Dear
IRT,
Thanks
for your review of the Registrar Data Escrow Specification
(RDE Specification).
The
following are a few more updates for your review resulting
from feedback from IRT, Data Escrow Agents (DEAs), and
others. We are considering this version as the final draft
Registrar Data Escrow Specification to be published for
implementation. (V20240808)
We are providing the redline
document to ease your review of the difference between from
the previous draft 20240722 version.
Here’s
the summary of changes:
-
Section
3.1.1 and subsections 3.1.1.* - clarifying the agreements
involved between ICANN, registrars, and DEAs.
-
Section
3.1.8 - clarifying the language on DEA’s responsibilities
to release deposit within 24 hours upon receiving notice.
-
Registrar
and DEA can make their own agreement on deposit file size
limit and max row limit rather than accepting the default
1 gigabyte file size 1 million rows per file. The change
is captured in Section 4.1.1, 4.1.17, Appendix A Error
Code 2007 and 2008.
-
Editorial
update on the encryption standard is based on OpenPGP
instead of PGP throughout the whole specification (Section
3.1.1.8, 3.1.1.9, 4.1.20, Appendix A Error Code 2004)
You
will note that some have asked about the inclusion of
Billing Contact fields in the Registrar Data Escrow
Specification. We cannot remove it as a requirement for the
following reasons:
Current
requirements pertaining to data escrow are specified in
Section 3.6 of the RAA. Under these requirements, registrars
must escrow the data described in Subsections 3.4.1.2
through 3.4.1.5, which includes but is not limited to the
Billing Contact data.
Further,
the Registration Data Policy includes requirements related
to processing “Registration Data” as defined by the policy
under Section 6.
The Registration Data Policy will not modify or replace
existing requirements under the RAA that are not
specifically addressed and modified by the policy
recommendations, including those requirements related to
the processing of the Billing Contact data.
Related
to the Registrar Data Escrow Specification, we have also
received inquiries regarding the requirement to collect and
escrow Privacy and Proxy customer data, with some stating an
understanding that the escrow was not required as this data
is not included in Section 8 of the Registration Data
Policy. Current requirements pertaining to data escrow are
specified in Section 3.6 of the RAA and Section 2.5 of the
Specification on Privacy and Proxy Registrations of the
RAA. Under these requirements, registrars must escrow the
data described in Subsection 3.4.1.5 of the RAA, which
includes the underlying customer data of the Privacy or
Proxy Service.
Section
8 of the Registration Data Policy identifies each value of
Registration Data that contracted parties must
escrow. This further highlights why it is important to make
clear that the policy only addresses Registration Data (as
defined in Section 6 of the Registration Data Policy) and
not all personal data that registrars must process.
The
updated RDE Specification needs to be published to support
the 12-month Transition Period that begins on 21 August
2024. I ask for your review to be completed by 13 August
2024. I know that this is a quicker turnaround time than
usual, but the updates are limited to four simple changes
and the sooner we can publish the specification to establish
clarity the better.
Thank
you for your continued support.
--
Kind Regards,
Dennis S. Chang
GDD Programs
Director
Phone: +1 213 293
7889
Sykpe: dennisSchang
www.icann.org One
World – One Internet