[GNSO-Accuracy-ST] Update and ask for feedback re. scenarios for EDPB

Tue May 10 06:47:48 UTC 2022

Hi Brian,

I think you may be overextending the reach of section 3.4.3 a bit there.
This section clearly points out:
"*Registrar shall deliver copies of such data, information and records to
ICANN in respect to limited transactions or circumstances that may be the
subject of a compliance-related inquiry*"
So in other words, this section does not apply if it is not a compliance
matter. No compliance case = no data under 3.4.3

Also note the further restrictions contained in the section that
essentially note that registrars may supply redacted data if they believe
data protection laws prevent them from disclosing unredacted data:
*"In the event Registrar believes that the provision of any such data,
information or records to ICANN would violate applicable law or any legal
proceedings, ICANN and Registrar agree to discuss in good faith whether
appropriate limitations, protections, or alternative solutions can be
identified to allow the production of such data, information or records in
complete or redacted form, as appropriate.*"

Finally, note that ICANN is prohibited from disclosing any parts of the
data obtained in this way unless required to do so, essentially rendering
any data obtained useless for the purposes of this group:
"*ICANN** shall not disclose the content of such data, information or
records except as expressly required by applicable law, any legal
proceeding or Specification or Policy.*"

In other words, 3.4.3 is a specifically tailored tool designed exclusively
for ICANN compliance to investigate compliance matters and is not suited
for the purpose of measuring accuracy overall.

Best,
-- 
Volker A. Greimann
General Counsel and Policy Manager
*KEY-SYSTEMS GMBH*

T: +49 6894 9396901
M: +49 6894 9396851
F: +49 6894 9396851
W: www.key-systems.net

Key-Systems GmbH is a company registered at the local court of
Saarbruecken, Germany with the registration no. HR B 18835
CEO: Oliver Fries and Robert Birkner

Part of the CentralNic Group PLC (LON: CNIC) a company registered in
England and Wales with company number 8576358.

This email and any files transmitted are confidential and intended only for
the person(s) directly addressed. If you are not the intended recipient,
any use, copying, transmission, distribution, or other forms of
dissemination is strictly prohibited. If you have received this email in
error, please notify the sender immediately and permanently delete this
email with any files that may be attached.

On Mon, May 9, 2022 at 7:49 PM Brian Gutterman <brian.gutterman at icann.org>
wrote:

