14,932
edits
Changes
Jump to navigation
Jump to search
Line 546:
Line 546: − + Line 554:
Line 554: + + + + + + + + + + + + − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (view source)
Revision as of 17:19, 25 January 2023
, 1 year ago→Public Comments Summary Report
====Addendum to Initial Report====
====Addendum to Initial Report====
Following the publication of the Initial Report, the EPDP team released an Addendum to the Initial Report in March 2020.<ref name="2addendum">[https://community.icann.org/download/attachments/124847621/EPDP%20Phase%202%20-%20%20Initial%20Report%20Priority%202%20Addendum%20-%2026%20March%202020.pdf EPDP Temp Spec Workspace - Addendum to Phase 2 Initial Report], March 20, 2020</ref> The addendum reported the team's deliberation of the priority 2 issues delegated to Phase 2:
Following the publication of the Initial Report, the EPDP team released an Addendum to the Initial Report in March 2020.<ref name="2addendum">[https://community.icann.org/download/attachments/124847621/EPDP%20Phase%202%20-%20%20Initial%20Report%20Priority%202%20Addendum%20-%2026%20March%202020.pdf EPDP Temp Spec Workspace - Addendum to Phase 2 Initial Report], March 20, 2020</ref> The addendum reported the team's deliberation of the priority 2 issues delegated to Phase 2:
* Display of information of affiliated vs. accredited privacy / proxy providers
* Display of information of affiliated vs. accredited privacy/proxy providers
* Legal vs. natural persons
* Legal vs. natural persons
* City field redaction
* City field redaction
* Accuracy and WHOIS Accuracy Reporting System<ref name="2addendum" />
* Accuracy and WHOIS Accuracy Reporting System<ref name="2addendum" />
The addendum included three additional recommendations and several "preliminary conclusions," with conclusions ranging from reports of significant divergence of opinion on issues to preliminary assessments that the status quo likely did not need to be changed:<ref name="2addendum" />
* Recommendation 20: In situations where an accredited privacy/proxy service is used, the registrar (and registry, if applicable) must include the full RDDS data of the service in response to an RDDS query. The data may include an anonymized email.
* Recommendation 21: "The EPDP Team confirms its recommendation from Phase 1 that registrars be required to retain only those data elements deemed necessary for the purposes of the [[TDRP]], for a period of fifteen months following the life of the registration plus three months to implement the deletion, i.e., 18 months."
* Recommendation 22: Add "contribute to the maintenance of the security, stability, and resiliency of the Domain Name System in accordance with ICANN's mission" to the "ICANN Purposes for processing gTLD registration data" listed in Recommendation 1 of the Phase 1 Final Report.
* Legal vs. natural persons: "There is a persistent divergence of opinion on if/how to address this topic within the EPDP Team." The team suggested that they confer with the GSNO Council for next steps.
* City field redaction: No changes are recommended to the Phase 1 recommendation that redaction must be applied to the city field.
* Office of Chief Technology Officer: No need to propose additional purpose(s) to facilitate ICANN's OCTO in carrying out its mission.
* Feasibility of unique contacts to have a uniform anonymized email address: EPDP team received legal guidance<ref>[https://community.icann.org/display/EOTSFGRD/EPDP+-P2+Legal+subteam?preview=/111388744/126424478/Memo%20-%20ICANN%20-%2004.02.2020.docx EPDP Workspace - Bird & Bird Memo re: "Batch 2" of questions regarding SSAD, proxies, pseudonymous emails], February 4, 2020</ref> that publication of uniform masked email addresses represents the publication of personal data under the GDPR. Therefore, this policy does not appear to be feasible.
