Consideration of GNSO EPDP Recommendations on the Temporary Specification for gTLD Registration Data

Why is the Board addressing the issue?

On 17 May 2018, the ICANN Board adopted the Temporary Specification for gTLD Registration Data (Temporary Specification) pursuant to the procedures in the Registry Agreement and Registrar Accreditation Agreement concerning the establishment of temporary policies. Following the adoption of the Temporary Specification, and per the procedure for Temporary Policies as outlined in the Registry Agreement and Registrar Accreditation Agreement, a Consensus Policy development process as set forth in ICANN's Bylaws needs to be initiated immediately and completed within a one-year time period from the implementation effective date (25 May 2018) of the Temporary Specification.

The GNSO Council had a number of discussions about next steps to clarify issues around scope, timing and expectations, including a meeting between the GNSO Stakeholder Group and Constituency Chairs on 21 May 2018, the Council meeting on 24 May 2018, a meeting between the ICANN Board and the GNSO Council on 5 June 2018 and an extraordinary GNSO Council meeting on 12 June 2018. The GNSO Council approved the Expedited Policy Development Process (EPDP) Initiation Request (https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-s...) and the EPDP Team Charter (https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-s...) on 19 July 2018.

The EPDP Team was formed and held its first meeting on 1 August 2018, followed by the publication of the Charter-required "Triage" Report on 15 September 2018 and its Initial Report on 21 November 2018. The EPDP Team reached full consensus / consensus on the recommendations contained in the Final Report apart from two recommendations (#2 and #16).

On 4 March 2019, the GNSO Council voted to approve with the required GNSO Supermajority support all the recommendations contained in the Final Report from the Team that had been chartered to conduct an EPDP on the Temporary Specification for gTLD Registration Data. This included even those recommendations for which there was divergence within the EPDP Team. Please see the Final Report for a summary of all the approved recommendations.

The EPDP Team on the Temporary Specification for gTLD Registration Data was chartered:

to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law.
As part of its deliberations on this issue, the EPDP Team was tasked to consider, at a minimum, the specifically-identified questions related to the Temporary Specification, which were outlined in the EPDP Charter. These questions related to the different sections of the Temporary Specification, and included, for example, the purposes for processing gTLD registration data, and the collection, transfer, and publication of gTLD registration data as outlined in the Temporary Specification.

The policy recommendations, if approved by the Board, will impose obligations on contracted parties. The GNSO Council's vote in favor of these items satisfies the voting threshold required by Section 11.3(i)(xv) of the ICANN Bylaws regarding the formation of consensus policies. Under the ICANN Bylaws, the GNSO Council's Supermajority support for the EPDP recommendations obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the policy is not in the best interests of the ICANN community or ICANN org.

If the Board determines that its adoption of one or more of the Recommendations is not in the best interests of the ICANN community or ICANN, the Board shall articulate its reasons for this determination in a report to the Council. At the conclusion of the Council and Board discussions, the Council shall meet to affirm or modify its Recommendation and communicate that conclusion to the Board.

What is the proposal being considered?

The ICANN Board is considering the adoption of the Recommendations outlined in section 5 of the EPDP Team Final Report (see https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-g...), which would establish a new Consensus Policy on gTLD Registration Data.

Which stakeholders or others were consulted?

External

As mandated by the GNSO's PDP Manual, the EPDP Team reached out shortly after its initiation to ICANN's Supporting Organizations and Advisory Committees as well as the GNSO's Stakeholder Groups and Constituencies to seek their input on the Charter questions. See https://community.icann.org/display/EOTSFGRD/Request+for+Early+Input+-+1... for all the responses received (these were from the Business Constituency, the Intellectual Property Constituency, the Governmental Advisory Committee, the Non-Commercial Stakeholder Group, the Registrars Stakeholder Group, the Registries Stakeholder Group, the Security and Stability Advisory Committee, and the At-Large Advisory Committee).

