<div dir="ltr"><div>Hi Brian,</div><div><br></div><div>I think you may be overextending the reach of section 3.4.3 a bit there. This section clearly points out: <br></div><div>"<span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><i>Registrar
shall deliver copies of such data, information and records to ICANN <b>in
respect to limited transactions or circumstances that may
be the <u>subject of a compliance-related inquiry</u></b></i>"</span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%">So in other words, this section does not apply if it is not a compliance matter. No compliance case = no data under 3.4.3</span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><br></span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%">Also note the further restrictions contained in the section that essentially note that registrars may supply redacted data if they believe data protection laws prevent them from disclosing unredacted data:</span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%">
<i>"In the event Registrar believes that the provision of
any such data, information or records to <abbr title="Internet Corporation for Assigned Names and Numbers" class="gmail-">ICANN</abbr> would violate applicable law or
any legal proceedings, <abbr title="Internet Corporation for Assigned Names and Numbers">ICANN</abbr> and Registrar agree to discuss in good faith
whether <b>appropriate limitations, protections, or alternative solutions can be
identified to allow the production of such data, information or records in
complete or redacted form</b>, as appropriate.</i>" <br></span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><abbr title="Internet Corporation for Assigned Names and Numbers" class="gmail-"><br></abbr></span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><abbr title="Internet Corporation for Assigned Names and Numbers" class="gmail-">Finally, note that ICANN is prohibited from disclosing any parts of the data obtained in this way unless required to do so, essentially rendering any data obtained useless for the purposes of this group:<br></abbr></span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><abbr title="Internet Corporation for Assigned Names and Numbers" class="gmail-">"<i>ICANN</i></abbr><i> <u><b>shall not disclose the
content of such data, information or records</b></u> except as expressly required by
applicable law, any legal proceeding or Specification or Policy.</i>"
</span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><br></span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%">In other words, 3.4.3 is a specifically tailored tool designed exclusively for ICANN compliance to investigate compliance matters and is not suited for the purpose of measuring accuracy overall.</span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%"><br></span></span></div><div><span style="font-size:10.5pt;color:black"><span style="background:white none repeat scroll 0% 0%">Best,<br></span></span>
</div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><span lang="EN-US">-- <br>Volker A. Greimann<br>General Counsel and Policy Manager<br><b>KEY-SYSTEMS GMBH</b><br><br>T: +49 6894 9396901<br>M: +49 6894 9396851<br>F: +49 6894 9396851<br>W: </span><a href="http://www.key-systems.net/" style="color:rgb(17,85,204)" target="_blank"><span lang="EN-US">www.key-systems.net</span></a><span lang="EN-US"><br><br>Key-Systems GmbH is a company registered at the local court of Saarbruecken, Germany with the registration no. HR B 18835<br>CEO: Oliver Fries and Robert Birkner<br><br>Part of the CentralNic Group PLC (LON: CNIC) a company registered in England and Wales with company number 8576358.<br><br></span><span style="font-family:Roboto,sans-serif;font-size:14px;white-space:pre-wrap;background-color:rgb(248,249,250)">This email and any files transmitted are confidential and intended only for the person(s) directly addressed. If you are not the intended recipient, any use, copying, transmission, distribution, or other forms of dissemination is strictly prohibited. If you have received this email in error, please notify the sender immediately and permanently delete this email with any files that may be attached.</span></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, May 9, 2022 at 7:49 PM Brian Gutterman <<a href="mailto:brian.gutterman@icann.org">brian.gutterman@icann.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="overflow-wrap: break-word;" lang="EN-US">
<div class="gmail-m_-4008430483204281589WordSection1">
<p style="margin:0in"><span style="font-size:10.5pt;color:black">Dear Colleagues of the Accuracy Scoping Team,<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">As you are aware, at ICANN73 the</span><span class="gmail-m_-4008430483204281589apple-converted-space"><span style="font-size:10.5pt;color:black"> </span></span><span style="font-size:10.5pt;color:black"><a href="https://mm.icann.org/pipermail/gnso-accuracy-st/2022-March/000336.html" title="https://mm.icann.org/pipermail/gnso-accuracy-st/2022-March/000336.html" target="_blank"><span style="color:rgb(17,85,204)">ICANN
