Pascal is a PwC Partner with more than 20 years of experience. He advises clients in the private and public sector on Risk Assurance (internal audit, risk management, internal control) and Privacy related matters. Prior to his focus on Risk Assurance & Privacy, Pascal delivered external audit services.
The Tiered Access Program accommodates two types of users:
Registries and Registrars: The domain name registries (gTLDs and ccTLDs) and registrars. The Tiered Access Program allows domain name registries and registrars to make non-public domain name registration data available in a GDPR compliant manner to Requestors who claim to have a legitimate interest in having access to such data.
Requestors: physical or legal persons who would like to obtain access to non-public domain name registration data. The identity of these users as well as the capacity in which they are acting are verified and recorded. During the testing phase of the Tiered Access Program, these are limited to law enforcement agencies, attorneys, trademark owners, and security experts. Note that one physical or legal person can have multiple capacities.
2. Connecting with Registries & Registrars
In the process of accrediting registries and registrars of the Tiered Access Program, PwC will rely on information published by ICANN / IANA, as well as information provided by registries who have been authorized to use the Tiered Access Program (e.g., for ccTLD registries, who have their own accreditation process for registrars).
Once a party has been authorized as a “registry” or “registrar”, PwC will reach out to its technical team to determine how the Tiered Access Program can connect to its systems in order to obtain access to non-public domain name registration data.
Verified registries and registrars will receive a unique verification link. Once the registry/registrar clicks on this link, he or she will be known in our system as a validated user.
2.1. Scenario definition
In order to assist registries and registrars in fulfilling GDPR compliant requests for access to non-public domain name registration data, the Tiered Access Program incorporates a number of scenarios in accordance with which Requestors may formulate such requests.
Generally speaking, each scenario includes a combination of many parameters that will be taken into account by the Tiered Access Program when fulfilling a request for access. These parameters consist of the capacity of the requestor, the reasons for obtaining access to non-public domain name registration data, the data points that will be disclosed, the jurisdiction of the registrant, etc.
PwC has developed a number of template scenarios that are being made available through the Tiered Access Program and which are considered compliant with the GDPR, bearing in mind the legitimate interest claimed by the requestor and the proportionality of the data that is disclosed to the requestor in this scenario. However, registries and registrars may implement alternative and additional scenarios which will overrule PwC’s templates.
Simply stated, each template includes statements (“rules”) by the registry or registrar of whether or not a particular data point can be disclosed to the requestor, given the particular scenario. In total, each template includes 46 different data points.
There is no limit to the number of templates a registry or registrar can develop, in addition to the default templates that are made available by PwC.
2.2. Rule setting
Each template that is activated by a registry or registrar results in a rule. Rules can contain the following elements:
Requestor Type: This is the end user who is allowed to make a request. At this stage, the Tiered Access Program supports the following Requestor types:
law enforcement agent or agency;
intellectual property owner;
Domain: The top-level domain. Registries can define different templates and rules for each specific top-level domain;
Use Case: The legitimate interest that is claimed by the Requestor.
Once these three elements are set, a template can be selected. This template will be applicable in the scenario with the previously selected Requestor, top-level domain and use case.
3. Requestor Verification and accreditation
Independent from the previous step, PwC will verify the identity of any party (individual, legal entity) who would like to use the Tiered Access Program as an authorized Requestor. This includes parties who, acting in a certain capacity, would like to have access to such non-public information (Requestors).
Each and every Requestor will have to be verified. Depending on the type of Requestor (IP owner, lawyer…) the evidence that needs to be provided will differ. The Tiered Access Program will do this verification manually or automatically, depending on the complexity of the user type. Once a user is verified he will have access to the Tiered Access Program. The Requestor can request WHOIS information for a specific domain name. Which information the Requestor will see depends on the rules defined by the registry/registrar.
The process of identifying, verifying and authorizing a party who would like to become an authorized user is entirely managed by PwC’s international and multilingual competence centre, using state-of-the-art and trusted methodologies and tools.
During the testing phase, PwC will only accredit law enforcement agents, IP owners, attorneys and security specialists as requestors of the Tiered Access Program, based on specific criteria that have been developed for each jurisdiction.
4. Fulfilling Domain Name Registration Data Request
When a registry and/or registrar has been authorized to use the Tiered Access Program, the appropriate technical connections are in place and the templates containing the different rules have been defined, authorized Requestors can start submitting domain name registration data access requests to be fulfilled by such registry or registrar through the PwC Tiered Access Program.
In essence, fulfilling domain name registration data access requests through the Tiered Access Program includes the following high-level processes:
4.1. Receive and Process Requests for Non-Public Domain Name Registration Data
Once a requestor is authorized by PwC, he or she will be able to initiate requests for obtaining access to non-public domain name registration data. When doing so, the requestor needs to justify the reasons for which he or she would like to access such data, and substantiate such request.
Although this substantive information will not be reviewed by PwC or passed on to registries or registrars with the request itself, PwC logs the content of this request and may, as the case may be, disclose this information if a complaint is being filed on the basis of illegitimate processing of personal information (see step 6 below).
Following receipt of a request by an authorized user, PwC will request all information relating to the domain name that is the subject of the request from the authorized registry and/or registrar. Generally speaking, this is done through a secure connection between the Tiered Access Program on the one hand and the WHOIS or RDAP server of the registry and/or registrar on the other.
Any and all technically complete requests made by requestors will result in a query being made by PwC to the respective registrar and registry. PwC will not “cache” domain name registration data previously obtained from registries or registrars. However, each request (and response) will be individually logged, for compliance and audit purposes.
Also, although PwC will have access to any and all information relating to domain names managed by registries and registrars, it does not process any information with respect to a domain name for which it has not received a request from a requestor. Therefore, PwC does not “copy” or “collect” in any way domain name registration data that is not the subject of a request.
4.2. Data Collection & Filtering
When receiving PwC’s request through the Tiered Access Program, the respective registrar and/or registry will submit any and all data with respect to the domain name (i.e., both public and non-public information) to PwC.
Subsequently, PwC will only pass on to the requestor the information that is considered proportionate in light of the scenario defined by the requestor.
By default, the Tiered Access Program contains rulesets that have been extensively checked and validated by an expert PwC legal team. Therefore, when registries and registrars decide to use PwC’s predefined ruleset, the fulfilment of requests by Authorized Users will be fully in line with the GDPR.
If a custom rule is set for a specific scenario, this rule will overwrite the default rule (initially defined by PwC). This way the registry and registrar have all flexibility and can adapt the rules to their own modus operandi.
At all times, an authorized registry or registrar will be able to verify which scenarios and rules have been defined, and change these with respect to future requests processed through the Tiered Access Program.
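The rule lookup of section 2.2 and the filtering of section 4.2 can be sketched as follows. This is an added example, not PwC's code: the requestor-type and use-case labels, the data-point names and the sample record are constructed, and withholding every data point that no rule explicitly allows is an assumption.

```python
from datetime import datetime, timezone

# Constructed stand-ins for default templates: (requestor type, TLD, use case)
# -> {data point: may it be disclosed?}. All labels here are hypothetical.
DEFAULTS = {
    ("law_enforcement", "example", "criminal_investigation"): {
        "registrar": True, "registrant_name": True,
        "registrant_email": True, "registrant_phone": False},
    ("ip_owner", "example", "trademark_infringement"): {
        "registrar": True, "registrant_name": True,
        "registrant_email": False, "registrant_phone": False},
}

# Constructed full record, as a registry would return it (public and non-public).
RECORD = {"registrar": "Example Registrar", "registrant_name": "Jane Doe",
          "registrant_email": "jane@example.invalid", "registrant_phone": "+00.0000000"}


class DisclosureFilter:
    def __init__(self, defaults):
        self.defaults = defaults
        self.custom = {}      # rules set by the registry or registrar
        self.audit_log = []   # one entry per request; never used as a cache

    def set_custom_rule(self, requestor_type, tld, use_case, template):
        self.custom[(requestor_type, tld.lower(), use_case)] = dict(template)

    def resolve(self, requestor_type, tld, use_case):
        """A custom rule for the scenario overrides the default template."""
        key = (requestor_type, tld.lower(), use_case)
        return self.custom.get(key, self.defaults.get(key))

    def fulfil(self, requestor_id, requestor_type, use_case, domain, full_record):
        tld = domain.rstrip(".").rsplit(".", 1)[-1]
        template = self.resolve(requestor_type, tld, use_case) or {}
        # Assumption: deny by default. A data point is released only when the
        # template explicitly allows it; no matching rule releases nothing.
        disclosed = {k: v for k, v in full_record.items() if template.get(k) is True}
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "requestor": requestor_id, "requestor_type": requestor_type,
            "use_case": use_case, "domain": domain,
            "collected": dict(full_record), "disclosed": dict(disclosed),
        })
        return disclosed
```

Logging both the collected record and the disclosed subset for every request is what makes the later audit trail possible: a reviewer can compare the two against the rule that was in force.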
The benefits of this process for both registries and registrars are manifold:
it requires almost no coding, no implementation of new technology, or development of complicated rulesets and business logic on the side of registries and registrars;
the submission, in a controlled manner and environment, of non-public domain name registration data is entirely outsourced to PwC. No manual intervention from the registry or registrar is required;
by initially providing all domain name registration data to PwC, we can demonstrate that we have correctly passed on proportionate information, in light of the scenario indicated by the requestor.
4.3. Data Provisioning
The requestor receives proportionate public and non-public domain name registration data for the requested domain name, depending on the specific scenario at hand. The information is not only displayed when the request is fulfilled, but also made available in the online environment of the Requestor and sent to the Requestor by email.
4.4. Store Request and Data Provisioning Logs
In addition to logging the legitimate interest and substantive information provided by the requestor, PwC also logs the information that (i) has been obtained from registries and registrars, and (ii) has been made available to the requestor on the basis of the scenario at hand.
4.5. Review by Registries and Registrars
Registries and registrars will be able to view each request that has been made for domain names they manage. This will allow them to verify whether PwC has provided responses to disclosure requests in line with the scenarios that have been approved by them, and – as the case may be – modify the data points that will be made available by PwC for future requests.
If a complaint is being filed for illegitimate processing of personal information, the respective registry, registrar and PwC will be able to provide a full audit trail of the request that has been made by the requestor (including the legitimate interest claimed by the requestor), the data that was collected by PwC and the data that was made available to the requestor by PwC.
As the case may be, PwC will make these logs available to the competent Data Processing Authority for their follow-up, as set out in the GDPR. Any such information may include the identity and contact details of the authorized requestor who has obtained access to the non-public domain name registration data, which information is kept on record by PwC as per step 4.1 of this process.
We believe that this possibility – including the likelihood that the competent Data Processing Authority will impose fines upon a requestor whenever he or she has illegitimately processed personal information of a registrant – will be a deterrent to abuse. Furthermore, PwC reserves the right to temporarily or permanently suspend access to the Tiered Access Program in case PwC, registries and/or registrars are of the opinion that a requestor is not acting in accordance with the terms and conditions of the Tiered Access Program.