For your review: updated recommendations 10, 11, 12
Dear EPDP Team: Attached, please find the updated recommendations. The updates are the result of today’s EPDP Team discussion. As always, please feel free to flag any text that you believe does not represent what the Team agreed to. Best regards, Marika, Berry, and Caitlin
Thanks for this and hello colleagues,

After further reflection on today’s discussion of Recommendation 12 and the new text proposed by Thomas, I believe this language should be deleted. Specifically – “These criteria are applicable to disclosure requests relating to civil claims. LEA requests will be handled according to applicable laws.”

While I am extremely pleased with the state of the Recommendation overall, this new insertion has not been fully considered and I believe is misplaced. I understand and am sympathetic to Thomas’ concerns, but that being said, I believe those concerns are best addressed elsewhere.

The singular intent of Recommendation 12 is to provide clarity around the process and expectations of reasonable lawful disclosure in terms of making requests. The recommendation attempts to ensure that expectations are set for how to submit requests and in what fashion those requests will be handled once received. The Recommendation does NOT assume that disclosure will be made and, further, it isn’t even contemplated how and on what basis a decision for disclosing (or not) will be made. Those issues are to be dealt with in Phase 2 and/or otherwise in a specific access discussion. I’m thus concerned that explicitly limiting this recommendation to civil requests will unfairly and unnecessarily remove the benefits of process clarity for LEA.

In light of these concerns, I strongly recommend the deletion of this text. Thomas’ legitimate concerns should then be taken up and addressed in our Phase 2 work.

Thanks!
Ashley
202 482 0298

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> On Behalf Of Caitlin Tubergen Sent: Thursday, February 7, 2019 3:26 PM To: gnso-epdp-team@icann.org Subject: [Gnso-epdp-team] For your review: updated recommendations 10, 11, 12
Hi Ashley & All – We support the deletion of the LEA request language as proposed by Ashley and support moving the discussion of LEA access to Phase 2. All the best, Margie

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Heineman, Ashley" <AHeineman@ntia.doc.gov> Date: Thursday, February 7, 2019 at 12:53 PM To: Caitlin Tubergen <caitlin.tubergen@icann.org>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review: updated recommendations 10, 11, 12
Responding just for Recommendation 10

I am ok with the text in 1 and 2 for recommendation 10, but noting that the operational burden for this falls on Registrars, I’d really like to hear from them before giving my support.

I find it a little odd that the 3rd “note” is a response to one piece of SSAC feedback. This seems a little out of place in recommendation 10. We don’t respond to other pieces of public comment feedback so why just this one here? I don’t have a problem with the point being made, so if others feel it’s important to note the applicability of recommendation 3 it would be reworded as:

Note: Recommendation 3 of the EPDP Team’s Final Report specifically provides that the EPDP Team’s work shall not affect the accuracy of registration data under the current ICANN contracts and consensus policies. Accordingly, registrars are still required to reverify a registered name holder’s email address if the registrar receives information suggesting that the contact information is incorrect. This would include a bounced email notification or non-delivery notification message in response to a registrar-initiated communication. This requirement can be found in paragraph 4 of the Whois Accuracy Program Specification in the Registrar Accreditation Agreement.
Thanks Marc for deferring to us on this one…we have reviewed the updated language for recommendation 10 and are supportive as it is currently written. It does not present new operational burdens that are not currently in place today under the RAA so it’s fine to be included in the final report. Regards, Matt

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Anderson, Marc via Gnso-epdp-team" <gnso-epdp-team@icann.org> Reply-To: "Anderson, Marc" <mcanderson@verisign.com> Date: Friday, February 8, 2019 at 10:47 AM To: "caitlin.tubergen@icann.org" <caitlin.tubergen@icann.org>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review: updated recommendations 10, 11, 12
Thanks, Marc. If there are no concerns about the proposed rewording, we will make this update in the next iteration of the Final Report. Best regards, Caitlin, Berry and Marika

From: Gnso-epdp-team <gnso-epdp-team-bounces@icann.org> on behalf of "Anderson, Marc via Gnso-epdp-team" <gnso-epdp-team@icann.org> Reply-To: "Anderson, Marc" <mcanderson@verisign.com> Date: Friday, February 8, 2019 at 11:47 To: Caitlin Tubergen <caitlin.tubergen@icann.org>, "gnso-epdp-team@icann.org" <gnso-epdp-team@icann.org> Subject: Re: [Gnso-epdp-team] For your review: updated recommendations 10, 11, 12
Responding to recommendation 11 only