Also as mandated by the GNSO's PDP Manual, the EPDP Team's Initial Report was published for public comment following its release on 21 November 2019 (see https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-...). All the public comments received were compiled into a uniform Public Comment Review Tool and reviewed by the EPDP Team (see https://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool). As required by the ICANN Bylaws, public comment was also requested prior to ICANN Board consideration (see https://www.icann.org/public-comments/epdp-recs-2019-03-04-en).

In addition, the Working Group held three face-to-face meetings: the first meeting was held in Los Angeles from 24 – 26 September 2018; the second meeting was held during the ICANN public meeting in Barcelona from 20 – 25 October 2018; and the third meeting was held in Toronto from 16 – 18 January 2019. The EPDP Team's second face-to-face meeting in Barcelona included open community sessions. Transcripts, documents, and recordings of all EPDP Team meetings can be found on the EPDP Team wiki space at: https://community.icann.org/display/EOTSFGRD/EPDP+on+the+Temporary+Speci....

During the course of its work, the EPDP Team recognized some of the issues under discussion required the expertise of legal counsel. A sub-group of the EPDP Team, the EPDP Legal Committee, worked together to identify the preferred qualifications and experience the EPDP Team was seeking. ICANN org, in following its standard procedure which includes a conflict of interest assessment, identified Ruth Boardman of Bird & Bird as the outside legal counsel dedicated to this effort. Ruth Boardman jointly heads the International Privacy and Data Protection Group of Bird & Bird.

The full legal memos are available for review, but the topics which received further guidance from legal counsel have been provided below:

Applicability of GDPR Art. 6.1.b reference "to which the data subject is party" and "necessary for performance of a contract."
Potential liability of a registered name holder's incorrect self-identification of a natural or legal person, which ultimately results in public display of personal data.
Meaning of "informing" the data subject with respect to provision of separate administrative and technical contact.
Accuracy of data requirements under GDPR.
Is the data provided by the Registered Name Holder ("RNH") for the "City" field in the RNH's address personal data?
Applicability of territorial scope under GDPR.
Transfer of registration data from registrars to registries (Thick WHOIS).
The EPDP Team also reviewed the European Data Protection Board's ("EDPB") advice on the Temporary Specification in detail.

Lastly, the following list of resources, which includes previously received guidance on RDDS, privacy law, ICANN policies, et. al., was made available for EPDP Team review and reference.

In recognition of the EPDP Team's condensed timeline, the GNSO Council chose to invite two liaisons from ICANN org to participate directly within the EPDP Team: one liaison from ICANN's Legal Team and one liaison from ICANN's Global Domains Division. The ICANN Org liaisons attended most of the EPDP Team calls, joined the EPDP Team for its face-to-face meetings, and provided background information and answers to questions from the EPDP Team.

What concerns or issues were raised by the community?

The GNSO's Stakeholder Groups and associated Constituencies were given the opportunity to provide additional statements, which were annexed to the Final Report. Below, please find a high-level summary of the concerns noted within the statements.

The At-Large Advisory Committee noted the following concerns that it believed were not adequately addressed by the EPDP Team:

Maximizing access to RDDS information for those involved with cybersecurity and consumer protection;
Maximizing stability and resiliency of a trustworthy DNS;
Protecting and supporting individual Internet users; and
Protecting Registrants.
The Business Constituency and Intellectual Property Constituency noted their position on the importance of reasonable consideration by contracted parties of requests for lawful disclosure of non-public registration data, including requests made within the context of consumer protection, cybersecurity, intellectual property, or law enforcement within the lawful disclosure purpose (Purpose 2).

The Governmental Advisory Committee noted its concerns that the Final Report does not sufficiently recognize the benefits of the WHOIS database.

The Internet Service Providers and Connectivity Providers Constituency noted its concerns with consent being given in a compliant fashion and that the current language in the Final Report may not address consent in a GDPR-compliant manner.

