The call will take place on Monday, 10 October 2022 at 14:00 UTC for 60 minutes.
For other places see: https://tinyurl.com/ynh5b7dj
Below are the responses from the ICANN org team to the questions that the small team put forward.
Answers to Small Team questions sent 28 September 2022
The EPDP Phase 2 small team had its first meeting today post ICANN75 to further deliberate on the Whois Disclosure System. Based on that discussion, the team would like to confirm and request ICANN org’s feedback whether requests that are made for data pertaining to domain name registrations that are under the management of non-participating registrars will be logged.
- Question: At a minimum, could this logging include the name of the non-participating registrar and the domain name in question?
As an added feature designed to gather data concerning system usage and to encourage registrar participation, the WHOIS Disclosure System could log the number of requests that are made for data pertaining to domain name registrations that are under the management of non-participating registrars. For example, a report could be created on the number of requests for domains from non-participating registrars. This report could indicate which registrars are receiving these requests, as part of the overall reports issued on the use of the WHOIS Disclosure System.
With regard to logging domain names, since they can be considered as personal data when relating to an identified or identifiable person, it would be necessary to identify and document the purpose for such processing and to assess whether it is necessary to process domain names for such purpose.
Therefore, it would be useful to understand from the EPDP Phase 2 small team, the purpose and the related benefits they see in collecting the domain names for requests addressed to non-participating registrars, how the collection of the domain names will achieve this purpose, and whether there are other measures available to achieve this purpose which would not entail the processing of the domain names that are considered personal data. Until these have been clarified, the domain names should not be logged.
- Question: Could the requestor continue filling out the data request form, if the requestor chooses to do so, after having been informed that the data request will NOT be forwarded to the non-participating registrar and that any information provided will be used for data collection purposes that are intended to help inform future decisions about how to proceed with the Whois Disclosure System / SSAD?
Requests completed through the WHOIS Disclosure System will contain information about the requestor, including personal data, but also information about the request which may contain all sorts of data (copy of evidence, information about a third party individual, third party personal data, copy of LEA requests, confidential evidence, ...). The Data Request Form of the WHOIS Disclosure System is available in Appendix 3 of the Whois Disclosure System Design Paper (the “Data Request Form”).
In the normal process of the WHOIS Disclosure System (that is, when domain names managed by participating registrars are concerned), ICANN org will process personal data collected from the Data Request Form based on the legitimate interests (Art. 6 (1) f) GDPR) as legal basis.
In case requestors would be asked, voluntarily, to complete the Data Request Form even after it has been confirmed that the domain name subject to the request is under the management of non-participating registrars, ICANN org would likely not be able to rely on legitimate interests (Art. 6 (1) f) GDPR) as legal basis and would need to rely on a specific consent from the requestor which would be valid only to the extent personal data of the requestor are concerned. However, as noted above, it is likely that personal data of other individuals will be concerned by the request which cannot be covered by the consent of the requestor (except for the unlikely case that the requestor has obtained prior consent from all individuals concerned by the request prior to submitting it).
It is doubtful whether ICANN org could rely on the legal basis of legitimate interests (Art. 6 (1) f) GDPR) for processing personal data collected from the Data Request Form for requests pertaining to domain name registrations that are under the management of non-participating registrars, considering that collecting the complete Data Request Form’s data might be considered unnecessary to achieve the purpose of evaluating the use of the WHOIS Disclosure System for future decision-making reasons, as further discussed in the next paragraph. It is also important to note that other data protection laws beyond the GDPR will need to be considered for the processing of this data.
The processing of the data collected through the Data Request Form for requests that are made for domain name registrations that are under the management of non-participating registrars will need to achieve the purpose set out and shall not go beyond what is reasonably necessary to achieve this purpose, in line with the principles of data minimisation and proportionality. Collecting personal data from the complete Data Request Form for requests pertaining to domain name registrations that are under the management of non-participating registrars will most likely be disproportionate to the objective of evaluating the use of the WHOIS Disclosure System for future decision-making reasons.
Since the WHOIS Disclosure System will collect ICANN account logs (identity and email address of the requestor) and could log the number of requests that are made for data pertaining to domain name registrations that are under the management of non-participating registrars, as mentioned above, we recommend that the EPDP Phase 2 Small Team identify the data fields from the Data Request Form Questions (Appendix 3 to the WHOIS Disclosure System Design Paper) that would be necessary to assess the usage of the WHOIS Disclosure System. The additional personal data that would be collected would need to be strictly necessary for the objective (purpose) of the processing identified.
