[Gnso-epdp-team] Recommendation 11 - Data Retention

Thu Feb 7 00:38:57 UTC 2019

Dear EPDP Team,

Following up on some noted issues during last week’s discussion of Recommendation 11 (data retention), please find updated language below for your consideration. We will discuss the below language tomorrow, but if you would like to flag any concerns in advance of tomorrow’s meeting, please do so.

Updating language is italicized and bolded for emphasis.

Recommendation 11

The EPDP team recommends that ICANN Org, as soon as is practicable, undertakes a review of all its active processes and procedures so as to identify and document the instances in which personal data is requested from a registrar beyond the period of the 'life of the registration'. Retention periods for specific data elements should then be identified, documented, and relied upon to establish the required relevant and specific minimum data retention expectations for registrars. In addition, community members should be invited to contribute to this data gathering exercise by providing input on other legitimate purposes for which different retention purposes may be applicable. These contributions could help inform the deliberations foreseen during phase 2 of the EPDP Team’s work. 

In the interim, the EPDP team has recognized that the Transfer Dispute Resolution Policy (“TDRP”) has been identified as having the longest specified retention period of one year and has therefore recommended registrars be required to retain only those data elements deemed necessary for the purposes of the TDRP, for a period of one year following the life of the registration. This retention is grounded on the stated policy stipulation within the TDRP that claims under the policy may only be raised for a period of 12 months after the alleged breach (FN: see TDRP section 2.2) of the Transfer Policy (FN: see Section 1.15 of TDRP). This retention period does not restrict the ability of registries and registrars to retain data elements provided in Recommendations 4 -7 for other purposes specified in Recommendation 1 for shorter periods.

The EPDP team recognizes that Contracted Parties may have needs or requirements for different retention periods in line with local law or other requirements. The EPDP team recommends that nothing in this recommendation, or in separate ICANN-mandated policy, should prohibit contracted parties from setting their own retention periods beyond that which is expected in ICANN policy. Similarly, should local law prevent retention for the minimum period as set by ICANN, the EPDP team recommends that a suitable waiver procedure is put in place that can address such situations. In addition, the waiver procedure should be reviewed to determine if it would be appropriate for other Contracted Parties to “join” themselves to an existing waiver upon demonstration of being subject to the same law or other requirement that grounded the original waiver application.

Thank you. 

Best regards,

Marika, Berry, and Caitlin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190207/0cf2c9d2/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4621 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190207/0cf2c9d2/smime-0001.p7s>