ICANN Resolutions » Consideration of GNSO EPDP Recommendations on the Temporary Specification for gTLD Registration Data
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
Whereas, on 17 May 2018, the ICANN Board adopted the Temporary Specification for gTLD Registration Data (Temporary Specification) pursuant to the procedures in the Registry Agreement and Registrar Accreditation Agreement concerning the establishment of temporary policies;
Whereas, following the adoption of the Temporary Specification, and per the procedure for Temporary Policies as outlined in the Registry Agreement and Registrar Accreditation Agreement, a Consensus Policy development process as set forth in ICANN's Bylaws needs to be initiated immediately and completed within a one-year time period from the implementation effective date (25 May 2018) of the Temporary Specification;
Whereas, the Generic Names Supporting Organization (GNSO) Council approved the Expedited Policy Development Process (EPDP) Initiation Request (https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-s...) and the EPDP Team Charter (https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-s...) on 19 July 2018;
Whereas, the EPDP followed the prescribed EPDP procedures as stated in the Bylaws, resulting in a Final Report delivered on 20 February 2019;
Whereas, the EPDP Team reached consensus on all but two recommendations in relation to the issues outlined in the Charter;
Whereas, the GNSO Council reviewed and discussed the recommendations of the EPDP Team and approved all Recommendations on 4 March 2019 by a GNSO Supermajority vote (see https://gnso.icann.org/en/council/resolutions#20190304-1);
Whereas, the GNSO Council vote exceeded the required voting threshold set forth in the ICANN Bylaws to impose new Consensus Policies on ICANN contracted parties;
Whereas, after the GNSO Council vote, a public comment period was held on the approved Recommendations, and the majority of comments focused on issues that were the subject of lengthy debates during the EPDP Team's Phase 1 work and the
Recommendations on these topics represent carefully-crafted compromises. Several of these issues have already been confirmed as requiring further review and consideration during phase 2 of the EPDP Team's work (https://www.icann.org/public-comments/epdp-recs-2019-03-04-en);
Whereas, the European Commission submitted a public comment on 17 April 2019 and sent ICANN org a follow-up letter on 3 May 2019, which indicated that Purpose 2, as stated in Recommendation 1, may require further refinement to ensure that it is consistent with and facilitates a predictable and consistent user experience compliant with applicable law;
Whereas, the Governmental Advisory Committee (GAC) was requested to raise any public policy concerns that might occur if the proposed policy is adopted by the Board (https://www.icann.org/en/system/files/correspondence/chalaby-to-ismail-0...);
Whereas, the GAC responded to the Board's notice, stated in the response that "the GAC would welcome the ICANN Board's adoption the EPDP Phase 1 policy recommendations as soon as possible[,]" and did not raise any public policy concerns that might occur if the recommended Consensus Policy is adopted by the Board;
Whereas, in its 30 May 2018 resolution, the Board adopted the scorecard titled "GAC Advice – San Juan Communiqué: Actions and Updates (30 May 2018)" in which the Board deferred consideration of four advice items pending further discussion with the GAC as requested by the GAC in its 17 May 2018 letter to the ICANN Board Chair;
Whereas, ICANN org continues to evaluate the Recommendations and plans to request additional guidance from the Data Protection Authorities regarding the interplay between legitimate and proportionate access to registrant data and ICANN's SSR mission;
Whereas, the Thick WHOIS Transition Policy requires gTLD registrars to migrate to the relevant registry operator all required fields of existing domain names that are available in the registrar database;
Whereas, the Recommendations, at Recommendation 7, state that data elements collected and generated "must be transferred from registrar to registry provided an appropriate legal basis exists and a data processing agreement is in place," and that transfer is optional for contact information;
Whereas, the Recommendations state, at Recommendation 12, that the Organization field will be published if that publication is acknowledged or confirmed by the registrant, and that the registrar may redact or delete the contents of that field if the registrant does not confirm;
Whereas, a registrar's deletion of the contents of the Organization field may result in a loss of information about the registrant's identity;