Board requested that ICANN org</span></a></span><span class="gmail-m_-4008430483204281589apple-converted-space"><span style="font-size:10.5pt;color:black"> </span></span><span style="font-size:10.5pt;color:black">prepare a number of specific scenarios for which it will consult the European
Data Protection Board on whether or not ICANN org has a legitimate purpose that is proportionate, i.e. not outweighed by the privacy rights of the individual data subjects, to request that contracted parties provide access to registration data records. In
follow-up to those discussions, my ICANN org colleagues have provided this update and request for feedback for the Accuracy Scoping Team. <u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">ICANN org’s approach to this exercise is set out in greater detail below. Understanding that the team has identified additional input from regulators as potentially useful for its work, we request your feedback, to
ensure that this exercise is seeking out information that would further your efforts.<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">As we’ve seen with previous engagements, we want to caution that feedback or guidance received from regulators, if any, would not be immediate. While ICANN org will pursue this as expeditiously as practicable, we would
encourage the team to keep the uncertain timeline for a response in mind.<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">If you could please provide your feedback by 23 May that would be appreciated.<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<b><span style="font-size:10.5pt;color:black">Current Status</span></b><span style="font-size:10.5pt;color:black"><u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">ICANN org will be reaching out to the European Commission for help with introducing the issue of registration data accuracy and, in particular, steps that can be taken within the boundaries of the GDPR, to the level
of the European Data Protection Board. The European Commission previously committed to facilitate exchanges, whereas the Belgian DPA told us our issues were better addressed at the EDPB level. We are hopeful that the Commission will help.<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">ICANN org has also considered steps that could be taken now, under the current agreements and policies, with regard to requesting registration data from registrars for the purposes of assessing accuracy. The Registrar
Accreditation Agreement, at Section 3.3.4, states (emphasis added): “<span style="background:white none repeat scroll 0% 0%">During the Term of this Agreement and for two (2) years thereafter, Registrar shall make the data, information and records specified in this Section 3.4 available
for inspection and copying by ICANN upon reasonable notice. In addition, upon reasonable notice and request from ICANN, Registrar shall deliver copies of such data, information and records to ICANN in respect to limited transactions or circumstances that may
be the subject of a compliance-related inquiry;</span></span><span class="gmail-m_-4008430483204281589apple-converted-space"><span style="font-size:10.5pt;color:black;background:white none repeat scroll 0% 0%"> </span></span><b><span style="font-size:10.5pt;color:black;background:white none repeat scroll 0% 0%">provided, however, that
such obligation shall not apply to requests for copies of the Registrar's entire database or transaction history</span></b><span style="font-size:10.5pt;color:black;background:white none repeat scroll 0% 0%">.” Thus, while ICANN org can request targeted records from registrars, a
registrar is not required to provide ICANN org with access to its entire registration database, irrespective of whether or not this would be acceptable under the GDPR.</span><span style="font-size:10.5pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black;background:white none repeat scroll 0% 0%">As a result, ICANN org believes that any efforts in furtherance of registration data accuracy at this stage would involve evaluating (Scenario 1) publicly-available registration data (the benefits
of which may be limited, given that much of the registrant contact data is now redacted), or (Scenario 2) some subset of full registration data provided by registrars. Under this Scenario 2, ICANN org would need to identify the appropriate mechanism for choosing
a sample of registration data to analyze. To ensure this sampling falls within the RAA’s restrictions concerning a registrar’s provision of records to ICANN org, a sample should be related to “limited transactions or circumstances that may be the subject of
a compliance-related inquiry.” One approach would be to identify a specific subset of registration data that may be of particular interest or concern. If the team has specific views on this aspect of the scenario, your feedback is welcomed.</span><span style="font-size:10.5pt;color:black"><u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">Alternatively, as explained by Contractual Compliance’s presentation to your team, ICANN org could (Scenario 3) conduct an audit concerning registrars’ compliance with registration data validation and verification
