Hello, All,

 

I reviewed yesterday’s call recording to compile a full summary of the input we received from you related to the questions related to possible requirements on data escrow and retention.

 

At the outset of our discussion on data escrow and data retention (beginning around 25:30 on the call), there was some hesitation by some in the room to discussing potential requirements for PP service providers. However, as we got further into the discussion, there seemed to be support for exploring proposals on these topics, but only to ensure that the requirements are the same for PP service providers regardless of whether or not the provider is Affiliated with a registrar (and ensuring no duplicate requirements for registrars).

 

There are documented PDP WG discussions on data escrow. I have not located any WG discussion specifically on data retention. However, there are existing RAA requirements for retention of PP customer contact information. This, coupled with PDP WG discussions about ensuring that customers are protected to the extent possible if an accredited PP service is terminated or goes out of business, seems to imply that such a requirement—retaining a limited set of Customer information (name, email, address, telephone number) to ensure that these Customers can be contacted in this situation—may fall within the intent of the PDP WG recommendations. This interpretation seemed to be supported by many on the call yesterday, including Theo, Chris, Steve and Susan. As a result, based on the discussion yesterday, we will proceed with drafting proposals on these topics to be discussed with the IRT, unless there is a continuing question regarding whether this was within the intent of the PDP WG.

 

If anyone on the IRT wishes to comment on this, specifically on whether you believe this is within or beyond the intent of the PDP WG, please do so by replying to this thread.

 

The current RAA requirements are noted below.

 

Specification on Privacy and Proxy Registrations (expires 1 January 2018):

“2.5 Escrow of P/P Customer Information. Registrar shall include P/P Customer contact information in its Registration Data Escrow deposits required by Section 3.6 of the Agreement. P/P Customer Information escrowed pursuant to this Section 2.5 of this Specification may only be accessed by ICANN in the event of the termination of the Agreement or in the event Registrar ceases business operations.”

            Note—this requirement to escrow PP customer contact information will expire with the interim specification

            RAA

            3.6 Data Escrow. During the Term of this Agreement, on a schedule, under the terms, and in the format specified by ICANN, Registrar shall submit an electronic copy of the data described in Subsections 3.4.1.2 through 3.4.1.5 to ICANN or, at Registrar's election and at its expense, to a reputable escrow agent mutually approved by Registrar and ICANN, such approval also not to be unreasonably withheld by either party. The data shall be held under an agreement among Registrar, ICANN, and the escrow agent (if any) providing that (1) the data shall be received and held in escrow, with no use other than verification that the deposited data is complete, consistent, and in proper format, until released to ICANN; (2) the data shall be released from escrow upon expiration without renewal or termination of this Agreement; and (3) ICANN's rights under the escrow agreement shall be assigned with any assignment of this Agreement. The escrow shall provide that in the event the escrow is released under this Subsection, ICANN (or its assignee) shall have a non-exclusive, irrevocable, royalty-free license to exercise (only for transitional purposes) or have exercised all rights necessary to provide Registrar Services.

(NOTE—this is a data retention requirement—the same data that is required to be retained is required to be escrowed)

3.4.1.5 the name, postal address, e-mail address, and voice telephone number provided by the customer of any privacy service or licensee of any proxy registration service, in each case, offered or made available by Registrar or its Affiliates in connection with each registration. Effective on the date that ICANN fully implements a Proxy Accreditation Program established in accordance with Section 3.14, the obligations under this Section 3.4.1.5 will cease to apply as to any specific category of data (such as postal address) that is expressly required to be retained by another party in accordance with such Proxy Accreditation Program (emphasis added).

 

Best,

Amy

 

Amy E. Bivins

Registrar Policy Services Manager

Registrar Services and Industry Relations

Internet Corporation for Assigned Names and Numbers (ICANN)

Direct: +1 (202) 249-7551

Fax:  +1 (202) 789-0104

Email: amy.bivins@icann.org

www.icann.org