The Non-Commercial Stakeholder Group also noted its concerns with Purpose 2, noting its position that disclosure to third parties is not a valid ICANN purpose for processing domain name registrants' data and could ultimately be overruled by the law. The Non-Commercial Stakeholder Group also noted its concerns with Purpose 7, as it could result in an increase to the number of data elements in the RDDS or WHOIS, some of which could contain personal information. The Non-Commercial Stakeholder Group stated that these additional data elements should not be escrowed. The Non-Commercial Stakeholder Group dissented on Recommendation 2, noting its position that ICANN's Office of the Chief Technology Officer has repeatedly stated that it does not need access to the personal information of domain name registrants to do its work. The Non-Commercial Stakeholder Group also noted its position that rules with respect to RDDS should be universally applied and uniformly applicable; therefore, Recommendation 16, which permits but does not require registrars to apply geographic differentiation to registered name holders, does not align with a uniform, global Internet.

The Registries Stakeholder Group noted its concerns with the workbooks in Annex D being incorporated by reference into the Final Report. It also noted concerns with Recommendations 7 and 27, noting its position that the language does not reflect the consensus of the EPDP Team, and additionally noted concerns with Recommendation 2, noting it is out of scope for this EPDP.

The Security and Stability Advisory Committee noted its position that, contrary to the text of Recommendations 16 and 17, registrars should be required to differentiate based on geographic location and between natural and legal persons after a suitable implementation period. This request for differentiation is based on a balancing of cost to contracted parties with the costs on the parties who rely upon domain registration data for the wide array of legitimate purposes.

Submissions to the public comment forum following GNSO Council approval of the recommendations (see https://www.icann.org/public-comments/epdp-recs-2019-03-04-en), focused on topics such as purposes for processing gTLD registration data, responsible parties, over-application of GDPR, data redaction, data accuracy, legal vs. natural persons, geographic differentiation and phase 2 of the EPDP.

The above summary represents some noted points of impact among the affected Constituencies and Stakeholder Groups. The Board understands that these issues and concerns were raised during the EPDP Team's deliberations and that, in accordance with the PDP Process defined in the GNSO PDP Manual and the ICANN Bylaws, the EPDP Team delivered a Final Report to the GNSO Council and the Council approved the report and Consensus Policy Recommendations.

Notwithstanding the concerns identified above, there was broad community support for the Recommendations, as reflected by the consensus support of the EPDP Team for 27 of the 29 Recommendations and the GNSO Council's supermajority vote to adopt all Recommendations.

Please refer to the full statements in Annex G of the Final Report for further information.

What significant materials did the Board review?

In taking this action, the Board considered:

GAC San Juan Communiqué, dated 15 March 2018;
The EPDP Team's Final Report, dated 20 February 2019;
The GNSO Council's Recommendations Report to the Board, dated 29 March 2019;
The comments and the summary of public comments received in response to the public comment period that was opened following the GNSO Council's adoption of the recommendations contained in the Final Report, and GAC advice received on the topic.
The letter from the GAC to the Board, dated 24 April 2019;
The European Commission's 3 May 2019 letter to ICANN org, which expanded upon the Commission's comment submitted during the public comment period.
Scorecard: EPDP Phase 1 Recommendations
What factors did the Board find to be significant and are there positive or negative community impacts?

The Board takes this action today to adopt, with the exceptions noted below, the Recommendations developed following the GNSO EPDP as set out in Annex A-1 of the ICANN Bylaws. These Recommendations received the required GNSO Supermajority support of the GNSO Council. As outlined in the ICANN Bylaws, the Council's supermajority support obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the recommended policy is not in the best interests of the ICANN community or ICANN. This Board action will initiate ICANN org's implementation of the Board-adopted Recommendations as a new Consensus Policy, in consultation with an Implementation Review Team.