requirements in the RAA’s WHOIS Accuracy Program Specification, or (Scenario 4) conduct a voluntary survey of registrars concerning registration data accuracy. A survey, as discussed by the scoping team, could request that registrars provide information about
their registration data validation and verification processes, including information about how many domains have registration data that is validated and verified, how many domains have data that is currently in the verification process, how many domains are
suspended due to non-verification, and for a rate of email bounces for WHOIS Data Reminder Policy Notices sent out during a set time period. <u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">Notably, these scenarios 3 and 4 would assess registrars’ compliance with procedures designed to ensure the contactability of registrants, but compliance with these procedures does not necessarily guarantee that all
the data is “accurate.” <u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">To summarize, the scenarios ICANN org is exploring at this stage are:<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:0.5in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<b><span style="font-size:10.5pt;color:black">Scenario 1:</span></b><span class="gmail-m_-4008430483204281589apple-converted-space"><b><span style="font-size:10.5pt;color:black"> </span></b></span><span style="font-size:10.5pt;color:black">Analyze publicly available registration data
for syntactical and operational accuracy (as was done previously in the WHOIS ARS program).<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:0.5in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<b><span style="font-size:10.5pt;color:black">Scenario 2:</span></b><span class="gmail-m_-4008430483204281589apple-converted-space"><b><span style="font-size:10.5pt;color:black"> </span></b></span><span style="font-size:10.5pt;color:black">Analyze a sample of full registration data provided
by registrars to ICANN org.<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:0.5in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<b><span style="font-size:10.5pt;color:black">Scenario 3:</span></b><span class="gmail-m_-4008430483204281589apple-converted-space"><b><span style="font-size:10.5pt;color:black"> </span></b></span><span style="font-size:10.5pt;color:black">Proactive Contractual Compliance audit of registrar
compliance with registration data validation and verification requirements.<u></u><u></u></span></p>
<p style="margin-right:0in;margin-bottom:0in;margin-left:0.5in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<b><span style="font-size:10.5pt;color:black">Scenario 4:</span></b><span class="gmail-m_-4008430483204281589apple-converted-space"><b><span style="font-size:10.5pt;color:black"> </span></b></span><span style="font-size:10.5pt;color:black">Registrar registration data accuracy survey (<b>voluntary</b>).<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">In parallel to this initial outreach to the European Commission, ICANN org will assess the data protection implications of the scenarios identified above, with the aim of submitting data protection-related questions
concerning any of the above scenarios to regulators for guidance. <u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p style="margin:0in;font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="font-size:10.5pt;color:black">Feedback received from the accuracy scoping team will help to inform ICANN’s outreach concerning the data protection implications of further steps ICANN org could take in furtherance of registration data accuracy,
so that we can better understand the information the accuracy scoping team would find beneficial for its work. If you believe other scenarios should be considered or identify other issues that may be relevant to this analysis, please let us know. <u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"><br>
We are requesting that you please provide your feedback no later th<span style="background:white none repeat scroll 0% 0%">an 23 May s</span>o that we have it available before we complete our initial analysis.<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black"> <u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black">Best,<u></u><u></u></span></p>
<p class="MsoNormal" style="font-variant-caps:normal;text-align:start;word-spacing:0px">
<span style="color:black">Brian<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
GNSO-Accuracy-ST mailing list<br>
<a href="mailto:GNSO-Accuracy-ST@icann.org" target="_blank">GNSO-Accuracy-ST@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/gnso-accuracy-st" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/gnso-accuracy-st</a><br>
<br>
_______________________________________________<br>
By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (<a href="https://www.icann.org/privacy/policy" rel="noreferrer" target="_blank">https://www.icann.org/privacy/policy</a>) and the website Terms of Service (<a href="https://www.icann.org/privacy/tos" rel="noreferrer" target="_blank">https://www.icann.org/privacy/tos</a>). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.</blockquote></div>