Contractual Compliance: Difference between revisions

From ICANNWiki
JP (talk | contribs)
No edit summary
JP (talk | contribs)
No edit summary
Line 3: Line 3:
==History==
==History==
The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, [[Registry Agreement|registry agreements]] and [[Registrar Accreditation Agreement|registrar accreditation agreements]] with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.
The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, [[Registry Agreement|registry agreements]] and [[Registrar Accreditation Agreement|registrar accreditation agreements]] with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.
Periodic reporting of compliance performance was initiated by the department in July 2014.<ref name="perfstats">[https://features.icann.org/compliance/dashboard/report-list ICANN.org - Contractual Compliance Performance Reports], last visited December 2021</ref> The department also publishes annual reports of complaints, complaint processing, and formal resolutions of complaints.<ref name="perfstats" /> ICANN's Annual Report incorporates some of the contractual compliance information as well.  In 2017, the department began assembling quarterly reports of activities and performance. Quarterly reporting was discontinued in 2019.<ref name="perfstats" />
===GDPR and Registration Data Complaints===
As the EU's [[General Data Protection Regulation]] came into effect, Contractual Compliance shifted its focus around and response to complaints related to inaccuracies or misrepresentations in registration data.<ref name="gdpr">[https://www.icann.org/resources/pages/registration-data-accuracy-obligations-gdpr-2021-06-14-en ICANN.org - Registration Data Accuracy Obligations Before and After GDPR], June 14, 2021</ref> The department noted that the shifts in registrar and registry policies resulting from the implementation of GDPR resulted in changes in the number and relevance of complaints:
<blockquote>The decrease in complaint volume from a monthly average of 2,774 pre-GDPR to 1,003 post-GDPR resulted from a significant reduction in external complaints and from ICANN org no longer releasing WHOIS ARS reports beginning in June 2018.
In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.<ref name="gdpr" /></blockquote>


==Complaints==
==Complaints==
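Review bot: In the added GDPR paragraph, "shifted its focus around and response to complaints" does not parse as written; something like "shifted its focus on, and its response to, complaints" would read cleanly. The following sentence also uses "resulting from" and "resulted in" back to back, so consider "the shifts in registrar and registry policies following the implementation of GDPR changed the number and relevance of complaints". In the added reporting paragraph, the sentence about quarterly reports starting in 2017 has a stray double space before it.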

Revision as of 22:35, 7 December 2021

The Office of Contractual Compliance is an ICANN department charged with gathering information from and enforcing the contractual compliance of registries and registrars through complaint-driven informal and formal resolution processes, ICANN-initiated monitoring, and random auditing.

History

The history of ICANN's compliance enforcement runs parallel to the history of the organization's agreements with contracted parties: specifically, registry agreements and registrar accreditation agreements with registries and registrars, respectively. Contractual Compliance's role changed over time as those agreements were amended to include additional expectations, obligations, and mandates of contracted parties.

Periodic reporting of compliance performance was initiated by the department in July 2014.[1] The department also publishes annual reports of complaints, complaint processing, and formal resolutions of complaints.[1] ICANN's Annual Report incorporates some of the contractual compliance information as well. In 2017, the department began assembling quarterly reports of activities and performance. Quarterly reporting was discontinued in 2019.[1]

GDPR and Registration Data Complaints

As the EU's General Data Protection Regulation came into effect, Contractual Compliance shifted its focus on, and its response to, complaints related to inaccuracies or misrepresentations in registration data.[2] The department noted that the shifts in registrar and registry policies following the implementation of GDPR changed the number and relevance of complaints:

The decrease in complaint volume from a monthly average of 2,774 pre-GDPR to 1,003 post-GDPR resulted from a significant reduction in external complaints and from ICANN org no longer releasing WHOIS ARS reports beginning in June 2018. In addition, the percentage of complaints received that lacked evidence of noncompliance or fell outside of ICANN org's contractual scope increased. For example, many complainants believe that the registration data is "missing" from the public Registration Data Directory Service (or WHOIS service), privacy or proxy service data are redactions, or all non-European data should be displayed. While Contractual Compliance efforts to educate complainants on contractual requirements increased, the number of actual investigations into registrars' compliance with registration data accuracy obligations decreased.[2]

Complaints

Complaints commonly handled by this office include unauthorized domain name transfers or unsuccessful transfer requests; registry violations, such as providing more favorable treatment to some registrars; renewal reminders, fees, or redemption issues; and incorrect WHOIS data or access issues.[3]

Monitoring

Auditing

The Audit Program is a continuous, ongoing activity that follows a recurring cycle. Each audit round consists of six phases:[4]

  1. Planning Phase: ICANN plans the audit scope and timeline.
  2. Request for Information Phase: ICANN issues a notice of audit to the selected contracted parties, who must compile information and respond to the audit request.
  3. Audit Phase: ICANN reviews, tests, and validates the responses to ensure compliance with the contractual obligations.
  4. Initial Report Phase: ICANN issues a confidential initial audit report to each auditee containing the initial findings and allowing the contracted party to address the findings or provide clarity.
  5. Remediation Phase: ICANN collaborates with the auditees to remediate issues.
  6. Final Report Phase: ICANN issues a confidential final audit report to each auditee. ICANN also summarizes the audit round in an overall audit report.

DNS Abuse

On 6 November 2018, ICANN Contractual Compliance (Compliance) launched a Registry Operator Audit for Addressing DNS Security Threats.[5]

Roles at ICANN

  • Senior Manager, Contractual Compliance Risk and Audit
  • SVP, Contractual Compliance & U.S. Government Engagement
  • Contractual Compliance Risk and Audit Senior Specialist
  • Contractual Compliance Lead
  • Sr. Manager, Contractual Compliance
  • Contractual Compliance Analyst
  • Contractual Compliance Specialist
  • Contractual Compliance Senior Specialist

References