Export Compliance Daily is a Warren News publication.
Consent 'Key Issue'

ICANN Moves Closer to Interim Fix for EU Data Protection Compliance Problems

ICANN plans to choose an interim Whois model that complies with the EU general data protection regulation (GDPR) were delayed to mid-February to allow more discussion time, CEO Göran Marby blogged. Earlier this month, he proposed three approaches and asked for input. ICANN had intended to settle on one model by the end of this month, but it's clear more time is needed, he said Thursday. NTIA's head also had Whois GDPR concerns (see 1801290041). Meanwhile, responses to an ICANN consultation showed interest in some form of layered access to domain name owners' information.


ICANN's three models differ based on what registrant contact information is displayed, Marby said Jan. 12. One would allow the display of "thick" Whois registration data, excluding domain name owners' phone number and email address and the name and mailing address of the technical and administrative contacts. To gain access to that nonpublic information, third parties would have to self-certify their legitimate interest in accessing the data. The model would apply if the registrant is a natural person and the registrant, registry, registrar and/or data processor is in the European economic area. The organization defines thick data as including registrants' contact information and their designated administrative and technical contact information, plus the sponsoring registrar and registration status information supplied by a "thin" registry (which includes only technical data sufficient to identify the applicable registrar, status of the registration and creation and expiration dates for each domain registration in its Whois database).

Under the second model, thin registration data would be displayed, minus the registrant's phone number and email address and the name and postal address of the technical and administrative contacts. To access the nonpublic information, registries and registrars would have to provide access for only a defined set of third-party requestors certified under a formal accreditation/certification program. Model 3 would allow the display of thin registration data and any other nonpersonal registration data, and someone seeking the information would have to provide a subpoena or other court order to access it. ICANN Friday hosts a webinar on the options.

To prepare for the GDPR, ICANN solicited legal advice from Swedish law firm Hamilton Advokatbyrå. Its latest memo tackled the issue of how ICANN could change its Whois data-processing to comply with the regulation. It floated the idea of an interim "layered access model where different personal data usages within the scope of the Whois services are analyzed to formulate different purposes, requiring access to different types and amounts of data, for different processing activities." The approach could be used until a longer-term solution is found, it said.

The legal advice prompted criticism from the Internet Governance Project and others. The memo "contains some important and astute observations, [but] the conclusions it reaches are seriously muddled," blogged IGP member Milton Mueller of the Georgia Tech School of Public Policy. The critical issue is the purpose of Whois, and the memo recognized there's no clearly defined, commonly accepted purpose of Whois, he wrote. It divided the alleged purposes of the database into four categories: administrative actions, recovery of registrant data due to disasters and disruptions, law enforcement, and processing of data by rights holders, he wrote.

The memo acknowledged the obvious conflicts between these purposes and privacy law but showed "great solicitousness for finding some form of compliance with GDPR that would continue to make these uses possible," Mueller said. The memo appeared not to advocate for layered access to the information, but said the best way to comply with the GDPR would be to create an interim solution based on layered access that would allow the processing of some Whois data for some limited purposes, Mueller noted. The final conclusions "are not supported by" the analysis and don't offer a viable way forward, he said.

The ICANN Business Constituency said "many important business operations depend upon public availability of WHOIS, such as the ability to obtain digital certificates, or the ability to protect against spam, fraud, and other types of online abuse." Too restrictive a model could detract from the ability to ensure internet security and stability, it said. The ICANN Intellectual Property Constituency faulted the legal memo for embracing layered access solely for contract, administrative and data/disaster recovery purposes, saying, "This is too narrow." The IPC urged "pursuing the register model of publicly available WHOIS data ... to the greatest extent possible while also adopting a layered access model for personal data that isn't publicly available to meet the interests of third parties such as rights owners."

Consent is the key issue, said the Council of Registrars (CORE), which says it's aimed at preserving, developing and sharing resources for internet names and identifiers. Free and unequivocal consent is the way to keep some data publicly available, with the rest treated under a layered access approach, said CORE Chief Policy Officer Amadeu Abril i Abril. ICANN's third option is the best, but it should be tweaked to assume registrants' names, phone numbers and addresses contain personal data that should be withheld from public display unless the domain name owner "actively provides their voluntary, informed consent," said Electronic Frontier Foundation Senior Global Policy Analyst Jeremy Malcolm.