Considering the above, it should be noted that since there may be no legal basis for this processing under the GDPR, there is a risk for ICANN in case it would process personal data from the Data Request Form for requests pertaining to domain name registrations that are under the management of non-participating registrars, to be in breach of the GDPR which could result in fines and damage claims.
In addition, while this answer only addresses the data protection implications of this logging, there may be other risks and liabilities associated with the logging of this data by ICANN org, since applicable laws (such as criminal laws) might also foresee obligations to report certain crimes or offenses. If the Small Team believes that ICANN org should proceed to log information concerning requests submitted to non-participating registrars, the Small Team should clearly identify which data elements must be logged, the specific purpose for logging these data elements, and a clear rationale for why these data elements are necessary for this purpose. With that information, ICANN could evaluate whether the asserted benefits of this information outweigh the risks of processing this data to determine whether this added functionality can be incorporated into the system design.
In case the GNSO Council would make a policy mandating all registrars to participate in the system, data will be processed for all requests logged and the risks and impediments noted above would not apply.
- Question: Could the requestor be able to download the completed data request form so that the requestor can send the request to the non-participating registrar directly?
Answer:
A PDF or Word format of the empty request form could be made available for download in the WHOIS Disclosure System. As to whether the request could be completed in the WHOIS Disclosure System and be downloaded in a format suitable for sharing with non-participating registrars, we need to first assess whether it would technically be possible without all the data being logged and retained in the system and whether we could apply a different retention period than for requests that are logged for participating registrars.
Answers to Small Team Questions sent 5 October 2022
- Question: Can the email notifying a registrar of a request contain all the information required to act upon the request if the requestor consents to such information being emailed to the registrar? (in other words, can we allow the registrar to process the request without the operational overhead of having to log into the NSP?)
Answer:
The aim of implementing a WHOIS Disclosure System is to gather information concerning demand and usage to inform Board and community discussions concerning the SSAD recommendations. Building in work-arounds to the system to enable registrars to respond to requests would have the benefit of enabling the system to potentially route requests to more registrars, but this would also defeat the Small Team’s stated purpose for the implementation of a WHOIS Disclosure System as an information-gathering exercise to inform the SSAD discussions.
ICANN org would welcome the opportunity to work with the Small Team to identify mechanisms to encourage registrars to interact with the envisioned WHOIS Disclosure System. See the answer to question 2 below for additional discussion of this issue.
As noted in our response to Question 2 in questions sent to ICANN org on 28 September, requests completed through the WHOIS Disclosure System will contain information about the requestor, including personal data, but also information about the request which may contain all sorts of data (copy of evidence, information about a third-party individual, third-party personal data, copy of LEA requests, confidential evidence, etc.).
Could the Small Team please specifically identify what you believe is “all the information required to act upon the request”? If the Small Team could identify which of the answers from the Data Request Form of the WHOIS Disclosure System (available in Appendix 3 of the WHOIS Disclosure System Design Paper (the “Data Request Form”)), as-is, or with modifications, are required for a registrar to act upon a request, we could potentially find a way to ease the registrars’ operational burdens associated with using the system, while also implementing protections for personal data as required by applicable law and achieving the goals of the system (including collecting data to help inform the further consultation between the ICANN Board and the GNSO Council on the SSAD-related policy recommendations).
If the Small Team would confirm that sending the completed Data Request Form to the registrar managing the domain name subject to the request is necessary, including personal data of the requestor and third party(ies), ICANN org is willing to consider this request, on the common understanding that the registrar will accept all risks related to sending personal and confidential data via a less secure transmission mode and deviate from the original design which was built in accordance with the principles of privacy and security by design.
- Question: Can registrars log into the NSP on a certain cadence (e.g., monthly) to update the status requests? (thereby reducing operational overhead)
There is no policy or contractual clause to mandate a specific behavior from the participating registrars, including how often they log into NSP. That said, it is important to note that the intended purpose of the WHOIS Disclosure System is to collect data to help inform the further consultation between the ICANN Board and the GNSO Council on the next steps related to the SSAD policy recommendations. Thus, updating request status in the WHOIS Disclosure System as frequently and as close to being in real time as possible is beneficial to gathering meaningful data and to ensuring a streamlined and logical requestor experience. We could explore alternative methods of data export and entry by registrars which would relieve the need to log in. However, this would require additional work by the ICANN org design team and may require revisions to the published proposed design, as well as timeline and costs.
- Question: Can registrars opt-out of the service after opting-in if they face operational issues?
Yes. As noted above, the purpose of the WHOIS Disclosure System is to collect data on usage. As registrars opt out of the system, there will be less data collected.
Apologies: Thomas Rickert, Philippe Fouquart
Alternates: Greg DiBiase will represent RrSG and Sarah Wyld will be alternate
Notes/Action Items