Dear All,

Regarding data retention, ICANN org has previously identified a question and some areas that we wanted to flag for the EPDP Team, which we sent to the mailing list on 22 December 2018 (https://mm.icann.org/pipermail/gnso-epdp-team/2018-December/001125.html). We are flagging them here again for the EPDP Team’s consideration/discussion as you work to finalize the recommendation.

The question/flags are:

There are several data elements that are currently required to be retained, but are not addressed in the Initial Report. Should the retention obligation for these data elements remain or be discontinued?
If billing and payment-related data is no longer required to be collected, retained, and (with respect to billing contact data) escrowed, this could impact continuity of service to registrants and availability of this data in the event of a payment dispute or related investigation. ICANN org also notes that the ICANN Registrar Accreditation Policy <https://www.icann.org/resources/pages/policy-statement-2012-02-25-en> requires a registrar to receive a reasonable assurance of payment prior to activating a domain registration.

Data elements currently required to be collected, but are not addressed in the Initial Report include:

Billing/Other Contact ID (where available)
Billing/Other Contact Name (where available)
Billing/Other Contact Street (where available)
Billing/Other Contact City (where available)
Billing/Other Contact State/Province (where available)
Billing/Other Contact Postal Code (where available)
Billing/Other Contact Country (where available)
Billing/Other Contact Email (where available)
Billing/Other Contact Phone (where available)
Billing/Other Contact Fax (where available)
(RAA 3.4.1.5) the name, postal address, e-mail address, and voice telephone number provided by the customer of any privacy service or licensee of any proxy registration service, in each case, offered or made available by Registrar or its Affiliates in connection with each registration.
Full Contact Information for Privacy Proxy Registrations
Full Contact Information for Registrants who have Consented to Full Display
(Data Retention Specification 1.1.7.) Types of domain name services purchased for use in connection with the Registration
(Data Retention Specification 1.1.8.) To the extent collected by Registrar, "card on file," current period third party transaction number, or other recurring payment data.
(Data Retention Specification 1.2.1) Information regarding the means and source of payment reasonably necessary for the Registrar to process the Registration transaction, or a transaction number provided by a third party payment processor;
(Data Retention Specification 1.2.2) Log files, billing records and, to the extent collection and maintenance of such records is commercially practicable or consistent with industry-wide generally accepted standard practices within the industries in which Registrar operates, other records containing communications source and destination information, including, depending on the method of transmission and without limitation: (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number; and (3) email address, Skype handle, or instant messaging identifier, associated with communications between Registrar and the registrant about the Registration; and
(Data Retention Specification 1.2.3 ) Log files and, to the extent collection and maintenance of such records is commercially practicable or consistent with industry-wide generally accepted standard practices within the industries in which Registrar operates, other records associated with the Registration containing dates, times, and time zones of communications and sessions, including initial registration.
(RAA 3.4.2.1) the submission date and time, and the content, of all registration data (including updates) submitted in electronic form to the Registry Operator(s);
(RAA 3.4.2.2) all written communications constituting registration applications, confirmations, modifications, or terminations and related correspondence with Registered Name Holders, including registration contracts;
(RAA 3.4.2.3) records of the accounts of all Registered Name Holders with Registrar.

Best,

Dan and Trang

ICANN Org Liaisons

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of Kurt Pritz <kurt@kjpritz.com>
Date: Tuesday, January 22, 2019 at 1:20 PM
To: EPDP <gnso-epdp-team@icann.org>
Subject: [Gnso-epdp-team] EPDP Recommendation 11 - email list discussion

Hi Everyone:

There were several items (Recommendations) that we agreed to discuss via email with the idea that we could close on them without taking time for discussion in a meeting. This email concerns Recommendation 11, addressing the data retention period.

The current recommendation states:

The EPDP Team recommends that Registrars are required to retain the herein-specified data elements for a period of one year following the life of the registration. This retention period conforms to the specific statute of limitations within the Transfer Dispute Resolution Policy (“TDRP”).

Small Team Discussion

(1) The small team noted that “statute of limitation” as used in the Recommendation was probably an inappropriate use of a legal term of art and should be replaced with more appropriate language. This point is addressed in the proposed updated Recommendation below.

(2) Some on the small team advocated for a longer retention period, suggesting that a longer retention period could be anchored in existing ICANN policy requirements or other outside requirements. (The current retention period is anchored is the Transfer DRP as the “tall pole” among all the other purposes for processing registration data.) The updated language below, proposed by small team B, clarifies that the proposed data retention period is for ICANN related requirements and different retention periods may apply as a result of local requirements or circumstances.

Proposed updated language recommendation 11 – data retention

The EPDP Team recommends that: Registrars are required to retain the herein-specified data elements for ICANN-related requirements for a period of one year following the life of registration. This minimum retention period is consistent the requirements of the Transfer Dispute Resolution Procedure, which has the longest retention requirement of any of the enumerated Purposes for Processing Registration Data.

Note, Contracted Parties may have needs or requirements for longer retention periods in line with local law or other requirements. This is not prohibited by this language. Similarly, should local law prevent retention for the period of one year, there are waiver procedures in place that can address such situations.

Actions

Those supporting a retention greater than one year generally should submit rationale for such a retention period including related ICANN policy requirements to which this could be anchored. These submissions will be discussed via email.

Submit comments for support for the amended Recommendation or requesting edits to the recommendation with rationale.

Deadline: Friday, 24 January, additional email discussion might follow depending on responses.

Thank you and best regards,

Kurt