Whereas, ICANN org analyzed the Recommendations and, based on current information and subject to further inputs from Data Protection Authorities and legal analysis, believes the Recommendations (with the possible exceptions of Recommendation 1, Purpose 2 and the option to delete data in the Organization field in Recommendation 12) do not appear to be in conflict with (a) the GDPR, (b) existing requirements for gTLD registry operators and registrars, or (c) ICANN's mandate to ensure the stability, security and resiliency of the Internet's DNS;
Whereas, ICANN org analyzed the Recommendations and, based on current information and subject to further inputs from Data Protection Authorities and legal analysis, believes the Recommendations (with the possible exceptions of Recommendation 1, Purpose 2 and the option to delete data in the Organization field in Recommendation 12) are in the public interest;
Whereas, in a 3 May 2019 letter, the European Commission stated: "we have constantly urged ICANN and the community to develop a unified access model that applies to all registries and registrars and provides a stable, predictable, and workable method for accessing non-public gTLD registration data for users with a legitimate interest or other legal basis as provided for in the General Data Protection Regulation (GDPR). The European Commission considers this to be both vital and urgent, and we urge ICANN and the community to develop and implement a pragmatic and workable access model in the shortest timeframe possible, to which we will contribute actively";
Whereas, the Board developed a scorecard to facilitate its consideration of the Recommendations, titled "Scorecard: EPDP Phase 1 Recommendations" in which it identified issues to consider in implementation of the Phase 1 Recommendations and in Phase 2 as work continues, informed by the valuable inputs from all parties;
Whereas, the Board understands that any action on these Recommendations other than adoption requires the Board, pursuant to Section 6, Annex A-1 of the ICANN Bylaws, to (i) articulate the reasons for its determination in a report to the GNSO Council and (ii) to submit the Board statement to the GNSO Council;
Resolved (2019.05.15.02), the Board adopts the GNSO Council Policy Recommendations for a new Consensus Policy on gTLD Registration Data as set forth in section 5 of the Final Report in accordance with Sections A and B of the attached scorecard titled "Scorecard: EPDP Phase 1 Recommendations".
Resolved (2019.05.15.03), the Board directs the President and CEO, or his designee(s), to develop and execute an implementation plan for the adopted Recommendations that is consistent with the guidance provided by the GNSO Council and to continue communication with the community on such work.
Resolved (2019.05.15.04), the Board determines that, at this time, Recommendation 1, Purpose 2 is not in the best interests of the ICANN community or ICANN.
Resolved (2019.05.15.05), the Board determines that, at this time, Recommendation 12, with respect to the option to delete data in the Organization field, is not in the best interests of the ICANN community or ICANN.
Resolved (2019.05.15.06), the Board does not adopt Recommendation 1, Purpose 2, at this time. The Board articulates its reasons for not adopting Recommendation 1, Purpose 2, at this time in the below rationale, and will submit to the GNSO Council a formal Board Statement incorporating the rationale for discussion as soon as feasible, as specified in Annex A-1, Section 6 of the ICANN Bylaws. The Board looks forward to a productive discussion with the GNSO Council on the concerns raised and will consider any further Supplemental Recommendation arising out of this discussion process in line with the Board's obligations.
Resolved (2019.05.15.07), the Board does not adopt Recommendation 12, with respect to the option to delete data in the Organization field, at this time. The Board articulates its reasons for not adopting Recommendation 12, with respect to the option to delete data in the Organization field, at this time in the below rationale, and will submit to the to the GNSO Council a formal Board Statement incorporating the rationale for discussion as soon as feasible, as specified in Annex A-1, Section 6 of the ICANN Bylaws. The Board looks forward to a productive discussion with the GNSO Council on the concerns raised and will consider any further Supplemental Recommendation arising out of this discussion process in line with the Board's obligations.
Resolved (2019.05.15.08), the Board directs the President and CEO, or his designee(s), to continue to evaluate the impacts of the Recommendations to ICANN org and the contracted parties in light of the GDPR and the impacts of the Recommendations on existing ICANN policies and agreements, taking into account any additional legal analysis and inputs from Data Protection Authorities; to align and/or adjust the implementation plan for these Recommendations based on that evaluation in consultation with the Implementation Review Team, the GNSO Council, and/or Board, as appropriate; and to ensure that the implementation of the Recommendations reflects ICANN's own and original purpose in ensuring the security, stability, and resiliency of the Domain Name System.
