One of the areas that was of particular concern in the aftermath of the RegisterFly meltdown was registrant data. In simple terms, if a registrar fails there could be a serious issue gaining access to the information linking registrants to their domain names. For some registries this isn’t that much of an issue, as they are what is known as “thick registries” ie. the registrant details are also held directly by the registry. Unfortunately this isn’t the case for .com, which is where the bulk of registrations lie.
In order to rectify this situation ICANN put in motion a data escrow program. Basically this would mean that registrars would have to place registrant information with a 3rd party. If the registrar has issues then the data associated with the domains should still be safe.
According to a recent announcement from ICANN the data escrow contract has been granted to Iron Mountain.
Under the data escrow provision of the Registrar Accreditation Agreement (RAA),
all ICANN-accredited registrars must regularly deposit a backup copy of their
gTLD registration data with ICANN through ICANN’s arrangement with Iron Mountain
or they may elect to use a Third Party Provider of RDE services that has been
approved by ICANN. The data held in escrow may be released to ICANN upon termination
of a registrar’s accreditation agreement or expiration of the accreditation
agreement without renewal to facilitate transfer of registrations from the
failed registrar to another registrar. ICANN plans to have all accredited registrars
enrolled in the RDE program within the next six months.
While this is probably a very positive move in terms of protecting registrants it does raise some interesting privacy issues as well. Does this sort of data transfer have implications for EU data privacy law?
While the technical implementation of the data escrow may incur extra costs for registrars they are not being expected to pay the escrow fees – these will be covered by ICANN directly.