* Accuracy of WHOIS data and WHOIS accuracy reporting system: Per instructions from GNSO Council, the EPDP team will not pursue these issues during Phase 2. Instead, the GNSO will form a scoping team to identify what the next steps should be regarding these topics.<ref name="2addendum" />
The Addendum was published for public comment in March 2020.<ref>[https://www.icann.org/en/public-comment/proceeding/addendum-to-the-initial-report-of-the-expedited-policy-development-process-epdp-on-the-temporary-specification-for-gtld-registration-data-team--phase-2-26-03-2020 Public Comment Proceeding: EPDP Temp Spec Phase 2 - Addendum to Initial Report], last updated May 19, 2020</ref> The EPDP team again prepared an intake form for responses. Many constituencies and advisory committees expressed dismay at the lack of progress on many serious issues, and in particular those issues for which "preliminary conclusions" were reported.<ref>[https://community.icann.org/pages/viewpage.action?pageId=126430750&preview=/126430750/134513571/gnso-EPDP-P2-pcrt-Initial-Report-Addendum-Recommendations_Addendum_Issues_20200506.docx EPDP Workspace - Collated General Comments], May 6, 2020 (.docx)</ref> The decision to pass over the issues of accuracy of WHOIS data and the accuracy reporting system was met with strong disagreement.<ref>[https://community.icann.org/pages/viewpage.action?pageId=126430750&preview=/126430750/134513537/gnso-EPDP-P2-pcrt-Initial-Report-Addendum-Recommendations_Accuracy_ARS_20200506.docx EPDP Workspace - Collated Comments to Accuracy & ARS Preliminary Conclusion], May 6, 2020 (.docx)</ref> There was also strong opposition to the failure to take up the issue of legal versus natural persons. After a thorough review of current practice, legal opinion, and other factors, the GAC's comment put the matter succinctly:
<blockquote>The clear implication of this legal advice, as well as the EDPB guidance, is that there is a variety of measures to ensure that registrants accurately designate themselves as legal entities. The fact that many ccTLDs (including those based in the EU) already make certain registrant data of legal entities publicly available demonstrates that such distinction is both legally permissible and feasible.<br />
Consequently, the GAC suggests that the EPDP reconsider its position. Instead of deferring this issue, the EPDP team could focus upon the legal guidance provided to develop reasonable policies to permit the information of legal entities to remain public. The time is now to implement a policy that deals with this issue in a manner that promotes public safety and provides useful information to internet users seeking to navigate the internet safely and securely.<ref>[https://community.icann.org/pages/viewpage.action?pageId=126430750&preview=/126430750/134513453/gnso-EPDP-P2-pcrt-Initial-Report-Addendum-Recommendations_Legal_v_Natural_20200506.docx EPDP Workspace - Collated Comments Regarding Legal v. Natural Persons], May 6, 2020 (.docx)</ref></blockquote>
====Final Report====
====Final Report====
The EPDP team submitted the Phase 2 Final Report to the GNSO Council on July 31, 2020, which the GNSO council approved on September 24, 2020. As with the initial report, the EPDP Team advised the GNSO council to treat these recommendations as one package and pass them on as such to the ICANN Board.<ref name="finalrep" />
The EPDP team submitted the Phase 2 Final Report to the GNSO Council on July 31, 2020. As proposed in the initial report, the EPDP Team advised the GNSO council to treat the recommendations as one package and pass them on as such to the ICANN Board.<ref name="finalrep" />
<ref>[https://gnso.icann.org/sites/default/files/file/field-file-attach/policy-briefing-epdp-temp-spec-gtld-registration-data-phase-2-06oct20-en.pdf GNSO ICANN69 Policy Briefing]</ref>
The GNSO Council approved the Final Report at its meeting in September 2020.<ref name="gnso69">[https://gnso.icann.org/sites/default/files/file/field-file-attach/policy-briefing-epdp-temp-spec-gtld-registration-data-phase-2-06oct20-en.pdf GNSO ICANN69 Policy Briefing]</ref> The following month, at [[ICANN 69]], the GNSO provided a policy update on the Phase 2 work, including an overview of approved next steps regarding two priority 2 issues: legal versus natural persons; and feasibility of unique contacts to have a uniform anonymized email address.<ref name="2Aproposal">[https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-2-priority-2-items-10sep20-en.pdf GNSO Council Proposal - EPDP Phase 2 Priority Items], September 10, 2020</ref> The Council decision was to reconvene the EPDP to continue work on a "Phase 2A" to address those two issues.<ref name="2Aproposal" />
===EPDP Phase 2A===
Phase 2A was started in November 2020.<ref name="2Adash">[https://community.icann.org/pages/viewpage.action?pageId=150177878 GNSO Workspace - EPDP Temp Spec Phase 2A]</ref> This final phase exclusively addressed the issues of legal vs. natural persons and the feasibility of unique contacts to have a uniform anonymized email address.<ref name="2Aproposal" /> The Final Report was issued to the GNSO Council on September 13, 2021<ref>[https://community.icann.org/display/EOTSFGRD/Final+Report EPDP Workspace - Final Report, Phase 2A], last updated September 20, 2021</ref> The report made sure to highlight the limitations of the working group's consensus regarding the recommendations:
<blockquote>This Final Report constitutes a compromise that is the maximum that could be achieved by the group at this time under our currently allocated time and scope, and it should not be read as delivering results that were fully satisfactory to everyone. This underscores the importance of the minority statements in understanding the full context of the Final Report recommendations.<ref name="2areport">[https://community.icann.org/download/attachments/176619847/EPDP%20Phase%202A%20-%20%20UPDATED%20FINAL%20REPORT%20-%2013%20September%202021.pdf EPDP Temp Spec Phase 2A Final Report], as amended September 13, 2021 (PDF)</ref></blockquote>
====Legal vs. Natural Persons====
The [[GDPR]] only protects natural persons. In Phase 1 of the EPDP, the team determined that contracted parties should have the option to distinguish between registrants that are legal persons (i.e. organizations or corporate forms) and those that are natural persons. The Phase 2A team was tasked with reviewing those Phase 1 recommendations and providing any additional guidance it deemed necessary.