Resolved (2019.05.15.09), the Board confirms its understanding, with respect to Recommendation 7, that the Recommendation does not repeal or overturn existing Consensus Policy including, in this case, the Thick WHOIS Policy, and directs ICANN org to work with the Implementation Review Team to examine and transparently report on the extent to which these Recommendations require modification of existing Consensus Policies, including the Thick WHOIS Transition Policy.
Resolved (2019.05.15.10), the Board adopts the scorecard titled "Scorecard: EPDP Phase 1 Recommendations" and directs the President and CEO, or his designee(s), to take the actions as identified therein, including in implementation of the Phase 1 Recommendations and in support of Phase 2 as work continues, informed by the valuable inputs from all parties.
Resolved (2019.05.15.11), the Board confirms that based on the 24 April 2019 letter from the GAC, the Board's adoption of the Recommendations and acceptance and continued deferral of some of the GAC advice from the San Juan Communiqué is not inconsistent with GAC advice.
Resolved (2019.05.15.12), the Board continues to support the multistakeholder policy development efforts in Phase 2 and encourages the community to continue to support this important work on an expeditious basis, including on all topics that were identified for additional consideration in Phase 2.
Why is the Board addressing the issue?
On 17 May 2018, the ICANN Board adopted the Temporary Specification for gTLD Registration Data (Temporary Specification) pursuant to the procedures in the Registry Agreement and Registrar Accreditation Agreement concerning the establishment of temporary policies. Following the adoption of the Temporary Specification, and per the procedure for Temporary Policies as outlined in the Registry Agreement and Registrar Accreditation Agreement, a Consensus Policy development process as set forth in ICANN's Bylaws needs to be initiated immediately and completed within a one-year time period from the implementation effective date (25 May 2018) of the Temporary Specification.
The GNSO Council had a number of discussions about next steps to clarify issues around scope, timing and expectations, including a meeting between the GNSO Stakeholder Group and Constituency Chairs on 21 May 2018, the Council meeting on 24 May 2018, a meeting between the ICANN Board and the GNSO Council on 5 June 2018 and an extraordinary GNSO Council meeting on 12 June 2018. The GNSO Council approved the Expedited Policy Development Process (EPDP) Initiation Request (https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-s...) and the EPDP Team Charter (https://gnso.icann.org/sites/default/files/file/field-file-attach/temp-s...) on 19 July 2018.
The EPDP Team was formed and held its first meeting on 1 August 2018, followed by the publication of the Charter-required "Triage" Report on 15 September 2018 and its Initial Report on 21 November 2018. The EPDP Team reached full consensus / consensus on the recommendations contained in the Final Report apart from two recommendations (#2 and #16).
On 4 March 2019, the GNSO Council voted to approve with the required GNSO Supermajority support all the recommendations contained in the Final Report from the Team that had been chartered to conduct an EPDP on the Temporary Specification for gTLD Registration Data. This included even those recommendations for which there was divergence within the EPDP Team. Please see the Final Report for a summary of all the approved recommendations.
The EPDP Team on the Temporary Specification for gTLD Registration Data was chartered:
to determine if the Temporary Specification for gTLD Registration Data should become an ICANN Consensus Policy, as is or with modifications, while complying with the GDPR and other relevant privacy and data protection law.
As part of its deliberations on this issue, the EPDP Team was tasked to consider, at a minimum, the specifically-identified questions related to the Temporary Specification, which were outlined in the EPDP Charter. These questions related to the different sections of the Temporary Specification, and included, for example, the purposes for processing gTLD registration data, and the collection, transfer, and publication of gTLD registration data as outlined in the Temporary Specification.
The policy recommendations, if approved by the Board, will impose obligations on contracted parties. The GNSO Council's vote in favor of these items satisfies the voting threshold required by Section 11.3(i)(xv) of the ICANN Bylaws regarding the formation of consensus policies. Under the ICANN Bylaws, the GNSO Council's Supermajority support for the EPDP recommendations obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the policy is not in the best interests of the ICANN community or ICANN org.
If the Board determines that its adoption of one or more of the Recommendations is not in the best interests of the ICANN community or ICANN, the Board shall articulate its reasons for this determination in a report to the Council. At the conclusion of the Council and Board discussions, the Council shall meet to affirm or modify its Recommendation and communicate that conclusion to the Board.
