Export Compliance Daily is a Warren News publication.
'Direct Conflict' on Approach

GDPR Compliance Versus Access to Whois Data Issues Rankle After ICANN Meeting

The Oct. 20-25 ICANN meeting left a key question hanging, stakeholders said: Whether policy for aligning the Whois database of domain registrants with the EU general data protection regulation (see 1810220002) should take precedence over how to give access to nonpublic information to legitimate requesters such as law enforcement. As talks on an expedited policy development process (ePDP) to replace the "temporary specification" on Whois GDPR compliance continued, some wanted work to proceed in parallel on some sort of unified access model (UAM). The idea is backed by governments and the business (BC) and intellectual property constituencies (IPC) but opposed by noncommercial users, registrars and others.

The current temporary specification "created a fragmented system for providing access consisting of potentially thousands of distinct policies depending upon the registrar involved," GAC said Oct. 25. Survey results show a "clear trend" that since implementation, the spec "significantly affected law enforcement and cyber-security professionals' ability to investigate and mitigate crime" using data that was previously publicly available in Whois, it said.

"Time is of the essence" in implementing a final spec for Whois services and developing a unified access model for third-party access to nonpublic Whois data, the GAC said. Though the ePDP team is tasked with defining what "reasonable access" to the data means, community work on developing a unified access model "should proceed in parallel and can complement the EPDP's efforts," it said.

For the European Commission, it's up to ICANN to organize its Whois policy development process, including the ePDP and UAM, "but we insist this should be done in a way that ensures a stable solution is in place as soon as possible" before the temporary spec expires in May, the EC emailed. The commission supports the development of a unified access model, saying it "should be fully in line with EU data protection rules."

"There's a few different threads and schools of thoughts that are in direct conflict ... on some aspects of this," emailed Michele Neylon, CEO of Irish registrar Blacknight Solutions. In the ePDP, "there has been a constant push to jump immediately to 'access' which has caused the entire thing to be slowed down," he said: Until a clear legal basis for collection of Whois data is decided, "there can be no path forward on granting access."

Noncommercial stakeholders are also opposing a parallel process, emailed Georgia Institute of Technology School of Public Policy professor Milton Mueller, a member of the Non-Commercial Users Group. The NCSG is concerned about the circulating draft access model, said an Oct. 19 comment before the ICANN meeting in Barcelona. Under the terms of the ePDP charter, the access question is meant to be taken up only after the revision of the temporary spec is finalized, it said: The draft access model "disproportionately favors stakeholders with a vested interest in preserving unlawful access to WHOIS data, to the detriment of data subjects' rights." Circulation of a "possible" unified framework "is not only an inappropriate use of scarce resources, but most troublingly of all, a circumvention of established consensus-based multistakeholder processes," NCSG said.

ICANN CEO Goran Marby is also exploring options on contracted party liability and access to full Whois data via an Aug. 20 draft framework. Registries and registrars agree it's "possible for ICANN to conduct such exploration in parallel with the ongoing ePDP, and without usurping the community's policy development authority," Registrars Stakeholder Group Chair Graeme Bunton and Registries Stakeholder Group past Chair Paul Diaz wrote in an Oct. 22 letter to ICANN Chairman Cherine Chalaby and Marby. Nevertheless, they sought "more detailed explanation and analysis of the approach being contemplated, which we believe is essential to enable meaningful dialogue with data protection authorities in order to understand its legal viability."