Folks

Since we all think principles are a good idea, I have set down the basics from the Temporary Spec - very simplistic, but it's a start.  What we need now is discussion on the principles.

Evin - I'm not sure if you have a new wiki page for discussion on the temporary spec, but if not, would you create on.

And Olivier - the Temporary Spec necessarily will deal with access - at the least, guiding principles, so whoever is on the EPDP will have some guidance on our red lines on access.

So please everyone - comments

Thanks

Holly

Temporary Specification for gTLD Registration Data

 

 

Principles for requirements to replace the RAA/Registry Requirements

(within the context of compliance with the GDPR)

 

Purpose of Collection of Data

Quoting from the Temporary Spec – which is quoting from the ICANN Bylaws:

purpose is to coordinate the bottom-up, multistakeholder development and implementation of policies “[f]or which uniform or coordinated resolution is reasonably necessary to facilitate the openness, interoperability, resilience, security and/or stability of the DNS including, with respect to gTLD registrars and registries”

Purpose includes

·       􏰂  resolution of disputes regarding the registration of domain names (as opposed to the use of such domain names, but including where such policies take into account use of the domain names);

·       􏰂  maintenance of and access to accurate and up-to-date information concerning registered names and name servers;

·       􏰂  procedures to avoid disruptions of domain name registrations due to suspension or termination of operations by a registry operator or a registrar (e.g., escrow); and

·       􏰂  the transfer of registration data upon a change in registrar sponsoring one or more registered names.

 

the Bylaws specifically obligate ICANN, in carrying out its mandate, to “adequately address issues of competition, consumer protection, security, stability and resiliency, malicious abuse issues, sovereignty concerns, and rights protection”

 

Geographic Coverage of EPDP Outcome:

·      Apply globally or

·      Apply only to European Economic Area (the coverage of the GD
R) and otherwise lesser requirements (existing RAA requirements?)

 

Data Collected

·      ‘Thick Whois” – based on the differing uses of the data is listed in the purpose above – OR

·      Some lesser amount of information

 

Consent

·      Registrants must be told, at the time of collection, what personal information is collected, why the collection is  necessary to achieve the purposes, who will have access and in what circumstances  access will be given to what information, and all circumstances in which the data will be transferred (to Registry, Escrow) and where heldThey must also be told their consent can be withdrawn at any time (and consequences of withdrawal) and how to withdraw consent

 

Access to Data – Tiered access (largely what is in the Technical Specification)

·      Applies to all Registrants – natural or corporate persons

·      Information generally publicly available

o   Registrant name

o   Anonymised email or other anonymous contact means

·      Access to other personal information –

o   Only to accredited entities (not individuals)–

o   Only in specific circumstances that warrant access