What is the proposal being considered?
The ICANN Board is considering the adoption of the Recommendations outlined in section 5 of the EPDP Team Final Report (see https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-g...), which would establish a new Consensus Policy on gTLD Registration Data.
Which stakeholders or others were consulted?
As mandated by the GNSO's PDP Manual, the EPDP Team reached out shortly after its initiation to ICANN's Supporting Organizations and Advisory Committees as well as the GNSO's Stakeholder Groups and Constituencies to seek their input on the Charter questions. See https://community.icann.org/display/EOTSFGRD/Request+for+Early+Input+-+1... for all the responses received (these were from the Business Constituency, the Intellectual Property Constituency, the Governmental Advisory Committee, the Non-Commercial Stakeholder Group, the Registrars Stakeholder Group, the Registries Stakeholder Group, the Security and Stability Advisory Committee, and the At-Large Advisory Committee).
Also as mandated by the GNSO's PDP Manual, the EPDP Team's Initial Report was published for public comment following its release on 21 November 2019 (see https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-...). All the public comments received were compiled into a uniform Public Comment Review Tool and reviewed by the EPDP Team (see https://community.icann.org/display/EOTSFGRD/Public+Comment+Review+Tool). As required by the ICANN Bylaws, public comment was also requested prior to ICANN Board consideration (see https://www.icann.org/public-comments/epdp-recs-2019-03-04-en).
In addition, the Working Group held three face-to-face meetings: the first meeting was held in Los Angeles from 24 – 26 September 2018; the second meeting was held during the ICANN public meeting in Barcelona from 20 – 25 October 2018; and the third meeting was held in Toronto from 16 – 18 January 2019. The EPDP Team's second face-to-face meeting in Barcelona included open community sessions. Transcripts, documents, and recordings of all EPDP Team meetings can be found on the EPDP Team wiki space at: https://community.icann.org/display/EOTSFGRD/EPDP+on+the+Temporary+Speci....
During the course of its work, the EPDP Team recognized some of the issues under discussion required the expertise of legal counsel. A sub-group of the EPDP Team, the EPDP Legal Committee, worked together to identify the preferred qualifications and experience the EPDP Team was seeking. ICANN org, in following its standard procedure which includes a conflict of interest assessment, identified Ruth Boardman of Bird & Bird as the outside legal counsel dedicated to this effort. Ruth Boardman jointly heads the International Privacy and Data Protection Group of Bird & Bird.
The full legal memos are available for review, but the topics which received further guidance from legal counsel have been provided below:
Applicability of GDPR Art. 6.1.b reference "to which the data subject is party" and "necessary for performance of a contract."
Potential liability of a registered name holder's incorrect self-identification of a natural or legal person, which ultimately results in public display of personal data.
Meaning of "informing" the data subject with respect to provision of separate administrative and technical contact.
Accuracy of data requirements under GDPR.
Is the data provided by the Registered Name Holder ("RNH") for the "City" field in the RNH's address personal data?
Applicability of territorial scope under GDPR.
Transfer of registration data from registrars to registries (Thick WHOIS).
The EPDP Team also reviewed the European Data Protection Board's ("EDPB") advice on the Temporary Specification in detail.
Lastly, the following list of resources, which includes previously received guidance on RDDS, privacy law, ICANN policies, et. al., was made available for EPDP Team review and reference.
In recognition of the EPDP Team's condensed timeline, the GNSO Council chose to invite two liaisons from ICANN org to participate directly within the EPDP Team: one liaison from ICANN's Legal Team and one liaison from ICANN's Global Domains Division. The ICANN Org liaisons attended most of the EPDP Team calls, joined the EPDP Team for its face-to-face meetings, and provided background information and answers to questions from the EPDP Team.
What concerns or issues were raised by the community?
The GNSO's Stakeholder Groups and associated Constituencies were given the opportunity to provide additional statements, which were annexed to the Final Report. Below, please find a high-level summary of the concerns noted within the statements.
