Dear IRT,

 

Thanks for your review of the Registrar Data Escrow Specification (RDE Specification).  

 

The following are a few more updates for your review resulting from feedback from IRT, Data Escrow Agents (DEAs), and others. We are considering this version as the final draft Registrar Data Escrow Specification to be published for implementation. (V20240808) We are providing the redline document to ease your review of the difference between from the previous draft 20240722 version.

 

255

Review: RDE Specification Draft - v1.3 - 20240808 Redline (comparison between v1.2 20240722 and v1.3 20240808)

20240813

 

Here’s the summary of changes:

1. Section 3.1.1 and subsections 3.1.1.* - clarifying the agreements involved between ICANN, registrars, and DEAs.
2. Section 3.1.8 - clarifying the language on DEA’s responsibilities to release deposit within 24 hours upon receiving notice.
3. Registrar and DEA can make their own agreement on deposit file size limit and max row limit rather than accepting the default 1 gigabyte file size 1 million rows per file. The change is captured in Section 4.1.1, 4.1.17, Appendix A Error Code 2007 and 2008.
4. Editorial update on the encryption standard is based on OpenPGP instead of PGP throughout the whole specification (Section 3.1.1.8, 3.1.1.9, 4.1.20, Appendix A Error Code 2004)

 

You will note that some have asked about the inclusion of Billing Contact fields in the Registrar Data Escrow Specification. We cannot remove it as a requirement for the following reasons: 

 

Current requirements pertaining to data escrow are specified in Section 3.6 of the RAA. Under these requirements, registrars must escrow the data described in Subsections 3.4.1.2 through 3.4.1.5, which includes but is not limited to the Billing Contact data.

 

Further, the Registration Data Policy includes requirements related to processing “Registration Data” as defined by the policy under Section 6. The Registration Data Policy will not modify or replace existing requirements under the RAA that are not specifically addressed and modified by the policy recommendations, including those requirements related to the processing of the Billing Contact data.

 

Related to the Registrar Data Escrow Specification, we have also received inquiries regarding the requirement to collect and escrow Privacy and Proxy customer data, with some stating an understanding that the escrow was not required as this data is not included in Section 8 of the Registration Data Policy. Current requirements pertaining to data escrow are specified in Section 3.6 of the RAA and Section 2.5 of the Specification on Privacy and Proxy Registrations of the RAA.  Under these requirements, registrars must escrow the data described in Subsection 3.4.1.5 of the RAA, which includes the underlying customer data of the Privacy or Proxy Service.  

 

Section 8 of the Registration Data Policy identifies each value of Registration Data that contracted parties must escrow. This further highlights why it is important to make clear that the policy only addresses Registration Data (as defined in Section 6 of the Registration Data Policy) and not all personal data that registrars must process.

 

The updated RDE Specification needs to be published to support the 12-month Transition Period that begins on 21 August 2024. I ask for your review to be completed by 13 August 2024. I know that this is a quicker turnaround time than usual, but the updates are limited to four simple changes and the sooner we can publish the specification to establish clarity the better. 

 

Thank you for your continued support.