> Dear Colleagues of the Accuracy Scoping Team,
>
>
>
> As you are aware, at ICANN73 the ICANN Board requested that ICANN org
> <https://mm.icann.org/pipermail/gnso-accuracy-st/2022-March/000336.html> prepare
> a number of specific scenarios for which it will consult the European Data
> Protection Board on whether or not ICANN org has a legitimate purpose that
> is proportionate, i.e. not outweighed by the privacy rights of the
> individual data subjects, to request that contracted parties provide access
> to registration data records. In follow-up to those discussions, my ICANN
> org colleagues have provided this update and request for feedback for the
> Accuracy Scoping Team.
>
>
>
> ICANN org’s approach to this exercise is set out in greater detail below.
> Understanding that the team has identified additional input from regulators
> as potentially useful for its work, we request your feedback, to ensure
> that this exercise is seeking out information that would further your
> efforts.
>
>
>
> As we’ve seen with previous engagements, we want to caution that feedback
> or guidance received from regulators, if any, would not be immediate. While
> ICANN org will pursue this as expeditiously as practicable, we would
> encourage the team to keep the uncertain timeline for a response in mind.
>
>
>
> If you could please provide your feedback by 23 May that would be
> appreciated.
>
>
>
> *Current Status*
>
> ICANN org will be reaching out to the European Commission for help with
> introducing the issue of registration data accuracy and, in particular,
> steps that can be taken within the boundaries of the GDPR, to the level of
> the European Data Protection Board. The European Commission previously
> committed to facilitate exchanges, whereas the Belgian DPA told us our
> issues were better addressed at the EDPB level. We are hopeful that the
> Commission will help.
>
>
>
> ICANN org has also considered steps that could be taken now, under the
> current agreements and policies, with regard to requesting registration
> data from registrars for the purposes of assessing accuracy. The Registrar
> Accreditation Agreement, at Section 3.3.4, states (emphasis added): “During
> the Term of this Agreement and for two (2) years thereafter, Registrar
> shall make the data, information and records specified in this Section 3.4
> available for inspection and copying by ICANN upon reasonable notice. In
> addition, upon reasonable notice and request from ICANN, Registrar shall
> deliver copies of such data, information and records to ICANN in respect to
> limited transactions or circumstances that may be the subject of a
> compliance-related inquiry; *provided, however, that such obligation
> shall not apply to requests for copies of the Registrar's entire database
> or transaction history*.” Thus, while ICANN org can request targeted
> records from registrars, a registrar is not required to provide ICANN org
> with access to its entire registration database, irrespective of whether or
> not this would be acceptable under the GDPR.
>
>
>
> As a result, ICANN org believes that any efforts in furtherance of
> registration data accuracy at this stage would involve evaluating (Scenario
> 1) publicly-available registration data (the benefits of which may be
> limited, given that much of the registrant contact data is now redacted),
> or (Scenario 2) some subset of full registration data provided by
> registrars. Under this Scenario 2, ICANN org would need to identify the
> appropriate mechanism for choosing a sample of registration data to
> analyze. To ensure this sampling falls within the RAA’s restrictions
> concerning a registrar’s provision of records to ICANN org, a sample should
> be related to “limited transactions or circumstances that may be the
> subject of a compliance-related inquiry.” One approach would be to identify
> a specific subset of registration data that may be of particular interest
> or concern. If the team has specific views on this aspect of the scenario,
> your feedback is welcomed.
>
>
>
> Alternatively, as explained by Contractual Compliance’s presentation to
> your team, ICANN org could (Scenario 3) conduct an audit concerning
> registrars’ compliance with registration data validation and verification
> requirements in the RAA’s WHOIS Accuracy Program Specification, or
> (Scenario 4) conduct a voluntary survey of registrars concerning
> registration data accuracy. A survey, as discussed by the scoping team,
> could request that registrars provide information about their registration
> data validation and verification processes, including information about how
> many domains have registration data that is validated and verified, how
> many domains have data that is currently in the verification process, how
> many domains are suspended due to non-verification, and for a rate of email
> bounces for WHOIS Data Reminder Policy Notices sent out during a set time
> period.
>
>
>
> Notably, these scenarios 3 and 4 would assess registrars’ compliance with
> procedures designed to ensure the contactability of registrants, but
> compliance with these procedures does not necessarily guarantee that all
> the data is “accurate.”
>
>
>
> To summarize, the scenarios ICANN org is exploring at this stage are:
>
> *Scenario 1:* Analyze publicly available registration data for
> syntactical and operational accuracy (as was done previously in the WHOIS
> ARS program).
>
> *Scenario 2:* Analyze a sample of full registration data provided by
> registrars to ICANN org.
>
> *Scenario 3:* Proactive Contractual Compliance audit of registrar
> compliance with registration data validation and verification requirements.
>
> *Scenario 4:* Registrar registration data accuracy survey (*voluntary*).
>
>
>
> In parallel to this initial outreach to the European Commission, ICANN org
> will assess the data protection implications of the scenarios identified
> above, with the aim of submitting data protection-related questions
> concerning any of the above scenarios to regulators for guidance.
>
>
>
> Feedback received from the accuracy scoping team will help to inform
> ICANN’s outreach concerning the data protection implications of further
> steps ICANN org could take in furtherance of registration data accuracy, so
> that we can better understand the information the accuracy scoping team
> would find beneficial for its work. If you believe other scenarios should
> be considered or identify other issues that may be relevant to this
> analysis, please let us know.
>
>
> We are requesting that you please provide your feedback no later than 23
> May so that we have it available before we complete our initial analysis.
>
>
>
> Best,
>
> Brian
>
>
> _______________________________________________
> GNSO-Accuracy-ST mailing list
> GNSO-Accuracy-ST at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-accuracy-st
>
> _______________________________________________
> By submitting your personal data, you consent to the processing of your
> personal data for purposes of subscribing to this mailing list accordance
> with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and
> the website Terms of Service (https://www.icann.org/privacy/tos). You can
> visit the Mailman link above to change your membership status or
> configuration, including unsubscribing, setting digest-style delivery or
> disabling delivery altogether (e.g., for a vacation), and so on.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-accuracy-st/attachments/20220510/5e604890/attachment-0001.html>