The Temp Spec is not dead – it just smells funny
Thomas Rickert & Lars Steffen from the eco Names & Numbers Forum, on the 1-year anniversary of ICANN’s Temporary Specification for the processing of personal data in the context of domain registrations.
With the entry into force of the General Data Protection Regulation on 25 May 2018, ICANN was faced with the challenge of adapting the scope of data collected during the registration of generic domain names, their storage and processing, and their publication in the public WHOIS to the new legal framework.
Therefore, on 17 May 2018, the ICANN Board of Directors adopted a Temporary Specification (the “Temp Spec”) to respond to the requirements of the General Data Protection Regulation regarding the processing of personal data within the context of “registration data.” The Temp Spec tool used by the Directorate has a great advantage and – at the same time – an inverse disadvantage, depending on the observer’s point of view.
The advantage is that the ICANN Board of Directors is thus given the opportunity to react to urgent or crisis situations with policies that have not been developed and adopted by a policy development process based on ICANN’s typical multi-stakeholder model. Temp Spec policies become a binding part of the contract for all registries of generic top-level domains and registrars without having to go through the time-consuming process of grassroots democratic policy development.
The downside is that ICANN’s statutes contain precautionary mechanisms to prevent these temporary workarounds from becoming a permanent solution and in this way circumventing the multi-stakeholder process and involving the ICANN community. Thus, the ICANN Board of Directors may only adopt such Temp Specs for three months at a time. Although these temporary policies may be re-confirmed by the Governing Board for a further three months after the three-month period has expired – which has also happened in the present case – they may only be re-confirmed up to a maximum of one year. At the same time, an accelerated policy development process, the so-called “expedited policy development process” (EDPD for short), must be initiated in the GNSO, the interest group for registries of generic top-level domains at ICANN. As part of this process, the Temp Spec must either be confirmed, rejected, or modified.
The working group for the EPDP started its work on 19.06.2018 in order to work on a further development or replacement of the temporary specification. On 20 February 2019 the team sent its first recommendations to the ICANN Board of Directors.
The one-year anniversary of the Temp Spec is also its final day of existence, as the ICANN Board of Directors is no longer allowed to extend it in its original version.
On 15 May2019, the ICANN Board of Directors made and published its decision (https://www.icann.org/resources/board-material/resolutions-2019-05-15-en#1.b) on the proposals of the EPDP Working Group.
But let us briefly summarize again what has happened in the meantime: We have already reported that I work for the eco members as a representative of the Internet Service Provider and Connectivity Provider Constituency (ISPCP) in the EPDP working group. Despite all the differences of opinion among the stakeholders gathered in this group, the EPDP team published its final report on the first of two phases of its work on 20 February 2019. On 04 March 2019, the GNSO Council adopted the 29 recommendations from this report, whereby the Intellectual Property Constituency (IPC) and the Business Constituency (BC), who did not agree with some aspects, did not vote for the report.
It is no exaggeration to say that the recommendations of the EPDP team deviated significantly from the Temp Spec in a number of areas and modified it perceptibly, so that the Temp Spec can be regarded as having been given a “general overhaul.”
But what decision has the ICANN Board of Directors now made? The Management Committee adopted 27 of the 29 recommendations. Comments on implementation or recommendations for further elaboration in the second phase of the EPDP have been added to some of the recommendations, as can be seen on the so-called scorecard (https://www.icann.org/en/system/files/files/epdp-scorecard-15may19-en.pdf).
At the time the decision was taken, the Board of Directors did not see itself as in a position to adopt the following recommendations:
Recommendation #1, which states that the purpose of data processing is for ICANN to be able to respond to requests from third parties for unpublished WHOIS data. The processing of personal data for the purpose of responding to requests for information from third parties was already the subject of heated discussions during the work of the EPDP team. Ultimately, the correspondence with the European Commission may well have led to ICANN’s Board of Directors wanting to see further work on this issue in the second phase of the EPDP.
Recommendation #12, which deals with the “Organization” field and stipulates that the data stored for this field may only be published if the registrant agrees. In the absence of such feedback from the registrant, the registrar may either delete the data in this field or simply no longer publish it. The ICANN Board of Directors has adopted the part of the recommendation where the data are no longer published and excluded the part where the data are deleted. The reason given for this is that there may be cases in which the registrant can only be identified by the information in the “Organization” field and deletion then no longer allows the registrant to be assigned to the domain.
But what happens now? Work on the second phase of the EPDP has only just begun.
This process will ultimately result in the “Registration Data Policy”. Until then, the so-called “Interim Registration Data Policy for gTLDs”, now based on the modified Temp Spec, will apply. Its implementation will take place in three stages:
- The specifications of the Temp Spec are to be further implemented by the Contracted Parties, i.e. registries and registrars.
- Once a final Registration Data Policy has been finalized, agreed upon, and published together with the Implementation Review Team, and formally announced to the Contracted Parties, the registries and registrars may either implement the Temp Spec or the Registration Data Policy, or mix elements of both.
- From the date on which the Registration Data Policy becomes effective, this alone must be followed. The EPDP team has recommended 29 February 2020 for this.
Whether and for how long we will continue to see elements of the Temp Spec in the market depends on the development cycles of the registries and registrars and their pleasure in implementation. The Temp Spec, which never had many friends in any case and is no legal masterpiece, is nonetheless in an ongoing process of disintegration.
Or – borrowing from Frank Zappa: The Temp Spec isn’t dead, it just smells funny.