New 2013 Registrar Accreditation Agreement approved by ICANN

International

Earlier this year, a war of words between registrar groups and ICANN took place over the latter's proposed new Registrar Accreditation Agreement (RAA). ICANN was keen to get the new agreement approved in time to coincide with the signing of the first Registry Agreements (RA) with new gTLD applicants and, in the end, it achieved this partly by including a possible waiver for some of the more controversial requirements.

The 2013 RAA incorporates a raft of new measures, such as registrant contact data verification and retention of registrant data that are designed to increase registrant accountability and thus shore up confidence in the domain name registration system, notably for IP rights advocates and law enforcement agencies. It was subject to numerous amendments as a result of extensive consultation by ICANN with the representatives of registrar groups and the public over the period between 2011 and 2013.

The new 2013 RAA was approved by ICANN on June 27 2013 and the first RAs entered into with a handful of registrars at a signing ceremony held at the 47th ICANN meeting in Durban, South Africa on July 15 2013. Time was of the essence for ICANN to get the new RAA approved by the ICANN board in view of the fact that it will be obligatory for any registrar that wants to sell new gTLD domain names.  

However, in the run up to its approval, concerns were expressed about some of the new provisions of the 2013 RAA, the most serious of which were voiced by the Article 29 Working Party, a body made up of privacy regulators from each EU nation. According to this body, the obligation for registrars to retain registrant data, including such elements as credit card details, for a period of up to two years after the termination of a domain name contract, violates data protection law in Europe. In a letter sent to ICANN on June 6 2013, the Article 29 group illustrated the risk entailed by such a practice by stating as follows:

"Taking into account the diversity of these registrars in terms of size and technical and organisational security measures, and the chance of data breaches causing adverse effects to individuals holding a domain name, the Working Party finds the benefits of this proposal disproportionate to the risk for individuals and their rights to the protection of their personal data."

In order to avoid having such concerns derail the process, ICANN had included, in September 2012, a procedure for registrars to request a waiver from the contentious obligations if necessary in order to avoid violating applicable data protection law. The RAA states that such a waiver request must be based on a "written legal opinion from a nationally recognized law firm" or "written guidance from a governmental body of competent jurisdiction providing that compliance with the data collection and/or retention requirements of this specification violates applicable law".

It had been hoped that the Article 29 letter would itself serve as sufficient justification for European registrars to opt out of contentious provisions, but at the recent ICANN meeting in Durban, ICANN VP Cyrus Namazi told the Governmental Advisory Committee that this was not the case, as Article 29 was “not a legal authority”. Namazi added that opting out would only become an option once the principle was "adopted into legislation by the EU".

Even if EU-based registrars manage to escape complying with certain clauses of the new 2013 RAA, Michele Neylon, chair of the Registrar's Stakeholder Group (a group that had negotiated with ICANN in relation to the 2013 RAA over a period of almost two years), fears that “the unfortunate reality is that a lot of companies may sign contracts without being aware of what they’re agreeing to”, adding that “the entire exercise could be seen as a failure if the outliers - registrars not actively engaged in the ICANN process or whose first language is not English - are not communicated with.”

Although ICANN does hold outreaches with registrars on matters such as contractual compliance in countries like China, the 2013 RAA itself is in English and, as Michele Neylon has also noted, somewhat scathingly: “Most of the communications, events, etc, are conducted in English. If English is not your first language, it’s very hard to actively participate within this entire circus.”

It will be interesting to see how individual registrars, both large and small, deal with fulfilling their new obligations under the 2013 RAA to verify and retain registrant data and whether the European Parliament will enact laws that allow EU-based registrars the possibility of opting out of problematic clauses. In the absence of the latter, it may be a matter of reality biting for EU-based registrars seeking to sell new gTLDs.

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris

Get unlimited access to all WTR content