The At-Large Advisory Committee noted the following concerns that it believed were not adequately addressed by the EPDP Team:
Maximizing access to RDDS information for those involved with cybersecurity and consumer protection;
Maximizing stability and resiliency of a trustworthy DNS;
Protecting and supporting individual Internet users; and
The Business Constituency and Intellectual Property Constituency noted their position on the importance of reasonable consideration by contracted parties of requests for lawful disclosure of non-public registration data, including requests made within the context of consumer protection, cybersecurity, intellectual property, or law enforcement within the lawful disclosure purpose (Purpose 2).
The Governmental Advisory Committee noted its concerns that the Final Report does not sufficiently recognize the benefits of the WHOIS database.
The Internet Service Providers and Connectivity Providers Constituency noted its concerns with consent being given in a compliant fashion and that the current language in the Final Report may not address consent in a GDPR-compliant manner.
The Non-Commercial Stakeholder Group also noted its concerns with Purpose 2, noting its position that disclosure to third parties is not a valid ICANN purpose for processing domain name registrants' data and could ultimately be overruled by the law. The Non-Commercial Stakeholder Group also noted its concerns with Purpose 7, as it could result in an increase to the number of data elements in the RDDS or WHOIS, some of which could contain personal information. The Non-Commercial Stakeholder Group stated that these additional data elements should not be escrowed. The Non-Commercial Stakeholder Group dissented on Recommendation 2, noting its position that ICANN's Office of the Chief Technology Officer has repeatedly stated that it does not need access to the personal information of domain name registrants to do its work. The Non-Commercial Stakeholder Group also noted its position that rules with respect to RDDS should be universally applied and uniformly applicable; therefore, Recommendation 16, which permits but does not require registrars to apply geographic differentiation to registered name holders, does not align with a uniform, global Internet.
The Registries Stakeholder Group noted its concerns with the workbooks in Annex D being incorporated by reference into the Final Report. It also noted concerns with Recommendations 7 and 27, noting its position that the language does not reflect the consensus of the EPDP Team, and additionally noted concerns with Recommendation 2, noting it is out of scope for this EPDP.
The Security and Stability Advisory Committee noted its position that, contrary to the text of Recommendations 16 and 17, registrars should be required to differentiate based on geographic location and between natural and legal persons after a suitable implementation period. This request for differentiation is based on a balancing of cost to contracted parties with the costs on the parties who rely upon domain registration data for the wide array of legitimate purposes.
Submissions to the public comment forum following GNSO Council approval of the recommendations (see https://www.icann.org/public-comments/epdp-recs-2019-03-04-en), focused on topics such as purposes for processing gTLD registration data, responsible parties, over-application of GDPR, data redaction, data accuracy, legal vs. natural persons, geographic differentiation and phase 2 of the EPDP.
The above summary represents some noted points of impact among the affected Constituencies and Stakeholder Groups. The Board understands that these issues and concerns were raised during the EPDP Team's deliberations and that, in accordance with the PDP Process defined in the GNSO PDP Manual and the ICANN Bylaws, the EPDP Team delivered a Final Report to the GNSO Council and the Council approved the report and Consensus Policy Recommendations.
Notwithstanding the concerns identified above, there was broad community support for the Recommendations, as reflected by the consensus support of the EPDP Team for 27 of the 29 Recommendations and the GNSO Council's supermajority vote to adopt all Recommendations.
Please refer to the full statements in Annex G of the Final Report for further information.
What significant materials did the Board review?
In taking this action, the Board considered:
GAC San Juan Communiqué, dated 15 March 2018;
The EPDP Team's Final Report, dated 20 February 2019;
The GNSO Council's Recommendations Report to the Board, dated 29 March 2019;
The comments and the summary of public comments received in response to the public comment period that was opened following the GNSO Council's adoption of the recommendations contained in the Final Report, and GAC advice received on the topic.
The letter from the GAC to the Board, dated 24 April 2019;
The European Commission's 3 May 2019 letter to ICANN org, which expanded upon the Commission's comment submitted during the public comment period.
Scorecard: EPDP Phase 1 Recommendations
What factors did the Board find to be significant and are there positive or negative community impacts?