The final report took no position on whether or not the recommendations in Phase 1 should be changed regarding the option for registrars and registries to draw distinctions between natural and legal persons. The working group did recommend that ICANN org work with technical policy groups to ensure that such distinctions could be made by contracted parties, and that systems such as [[SSAD]] would be compatible with contracted party systems.<ref name="2areport" /> The team also developed guidance for registrars and registries choosing to make the distinction between legal and natural persons.<ref name="2areport" />
====Unique Identifiers====
The team was unable to reach a consensus on the development of mandatory unique identifiers:
<blockquote>Certain stakeholders see risks and other concerns that prevent the EPDP Team from making a recommendation to require Contracted Parties to make a registrant-based or registration-based email address publicly available at this point in time. The EPDP Team does note that certain stakeholder groups have expressed the benefits of 1) a registration-based email contact for contactability purposes as concerns have been expressed with the usability of web forms and 2) a registrant-based email contact for registration correlation purposes.<ref name="2areport" /></blockquote>
==Registration Data Consensus Policy for gTLDs==
The recommendations to be implemented by the Implementation Review Team ([[IRT]]) were shared with [[ICANN Organization]] to create an ICANN Consensus Policy that complies with the GDPR and other relevant privacy and data protection laws. In August 2022, a [[Public Comment]] proceeding was opened concerning the proposed Registration Data Consensus Policy for gTLDs. ICANN Org sought feedback on:<ref>[https://www.icann.org/en/public-comment/proceeding/registration-data-consensus-policy-for-gtlds-24-08-2022 Proposed Reg Data Consensus Policy, Public Comments, ICANN]</ref>
# the collection, transfer, and publication of gTLD registration data, especially as it relates to
#* the [[WHOIS#Thick WHOIS|Thick Whois]] Transition Policy (Section 7)
#* the prohibition of personal data in the log file requirements relating to communications sent to RDDS/[[WHOIS]] Contacts (Section 11)
#* Changes to processing requirements for administrative and technical contact data elements (Section 6)
#* Standardization of the Registrant Organization data element, especially notifications to the registrant and how and when the value must be published (Sections 6 and 9, Addendum II)
#* Changes to the duration of retention requirements (Section 12)
# EPDP-TempSpec Phase 1 Recommendation 27, concerning
#* updates to existing policies and procedures that touch on Registration Data
#* ICANN Org determined that 18 of 24 existing policies and procedures would be impacted by the Registration Data Consensus Policy, including outdated provision language, high-level issues, such as the relevance or inconsistency of an existing policy or procedure with the new Registration Data Consensus Policy, and implications for existing contractual provisions.
===Public Comments Summary Report===
On January 20, 2023, ICANN Org released its summary report on the 14 submissions it received. The summary identified several key themes, including:
# the need for clarification in sections 2, 3, 5, 6, 7, 9, 10, 12, and addendums I and II.
# areas in the drafted policy language did not accurately reflect the policy recommendations, such as "processing" in sections 1, the "scope" in section 2, the entirety of section 2.2, sections 3.8-3.10, and "consent" and "personal data" as they relate to the GDPR, the timeline in section 4, updates to section 5 to reflect events that have happened in the meanwhile, the use of "must" in sections 6, 7, 8, and 9, the use of "urgent," the proposed deadlines, and the lack of explanation for circumstances under which a request must be considered in section 10, issues with the specifics of logging in section 11, and the "minimum retention period" in section 12.
# the need to correct some of the redlines in the Additional Whois information Policy, the [[ERRP]], the [[Protection of IGO and INGO Identifiers in All gTLDs Policy|Protection of IGO and INGO Identifiers]], the CL&D Policy, the Thick Whois Transition Policy, the Transfer [[FOA]] and initial authorization, the [[TDRP]], the [[Inter-Registrar Transfer Policy|Transfer Policy]], [[UDRP]]-related documents, the [[Whois Data Reminder Policy]] (WDRP) Rules, and [[RDAP]]-related documents.
ICANN Org interpreted and summarized the public comments as outlining clarifications needed on requirements for the transfer of specific registration data from registrar to registry and the impact on the Thick WHOIS Transition Policy, changes needed to processing requirements for administrative and technical contact data elements and disclosure requirements, ensuring the Registration Data Policy is consistent with amended [[RA]] and [[RAA]], and updates to reflect the November 2022 adoption of The Network and Information Security ([[NIS2]]) Directive.<ref>[https://itp.cdn.icann.org/en/files/contracted-parties/public-comment-summary-report-registration-data-consensus-policy-gtlds-20-01-2023-en.pdf Public Comment Summary Report on Proposed Reg Data Consensus Policy, ICANN]</ref>
==References==
==References==
[[Category:EPDPs]]
[[Category:EPDPs]]