Data Retention Requirements in the 2013 RAA
My recent post on the ICANN Blog highlighted the 2013 RAA and some of its noteworthy improvements designed to protect registrants and the Internet-using public. An additional update included in the 2013 RAA is the Data Retention Specification.
The Data Retention Specification updates and clarifies the data retention obligations that were included in the 2009 RAA (and previous versions of the RAA). The 2013 RAA generally requires more data elements to be retained by registrars than before, but divides the data elements into groups that must be kept for either 2 years beyond the registration term or 180 days – both shorter than what was required under previous versions of the RAA.
Compliance with Laws
The 2013 RAA data retention requirements were based on recommendations strongly supported by the governments of the world through ICANN’s Governmental Advisory Committee. However, some registrars expressed concerns that local data protection and other privacy laws might make it difficult for them to comply with these new requirements. ICANN recognizes that laws vary from country to country and that some of the new data retention requirements in the 2013 RAA may conflict with certain European data protection and privacy regulations. To be clear, governing laws take precedence over the terms of the RAA.
The 2013 RAA features a new “severability” provision that provides a mechanism for situations where a provision of the agreement is held to be unenforceable under applicable law. Also, a specific provision concerning waivers was incorporated into the Data Retention Specification to deal with cases where compliance with the data collection and/or retention requirements might be prohibited by applicable law.
Eligibility for a Compliance Waiver Under the 2013 RAA
The first new 2013 RAAs became effective in August 2013, and in September 2013 ICANN posted a “Process for Handling Registrar Data Retention Waiver Requests”. To be eligible for a compliance waiver of the data retention requirements, registrars must present ICANN with an opinion from a law firm or a ruling or guidance from a governmental body of competent jurisdiction that states that collecting or retaining one or more data elements in the manner required by the specification violates applicable law. A broad general assertion that the data collection and Data Retention Specifications requirements are unlawful will be insufficient, as it fails to identify the specific 2013 RAA requirement that is problematic. Rather, the waiver request must specify the applicable law, the specific allegedly offending data collection and/or retention requirement(s), and the manner in which the collection and/or retention violates the law. This specificity helps ICANN to determine the appropriate limitations on the scope and duration of data collection and retention requirements when granting the waiver.
The 2013 RAA calls for ICANN and the registrar to discuss waiver requests in good faith in an effort to reach a mutually acceptable resolution. If ICANN agrees with the registrar’s determination that collection or retention of any data element violates applicable law, then ICANN may suspend compliance and enforcement of the affected provisions and grant a waiver (after first posting its preliminary waiver determination online for 30 days). ICANN contemplates that waivers should be tailored to limit the scope and/or duration of data collection and retention as necessary to comply with local law, but will not completely eliminate all requirements for data collection and retention.
Privacy Laws Allow for Retention of Data
In countries with data privacy laws applicable to registrars, ICANN has found that restrictions generally permit the retention of registration data, but only for legitimate purposes, and for a period no longer than is necessary for the purposes for which the data were collected or for which they are further processed. What constitutes a legitimate purpose and how long data can be retained are complicated questions, and the answers may vary from one country to the next, even within the European Union (EU), which is subject to the same data privacy directive across all member states.
ICANN’s position is that there are important public and registrant protection purposes that support the requirements for registrars to keep records of domain registrations, even for some period of time beyond expiration of a domain name. For example, registration data would be necessary to attempt to undo a domain name hijacking, even though the registrar might consider the registration agreement to have terminated at the time of an (unauthorized) transfer.1 Similarly, a victim of identity theft might contest a credit card charge for a registration that was deleted by the registrar due to use of the domain for phishing or malware distribution in violation of its service agreement; basic registration record-keeping would be required to facilitate resolution of the matter. Registrars might also need registration data to resolve billing errors or disputes, such as in the imposition of a registration renewal fee after a domain was transferred or deleted. These are just a few real-life examples where there would be a legitimate reason for registrars to maintain registration and transaction records for some period of time following the deletion or transfer of a registration.
Status of Submitted Waiver Requests
The complexity and diversity of national privacy laws has resulted in considerable investments of time and resources by ICANN and registrars alike. To date, 15 waiver requests have been submitted by registrars within the European Union. The EU’s Article 29 Working Party has also written to ICANN to express its concerns about the legality of data retention requirements of the 2013 RAA within the EU. Because each country may interpret its data privacy requirements differently, ICANN is working through each of the submitted requests, country-by-country.
On 24 January 2014 ICANN posted the first “Notice of Preliminary Determination To Grant Registrar Data Retention Waiver Request” to Registrar OVH SAS in France. The proposed waiver would permit OVH SAS to maintain certain information specified in part of the Data Retention Specification for the duration of its sponsorship of each registration and for a period of 1 additional year thereafter (rather than 2 years thereafter). ICANN and its outside counsel have been engaged in talks with several other registrars about their waiver requests. We are optimistic that these discussions will allow ICANN to grant additional waivers soon.
WHOIS Conflicts of Law Procedure
The procedures for seeking a waiver of the data retention obligations under the 2013 RAA differ from than those that apply under the WHOIS Conflicts of Law Procedure that was developed by the ICANN community and adopted by the Board. We are aware of the challenges the existing two-procedure approach might pose and have also heard the suggestion from some registrars that the threshold required to invoke the Whois Conflicts procedure might be too high. In an effort to try to resolve these concerns, ICANN will soon be announcing a public review of the Whois Conflicts procedure, which will incorporate substantial community input. More details about this review will be published in the coming weeks.
ICANN remains committed to protecting registrants and the public, and to compliance by registrars with applicable laws. We look forward to further discussions with registrars, governments and other stakeholders on these issues, including at the upcoming ICANN meetings 23-27 March 2014 in Singapore.