The Board takes this action today to adopt, with the exceptions noted below, the Recommendations developed following the GNSO EPDP as set out in Annex A-1 of the ICANN Bylaws. These Recommendations received the required GNSO Supermajority support of the GNSO Council. As outlined in the ICANN Bylaws, the Council's supermajority support obligates the Board to adopt the recommendations unless, by a vote of more than two-thirds, the Board determines that the recommended policy is not in the best interests of the ICANN community or ICANN. This Board action will initiate ICANN org's implementation of the Board-adopted Recommendations as a new Consensus Policy, in consultation with an Implementation Review Team.
In taking action today to adopt the Recommendations, with the exceptions noted below, the Board notes that there are a few areas where consideration should be taken during the implementation phase to ensure that the resulting policy: (a) serves ICANN's public interest mandate; (b) safeguards the security, stability, and resiliency of the DNS; and (c) protects registrants.These areas, addressed in additional detail in the EPDP Phase 1 Recommendations Scorecard, include:
Data Retention (Recommendation 15). The Board understands that this recommendation modifies existing data retention requirements. The Board understands that the EPDP Team is committed to additional work in Phase 2 on the topic of data retention. The Board directs ICANN org to undertake a review to identify instances where personal data is needed beyond the life of the registration, as recommended by the EPDP Team.
Feasibility of Study (Recommendation 16). In adopting this Recommendation, the Board notes its understanding that there was divergence in the EPDP about the value of a study to inform the policy, and that requests for such a study have been presented to the Board. The Board directs the CEO and org to discuss with the EPDP Phase 2 Team the merits of a study to examine the feasibility and public interest implications of distinguishing between registrants on a geographic basis based on the application of GDPR. Further action should be guided by the conversations within the EPDP Phase 2 Team.
Data Protection Agreements With Contracted Parties (Recommendation 19). The Board notes that the determination of the roles and responsibilities for the processing of gTLD registration data is based on a legal analysis of the law. The Board directs ICANN org to undertake this legal analysis and consult with the Data Protection Authorities as appropriate.
Data Processing Activities and Responsible Parties (Recommendation 20). The Board notes that the determination of the roles and responsibilities for the processing of gTLD registration data is based on a legal analysis of the law. The Board directs ICANN org to undertake this legal analysis and consult with the Data Protection Authorities as appropriate.
Policy Effective Date (Recommendation 28). The Board notes that the Recommendation sets an effective date for the policy. Given the complexity of the implementation, there is a possibility that this date may not be met. The Board directs ICANN org to provide regular status updates of the progress of implementation and flag any potential issues or concerns with timeline so that issues can be addressed in a timely manner.
In taking action today, the Board also notes the following:
Purposes for Processing of gTLD Registration Data (Recommendation 1). This recommendation defines seven ICANN purposes for processing gTLD registration data, six of which the Board adopts at this time. The Board notes that ICANN purposes are governed by consensus policies developed by the ICANN community and are not solely pursued by ICANN org.
Transfer of gTLD Registration Data From Registrars to Registry Operators (Recommendation 7). The Board confirms its understanding that Recommendations do not repeal or overturn existing Consensus Policy including, in this case, the Thick WHOIS Transition Policy. Consistent with Recommendation 27, the Board directs ICANN Org to work with the Implementation Review Team to examine and transparently report on the extent to which these Recommendations require modification of existing Consensus Policies. Where modification of existing Consensus Policies is required, we call upon the GNSO Council to promptly initiate a PDP to review and recommend required changes to Consensus Policies.
In adopting Recommendation 7, the Board notes that the Purposes contained in the Final Report, at Recommendation 1, provide the legal basis for processing the aggregate minimum data set under this Recommendation. The Board requests that the EPDP Phase 2 team consider whether the suggested corrections contained in the Registry Stakeholder Group's comments and the accompanying chart in Appendix G of the Final Report more accurately reflect the Phase 1 consensus and should be adopted.
Legal Versus Natural (Recommendation 17). The Board adopts this recommendation and continues to defer GAC advice in this area based on the 24 April 2019 letter from the GAC. The Board notes that the Recommendation states that the EPDP Team "will determine and resolve the Legal vs. Natural issue in Phase 2."
Reasonable Access (Recommendation 18). The Board understands that this Recommendation provides a mechanism for third parties with legitimate interests to access non-public gTLD registration data and obligates the contracted parties to disclose the requested non-public data if the request passes the balancing test.
