Registration Data Accuracy Scoping Team: Difference between revisions

Line 88:

In a December 1, 2022 letter to the GAC, ALAC, and SSAC, GNSO Council Chair [[Sebastien Ducos]] explained that, as a result of the motion, work on proposals requiring access to registration data was paused, and that the Scoping Team’s further engagement would depend on the outcome of ICANN org’s legal and contractual analyses and the completion of the DPA.<ref name="rda-ducos-2022"></ref>

== ICANN org Assessment ==

Pursuant to the Council’s 2022 resolution and earlier Board requests, ICANN org developed and assessed four possible scenarios for obtaining data to inform discussions on registration data accuracy. These scenarios were shared with the Scoping Team in May 2022 and later described in detail in ICANN org’s “Assessment of Registration Data Accuracy Scenarios”, delivered to the GNSO Council on October 19, 2023.

The four scenarios were:

# analysis of publicly available registration data for syntactic and operational accuracy (similar to the approach used in WHOIS ARS);

# a proactive Contractual Compliance audit of registrar compliance with validation and verification obligations under the RAA;

# analysis of a representative sample of full (public and non-public) registration data voluntarily provided by registrars to ICANN; and

# a voluntary registrar survey on accuracy-related practices.

ICANN org’s assessment concluded, among other points:<ref name="rda-assessment"></ref>

* Scenario 1 (public data analysis) would not provide meaningful insight because much of the relevant data is no longer publicly available after GDPR and the Temporary Specification.

* Scenario 2 (compliance audit) could be performed within existing contractual authority, and DPIA analysis indicated that a narrowly tailored audit could be carried out consistent with GDPR, but such an audit would primarily confirm compliance with existing obligations and would be resource-intensive (estimated cost of up to US$750,000 for a full-scale audit), without answering broader questions about identity-level accuracy.

* Scenario 3 (analysis of full data samples) raised significant legal concerns, with ICANN org indicating that it might lack a sufficient legal basis under GDPR to collect and process a representative sample of full registration data solely for an accuracy study, absent additional policy or contractual changes.

* Scenario 4 (voluntary registrar survey) could provide some insight into registrar practices but might yield statistically unrepresentative data if participation were limited, and would still face questions about the legal basis for processing certain data.

The report noted that none of the scenarios would confirm whether the registrant was who they claimed to be, which for some stakeholders formed part of their concept of “accuracy”. It proposed alternative steps, including leveraging historical and ongoing Contractual Compliance audit data and analyzing European ccTLD practices in the context of evolving legislative requirements such as the EU NIS2 Directive.<ref name="rda-assessment"></ref>

== References ==

@@ Line 88: / Line 88: @@
 In a December 1, 2022 letter to the GAC, ALAC, and SSAC, GNSO Council Chair [[Sebastien Ducos]] explained that, as a result of the motion, work on proposals requiring access to registration data was paused, and that the Scoping Team’s further engagement would depend on the outcome of ICANN org’s legal and contractual analyses and the completion of the DPA.<ref name="rda-ducos-2022"></ref>
+== ICANN org Assessment ==
+Pursuant to the Council’s 2022 resolution and earlier Board requests, ICANN org developed and assessed four possible scenarios for obtaining data to inform discussions on registration data accuracy. These scenarios were shared with the Scoping Team in May 2022 and later described in detail in ICANN org’s “Assessment of Registration Data Accuracy Scenarios”, delivered to the GNSO Council on October 19, 2023.
+The four scenarios were:
+# analysis of publicly available registration data for syntactic and operational accuracy (similar to the approach used in WHOIS ARS);
+# a proactive Contractual Compliance audit of registrar compliance with validation and verification obligations under the RAA;
+# analysis of a representative sample of full (public and non-public) registration data voluntarily provided by registrars to ICANN; and
+# a voluntary registrar survey on accuracy-related practices.
+ICANN org’s assessment concluded, among other points:<ref name="rda-assessment"></ref>
+* Scenario 1 (public data analysis) would not provide meaningful insight because much of the relevant data is no longer publicly available after GDPR and the Temporary Specification.
+* Scenario 2 (compliance audit) could be performed within existing contractual authority, and DPIA analysis indicated that a narrowly tailored audit could be carried out consistent with GDPR, but such an audit would primarily confirm compliance with existing obligations and would be resource-intensive (estimated cost of up to US$750,000 for a full-scale audit), without answering broader questions about identity-level accuracy.
+* Scenario 3 (analysis of full data samples) raised significant legal concerns, with ICANN org indicating that it might lack a sufficient legal basis under GDPR to collect and process a representative sample of full registration data solely for an accuracy study, absent additional policy or contractual changes.
+* Scenario 4 (voluntary registrar survey) could provide some insight into registrar practices but might yield statistically unrepresentative data if participation were limited, and would still face questions about the legal basis for processing certain data.
+The report noted that none of the scenarios would confirm whether the registrant was who they claimed to be, which for some stakeholders formed part of their concept of “accuracy”. It proposed alternative steps, including leveraging historical and ongoing Contractual Compliance audit data and analyzing European ccTLD practices in the context of evolving legislative requirements such as the EU NIS2 Directive.<ref name="rda-assessment"></ref>
 == References ==