Public Comment

Public Comment is a vital part of our multistakeholder model. It provides a mechanism for stakeholders to have their opinions and recommendations formally and publicly documented. It is an opportunity for the ICANN community to effect change and improve policies and operations.

Data Processing Specification for ICANN-Accredited Registries and Registrars

Category: Operations
Requesters: ICANN org
ICANN org Contact(s): cyrus.jamnejad@icann.org

What We Need Your Input On

ICANN org seeks community input on draft Data Processing Specifications (DPS) applicable to the Registrar Accreditation Agreement and Registry Agreement. Pursuant to the Phase 1 Recommendations 19 and 20 of the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data, ICANN org and a team convened by the Contracted Party House negotiated the terms of the DPS for which we now seek public comment.

ICANN org is preparing to implement the DPS so contracted parties can begin utilizing it during the Registration Data Policy transition period (21 August 2024 - 20 August 2025). 

Proposals For Your Input
Draft Registrar Data Processing Specification (pdf, 397.57 KB)
Draft Registry Data Processing Specification (pdf, 403.92 KB)

Background

Applicable Consensus Policy Recommendations

The EPDP Phase 1 consensus policy recommendations set out updated requirements for the contracted parties for gTLD registration data elements to be collected, transferred from registrars to registry operators, deposited with data escrow agents, published and/or redacted in the registration data directory services, and disclosed upon requests from third parties. These updated requirements, once in effect via the Registration Data Policy, will replace prior requirements for gTLD registration data processing contained in the Temporary Specification for gTLD Registration Data (currently applicable via the Interim Registration Data Policy for gTLDs).

EPDP Phase 1 Recommendations 19 and 20 guided the negotiation and drafting of the DPS:

Recommendation 19. The EPDP Team recommends that ICANN Org negotiates and enters into required data protection agreements, as appropriate, with the Contracted Parties. In addition to the legally required components of such agreement, the agreement shall specify the responsibilities of the respective parties for the processing activities as described therein. Indemnification clauses should ensure that the risk for certain data processing is borne, to the extent appropriate, by the parties that are involved in the processing. Due consideration should be given to the analysis carried out by the EPDP Team in its Final Report.

Recommendation 20. During Phase 1 of its work, the EPDP Team documented the data processing activities and responsible parties associated with gTLD registration data. The EPDP Team, accordingly, recommends the inclusion of the data processing activities and responsible parties, outlined below, to be confirmed and documented in the relevant data protection agreements, noting, however, this Recommendation may be affected by the finalization of the necessary agreements that would confirm and define the roles and responsibilities.

Recommendation 20 included an outline of who the team identified as the “responsible parties” for each of the data processing activities contemplated under the Registration Data Policy (collection, transfer, escrow, publication, etc.) and the legal basis for each activity. As set out in further detail below, these were taken into account in the drafting of the DPS. As recommended in Recommendation 20, the draft DPS documents the data processing activities contemplated to occur pursuant to the Registration Data Policy and identifies the parties who perform those processing activities.

 

Registration Data Policy

Section 5 of the Registration Data Policy states that:

ICANN, gTLD Registry Operators, and accredited Registrars MUST enter into required data protection agreements with each other and with relevant third party providers contemplated under this Policy where applicable law requires. The terms may include legal bases for processing Registration Data.

Where such agreements between Registry Operator or Registrar and ICANN are required to comply with applicable law, ICANN must, upon request and without undue delay, enter into a data protection agreement or agreements with Registry Operator or Registrar as implemented pursuant to the Registration Data Policy.

If Registry Operator or Registrar determines that such agreements are required by applicable law, it MUST make the request without undue delay pursuant to this policy.

The data protection agreements MAY also be modified and updated from time-to-time based on additional guidance from relevant data protection authorities as provided for by applicable law.

ICANN org is in the process of implementing a standardized process for this requirement. This is envisioned to work in practice as follows: if a registry operator or registrar determines that it must enter into a data protection agreement with ICANN in order to comply with applicable law and the Registration Data Policy, the contracted party must request to sign the DPS with ICANN (the “agreement” that will be “implemented pursuant to the Registration Data Policy”).

 

DPS Scope Is Limited to Registration Data Policy

The DPS was drafted to implement the EPDP Phase 1 Policy Recommendations. As such, the scope of the DPS is limited. The DPS provides a contractual framework to enable the processing of gTLD registration data contemplated in the Registration Data Policy to be performed in compliance with applicable data protection law. 

The DPS will not require the contracted parties to provide ICANN with greater access to gTLD registration data than the access currently contemplated under applicable ICANN agreements and policies. For example, a DPS between ICANN and a registrar will not require the registrar to provide ICANN with unlimited access to any gTLD registration data held by the registrar beyond the access that is required under the RAA. This is specifically noted because community discussions concerning registration data accuracy have, at times, identified a need for a DPS. It has been suggested that, if a DPS between ICANN and a registrar is in place, ICANN org can obtain gTLD registration data from the contracted parties to study registration data “accuracy.” This is an inaccurate perception: Unless the RAA or future Consensus Policy requires contracted parties to provide ICANN with access to gTLD registration data for this purpose, registrars are not required to provide this data to ICANN org. ICANN’s access to gTLD registration data held by the registrars is limited by the terms of the RAA.

In addition, the DPS is not drafted to account for the processing of non-gTLD registration data that ICANN and contracted parties may process pursuant to current or future Consensus Policy and contract requirements beyond the Registration Data Policy. For example, the EPDP Phase 2 recommendations for a System for Standardized Access/Disclosure to Non-Public gTLD Registration Data (SSAD), which are pending Board consideration, envision requirements for ICANN’s and contracted parties’ processing of requestor contact information in the course of intake and routing of SSAD requests. Similarly, the recommendations of the Privacy and Proxy Service Providers Accreditation Issues PDP Working Group (pending implementation) would put into place requirements for privacy and proxy service providers’ processing of customer contact data. The DPS currently does not encompass these data processing operations. However, if and when those recommendations are implemented, the DPS could be adapted to accommodate those new policies or other policy recommendations or contract requirements that are developed and implemented in the future.

Data Processing Specification Overview

  • DPS will be a Specification to the Registry Agreement (RA) and Registrar Accreditation Agreement (RAA) 
  • DPS is an agreement between parties who, independent of each other, control their own processing of personal data that is contemplated by the Registration Data Policy (agreement between “independent controllers”)
  • Per the Registration Data Policy, contracted parties must request to enter into the DPS with ICANN if the contracted party determines that the DPS is required for its processing of registration data to comply with applicable law
  • DPS sets out high-level data protection requirements for the processing of gTLD registration data (“Personal Registration Data”)
  • DPS requires parties to comply with applicable law
  • DPS describes “who does what” with gTLD registration data under Registration Data Policy
  • DPS is drafted to accommodate contracted parties’ efforts to comply with any applicable data protection law (not limited, for example, to the European General Data Protection Regulation (GDPR))

The DPS is not:

  • DPS is not a “joint controller arrangement”
  • DPS is not a “Data Processing Agreement”
  • DPS does not require contracted parties to provide ICANN with greater data access than that required under the RA/RAA and applicable consensus policies

Next Steps

After the completion of the comment window, ICANN org will review comments and compile a summary report.

Supporting Information

This additional information from ICANN org provides more context for this Public Comment Proceeding and may help you review the proposals for input and publish a submission.

Registration Data Policy
Final Report of the Temporary Specification for gTLD Registration Data Expedited Policy Development Process