Welcome To The Tiered Access Program!

PwC’s sustainable platform that offers a GDPR compliant solution for requesting non-public domain name registration data.

Tiered access

Registrant

The most important stakeholder in our solution is the individual whose personal data, associated with a domain name registration, is being processed by a registry and a registrar. By default, our tiered access program provides registries and registrars with the necessary checks and balances that will allow a GDPR compliant disclosure of personal information, based on the requestor who would like to obtain access to such information, the capacity in which the requestor is acting, as well as the legitimate purpose set out in the request.

If it appears that a requestor has abused its credentials, the registrant can submit a complaint with the competent data protection authority; in that context we will make available the (authenticated) information we have obtained from the requestor.

 

Registry

Our tiered access solution aims to significantly reduce the GDPR compliance costs incurred by registries (and registrars). Instead of manually processing requests for non-public domain name information, our solution takes over the entire process in an automated, controlled and GDPR compliant way. PwC provides you with a baseline framework that is compliant with privacy laws, which you can further tailor to your own requirements and to the data you would like to disclose to requestors. This way, registrants have the assurance that their personal information is disclosed in a controlled manner to identified requestors who have stated that they have a legitimate reason to access such data.

 

Our Tiered Access solution is set up in such a way that it requires close to zero additional programming work for registries in the onboarding process.

 

Registrar

Similar to registries, our tiered access solution significantly lowers the cost and effort of responding to access requests relating to non-public domain name information. Requests made through our platform will be fulfilled in an automated, controlled and GDPR compliant manner. PwC provides you with a baseline framework that is compliant with privacy laws, which you can further tailor to your own requirements and to the data you would like to disclose to requestors. This way, registrants have the assurance that their personal information is disclosed in a controlled manner to identified requestors who have stated that they have a legitimate reason to access such data.

Each individual request will be fulfilled and logged, so that the registrar and registry who manage the domain name registration for which non-public data was disclosed can track who has obtained access to which information and for which purpose.

Our Tiered Access solution is set up in such a way that it requires close to zero additional programming work for registrars in the onboarding process.

 

Requestor

A requestor is a user of PwC’s Tiered Access program whose personal information and capacity has been verified and authenticated on the basis of documentary evidence provided by such user. This KYC-like (know your customer) process is an essential step in ensuring that only legitimate persons or organizations acting in a certain capacity can have access to such data. Furthermore, we will provide transparency to other stakeholders in our tiered access system on who has requested access, as well as the legitimate purpose invoked by the requestor for doing so.

When authenticated, requestors can submit requests for obtaining non-public domain name registration data through PwC’s Tiered Access program.

Each individual request for non-public domain name registration data will be fulfilled and logged, so that the registrar and registry who manage the domain name registration for which non-public data was disclosed can verify who has obtained access to which information and for which purpose.

 

Authentication

One of the most critical steps in the service we provide is the authentication of each of our users, in particular registries, registrars and requestors. This process is similar to the “KYC” (“know your customer”) process used by financial institutions.

This way, PwC can verify who has obtained access to which data and for which purpose, and provide assurance towards all stakeholders in our Tiered Access solution: domain name registrants, registries and registrars.

 

Verification

Whenever a request is submitted through PwC’s Tiered Access system, the requestor is required to state the legitimate purpose for which he or she would like to have access to non-public domain name registration data. In most cases, this data is made available to the registry and the registrar who manage the domain name registration, so they can verify who has made the request and for which purposes.

If the registry or registrar does not consider the justification given in the request to be legitimate, it can file a complaint with PwC and, subsequently, with the competent data protection authority.

 

Solutions

The sections below describe how our solution works.

1. Users

The Tiered Access Program accommodates two types of users:

Registries and Registrars: The domain name registries (gTLDs and ccTLDs) and registrars. The Tiered Access Program allows domain name registries and registrars to make non-public domain name registration data available in a GDPR compliant manner to Requestors who claim to have a legitimate interest in having access to such data.

Requestors: physical or legal persons who would like to obtain access to non-public domain name registration data. The identity of these users as well as the capacity in which they are acting are verified and recorded. During the testing phase of the Tiered Access Program, these are limited to law enforcement agencies, attorneys, trademark owners, and security experts. Note that one physical or legal person can have multiple capacities.

2. Connecting with Registries & Registrars

In the process of accrediting registries and registrars for the Tiered Access Program, PwC will rely on information published by ICANN / IANA, as well as information provided by registries who have been authorized to use the Tiered Access Program (e.g., ccTLD registries, who have their own accreditation process for registrars).

Once a registry or registrar has been authorized, PwC will reach out to its technical team to see how the Tiered Access Program can connect to its systems in order to obtain access to non-public domain name registration data.

Verified registries and registrars receive a unique verification link. Once the registry or registrar clicks on this link, it is known in our system as a validated user.

2.1. Scenario definition

In order to assist registries and registrars in fulfilling GDPR compliant requests for access to non-public domain name registration data, the Tiered Access Program incorporates a number of scenarios in accordance with which Requestors may formulate such requests.

Generally speaking, each scenario combines a number of parameters that the Tiered Access Program takes into account when fulfilling a request for access: the capacity of the requestor, the reasons for obtaining access to non-public domain name registration data, the data points that will be disclosed, the jurisdiction of the registrant, etc.

PwC has developed a number of template scenarios that are made available through the Tiered Access Program and which are considered compliant with the GDPR, bearing in mind the legitimate interest claimed by the requestor and the proportionality of the data disclosed to the requestor in that scenario. However, registries and registrars may implement alternative and additional scenarios, which override PwC’s templates.

Simply stated, each template includes statements (“rules”) by the registry or registrar of whether or not a particular data point can be disclosed to the requestor, given the particular scenario. In total, each template includes 46 different data points.

There is no limit to the number of templates a registry or registrar can develop, in addition to the default templates that are made available by PwC.

2.2. Rule setting

Each template that is activated by a registry or registrar results in a rule. Rules can contain the following elements:

  • Requestor Type: the end user who is allowed to make a request. At this stage, the Tiered Access Program supports the following Requestor types:

    • law enforcement agent or agency;

    • attorney;

    • intellectual property owner;

    • security expert;

  • Domain: The top-level domain. Registries can define different templates and rules for each specific top-level domain;

  • Use Case: The legitimate interest that is claimed by the Requestor.

Once these three elements are set, a template can be selected. This template will be applicable in the scenario with the previously selected Requestor, top-level domain and use case.

3. Requestor Verification and accreditation

Independent from the previous step, PwC will verify the identity of any party (individual, legal entity) who would like to use the Tiered Access Program as an authorized Requestor. This includes parties who, acting in a certain capacity, would like to have access to such non-public information (Requestors).

Each and every Requestor has to be verified. Depending on the type of Requestor (IP owner, lawyer…), the evidence that needs to be provided will differ. The Tiered Access Program performs this verification manually or automatically, depending on the complexity of the user type. Once verified, the user has access to the Tiered Access Program and can request WHOIS information for a specific domain name. Which information the Requestor will see depends on the rules defined by the registry/registrar.

 

 

The process of identifying, verifying and authorizing a party who would like to become an authorized user is entirely managed by PwC’s international and multilingual competence centre, using state-of-the-art and trusted methodologies and tools.

During the testing phase, PwC will only accredit law enforcement agents, IP owners, attorneys and security specialists as requestors of the Tiered Access Program, based on specific criteria that have been developed for each jurisdiction.

4. Fulfilling Domain Name Registration Data Request

When a registry and/or registrar has been authorized to use the Tiered Access Program, the appropriate technical connections are in place and the templates containing the different rules have been defined, authorized Requestors can start submitting domain name registration data access requests to be fulfilled by such registry or registrar through the PwC Tiered Access Program.

In essence, fulfilling domain name registration data access requests through the Tiered Access Program includes the following high-level processes:

 

4.1. Receive and Process Requests for Non-Public Domain Name Registration Data

 

Once a requestor is authorized by PwC, he or she will be able to initiate requests for obtaining access to non-public domain name registration data. When doing so, the requestor needs to justify the reasons for which he or she would like to access such data, and substantiate such request.

Although this substantive information will not be reviewed by PwC or passed on to registries or registrars with the request itself, PwC logs the content of this request and may, as the case may be, disclose this information if a complaint is filed on the basis of illegitimate processing of personal information (see step 4.6 below).

Following receipt of a request from an authorized user, PwC requests all information relating to the domain name that is the subject of the request from the authorized registry and/or registrar. Generally speaking, this is done through a secure connection between the Tiered Access Program on the one hand and the WHOIS or RDAP server of the registry and/or registrar on the other.

Any and all technically complete requests made by requestors will result in a query being made by PwC to the respective registrar and registry. PwC will not “cache” domain name registration data previously obtained from registries or registrars. However, each request (and response) will be individually logged, for compliance and audit purposes.

Also, although PwC will have access to any and all information relating to domain names managed by registries and registrars, it does not process any information with respect to a domain name for which it has not received a request from a requestor. Therefore, PwC does not “copy” or “collect” in any way domain name registration data that is not the subject of a request.

4.2. Data Collection & Filtering

When receiving PwC’s request through the Tiered Access Program, the respective registrar and/or registry will submit any and all data with respect to the domain name (i.e., both public and non-public information) to PwC.

Subsequently, PwC will only pass on to the requestor the information that is considered proportionate in light of the scenario defined by the requestor.

By default, the Tiered Access Program contains rulesets that have been extensively checked and validated by an expert PwC legal team. Therefore, when registries and registrars decide to use PwC’s predefined ruleset, the fulfilment of requests by Authorized Users will be fully in line with the GDPR.

If a custom rule is set for a specific scenario, this rule will overwrite the default rule (initially defined by PwC). This way the registry and registrar have all flexibility and can adapt the rules to their own modus operandi.

At all times, an authorized registry or registrar can verify which scenarios and rules have been defined, and change them for future requests processed through the Tiered Access Program.

The benefits of this process for both registries and registrars are manifold:

  • it requires almost no coding, no implementation of new technology, or development of complicated rulesets and business logic on the side of registries and registrars;

  • the submission, in a controlled manner and environment, of non-public domain name registration data is entirely outsourced to PwC. No manual intervention from the registry or registrar is required;

  • because all domain name registration data is initially provided to PwC, PwC can demonstrate that it has passed on only proportionate information, in light of the scenario indicated by the requestor.

4.3. Data Provisioning

The requestor receives proportionate public and non-public domain name registration data for the requested domain name, depending on the specific scenario at hand. The information is not only displayed when the request is fulfilled, but also made available in the online environment of the Requestor and sent to the Requestor by email.

4.4. Store Request and Data Provisioning Logs

In addition to logging the legitimate interest and substantive information provided by the requestor, PwC also logs the information that (i) has been obtained from registries and registrars, and (ii) made available to the requestor on the basis of the scenario at hand.
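The rule matching of section 2.2 (requestor type, top-level domain and use case selecting a template of per-data-point disclose/deny decisions, with a registry's or registrar's own rule overriding the PwC default), the filtering step of section 4.2 and the logging of section 4.4 can be sketched in a few dozen lines. The following Python is an added example and not PwC's code: the data points, the default templates, the sample registry record and the public-data-only fallback for a scenario with no matching rule are all constructed assumptions.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Callable

# The page says each template covers 46 data points; this constructed subset
# is enough to show the mechanics. Three of them are public WHOIS/RDAP output.
DATA_POINTS = (
    "domain", "nameservers", "creation_date",
    "registrant_name", "registrant_email", "registrant_phone", "registrant_street",
)
PUBLIC_POINTS = frozenset({"domain", "nameservers", "creation_date"})


@dataclass(frozen=True)
class Scenario:
    """The three rule elements from section 2.2: who asks, for which TLD, and why."""
    requestor_type: str   # law_enforcement | attorney | ip_owner | security_expert
    tld: str              # constructed TLD, e.g. "example"
    use_case: str         # the legitimate interest claimed


@dataclass(frozen=True)
class Requestor:
    requestor_id: str
    verified: bool              # KYC-style verification completed (section 3)
    capacities: frozenset[str]  # one person may act in several capacities


def make_template(*disclosed: str) -> dict[str, bool]:
    """Build a template: every data point gets an explicit disclose/deny decision.
    Public points are always disclosed; non-public ones only when listed."""
    return {p: (p in PUBLIC_POINTS or p in disclosed) for p in DATA_POINTS}


# Constructed stand-ins for PwC's default templates, keyed by (requestor type, use case).
DEFAULT_TEMPLATES: dict[tuple[str, str], dict[str, bool]] = {
    ("law_enforcement", "criminal_investigation"): make_template(
        "registrant_name", "registrant_email", "registrant_phone", "registrant_street"),
    ("ip_owner", "trademark_infringement"): make_template("registrant_name", "registrant_email"),
    ("security_expert", "abuse_mitigation"): make_template("registrant_email"),
}


class TieredAccess:
    def __init__(self, lookup: Callable[[str], dict[str, str]]) -> None:
        self._lookup = lookup   # live registry/registrar query per request; nothing is cached
        self._custom: dict[Scenario, dict[str, bool]] = {}
        self.audit_log: list[dict] = []

    def set_custom_rule(self, scenario: Scenario, template: dict[str, bool]) -> None:
        """A registry/registrar rule for a full scenario overrides the default (section 4.2)."""
        missing = set(DATA_POINTS) - template.keys()
        if missing:
            raise ValueError(f"template must decide every data point, missing {sorted(missing)}")
        self._custom[scenario] = dict(template)

    def resolve_template(self, scenario: Scenario) -> dict[str, bool]:
        if scenario in self._custom:
            return self._custom[scenario]
        default = DEFAULT_TEMPLATES.get((scenario.requestor_type, scenario.use_case))
        if default is not None:
            return default
        # Assumption (not stated on the page): an unmatched scenario yields public data only.
        return make_template()

    def fulfil(self, requestor: Requestor, scenario: Scenario,
               domain: str, justification: str) -> dict[str, str]:
        """Sections 4.1 to 4.4: check the requestor, fetch the full record, filter, log."""
        if not requestor.verified:
            raise PermissionError("requestor has not completed verification")
        if scenario.requestor_type not in requestor.capacities:
            raise PermissionError(f"requestor does not hold capacity {scenario.requestor_type!r}")
        if not domain.endswith("." + scenario.tld):
            raise ValueError("domain does not belong to the scenario's TLD")

        full_record = self._lookup(domain)            # public + non-public data (4.2)
        template = self.resolve_template(scenario)
        # Deny by default: a field the template does not explicitly allow is never passed on.
        disclosed = {k: v for k, v in full_record.items() if template.get(k, False)}

        self.audit_log.append({                        # 4.4: request, data obtained, data given
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "requestor_id": requestor.requestor_id,
            "scenario": asdict(scenario),
            "domain": domain,
            "justification": justification,
            "obtained_sha256": hashlib.sha256(
                json.dumps(full_record, sort_keys=True).encode()).hexdigest(),
            "disclosed": disclosed,
        })
        return disclosed


# Constructed registry record (not real registration data).
SAMPLE_REGISTRY = {
    "shop.example": {
        "domain": "shop.example", "nameservers": "ns1.example.net", "creation_date": "2021-04-02",
        "registrant_name": "Jane Doe", "registrant_email": "jane@example.org",
        "registrant_phone": "+00 000 00 00", "registrant_street": "1 Example Lane",
    }
}


def sample_lookup(domain: str) -> dict[str, str]:
    return dict(SAMPLE_REGISTRY[domain])


if __name__ == "__main__":
    ta = TieredAccess(sample_lookup)
    officer = Requestor("r-001", True, frozenset({"law_enforcement"}))
    scenario = Scenario("law_enforcement", "example", "criminal_investigation")
    print(ta.fulfil(officer, scenario, "shop.example", "constructed case reference"))
```

Two design choices carry the security point of the page. First, a template must decide every data point, and any field the template does not explicitly allow is withheld, so a registry adding a new field to its RDAP output cannot leak it through an old rule. Second, the audit entry records the requestor, the scenario, the justification, a digest of what was obtained and exactly what was disclosed, which is the trail sections 4.5 and 4.6 rely on when a registry reviews past requests or a complaint is filed.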

4.5. Review by Registries and Registrars

Registries and registrars will be able to view each request that has been made for domain names they manage. This will allow them to verify whether PwC has provided responses to disclosure requests in line with the scenarios that have been approved by them, and – as the case may be – modify the data points that will be made available by PwC for future requests.

4.6. Complaints

If a complaint is being filed for illegitimate processing of personal information, the respective registry, registrar and PwC will be able to provide a full audit trail of the request that has been made by the requestor (including the legitimate interest claimed by the requestor), the data that was collected by PwC and the data that was made available to the requestor by PwC.

As the case may be, PwC will make these logs available to the competent Data Protection Authority for its follow-up, as set out in the GDPR. Such information may include the identity and contact details of the authorized requestor who has obtained access to the non-public domain name registration data, which information is kept on record by PwC as per step 4.1 of this process.

We believe that this possibility, including the likelihood that the competent Data Protection Authority will impose fines upon a requestor whenever he or she has illegitimately processed personal information of a registrant, will be a deterrent to abuse. Furthermore, PwC reserves the right to temporarily or permanently suspend access to the Tiered Access Program in case PwC, registries and/or registrars are of the opinion that a requestor is not acting in accordance with the terms and conditions of the Tiered Access Program.


Demo

At this stage, we are testing the functionalities of the Tiered Access Program with a select number of registries and registrars, and more specifically:

  • User interfacing;
  • User interactions:
    • in particular when registries and registrars are defining their scenarios and rules;
  • Submission and processing of access requests;
  • The scenarios and outputs generated.

Based on the feedback received, we will make modifications and enhancements to the functionalities of the Tiered Access Program. Therefore, we are welcoming any comments or suggestions you may have.

More in particular, we are currently investigating how the Tiered Access Program will be able to handle OAuth, OpenID Connect, and other authorization protocols, as per the recommendations of ICANN’s Technical Study Group. We will, of course, involve the test group in these discussions.

It is entirely up to the registry and registrar to determine to which extent it will use the outputs generated by the Tiered Access Program in any responses to access requests received by the registry or registrar.

 

Who are we

At PwC, we’re committed to providing quality services to our public and private clients all over the world.

PwC is founded on the principle of creating value through relationships; it is a principle that lies at the heart of everything we do and everywhere we are. To offer the best possible solutions, the project involves experts in every field.


Our value promise starts with our relationship with you. We aim to start building value from day one

With the Tiered Access Program, PwC is envisaging to offer workable, practical, but most importantly: a GDPR compliant solution to all key actors in the domain name industry in relation to providing controlled access to non-public domain name registration information.

Of course, we will follow closely any further developments and participate in discussions that are currently ongoing within the ICANN Community in order to ensure that our solution keeps pace with new insights and recommendations that are currently being formulated.

If you would like to discuss how the Tiered Access Program can assist you, or if you have any questions or comments in relation to this Solution Description, please reach out to one of our contacts mentioned below.

Contact us

Pascal Tops

Partner Risk, Compliance & Cybersecurity, PwC Belgium

Tel: +32 473 91 03 68
