[GNSO-Accuracy-ST] Update and ask for feedback re. scenarios for EDPB

Brian Gutterman brian.gutterman at icann.org
Mon May 9 17:49:02 UTC 2022


Dear Colleagues of the Accuracy Scoping Team,


As you are aware, at ICANN73 the ICANN Board requested that ICANN org<https://mm.icann.org/pipermail/gnso-accuracy-st/2022-March/000336.html> prepare a number of specific scenarios for which it will consult the European Data Protection Board on whether or not ICANN org has a legitimate purpose that is proportionate, i.e. not outweighed by the privacy rights of the individual data subjects, to request that contracted parties provide access to registration data records. In follow-up to those discussions, my ICANN org colleagues have provided this update and request for feedback for the Accuracy Scoping Team.


ICANN org’s approach to this exercise is set out in greater detail below. Understanding that the team has identified additional input from regulators as potentially useful for its work, we request your feedback, to ensure that this exercise is seeking out information that would further your efforts.


As we’ve seen with previous engagements, we want to caution that feedback or guidance received from regulators, if any, would not be immediate. While ICANN org will pursue this as expeditiously as practicable, we would encourage the team to keep the uncertain timeline for a response in mind.


If you could please provide your feedback by 23 May that would be appreciated.


Current Status

ICANN org will be reaching out to the European Commission for help with introducing the issue of registration data accuracy and, in particular, steps that can be taken within the boundaries of the GDPR, to the level of the European Data Protection Board. The European Commission previously committed to facilitate exchanges, whereas the Belgian DPA told us our issues were better addressed at the EDPB level. We are hopeful that the Commission will help.


ICANN org has also considered steps that could be taken now, under the current agreements and policies, with regard to requesting registration data from registrars for the purposes of assessing accuracy. The Registrar Accreditation Agreement, at Section 3.3.4, states (emphasis added): “During the Term of this Agreement and for two (2) years thereafter, Registrar shall make the data, information and records specified in this Section 3.4 available for inspection and copying by ICANN upon reasonable notice. In addition, upon reasonable notice and request from ICANN, Registrar shall deliver copies of such data, information and records to ICANN in respect to limited transactions or circumstances that may be the subject of a compliance-related inquiry; provided, however, that such obligation shall not apply to requests for copies of the Registrar's entire database or transaction history.” Thus, while ICANN org can request targeted records from registrars, a registrar is not required to provide ICANN org with access to its entire registration database, irrespective of whether or not this would be acceptable under the GDPR.


As a result, ICANN org believes that any efforts in furtherance of registration data accuracy at this stage would involve evaluating (Scenario 1) publicly-available registration data (the benefits of which may be limited, given that much of the registrant contact data is now redacted), or (Scenario 2) some subset of full registration data provided by registrars. Under this Scenario 2, ICANN org would need to identify the appropriate mechanism for choosing a sample of registration data to analyze. To ensure this sampling falls within the RAA’s restrictions concerning a registrar’s provision of records to ICANN org, a sample should be related to “limited transactions or circumstances that may be the subject of a compliance-related inquiry.” One approach would be to identify a specific subset of registration data that may be of particular interest or concern. If the team has specific views on this aspect of the scenario, your feedback is welcomed.


Alternatively, as explained by Contractual Compliance’s presentation to your team, ICANN org could (Scenario 3) conduct an audit concerning registrars’ compliance with registration data validation and verification requirements in the RAA’s WHOIS Accuracy Program Specification, or (Scenario 4) conduct a voluntary survey of registrars concerning registration data accuracy. A survey, as discussed by the scoping team, could request that registrars provide information about their registration data validation and verification processes, including information about how many domains have registration data that is validated and verified, how many domains have data that is currently in the verification process, how many domains are suspended due to non-verification, and for a rate of email bounces for WHOIS Data Reminder Policy Notices sent out during a set time period.


Notably, these scenarios 3 and 4 would assess registrars’ compliance with procedures designed to ensure the contactability of registrants, but compliance with these procedures does not necessarily guarantee that all the data is “accurate.”


To summarize, the scenarios ICANN org is exploring at this stage are:

Scenario 1: Analyze publicly available registration data for syntactical and operational accuracy (as was done previously in the WHOIS ARS program).

Scenario 2: Analyze a sample of full registration data provided by registrars to ICANN org.

Scenario 3: Proactive Contractual Compliance audit of registrar compliance with registration data validation and verification requirements.

Scenario 4: Registrar registration data accuracy survey (voluntary).


In parallel to this initial outreach to the European Commission, ICANN org will assess the data protection implications of the scenarios identified above, with the aim of submitting data protection-related questions concerning any of the above scenarios to regulators for guidance.


Feedback received from the accuracy scoping team will help to inform ICANN’s outreach concerning the data protection implications of further steps ICANN org could take in furtherance of registration data accuracy, so that we can better understand the information the accuracy scoping team would find beneficial for its work. If you believe other scenarios should be considered or identify other issues that may be relevant to this analysis, please let us know.

We are requesting that you please provide your feedback no later than 23 May so that we have it available before we complete our initial analysis.

Best,
Brian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-accuracy-st/attachments/20220509/99e0216e/attachment-0001.html>


More information about the GNSO-Accuracy-ST mailing list