In taking action today to adopt the Recommendations, with the exceptions noted below, the Board notes that there are a few areas where consideration should be taken during the implementation phase to ensure that the resulting policy: (a) serves ICANN's public interest mandate; (b) safeguards the security, stability, and resiliency of the DNS; and (c) protects registrants.These areas, addressed in additional detail in the EPDP Phase 1 Recommendations Scorecard, include:

Data Retention (Recommendation 15). The Board understands that this recommendation modifies existing data retention requirements. The Board understands that the EPDP Team is committed to additional work in Phase 2 on the topic of data retention. The Board directs ICANN org to undertake a review to identify instances where personal data is needed beyond the life of the registration, as recommended by the EPDP Team.
Feasibility of Study (Recommendation 16). In adopting this Recommendation, the Board notes its understanding that there was divergence in the EPDP about the value of a study to inform the policy, and that requests for such a study have been presented to the Board. The Board directs the CEO and org to discuss with the EPDP Phase 2 Team the merits of a study to examine the feasibility and public interest implications of distinguishing between registrants on a geographic basis based on the application of GDPR. Further action should be guided by the conversations within the EPDP Phase 2 Team.
Data Protection Agreements With Contracted Parties (Recommendation 19). The Board notes that the determination of the roles and responsibilities for the processing of gTLD registration data is based on a legal analysis of the law. The Board directs ICANN org to undertake this legal analysis and consult with the Data Protection Authorities as appropriate.
Data Processing Activities and Responsible Parties (Recommendation 20). The Board notes that the determination of the roles and responsibilities for the processing of gTLD registration data is based on a legal analysis of the law. The Board directs ICANN org to undertake this legal analysis and consult with the Data Protection Authorities as appropriate.
Policy Effective Date (Recommendation 28). The Board notes that the Recommendation sets an effective date for the policy. Given the complexity of the implementation, there is a possibility that this date may not be met. The Board directs ICANN org to provide regular status updates of the progress of implementation and flag any potential issues or concerns with timeline so that issues can be addressed in a timely manner.
In taking action today, the Board also notes the following:

Purposes for Processing of gTLD Registration Data (Recommendation 1). This recommendation defines seven ICANN purposes for processing gTLD registration data, six of which the Board adopts at this time. The Board notes that ICANN purposes are governed by consensus policies developed by the ICANN community and are not solely pursued by ICANN org.
Transfer of gTLD Registration Data From Registrars to Registry Operators (Recommendation 7). The Board confirms its understanding that Recommendations do not repeal or overturn existing Consensus Policy including, in this case, the Thick WHOIS Transition Policy. Consistent with Recommendation 27, the Board directs ICANN Org to work with the Implementation Review Team to examine and transparently report on the extent to which these Recommendations require modification of existing Consensus Policies. Where modification of existing Consensus Policies is required, we call upon the GNSO Council to promptly initiate a PDP to review and recommend required changes to Consensus Policies.

In adopting Recommendation 7, the Board notes that the Purposes contained in the Final Report, at Recommendation 1, provide the legal basis for processing the aggregate minimum data set under this Recommendation. The Board requests that the EPDP Phase 2 team consider whether the suggested corrections contained in the Registry Stakeholder Group's comments and the accompanying chart in Appendix G of the Final Report more accurately reflect the Phase 1 consensus and should be adopted.

Legal Versus Natural (Recommendation 17). The Board adopts this recommendation and continues to defer GAC advice in this area based on the 24 April 2019 letter from the GAC. The Board notes that the Recommendation states that the EPDP Team "will determine and resolve the Legal vs. Natural issue in Phase 2."
Reasonable Access (Recommendation 18). The Board understands that this Recommendation provides a mechanism for third parties with legitimate interests to access non-public gTLD registration data and obligates the contracted parties to disclose the requested non-public data if the request passes the balancing test.
The adopted Recommendations provide flexibility to address these matters identified above in consultation with the Implementation Review Team and during the EPDP-recommended negotiations with contracted parties. If any issues arise during implementation that would adversely impact ICANN org's ability to implement these Recommendations (e.g. if it is determined that implementation of one or more Recommendations would not serve ICANN's public interest mandate, safeguard the security, stability, and resiliency of the DNS, or protect registrants), ICANN org should escalate these concerns to the Board, as appropriate.

