News Alert

https://www.icann.org/news/announcement-2015-06-05-en

Advisory Concerning Registrar Obligations to Provide Data to ICANN Pursuant to Section 3.4.3 of the 2013 RAA

5 June 2015

Section 3.4.3 of the 2013 Registrar Accreditation Agreement (the "2013 RAA") requires registrars to provide certain data, information, and records to ICANN upon request and incorporates a procedure by which ICANN and registrars can agree to limitations, protections, or alternative solutions in the event a registrar believes that the provision of such data to ICANN would violate applicable law or legal proceedings.

Several registrars have requested clarification from ICANN regarding the 2013 RAA's procedure for discussing and agreeing on appropriate limitations, protections, or alternative solutions for production of data, information, or records requested by ICANN. In particular, registrars have told ICANN that meaningful discussions of potentially relevant legal issues require that ICANN identify

(i) the purposes for which ICANN is requesting such data, information, or records;
(ii) how ICANN intends to use such data, information, or records; and
(iii) duration for which ICANN intends to retain such data, information, or records.¹

The following advisory outlines the relevant provisions of the 2013 RAA and explains the steps that ICANN will take upon a registrar's request if ICANN seeks access to data, information, or records pursuant to Section 3.4.3 of the 2013 RAA.

Relevant Provisions of the 2013 RAA

Section 3.4.3 of the 2013 RAA provides:

3.4.3 During the Term of this Agreement and for two (2) years thereafter, Registrar shall make the data, information and records specified in this Section 3.4 available for inspection and copying by ICANN upon reasonable notice. In addition, upon reasonable notice and request from ICANN, Registrar shall deliver copies of such data, information and records to ICANN in respect to limited transactions or circumstances that may be the subject of a compliance-related inquiry; provided, however, that such obligation shall not apply to requests for copies of the Registrar's entire database or transaction history. Such copies are to be provided at Registrar's expense. In responding to ICANN's request for delivery of electronic data, information and records, Registrar may submit such information in a format reasonably convenient to Registrar and acceptable to ICANN so as to minimize disruption to the Registrar's business. In the event Registrar believes that the provision of any such data, information or records to ICANN would violate applicable law or any legal proceedings, ICANN and Registrar agree to discuss in good faith whether appropriate limitations, protections, or alternative solutions can be identified to allow the production of such data, information or records in complete or redacted form, as appropriate. ICANN shall not disclose the content of such data, information or records except as expressly required by applicable law, any legal proceeding or Specification or Policy.

Procedure for Data To Be Made Available to ICANN

1. If, pursuant to Section 3.4.3, ICANN provides notice to a registrar requiring that (1) data, information, or records be made available to ICANN for inspection or copying; or (2) that data, information or records be delivered to ICANN, the registrar may request, in writing (with email deemed sufficient), that ICANN provide a written description specifying to a reasonable extent: (a) the data, information, and records that are the subject of the request; and (b) the purpose, including identification of the transfers envisaged to third parties and the purpose of such transfer, for which ICANN maintains that access to or a copy of the data, information, and records is necessary (the "Access Purpose Description").
2. ICANN will, upon the written request of the registrar, provide the registrar with the Access Purpose Description in writing (with email deemed sufficient). With respect to the purpose, ICANN is limited to one or more of the purposes described in the draft document "Description of 2013 RAA Data Retention Specification data elements and potentially legitimate purposes for collection/retention" that was posted on 21 March 2014 (the "Description") as it may be modified by ICANN from time to time. Any future changes to the Description must be in line with the law and regulations applicable to the registrars, including but not limited to rules on the processing of data for purposes which are not incompatible with the legitimate purpose for which the data were originally collected. ICANN will work in good faith to agree with the Registrar on appropriate levels of data protection, if applicable, and, respecting any safeguards necessary to achieve this purpose (e.g., Standard Contractual Clauses, if appropriate).
3. If an Access Purpose Description is requested by a registrar and provided by ICANN, ICANN will not process or use the data, information, and records for any purpose other than those stated in the Access Purpose Description. This does not exclude ICANN from issuing a further Access Purpose Description, referring to one or more purposes listed in the Description, if another purpose becomes relevant with respect to such data, information, and records and is in line with the law and regulations applicable to the registrars, including but not limited to rules on the processing of data for purposes which are not incompatible with the legitimate purpose for which the data were originally collected. As provided in Section 3.4.3 of the 2013 RAA, ICANN will not disclose the content of such data, information, or records to a third party except as expressly required by applicable law; any legal proceeding; or Specification or Policy (as defined in the 2013 RAA) in line with the law and regulations applicable to the registrars, including but not limited to rules on the processing of data for purposes which are not incompatible with the legitimate purpose for which the data were originally collected; and, to the extent applicable, in line with any "onward transfer requirements" safeguards to which ICANN has stipulated to ensure appropriate levels of data protection on part of ICANN (e.g., Standard Contractual Clauses, if appropriate). If ICANN is required to disclose the content of the data, information or records in accordance with the preceding sentence, it will immediately notify the registrar involved in writing (with email deemed sufficient) of the grounds for the order or requirement, the party to whom the data must be disclosed and the stated purpose of the disclosure, as well as the legal means available to oppose such disclosure, if and to the extent stated in the order or requirement, unless and to the extent such notification is expressly prohibited by law or court order.
4. ICANN will delete the data, information, and records if and when they are no longer required for the purpose(s) stated in the Access Purpose Description(s), subject to adherence to any retention requirements mandated by law, if any.

If a registrar believes that the provision of any such data, information, or records to ICANN would violate applicable law or any legal proceedings, any ensuing good faith discussions between ICANN and the registrar will take into consideration the purposes set forth in the Access Purpose Description provided by ICANN. In those good faith discussions, ICANN would take into account, without limitation any legal opinion submitted by the registrar from a nationally recognized law firm in the applicable jurisdiction and, in particular, the rulings or guidance provided by a national or EU governmental body of competent jurisdiction including relevant data protection authorities, as well as the requirement of Section 3.7.2 2013 RAA that registrar shall abide by applicable laws and governmental regulations.

If good faith discussions are ongoing between ICANN and the registrar as indicated above, ICANN would refrain from commencing a compliance procedure against the registrar for breach of Section 3.4.3 of the 2013 RAA for a reasonable period of time with the goal of allowing the good faith discussions to facilitate a resolution.

¹In discussions with ICANN, most registrars have acknowledged that legitimate purposes exist for the retention of the data elements specified in Articles 1.1 and 1.2 of the Data Retention Specification (the "Specification") of 2013 RAA, but some registrars have called for clarification of the 2013 RAA's process for ICANN's request for data from a registrar to ensure a compatible use of the data, which is not addressed by the waiver process described in the Specification.