For ease of reference, I’m dropping in the recommendation language with my comments to follow:

1. The EPDP team recommends that ICANN Org, as a matter of urgency and as soon as practicable, undertakes a review of all its active processes and procedures so as to identify and document the instances in which personal data is requested from a registrar beyond the period of the 'life of the registration'. Retention periods for specific data elements should then be identified, documented, and relied upon to establish the required relevant and specific minimum data retention expectations for registrars. In addition, community members should be invited to contribute to this data gathering exercise by providing input on other legitimate purposes for which different retention purposes may be applicable. These contributions could help inform the deliberations foreseen during phase 2 of the EPDP Team’s work.

2. In the interim, the EPDP team has recognized that the Transfer Dispute Resolution Policy (“TDRP”) has been identified as having the longest justified retention period of one year and has therefore recommended registrars be required to retain only those data elements deemed necessary for the purposes of the TDRP, for a period of one year following the life of the registration. This retention is grounded on the stated policy stipulation within the TDRP that claims under the policy may only be raised for a period of 12 months after the alleged breach (FN: see TDRP section 2.2) of the Transfer Policy (FN: see Section 1.15 of TDRP). This retention period does not restrict the ability of registries and registrars to retain data elements provided in Recommendations 4-7 for other purposes specified in Recommendation 1 for shorter periods.

3. The EPDP team recognizes that Contracted Parties may have needs or requirements for different retention periods in line with local law or other requirements. The EPDP team recommends that nothing in this recommendation, or in separate ICANN-mandated policy, should prohibit contracted parties from setting their own retention periods beyond that which is expected in ICANN policy. Similarly, should local law prevent retention for the minimum period as set by ICANN, the EPDP team recommends that a suitable waiver procedure is put in place that can address such situations. In addition, the waiver procedure should be reviewed to determine if it would be appropriate for other Contracted Parties to “join” themselves to an existing waiver upon demonstration of being subject to the same law or other requirement that grounded the original waiver application.

On the first point, I’m ok with the spirit of what this tries to accomplish. We’ve only identified TDRS as a purpose for maintaining registration data beyond the life of a domain name. This calls for ICANN org to undertake a review to see if there are other purposes and invites the community to contribute. Obviously as we saw from public comments this opens the door for people to advocate for what data retention periods they would like, not just those that there is a justifiable purpose for under GDPR as we saw in the public comments, but I accept that it will be our job in phase 2 to sort through that much like we did in phase 1.

I see a little bit of an inconsistency between the second sentence and the last sentence. I think I understand our intent to be for ICANN org to do a review, for the purpose of informing our phase 2 deliberations. If that review is not to inform phase 2, then there really isn’t a reason to ask for it.

I’m also not sure that it is necessary for this to be a recommendation in the phase 1 final report. It is common practice for working groups to ask for ICANN Org’s assistance in gathering data, creating reports or conducting surveys (to name a few examples) in order to have data needed to inform policy recommendations. Those requests don’t need to be made as policy recommendations. If we do want to keep language in the report, how about something along these lines:

1. In order to inform its phase 2 deliberations, the EPDP team recommends (requests?) that ICANN Org, as a matter of urgency and as soon as practicable, undertakes a review of all its active processes and procedures so as to identify and document the instances in which personal data is requested from a registrar beyond the period of the 'life of the registration'. Community members should be invited to contribute to this data gathering exercise by providing input on other legitimate purposes for which different retention purposes may be applicable.

I believe the second point is intended to replace the existing 2 year data retention requirement in the RAA. That isn’t clear to me in my read of the recommendation. This is really a question for registrars as it pertains to their contract though so I’ll ask them if they are comfortable with how this language interacts with their contracts or if additional clarification is needed.

I’m a little confused by the 3rd recommendation. I understand that the RAA has a data retention waiver process, but the 3rd sentence seems to call for a suitable waiver procedure to be put in place. The recommendation then goes on to say that the waiver process should be reviewed with a specific recommendation for modification. I think that one needs to be cleaned up a little (by a registrar maybe)?

Best,
Marc
participants (6)
- Anderson, Marc
- Caitlin Tubergen
- Heineman, Ashley
- Margie Milam
- Marika Konings
- Matt Serlin