The Board has determined that because additional consultation with the GNSO Council and/or additional guidance from the Data Protection Authorities is needed to inform its consideration of the following Recommendations, it is not in the best interests of the ICANN community or ICANN to adopt these portions of Recommendations at this time:

Purpose 2 (Recommendation 1). The Final Report notes that this purpose is a placeholder pending additional work in Phase 2.

The Board does not adopt this Recommendation at this time in light of the EPDP Team's characterization of this as a placeholder and the need to consider recent input from the European Commission. Based on the views presented in the recent letters from the European Commission, Purpose 2, as stated in the EPDP Team's Final Report, may require further refinement to ensure that it is consistent with and facilitates ICANN's ability to deliver a predictable and consistent user experience compliant with applicable law. The Board's concern is that if the wording of purpose 2 is deemed inconsistent with applicable law, the impact might be elimination of an ICANN purpose. There are clear ICANN purposes that ICANN should be able to employ under existing legal frameworks to deploy a unified method to enable those with a legitimate and proportionate interest to access non-public gTLD registration data, although such purposes may need to be restated or further refined based on additional legal, regulatory or other input. The Board directs ICANN org to continue to evaluate this proposed purpose and to request additional guidance from the DPAs, regarding the legitimate and proportionate access to registrant data and ICANN's Security, Stability, and Resiliency mission.

Similar concerns were raised by the Coalition for Online Accountability in their 14 May 2019 letter to the ICANN Board.

The Organization Field (Recommendation 12). The Board understands that implementation of this Recommendation, with respect to the option for registrars to delete the contents of the field if the registrant does not confirm the data for publication, may result in the loss of the ability to identify the registrant.

The Board requests that as part of Phase 2, the EPDP consider the extent to which deletion (as opposed to redaction) that results in loss of or changes to the name of the registrant is in the public interest and consistent with ICANN's mission. The Board looks forward to discussing this issue more in depth with the GNSO Council under the mandated Bylaws process.

Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?

There may be fiscal impacts on ICANN associated with the creation of a new gTLD Registration Policy. The implementation plan should take into account costs and timelines for implementation. An internal ICANN org implementation team has been formed and has begun to review the recommendations to analyze the implementation requirements. ICANN org considers the scope of effort required for this implementation to be significant and extensive.

The implementation of these recommendations will result in changes to registry and registrar systems, and accordingly, the costs to contracted parties were discussed by the EPDP Team during the drafting of the recommendations.

Are there any security, stability or resiliency issues relating to the DNS?

Failure to implement the recommendations could hamper the identification of those responsible for the administration of domain names on the Internet. In cases where those domain names are being used for abusive purposes, e.g., phishing, botnet command and control, malware distribution, etc., the ability of anti-abuse actors to block the abuse could be limited, thereby posing security, stability, and resiliency risks to the DNS and the Internet as a whole.

Implementing the recommendations should provide for access to registration information for legitimate purposes to accredited entities as per GDPR requirements. While not returning the ability to obtain registration data access to the status quo ante prior to the implementation of GDPR, the recommendations would permit GDPR-compliant access aimed at being in support of security, stability, and resilience of the DNS.

Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?

Public comment has taken place as required by the ICANN Bylaws and GNSO Operating Procedures in relation to GNSO policy development.

Is this within ICANN's mission? How does this action serve the public interest?

Consideration of community-developed policy recommendations is within ICANN's mission as defined at Article 1, section 1.1(i) of the ICANN Bylaws. This action serves the public interest, as ICANN has a core role as the "guardian" of the Domain Name System.