[ODP-SSAD] Response to the question asked during the Webinar #4

[Yuko Yokoyama]

Dear Mr. Palage,

As you recall, SSAD ODP team ran out of time to address your question that was asked at the end of the last SSAD ODP webinar (18 November 2021). As promised, here is our response to your question.


Your question: ​​

The term "technically and commercially feasible" is currently used in the 2013 RRA. Is ICANN stating that the term in Recommendation in 9.1 is equivalent to the RRA term.  Goran stated that it was up to Registrars to make that determination under 9.1, who makes that determination under the RAA? ICANN Compliance or the Registrar?


Our answer:

No. ICANN is not stating that the term “technically and commercially feasible” in Recommendation 9.1 is equivalent to the term used in the Registrar Accreditation Agreement. The RAA’s Transition Addendum<https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#transition>, at Section 6, set out a process for determining technical and commercial feasibility of an across-field validation requirement in the RAA’s WHOIS Accuracy Program Specification<https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en#whois-accuracy>, at Section 1(e). The EPDP Team did not reference or incorporate that process into its SSAD recommendations.


This question was asked in follow-up to a question read aloud and answered during the webinar: “How does ICANN intend to resolve ambiguity and recommendation 9.1 around who gets to determine whether it is technically and commercially feasible and legally permissible to automate responses?” (see recording<https://icann.zoom.us/rec/play/FHihm9cTRrAyV9hlrP6T1bSXmcGs4Dc5s4rzpWfFZiXQM6z8OTVaSaGD8irAX7NeyJFpxbiSlAPLLdCg.FCBfhJx6ES8UuN2Y?continueMode=true&_x_zm_rtaid=P3Jbwu9USXWbG3iKZVy2jw.1637777624084.959965feb25279afae98cd67681a8a6b&_x_zm_rhtaid=677>  at approximately 1hr:21min).


During the webinar, Göran Marby responded that, under the General Data Protection Regulation (GDPR), the contracted parties would be responsible for deciding whether or not to disclose nonpublic registration data requested via the SSAD. When a contracted party’s disclosure of registration data is subject to the GDPR, and that processing is performed pursuant to the GDPR’s “legitimate interest” legal basis (e.g. requiring the application of the GDPR’s Article 6(1)f’s “balancing test”), the contracted party (not ICANN) is responsible for applying that test and determining whether or not it may disclose the data in compliance with the GDPR). Göran also said that “the policy making process cannot change that fundamental fact because it's one of the more important parts of the actual law.”

I hope this answered your question, but if further clarification is needed, please do not hesitate to contact us at odp-ssad at icann.org<mailto:odp-ssad at icann.org>. Please note, this email is also posted on our publicly archived email<https://mm.icann.org/pipermail/odp-ssad/>.

Regards,

Yuko Yokoyama
Program Director
Strategic Initiatives, Global Domains & Strategy
Internet Corporation for Assigned Names and Numbers (ICANN)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/odp-ssad/attachments/20211130/a9f1e7cb/attachment.html>