The adopted Recommendations provide flexibility to address these matters identified above in consultation with the Implementation Review Team and during the EPDP-recommended negotiations with contracted parties. If any issues arise during implementation that would adversely impact ICANN org's ability to implement these Recommendations (e.g. if it is determined that implementation of one or more Recommendations would not serve ICANN's public interest mandate, safeguard the security, stability, and resiliency of the DNS, or protect registrants), ICANN org should escalate these concerns to the Board, as appropriate.
The Board has determined that because additional consultation with the GNSO Council and/or additional guidance from the Data Protection Authorities is needed to inform its consideration of the following Recommendations, it is not in the best interests of the ICANN community or ICANN to adopt these portions of Recommendations at this time:
Purpose 2 (Recommendation 1). The Final Report notes that this purpose is a placeholder pending additional work in Phase 2.
The Board does not adopt this Recommendation at this time in light of the EPDP Team's characterization of this as a placeholder and the need to consider recent input from the European Commission. Based on the views presented in the recent letters from the European Commission, Purpose 2, as stated in the EPDP Team's Final Report, may require further refinement to ensure that it is consistent with and facilitates ICANN's ability to deliver a predictable and consistent user experience compliant with applicable law. The Board's concern is that if the wording of purpose 2 is deemed inconsistent with applicable law, the impact might be elimination of an ICANN purpose. There are clear ICANN purposes that ICANN should be able to employ under existing legal frameworks to deploy a unified method to enable those with a legitimate and proportionate interest to access non-public gTLD registration data, although such purposes may need to be restated or further refined based on additional legal, regulatory or other input. The Board directs ICANN org to continue to evaluate this proposed purpose and to request additional guidance from the DPAs, regarding the legitimate and proportionate access to registrant data and ICANN's Security, Stability, and Resiliency mission.
Similar concerns were raised by the Coalition for Online Accountability in their 14 May 2019 letter to the ICANN Board.
The Organization Field (Recommendation 12). The Board understands that implementation of this Recommendation, with respect to the option for registrars to delete the contents of the field if the registrant does not confirm the data for publication, may result in the loss of the ability to identify the registrant.
The Board requests that as part of Phase 2, the EPDP consider the extent to which deletion (as opposed to redaction) that results in loss of or changes to the name of the registrant is in the public interest and consistent with ICANN's mission. The Board looks forward to discussing this issue more in depth with the GNSO Council under the mandated Bylaws process.
Are there fiscal impacts or ramifications on ICANN (strategic plan, operating plan, budget); the community; and/or the public?
There may be fiscal impacts on ICANN associated with the creation of a new gTLD Registration Policy. The implementation plan should take into account costs and timelines for implementation. An internal ICANN org implementation team has been formed and has begun to review the recommendations to analyze the implementation requirements. ICANN org considers the scope of effort required for this implementation to be significant and extensive.
The implementation of these recommendations will result in changes to registry and registrar systems, and accordingly, the costs to contracted parties were discussed by the EPDP Team during the drafting of the recommendations.
Are there any security, stability or resiliency issues relating to the DNS?
Failure to implement the recommendations could hamper the identification of those responsible for the administration of domain names on the Internet. In cases where those domain names are being used for abusive purposes, e.g., phishing, botnet command and control, malware distribution, etc., the ability of anti-abuse actors to block the abuse could be limited, thereby posing security, stability, and resiliency risks to the DNS and the Internet as a whole.
Implementing the recommendations should provide for access to registration information for legitimate purposes to accredited entities as per GDPR requirements. While not returning the ability to obtain registration data access to the status quo ante prior to the implementation of GDPR, the recommendations would permit GDPR-compliant access aimed at being in support of security, stability, and resilience of the DNS.
Is this either a defined policy process within ICANN's Supporting Organizations or ICANN's Organizational Administrative Function decision requiring public comment or not requiring public comment?
Public comment has taken place as required by the ICANN Bylaws and GNSO Operating Procedures in relation to GNSO policy development.
Is this within ICANN's mission? How does this action serve the public interest?
Consideration of community-developed policy recommendations is within ICANN's mission as defined at Article 1, section 1.1(i) of the ICANN Bylaws. This action serves the public interest, as ICANN has a core role as the "guardian" of the Domain Name System.