Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data

The Expedited Policy Development Process on the Temporary Specification for gTLD Registration Data (EPDP) was initiated by the GNSO Council on 19 July 2018 to determine if the Temporary Specification for gTLD Registration Data should become ICANN consensus policy, with or without modifications, while ensuring compliance with the European Union's General Data Protection Regulation (GDPR) and other relevant privacy and data protection laws.

Background on the development of the EPDP option

History

On January 8, 2012, GNSO Policy staffers released a discussion paper^[1] about the many questions that had arisen from the implementation of the New gTLD Program, especially concerning when policy vs. implementation work was needed. The GNSO Policy & Implementation Working Group was formed in July 2013.^[2] On June 24, 2015, the GNSO Council unanimously adopted the WG's recommendations, which included three new GNSO processes. The GNSO Guidance Process (GGP) and the GNSO Expedited Policy Development Process required changes to the ICANN Bylaws. The EPDP procedures, outlined in Annex A-1 of the ICANN Bylaws, went into effect on September 28, 2015.

Criteria

The GNSO Council may invoke the EPDP (1) to address a narrowly defined policy issue that has already been identified and scoped, following the adoption and/or implementation of a GNSO policy recommendation by the Board; or (2) to create new or additional recommendations for an issue on which extensive, pertinent background information already exists; for instance, the issue may have been discussed in an Issue Report for a PDP that was not initiated or completed or was part of a GGP.^[3]

Temporary Specificiation Context

History

On 17 May 2018, the ICANN Board adopted the Temporary Specification as an interim model for WHOIS compliance. This temporary specification was designed to allow registries and registrars to be compliant with the GDPR without being in breach of their contract with ICANN. The procedure for Temporary Policies requires the consensus policy development process to be completed within a year of the Temporary Specification effective date of 25 May 2018.
On 19 July 2018, the GNSO Council initiated and chartered a two-phase EPDP on the Temporary Specification for gTLD Registration Data Team. During Phase 1, the EPDP Team determined whether the Temporary Specification should become an ICANN Consensus Policy as is, or with modifications.

On 20 February 2019, the EPDP Phase 1 Team submitted its Final Report.
On 4 March 2019, the GNSO Council adopted all 29 recommendations.
On 15 May 2019, the ICANN Board adopted 27 of the recommendations^[4] On 17 May 2019 the Implementation Team published the Interim Registration Data Policy for gTLDs^[5] effective as of 20 May 2019, requiring contracted parties to continue implementing the Temporary Specification pending the ultimate Registration Data Policy.
On 29 May 2019, ICANN Org and the implementation review team (IRT) began implementing the Registration Data Policy. On 02 October 2019, the GNSO council liaison informed the GNSO Council that the recommended 29 February 2020 effective date was not feasible.
On 1 November 2019, the implementation team delivered a report on Recommendation 15.1^[6] to the GNSO about how ICANN retains data
On 6 December 2019, the implementation team delivered a report on Recommendation 15.4^[7] to the EPDP Phase 2 Team about the ICANN process for handling registrar data retention waivers

On 18 February 2020, the implementation team delivered the "Recommendation 27 Wave 1" Report^[8] to GNSO about the potential Registration Data Policy's impacts on existing consensus policies
On 8 July 2020, the implementation team delivered a report on Recommendation 17.2 to the EPDP Phase 2 Team about differentiating between Legal and Natural Persons in Domain Name Registration and Data Directory Services
In August 2020, the EPDP team completed Phase 2 and published the final report.
On 24 September 2020, the GNSO Council approved the Phase 2 Priority 2 recommendations.

On 23 February 2021, the implementation team delivered Recommendation 27 Wave 1.5 Report to GNSO on Registration Data Policy Impacts on Privacy and Proxy Services Accreditation Issues (PPSAI) and Translation and Transliteration of Contact Information (T/T) On 21 June 2021, the Board adopted Recommendations 19-22 about city field redaction, display of privacy/proxy registrations’ contact data, the purpose of data processing as it relates to the security, stability, and resiliency of the DNS, and registration data retention time periods.

Mission and Scope

The EPDP Team's objective is to determine if the Temporary Specification should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law. At a minimum, the EPDP is expected to consider the questions laid out in the charter.

