Communications Litigation Today was a Warren News publication.
'Massive Migraines' for Registrars

ICANN Plan for 'Thick' Whois Directories Sparks GDPR Issues

ICANN's plan to make registries hold domain name owners' contact information, a step that could create data protection problems under the EU's coming General Data Protection Regulation (GDPR), is sparking blowback from government officials and others. ICANN's "thick Whois consensus policy" requires that all new domain name registrations be submitted to the registry as "thick" starting May 1 and that all relevant registration data for existing domains be shifted from "thin" to thick by Feb. 1, 2019, the ICANN board said in a resolution adopted Oct. 29. ICANN defines "thin" registrations as those containing only technical information such as domain name servers and creation dates, and "thick" registrations as those that also include registrants' contact details. EU privacy chiefs and the Internet Governance Project (IGP) said the plan will likely run afoul of privacy rules.

Board members agreed to delay compliance with the policy because of a disagreement between VeriSign, which operates .com and .net and provides back-end registry services for .jobs, and the Registrar Stakeholder Group, which is concerned that VeriSign-proposed changes to its registry-registrar agreements would fall afoul of GDPR, the October resolution said. Registrars "are essentially concerned that the contractual changes don't properly capture the GDPR implications," said Michele Neylon, CEO of registrar Blacknight Internet Solutions. VeriSign's contract is just one example, but since it asked for a change to the contract, it's the one in the spotlight, he said. "Many aspects of ICANN's contracts with registrars and registries are problematic in light of privacy laws, and with GDPR those headaches have become massive migraines."

To give both sides time to agree on the contract amendments needed to implement the thick Whois policy, the board authorized ICANN to defer enforcement for 180 days. That lets ICANN continue engaging with the European community, including the Article 29 Data Protection Working Party (WP29), data protection agencies, contracted parties and other relevant stakeholders, to determine how GDPR applies, the board said.

"Unlimited publication of personal data of individual domain name holders raises serious concerns" about the lawfulness of the practice not only under the current EU data protection directive but also under the GDPR, which is based on the same principles, WP29 wrote in a Dec. 6 letter to ICANN Chairman Cherine Chalaby and CEO Göran Marby. Data protection authorities are "united" in recognizing that enforcement authorities entitled by law should have access to domain owners' personal data in the Whois directories, but they believe the original purposes of the directories can be achieved by layered access, the letter said. WP29 has "stressed the importance of layered access to the personal data contained in the WHOIS directories since 2003." The communication "will factor into our work" on the next generation of Whois, ICANN said Dec. 8.

ICANN and some stakeholders justify the need for thick Whois data on grounds of efficiency, IGP said. To encourage more competition between registries and registrars, ICANN makes domain names "portable" across registrars, allowing consumers moving from one domain name provider to another to transfer their contact information, it said. When thin registries transfer registrant contact information, there must be deliberation and approval among the registrant, the administrative contact and the registrar. "Thick data registries cut out the admin contact and allow for registrars to directly coordinate with registrants" to transfer data, it said. ICANN's business constituency favors the transition because it makes it easier for those businesses to monitor domain name holders for alleged trademark infringement and to check consumer information such as credit card verification, IGP said.

By transitioning to thick registries, ICANN "is ignoring a fundamental principle of internationally-recognized data protection laws, namely data minimization: collect only so much data as you need to perform a task," IGP said. A registrar that doesn't secure or transfer the data of a registrant properly could be fined 2 percent of revenue under the GDPR, it said. Given the many unresolved questions about data security and privacy, it's puzzling that businesses would push for the transition, it said: They're supporting "policy change at the expense of their own customers' privacy and security," and ICANN should "look into scrapping this bad recommendation."