[Gdd-gnso-ppsai-impl] Specifics related to PP IRT discussion on data escrow/retention on 1/24 IRT call

[Mary Wong]

Hello everybody, just as a follow up to Amy’s note below, here is some information about the PDP Working Group’s discussions on the topics of data escrow and retention. Hopefully this will be helpful to those who were not members of the Working Group as well as enable Working Group members to add their insights (or corrections, as the case may be).

Basically, the staff recollection is that the Working Group discussed these topics generally in the context of recommendations concerning the definitions of privacy and proxy service providers, difficulties and distinctions as between providers affiliated with a registrar and those who are not, and concerns about data privacy and access in the event of de-accreditation of a provider. The Working Group also sought input from ICANN staff about how data escrow might work for privacy and proxy service providers (as opposed to, say, registrars) in different accreditation models. However, these discussions did not result in the development of specific language on these topics, or in a specific recommendation in either the Initial or the Final Report.

Some links and additional notes that may be of interest:

·         Much of the Working Group’s discussions on this topic occurred (as Chris Pelling noted on the call yesterday) around the time of the intensive face-to-face meeting the Working Group held at the Dublin ICANN meeting in October 2015. As posted in the Adobe Connect chat room, the transcript of that discussion can be found here, and occurs from Page 27-31: https://meetings.icann.org/en/dublin54/schedule/fri-ppsai/transcript-ppsai-3-16oct15-en.pdf.


·         Following the Dublin face-to-face session, the topic of data escrow was raised during the Working Group meeting of 10 November 2015, when ICANN staff provided input to the Working Group about how data escrow might work: https://gnso.icann.org/en/meetings/transcript-ppsa-10nov15-en.pdf.


·         The topic was also noted as a possible discussion item for the Working Group meeting of 3 November 2015, and in a couple of emails on the Working Group mailing list around that time, but no further developments or discussions took place thereafter. The Working Group was by then reviewing draft language for what would become its final consensus recommendations and Final Report, which it completed and submitted to the GNSO Council on 7 December 2015. The Council adopted all the Working Group’s consensus recommendations on 21 January 2016.

Thanks and cheers
Mary




From: <gdd-gnso-ppsai-impl-bounces at icann.org> on behalf of Amy Bivins <amy.bivins at icann.org>
Reply-To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Date: Wednesday, January 25, 2017 at 08:03
To: "gdd-gnso-ppsai-impl at icann.org" <gdd-gnso-ppsai-impl at icann.org>
Subject: [Gdd-gnso-ppsai-impl] Specifics related to PP IRT discussion on data escrow/retention on 1/24 IRT call

Hello, All,

I reviewed yesterday’s call recording to compile a full summary of the input we received from you related to the questions related to possible requirements on data escrow and retention.

At the outset of our discussion on data escrow and data retention (beginning around 25:30 on the call), there was some hesitation by some in the room to discussing potential requirements for PP service providers. However, as we got further into the discussion, there seemed to be support for exploring proposals on these topics, but only to ensure that the requirements are the same for PP service providers regardless of whether or not the provider is Affiliated with a registrar (and ensuring no duplicate requirements for registrars).

There are documented PDP WG discussions on data escrow. I have not located any WG discussion specifically on data retention. However, there are existing RAA requirements for retention of PP customer contact information. This, coupled with PDP WG discussions about ensuring that customers are protected to the extent possible if an accredited PP service is terminated or goes out of business, seems to imply that such a requirement—retaining a limited set of Customer information (name, email, address, telephone number) to ensure that these Customers can be contacted in this situation—may fall within the intent of the PDP WG recommendations. This interpretation seemed to be supported by many on the call yesterday, including Theo, Chris, Steve and Susan. As a result, based on the discussion yesterday, we will proceed with drafting proposals on these topics to be discussed with the IRT, unless there is a continuing question regarding whether this was within the intent of the PDP WG.

If anyone on the IRT wishes to comment on this, specifically on whether you believe this is within or beyond the intent of the PDP WG, please do so by replying to this thread.

The current RAA requirements are noted below.


Specification on Privacy and Proxy Registrations (expires 1 January 2018):

“2.5 Escrow of P/P Customer Information. Registrar shall include P/P Customer contact information in its Registration Data Escrow deposits required by Section 3.6 of the Agreement. P/P Customer Information escrowed pursuant to this Section 2.5 of this Specification may only be accessed by ICANN in the event of the termination of the Agreement or in the event Registrar ceases business operations.”

            Note—this requirement to escrow PP customer contact information will expire with the interim specification

            RAA

            3.6 Data Escrow. During the Term of this Agreement, on a schedule, under the terms, and in the format specified by ICANN, Registrar shall submit an electronic copy of the data described in Subsections 3.4.1.2 through 3.4.1.5 to ICANN or, at Registrar's election and at its expense, to a reputable escrow agent mutually approved by Registrar and ICANN, such approval also not to be unreasonably withheld by either party. The data shall be held under an agreement among Registrar, ICANN, and the escrow agent (if any) providing that (1) the data shall be received and held in escrow, with no use other than verification that the deposited data is complete, consistent, and in proper format, until released to ICANN; (2) the data shall be released from escrow upon expiration without renewal or termination of this Agreement; and (3) ICANN's rights under the escrow agreement shall be assigned with any assignment of this Agreement. The escrow shall  provide that in the event the escrow is released under this Subsection, ICANN (or its assignee)          shall have a non-exclusive, irrevocable, royalty-free license to exercise (only for transitional purposes) or have exercised all rights necessary to provide Registrar Services.

(NOTE—this is a data retention requirement—the same data that is required to be retained is required to be escrowed) 3.4.1.5 the name, postal address, e-mail address, and voice telephone number provided by the customer of any privacy service or licensee of any proxy registration service, in each case, offered or made available by Registrar or its Affiliates in connection with each registration. Effective on the date that ICANN fully implements a Proxy Accreditation Program established in accordance with Section 3.14, the obligations under this Section 3.4.1.5 will cease to apply as to any specific category of data (such as postal address) that is expressly required to be retained by another party in accordance with such Proxy Accreditation Program (emphasis added).

Best,
Amy

Amy E. Bivins
Registrar Policy Services Manager
Registrar Services and Industry Relations
Internet Corporation for Assigned Names and Numbers (ICANN)
Direct: +1 (202) 249-7551
Fax:  +1 (202) 789-0104
Email: amy.bivins at icann.org
www.icann.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gdd-gnso-ppsai-impl/attachments/20170125/3c72a507/attachment-0001.html>