The charter questions break down into two sections:

1. Questions on the "Terms of the Temporary Specification"
2. Questions on a "System for Standardized Access to Non-Public Registration Data"

EPDP Team

Structure

The EPDP is constituted of participants filling different roles including:

• Team Members
  • GNSO Members are appointed by Stakeholder Groups (SGs)
    • Contracted Party House (6 Members, 6 Alternates)
      • Registries Stakeholder Group (3 Members, 3 Alternates)
      • Registrars Stakeholder Group (3 Members, 3 Alternates)
    • Non-Contracted Party House (12 Members, 6 Alternates)
      • Commercial Stakeholder Group (6 Members, 3 Alternates)
      • Non-Commercial Stakeholder Group (6 Members, 3 Alternates
  • ALAC ( 2 Members, 2 Alternates)
  • SSAC (2 Members, 2 Alternates)
  • GAC (3 Members, 3 Alternates)
  • RSSAC (2 Members, 2 Alternates) (Not Filled)
  • ccNSO (2 Members, 2 Alternates) (Not Filled)
• Liaisons
• Team Alternates
• Observers

On 18 April 2019, the GNSO Council approved the appointment of Janis Karklins, Latvian Ambassador to the United Nations at Geneva, as the chair for the EPDP Team Phase 2.^[9]

Members

Alternates

Phases

EPDP Phase 1 Final Report

The Final Report of the Temporary Specification for gTLD Registration Data (EPDP) was published on 20 February 2019. The representatives from the Intellectual Property Constituency (IPC) and Business Constituency (BC) voted against the Final Report, but since all other GNSO Councillors were in favour, the Final Report was approved.^[10] The report was then passed to the ICANN Board for adoption.

The report contains an analysis of affected parties, anticipated time to implement recommendations, and other pertinent information that will assist the Board's deliberations on the EPDP Phase 1 policy recommendations^[11]. The recommendations from this report must be adopted by concerned parties on or before 29 February 2020.

EPDP Phase 2

Deliberations and Initial Report

In Phase 2, the EPDP team was tasked with addressing open issues left unresolved from Phase 1, addressing issues listed in the Annex to the Temporary Specification,^[12] and developing a standardized access system for nonpublic registration data.^[13] The team's Initial Report was published for public comment in February 2020^[14] The report outlined a proposed model for SSAD, where requests were sent to a centralized clearinghouse, and then action up on responses to were taken up by each contracted party, as applicable. The model was based on the following broad principles:

• Ideally, receipt, authentication, and transmission of SSAD requests should be automated wherever feasible. Disclosure decisions may be automated to the extent feasible, but should be standardized as much as possible across decisions.
• SSAD should be subject to continuous improvement, via a method of review and improvement that operates within the policies outlined by the EPDP, ICANN Bylaws, GNSO procedures & guidelines, and data protection legislation and regulation.
• Contracted parties should be subject to service-level agreements (SLAs) regarding response time for SSAD requests, based on priority.
• Responses to requests should be transmitted directly from the contracted party to the requestor, but there must be some sort of logging or tracking mechanism so that the SSAD "clearinghouse" is able to monitor and record decisions, compliance with SLAs, and perform other oversight of request processing.^[14]

The Initial Report contained 19 recommendations regarding the proposed model:^[14]

Final Report

The EPDP team submitted the Phase 2 Final Report to the GNSO Council on July 31, 2020, which the GNSO council approved on September 24, 2020. The Final Report primarily set out recommendations for a System for Standardized Access/Disclosure (SSAD) to nonpublic gTLD registration data. The 18 SSAD-related policy recommendations addressed the following areas:

• Accreditation of SSAD requestors, including governmental entities
• Required criteria and content of SSAD requests
• Response requirements
• Required Service Level Agreements (SLAs)
• Automation of SSAD processing
• Terms and conditions of SSAD
• Logging, auditing, and reporting requirements;
• Creation of a GNSO Standing Committee to evaluate SSAD operational issues and propose improvements to the GNSO Council.

The EPDP Team advised the GNSO council to treat these recommendations as one package and pass them on as such to the ICANN Board.^[15]

References