The EPDP Team was tasked by the GNSO Council to address the following two questions:

  1. Whether any updates are required to the EPDP Phase 1 recommendation on this topic (“Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”);
  2. What guidance, if any, can be provided to Registrars and/or Registries who differentiate between registrations of legal and natural persons.

In addressing these questions, the EPDP Team started with a review of all relevant information, including (1) the study undertaken by ICANN org,[1] (2) the legal guidance provided by Bird & Bird, and (3) the substantive input provided on this topic during the public comment forum on the addendum. Following the review of this information, the EPDP Team identified a number of clarifying questions, which, following review by the EPDP Team’s legal committee, were submitted to Bird & Bird (see https://community.icann.org/x/xQhACQ).

As part of its approach in dealing with these two questions, the EPDP Team agreed to commence with identifying possible guidance to Registrars and/or Registries who decide to differentiate between registrations of legal and natural persons.

Proposed Guidance

In developing the guidance below, the EPDP Team would like to remind the Council and broader community of the following:

  1. GDPR and other data protection legislation set out requirements for protecting personal data, not non-personal data.
  2. Per EPDP Phase 1 Recommendation #6, “as soon as commercially reasonable, Registrar must provide the opportunity for the Registered Name Holder to provide its Consent to publish redacted contact information, as well as the email address, in the RDS for the sponsoring registrar”.
  3. Per EPDP Phase 1 Recommendation #17, “Registrars and Registry Operators are permitted to differentiate between registrations of legal and natural persons, but are not obligated to do so”.
  4. Distinguishing between legal and natural person data alone is not sufficient,[a][b][c] as the data provided by legal persons may include personal data.
  5. Registrars operate different business models (Retail, Reseller, Brand Protection, Others), and one-size-fits-all or overly prescriptive guidance does not properly consider the range of registrar business models and the various process flows the different business models may require. Instead, Registrars require flexibility to implement differentiation in a manner that best suits their business model and reduces the risks associated with differentiation to an acceptable level for that particular Registrar.
  6. Per Phase 2 Final Report Recommendation #9.4.4: “the EPDP Team recommends that the following types of disclosure requests, for which legal permissibility has been indicated under GDPR for full automation (in-take as well as processing of disclosure decision) MUST be automated from the time of the launch of the SSAD (…) No personal data on registration record that has been previously disclosed by the Contracted Party.”

The EPDP Team would like to put forward the following guidance to assist Registrars who want to differentiate between registrations[d][e] of legal and natural persons, or, more specifically, between personal data and legal person non-personal data.

  1. Ideally, differentiation between personal data and legal person non-personal data happens at the time of registration, as this would minimize the risk[f] that personal data gets inadvertently published or non-personal data gets redacted. However, the EPDP Team understands[g] that this may not be possible or practical in all circumstances, e.g., existing domain name registrations.
  2. As part of the implementation, Registrars should consider using a type of flag in the RDDS that would identify the type of data it concerns (personal or non-personal data), as this could facilitate review of disclosure requests as well as indicate changes to the type of data in the registration data field(s).

The EPDP Team has identified three different high-level scenarios for how differentiation can occur based on who is responsible and the timing of such differentiation. It should be noted that other approaches and/or a combination of these may be possible.

  1. Data subject self-identification at time of data collection / registration
     a. Registration data collection process includes indication of legal or natural person type, followed by confirmation that only non-personal data is provided for legal person type.
     b. If legal person is selected and a confirmation by the data subject is provided that the registration data does not include any personal data, registration data set is published.
     c. If natural person is selected or personal data is confirmed present, registration data is not published[h][i], unless consent for publication has been provided by the data subject[j][k].

  2. Data subject self-identification after initial collection
     a. Data is collected and provisionally redacted.
     b. Registrant indicates legal type after registration is completed, for example, at the time of renewal for existing registrations or through a separate notice requesting self-identification[2].
     c. If the data subject identifies as a legal person and confirms that the registration data does not include personal data, data is then published.

  3. Registrar determines type based on data provided[l]
     a. Data is collected.
     b. Registrar uses collected data to infer legal or natural person type.
     c. If legal person is selected and registrar confirms that no personal data is present, registration data set is published.
     d. If natural person is selected or personal data is detected, registration data is not published unless consent for publication has been provided by the data subject[m].[n]

In all of the above scenarios, clear communication and guidance needs to be provided to the registrant (data subject) concerning the possible consequences of[o] identifying as a legal or natural person.

Registrars may also choose to use a third party to verify that a legal person has correctly identified itself.

The EPDP Team recognizes that in all of the above scenarios, there is the possibility of misidentification, which may result in the inadvertent publication of personal data. However, following the guidance above and clearly documenting the process and all data processing steps should help reduce this risk to a minimum.[p][q]


[1] As part of its Phase 1 Policy Recommendation #17, the EPDP Team recommended, “as soon as possible ICANN Org undertakes a study, for which the terms of reference are developed in consultation with the community, that considers:

  • The feasibility and costs including both implementation and potential liability costs of differentiating between legal and natural persons;
  • Examples of industries or other organizations that have successfully differentiated between legal and natural persons;
  • Privacy risks to registered name holders of differentiating between legal and natural persons; and
  • Other potential risks (if any) to registrars and registries of not differentiating.

ICANN org delivered the study to the EPDP Team in July 2020.

[2] Note, the implementation of EPDP Phase 1, recommendation #12 (Organization Field) may facilitate the process of self-identification.

[a]Is not sufficient for what?

[b]distinction between differentiation and publishing/disclosure is required

[c]I don't think we would agree that it's not sufficient. However, happy to discuss making the additional distinction that follows.

[d]the provided guidance focuses on differentiation only for the purpose of disclosure. The GDPR differentiates between legal persons and natural persons, and thus making this distinction makes sense regardless of the disclosure or publishing of the data, which will depend on whether the data includes personal information or not. For that we need two flags: one for the registrant type (natural/legal/unidentified) and another for the data type (includes PI/does not include PI)

[e]Hadia, could you perhaps provide some context as to why you believe the differentiation 'makes sense' outside of disclosure. Specifically, why would such a differentiation, in the context of the temp spec, be considered necessary in a manner other than in the context of disclosure?

[f]There is no "risk" in non-personal data redaction.

[g]I don't think we'd agree with this sentence. Why couldn't the registrant self-identify at the time of registration?

[h]Note that this requires a "flag"

[i]Need a better word than "disclosure" for the act of returning unredacted data in response to a query

[j]Note that this existing policy requires a "flag"

[k]Note that data subject may not be the party executing the process on their behalf - consent by third party impossible.

[l]This option is not acceptable to NCSG. We want the RNH to be in control of how they are designated. I cannot see any justification for allowing a second party to make that determination for them, given its consequences for data publication.

[m]Just want to re-flag the issue of obtaining third party consent as per Bird & Bird Memo on consent. d) does not take this properly into account.

[n]Suggest deletion: unrealistic, except for maybe corporate registrars

[o]How can you communicate "guidance" to a registrant if the registrar is the one determining the person type by looking at records on its own without any involvement of the RNH?

[p]Would not be part of typical recommendation language. Revise the intent of this statement by providing examples of who does what in a Could/Should/May/Must format.

[q]Assessment of legal risk: legal determination the EPDP team cannot and should not make.