ICANN Ignores Data Protection Experts as It Considers EU Privacy Rules, Privacy Advocates Say
ICANN fails to include privacy advocates in efforts to comply with new EU data protection laws, activists said. Meeting this week in Johannesburg, the body holds a policy discussion Tuesday on practical solutions to the potential impact of the EU general data protection regulation (GDPR). Privacy experts haven't been asked to take part on the panel even though ICANN's approach to data protection has long been flawed and the organization could be subject to large penalties under the GDPR, they said.
ICANN is discussing privacy and data protection developments with its community, focused mostly on the GDPR, which takes effect May 25, it blogged Thursday. ICANN "has an obligation to adhere to existing policy as developed by the community," which includes policies that might be affected by the GDPR, it said. The new measure could affect ICANN and the domain name system (DNS) via personal data that participants in the DNS ecosystem, including registries and registrars, collect, display and process, pursuant to ICANN contracts, and by personal data ICANN collects and processes. ICANN privacy-related activities include talks with the Registries and Registrar Stakeholder Groups to understand potential issues and to ensure compliance with relevant laws, it said. Multistakeholder policy development actions underway include efforts to boost privacy and proxy services available to registrants and updates to the procedure for handling Whois conflicts with data protection law, said the nonprofit, also engaged with European data protection authorities to find out how the GDPR will affect it.
ICANN "better be" thinking about how to comply with the GDPR, wrote professor Milton Mueller of the Georgia Institute of Technology School of Public Policy for the Internet Governance Project. "Everyone knows ICANN's Whois policies (see 1703100062), which require registries and registrars to provide indiscriminate public access to personal data about domain name registrants, violate European privacy laws." This didn't matter much previously because data protection laws "didn't have much teeth when it came to ICANN and the domain name industry," he said. Under the GDPR, such violations could result in fines of up to 4 percent of an organization's revenue, he wrote. "Real money is on the table."
Mueller slammed ICANN for listening only to registries and registrars, not privacy advocates or noncommercial domain name users, in dealing with data protection issues. Tuesday's panel includes only lawyers representing top level domain registries, platform providers and internet service providers and a law enforcement representative, he said. Although Mueller, a longtime player in ICANN's noncommercial community, and others argued for a registrant or privacy activist on the panel, the request was denied, he said. This was "a deliberate decision to prevent the Whois/privacy problem from being discussed in a balanced and fair way," he wrote. ICANN didn't comment.
The panel's organizer wrote Monday that he doesn't "know where the crazy notion comes from that all contracted parties (registries and registrars) would be plotting a scheme together with ICANN to play down the effects of the GDPR." The session's point is to help registries and registrars determine how to deal with the regulation, not to hear presentations from panelists, Peter Vergote, legal and corporate affairs director at DNS Belgium, the .be registry, wrote on Mueller's blog. "It's the audience that is playing the lead."
The Council of Europe "has tried for some time" to get data protection discussions "on the table at ICANN," and facilitated a successful "Privacy Day" with representatives from all relevant interests at the March 11-16 ICANN meeting in Copenhagen, emailed Sophie Kwasny, head of the Council of Europe data protection unit. "It hasn't always been very easy to get the topic on the radar," but the CoE hopes the GDPR makes ICANN realize that compliance is unavoidable, she said. The CoE is a human rights organization whose 47 members include the EU 28, with the U.S. an observer.
"I have had privacy concerns about the WHOIS process since it was established," emailed Georgia Institute of Technology Law and Ethics professor Peter Swire. As lead privacy official in the Clinton administration, he suggested more privacy-protective approaches to the Commerce Department officials working on ICANN's creation, but those approaches weren't adopted, he said. "I believe the stricter fines under GDPR are getting ICANN's attention." The organization would benefit from "careful attention" to insights from privacy experts, he added.
Indiscriminate publication of user data in Whois "has been illegal for a long time," said Electronic Frontier Foundation Senior Global Policy Analyst Jeremy Malcolm. ICANN's Generic Names Supporting Organization Registration Data Services Policy Development Process Working Group, of which Malcolm is a member, is considering a replacement for Whois. Unlike most ICANN working groups, which are "completely dominated by rightsholders, in this group the privacy activists actually seem to have the balance of power because European law is clearly on their side," he emailed. Law enforcement agencies and rights owners are pushing back, and "insist that clearly it must be OK to publish this information because That's How Things Were Always Done." ICANN has been in denial for too long, he added.