Hi Eric, Here, I wanted to quickly reply let you know that I’ll support your request for IRT discussion regarding the billing contact requirement. I’ll come back with more on how and when. Thanks for your understanding continued support to get our transition period started – tomorrow is 21 August 2024! Kind Regards, Dennis Chang From: Eric Rokobauer <erokobauer@squarespace.com> Date: Tuesday, August 20, 2024 at 2:28 PM To: Dennis Chang <dennis.chang@icann.org> Cc: "irt.regdatapolicy@icann.org" <irt.regdatapolicy@icann.org> Subject: [Ext] Re: [IRT.RegDataPolicy] Re: IRT Task 255: Registrar Data Escrow Spec Update Review V20240808. Due 13 Aug 2924. Hi Dennis, I appreciate you reviewing the language again with respect to comments made thus far about the collection of billing contact information. I also recognize that a publication of this updated specification needed to go out in time for the 21 August 2024 milestone date for the Registration Data Policy. All that being said, I am aligned with comments made by other IRT members who have spoken up thus far on the mailing list. It is my understanding that the identified personal data that MUST and/or MAY be collected (and subsequently transferred to escrow providers where applicable) in the Registration Data Policy, supersedes what is currently in the RAA. Any details collected outside of that, is outside of policy. I do not have any supporting (or different) details to share than what has been so already, but I did want to raise my hand here in support that further discussion is required for this IRT with respect to this specification. Thanks, Eric On Wed, Aug 14, 2024 at 11:12 PM Dennis Chang via IRT.RegDataPolicy <irt.regdatapolicy@icann.org<mailto:irt.regdatapolicy@icann.org>> wrote: Hello Sarah, Thank you for supporting the review and providing the feedback. Based on this input, we have looked at this area carefully again and confirmed our interpretation of the RAA requirements as continuing to apply. It’s the same conclusion we reached after having considered this since your first input in July. As such, we do not see an option to remove the billing contact information or make an exception in an isolated case. With the 21 August 2024 date coming up next week, we have published the updated Specification at https://www.icann.org/resources/pages/registrar-data-escrow-2015-12-01-en and are providing the required notifications and instructions to registrars and data escrow agents so that all of us involved in the implementation can be clear and coordinated. If the IRT members believe more discussion is required, we can support this to enable additional changes to the specification as needed between now and the policy effective date. Thank you for your support. Thanks, Dennis Chang From: "Sarah Wyld via IRT.RegDataPolicy" <irt.regdatapolicy@icann.org<mailto:irt.regdatapolicy@icann.org>> Organization: Tucows Reply-To: Sarah Wyld <swyld@tucows.com<mailto:swyld@tucows.com>> Date: Tuesday, August 13, 2024 at 11:17 AM To: "irt.regdatapolicy@icann.org<mailto:irt.regdatapolicy@icann.org>" <irt.regdatapolicy@icann.org<mailto:irt.regdatapolicy@icann.org>> Subject: [IRT.RegDataPolicy] Re: IRT Task 255: Registrar Data Escrow Spec Update Review V20240808. Due 13 Aug 2924. Hello Dennis, Thank you for this update. We still consider that the Registration Data Policy overrides the RAA requirements for data collection, and since the Registration Data Policy does not require collection of a Billing Contact we will stop collecting that data as part of implementing the new Policy. As such we will not have that data available to escrow. Thank you, Sarah Wyld, CIPP/E Policy & Privacy Manager Pronouns: she/they swyld@tucows.com<mailto:swyld@tucows.com> On 2024-08-08 6:20 p.m., Dennis Chang via IRT.RegDataPolicy wrote: Dear IRT, Thanks for your review of the Registrar Data Escrow Specification (RDE Specification). The following are a few more updates for your review resulting from feedback from IRT, Data Escrow Agents (DEAs), and others. We are considering this version as the final draft Registrar Data Escrow Specification to be published for implementation. (V20240808 [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1W-0VMwI41uNhV...