procedure for Temporary Policies, as outlined in the Registrar Accreditation and Registry Agreements, provides that the Board "shall immediately implement the Consensus Policy development process set forth in ICANN's Bylaws." Additionally, the procedure provides that this Consensus Policy development process on the Temporary Specification must be carried out within a one-year period, as the Temporary Specification can only remain in force for up to one year from the effective date of 25 May 2018, i.e., the Temporary Specification will expire on 25 May 2019.
On 19 July 2018, the GNSO Council initiated an Expedited Policy Development Process (EPDP) and chartered the EPDP on the Temporary Specification for gTLD Registration Data team. Unlike other GNSO PDP efforts, which are open for anyone to join, the GNSO Council chose to limit the membership composition of this EPDP, primarily in recognition of the need to complete the work in a relatively short timeframe and to resource the effort responsibly. GNSO Stakeholder Groups, the Governmental Advisory Committee (GAC), the Country Code Names Supporting Organization (ccNSO), the At-Large Advisory Committee (ALAC), the Root Server System Advisory Committee (RSSAC), and the Security and Stability Advisory Committee (SSAC) were each invited to appoint up to a set number of members and alternates, as outlined in the charter. In addition, the ICANN Board and ICANN Org were invited to assign a limited number of liaisons to this effort. A call for volunteers to the aforementioned groups was issued in July and the EPDP Team held its first meeting on 1 August 2018.
1 Because the Temporary Specification is central to the EPDP Team's work, readers unfamiliar with the Temporary Specification may wish to read it before reading this Initial Report to gain a better understanding of and context for this Initial Report.