Guidelines for Proposed Models to Address the General Data Protection Regulation (GDPR)
On 2 November 2017, the ICANN org published the Statement from Contractual Compliance regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union's General Data Protection Regulation (GDPR). Under the conditions outlined in the statement and as indicated in the Data Protection/Privacy Activity Recap published on 17 November 2017, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data on a temporary basis during this period of uncertainty.
To be eligible for deferral, a contracted party that intends to deviate from its existing obligations must first share its model with ICANN. As such, ICANN is seeking proposed implementation models from the community that we can submit to the Hamilton law firm to incorporate in their follow-up legal analysis. Ultimately, these submissions will inform the publication of models for compliance with the GDPR as well as our contracts. As a point of clarity, submission of a model does not mean that it will qualify for deferral or that any deferral granted will be permanent.
When possible, we encourage alignment of models prior to submission. Fewer models will ease the impact on end-users and operational processes for all of us.
Requirements for Submissions
Each proposal should contain the following items:
- Cover Page for Proposed Models to Address the GDPR: download and complete this form to submit with any proposed model;
- Executive Summary: provide an overview of the proposed model;
- Details of the Proposal: provide complete information according to the Details of the Proposal below.
Please submit a completed proposal to ICANN's Global Support Center by emailing globalsupport@icann.org.
Details of the Proposal
Please ensure the proposed plan includes consideration of at least the following:
- Analysis of how the model accommodates existing contractual obligations while reconciling them with the GDPR, including:
  - A description of the proposed change and how it differs from the current implementation;
  - Identification of how the model impacts current ICANN contractual obligations and specification of the contract provision or policy that is impacted by the cited law;
  - Identification of the applicable section(s) of the GDPR;
  - A description of how this change will comply with the applicable law.
- Changes to the collection, storage, display, transfer, and retention of data.
- Who will be impacted by the change and how (for example: registrants, users of WHOIS data, other contracted parties).
- Interoperability between registry operators and registrars.
- How users with a legitimate need for data will request and obtain data if it is no longer available in public WHOIS.
- Whether data handling will be uniform or if there will be variation based on things such as "natural person" vs. an organization, physical address of a point of contact, location of the registry operator or registrar, etc.
- Whether this model has been reviewed by a data protection authority. If so, indicate which data protection authority, when, and any details of their response.
- High-level description of any changes to other agreements beyond the Registry Agreement and Registrar Accreditation Agreement (for example: Registry-Registrar Agreement, Data Escrow Agreement, Registration Agreement, Registrar Reseller Agreement, Privacy Policies, etc.).
- If applicable, how this differs from other models and whether you endorse any other model. If you endorse another model, please identify whether you endorse the entire model or specific sections.
Next Steps
Upon receipt of proposed models, we will conduct a completeness check and follow up with clarifying questions, if necessary. We will then publish the models on ICANN.org and submit them to Hamilton to consider in its legal analysis. Ultimately, the work by Hamilton combined with the community discussions and its proposals will inform the publication of models for compliance with the GDPR as well as with our contracts. As noted in our prior blog, we will solicit public comment on these proposed models, which ICANN org will consider before settling on a decision. As we continue to learn more, we will provide further details of next steps.
Alignment with Contractual and Consensus Policy Obligations
ICANN's agreements with registries and registrars contain certain contractual and consensus policy obligations, including the Registry Service Evaluation Policy and the Revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law. At this time, contracted parties do not need to initiate these service requests to share a proposed model with ICANN for analysis unless they plan to imminently deploy the model. Any deviation from ICANN contractual requirements must be approved or authorized in advance of deployment.
Related Resources
- ICANN Data Protection/Privacy Issues Webpage
- Data Protection/Privacy Update: Guidance on Proposed Model Submissions Now Available (8 Dec 2017)
- Statement from Contractual Compliance (2 Nov 2017)
- Data Protection/Privacy Activity Recap Blog (17 Nov 2017)
- ICANN GDPR Legal Analysis Webpage
- Revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law
ICANN Disclaimer
These guidelines are provided as a reference for the submission of proposed implementation models for review by the ICANN org and Hamilton law firm. This is for informational purposes only and should not be relied upon to provide legal advice or determine how data protection regulation may apply to you and your organization. Submission of a model does not provide any legal rights to the Contracted Parties under your current agreement with ICANN nor does it constitute approval or deferral from contractual obligations.