>) We are providing the redline [drive.google.com]<https://urldefense.com/v3/__https:/drive.google.com/file/d/1XpUTvnFUncsBDSgR...> document to ease your review of the difference between from the previous draft 20240722 version. 255 Review: RDE Specification Draft - v1.3 - 20240808 [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1W-0VMwI41uNhV...> Redline (comparison between v1.2 20240722 and v1.3 20240808) [drive.google.com]<https://urldefense.com/v3/__https:/drive.google.com/file/d/1XpUTvnFUncsBDSgR...> 20240813 Here’s the summary of changes: 1. Section 3.1.1 and subsections 3.1.1.* - clarifying the agreements involved between ICANN, registrars, and DEAs. 2. Section 3.1.8 - clarifying the language on DEA’s responsibilities to release deposit within 24 hours upon receiving notice. 3. Registrar and DEA can make their own agreement on deposit file size limit and max row limit rather than accepting the default 1 gigabyte file size 1 million rows per file. The change is captured in Section 4.1.1, 4.1.17, Appendix A Error Code 2007 and 2008. 4. Editorial update on the encryption standard is based on OpenPGP instead of PGP throughout the whole specification (Section 3.1.1.8, 3.1.1.9, 4.1.20, Appendix A Error Code 2004) You will note that some have asked about the inclusion of Billing Contact fields in the Registrar Data Escrow Specification. We cannot remove it as a requirement for the following reasons: Current requirements pertaining to data escrow are specified in Section 3.6 of the RAA. Under these requirements, registrars must escrow the data described in Subsections 3.4.1.2 through 3.4.1.5, which includes but is not limited to the Billing Contact data. Further, the Registration Data Policy includes requirements related to processing “Registration Data” as defined by the policy under Section 6. The Registration Data Policy will not modify or replace existing requirements under the RAA that are not specifically addressed and modified by the policy recommendations, including those requirements related to the processing of the Billing Contact data. Related to the Registrar Data Escrow Specification, we have also received inquiries regarding the requirement to collect and escrow Privacy and Proxy customer data, with some stating an understanding that the escrow was not required as this data is not included in Section 8 of the Registration Data Policy. Current requirements pertaining to data escrow are specified in Section 3.6 of the RAA and Section 2.5 of the Specification on Privacy and Proxy Registrations of the RAA. Under these requirements, registrars must escrow the data described in Subsection 3.4.1.5 of the RAA, which includes the underlying customer data of the Privacy or Proxy Service. Section 8 of the Registration Data Policy identifies each value of Registration Data that contracted parties must escrow. This further highlights why it is important to make clear that the policy only addresses Registration Data (as defined in Section 6 of the Registration Data Policy) and not all personal data that registrars must process. The updated RDE Specification needs to be published to support the 12-month Transition Period that begins on 21 August 2024. I ask for your review to be completed by 13 August 2024. I know that this is a quicker turnaround time than usual, but the updates are limited to four simple changes and the sooner we can publish the specification to establish clarity the better. Thank you for your continued support. -- Kind Regards, Dennis S. Chang GDD Programs Director Phone: +1 213 293 7889 Sykpe: dennisSchang www.icann.org<http://www.icann.org> One World – One Internet _______________________________________________ IRT.RegDataPolicy mailing list -- irt.regdatapolicy@icann.org<mailto:irt.regdatapolicy@icann.org> To unsubscribe send an email to irt.regdatapolicy-leave@icann.org<mailto:irt.regdatapolicy-leave@icann.org> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ IRT.RegDataPolicy mailing list -- irt.regdatapolicy@icann.org<mailto:irt.regdatapolicy@icann.org> To unsubscribe send an email to irt.regdatapolicy-leave@icann.org<mailto:irt.regdatapolicy-leave@icann.org> _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. -- Eric Rokobauer ICANN Compliance Manager He / Him / His erokobauer@squarespace.com<mailto:erokobauer@squarespace.com> SQUARESPACE