<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<p>Hello All,</p>
For Recommendation 11, the RrSG has the following proposed new text
and comments: <br>
<p><b>New text:</b><br>
</p>
<p>1) The EPDP team recommends that ICANN, as soon as is
practicable, undertakes a review of all its active processes and
procedures so as to identify and document the instances in which
personal data are requested from a registrar beyond the period of
the 'life of the registration'. Retention periods for specific
data elements should then be identified and documented, and relied
upon to establish the required relevant and specific minimum data
retention expectations for registrars. <br>
<br>
2) In the interim, the EPDP team has recognized that the Transfer
Dispute Resolution Policy (“TDRP”) has been identified as one such
process. The EPDP team therefore recommends that ICANN should
direct registrars to retain only those data elements deemed
necessary for the purposes of the TDRP, for a period of one year
following the life of the registration. This retention is grounded
on the stated policy stipulation within the TDRP that claims under
the policy may only be raised for a period of 12 months after the
alleged breach (FN: see TDRP section 2.2) of the Transfer Policy
(FN: see Section 1.15 of TDRP). Such retained data may only be
used in relation to a specific TDRP complaint; should a Registrar
use the retained data for any other purpose, they would do so
under their own Controllership.<br>
<br>
3) The EPDP team recognizes that Contracted Parties may have needs
or requirements for different retention periods in line with local
law or other requirements. The EPDP team recommends that nothing
in this recommendation, or in separate ICANN-mandated policy,
should prohibit contracted parties from setting their own
retention periods beyond that which is expected in ICANN policy.
Similarly, should local law prevent retention for the minimum
period as set by ICANN, the ePDP team recommends that a suitable
waiver procedure is put in place that can address such situations.
In addition, the waiver procedure should be reviewed to determine
if it would be appropriate for other CPs to “join” themselves to
an existing waiver upon demonstration of being subject to the same
law or other requirement that grounded the original waiver
application. <br>
</p>
<p><b>Notes:</b></p>
<p>- incorporates suggested new text & comments from email list
discussion (thanks Alan W for your insights!)<br>
- spells out that the data can only be used for specified
retention purposes (or, if used for other purpose, that would be a
separate Controller decision)<br>
</p>
<pre class="moz-signature" cols="72">--
Sarah Wyld
Domains Product Team
Tucows
+1.416 535 0123 Ext. 1392
</pre>
</body>
</html>