Export Compliance Daily is a Warren News publication.
Registries, Registrars 'Not Waiting'

ICANN Board Considering Temporary Spec for GDPR Compliance

The ICANN board delayed action Sunday on a temporary Whois "specification" aimed at giving it time to come up with a new model that complies with EU privacy law. With the EU General Data Protection Regulation's May 25 effective date looming, ICANN proposed an interim plan that balances the existing Whois model with the GDPR by "allowing for the robust collection of [domain name] registration data but also restricting the access to personal data to layered/tiered access," ICANN CEO Göran Marby blogged Friday. Users with a legitimate reason would be able to seek access to non-public data through registrars and registries, and could contact either the registrant or administrative and technical contacts through an anonymized email or web form, he said. Registrants could opt into having full contact details available. But the board didn't vote on the draft at this weekend's Vancouver meeting, emailed Michele Neylon, managing director of Irish domain registrar and hosting company Blacknight Internet Solutions. ICANN didn't comment Monday.

Marby approached the Article 29 Data Protection Working Party (WP29) Thursday with many follow-up questions (available here) to the group's earlier comments on ICANN's proposed interim solution (see 1804160022). At the top were queries seeking reassurance of a moratorium on enforcement, including: (1) Whether, as France's Commission Nationale de L'Informatique et des Libertés indicated, other WP29 data protection authorities would also "encourage compliance" rather than begin imposing fines after May 25. (2) Whether ICANN's plan of action provides enough information for fines not to be immediately set on ICANN and its 2,500-plus data controllers "who operate the WHOIS system." The letter seeks clarifications on such things as access to nonpublic Whois data, security of the data, international transfers, data retention and codes of conduct and accreditation for third parties seeking access to nonpublic registration information.

It's understandable ICANN might want clarity on some points, but "the entire timing of this is unhelpful," Neylon told us. Registrars and registries "cannot wait for ICANN anymore and will make changes to how they handle Whois ... to be compliant," he said. Neylon posted his GDPR compliance policy and said other registries and registrars also did so or are expected to do so shortly. "From conversations I've had with both it's clear that people are not waiting to take action." Neylon said many registrars and registries were "in touch with individual board members [before their meeting over the weekend] to point out the issues we'd found" with the specification.

"How on earth can you marry reality and policy?" Neylon asked. A temporary Whois policy that would be in place for a year or so was expected, he said at a Wednesday eco-Association of Internet Industry/Internet Infrastructure Coalition (i2C) webinar. It will now be a "major challenge" to carry out an expedited policy development process (PDP) in which the issue will be how to get stakeholders to come together when all previous attempts to change the Whois policy have failed miserably over the past 20 years, he said. "Unless there is a seismic shift in how the various stakeholders engage in policy development in this area I can easily see this emergency PDP failing as well," he emailed.

"ICANN needs to stop trying to get data protection authorities to bless its temporizing," emailed Georgia Institute of Technology School of Public Policy professor Milton Mueller. The internet body, he said, "knows what it needs to do to Whois if it is to comply with GDPR," because the Noncommercial Stakeholders Group and some registrars and registries have been saying it for years: remove most of registrants' personally identifiable information from indiscriminate publication.