ICANN Interim Proposal for GDPR Whois Compliance Leaves Key Questions Unanswered
ICANN gave European data protection authorities (DPAs) a proposed model for complying with the EU general data protection regulation, President Göran Marby said Monday. Unanswered questions remain, and ICANN needs "firm advice" from privacy chiefs and governments before moving ahead, he said at ICANN's meeting this week in San Juan, Puerto Rico, where NTIA Administrator David Redl also sought access to information in the group's database of website registrants. Stakeholders disagreed over making registrant email addresses public, the role of the Governmental Advisory Committee and how entities that will be able to access nonpublic registration data should be accredited. GAC members said Tuesday they're worried about lack of a required temporary system for dealing with access to nonpublic data before a formal accreditation system is implemented.
ICANN considered a wide variety of approaches to addressing Whois under GDPR but settled tentatively on one interim compliance model (the "cookbook"), General Counsel John Jeffrey said Monday. The key change from the current system is a layered or tiered approach that allows a public version of the Whois database and a nonpublic layer accessible only to authorized parties, he said.
The plan addresses what registrant data should be collected and retained; whether the model should apply only to the European economic area or globally; what information will be visible on the public Whois; and how access will be made available on the nonpublic database, Jeffrey said. For now, the full amount of registration data will be collected, and will be fully transferred from domain name registrars to registries. Data available publicly would include an organization's (but not a registrant's) name, and the registrant's state, province and country (but not street, city or postal code), he said. Instead of making email addresses public, the system would use anonymized email addresses or web forms to enable registrants to be contacted, Jeffrey said. Parties with access to the nonpublic database could prove their entitlement, Jeffrey said. For nongovernmental entities, such as IP owners, there would be an opportunity to create codes of conduct on how to qualify for certification for access to the data, he said.
Preservation of the Whois service is a top priority for the U.S. in ICANN, Redl said Monday. His written remarks urged ICANN to revise the interim model "to permit access to the most amount of registration data as possible," and said the U.S. is concerned about the uncertainty around how access for legitimate purposes -- such as law enforcement, IP enforcement and cybersecurity -- will be maintained during the period between the GDPR's entry into force and the time the ICANN community agrees on accreditation. The U.S. "will not accept a situation in which Whois information is not available or is so difficult to gain access to that it becomes useless for the legitimate purposes that are critical to the ongoing stability and security of the Internet," he said.
There are positive aspects, said GAC Public Safety Working Group co-Chair Laureen Kapin of the FTC. It contains a framework to address law enforcement needs, and continues the collection of "thick" Whois data that includes registrants' contact information and designated administrative and technical contact information, she said. The cookbook provides a role for the GAC in advising on potential accreditation systems and on codes of conduct for access to nonpublic data by users pursuing legitimate interests. The proposal maintains current data retention requirements, and will allow future accreditation to maintain full access to the information by law enforcement agencies and anonymized Whois requests, she said.
'A Bit Late'
It's "a bit late" but is an important step, said Nick Wenban-Smith, general counsel of U.K. country-code top-level domain registry Nominet, speaking for the Registries Stakeholder Group. Registries like the opt-in nature of the model, that they would be able to use it globally, and that registrant email addresses won't be publicly available, he said. Wenban-Smith criticized ICANN for not explaining how continued blanket access to nonpublicly available Whois data complies with GDPR data-minimization rules. Given the likelihood the nonprofit won't meet the compliance date of May 25, registries will have to come up their own policies for releasing the data, which could lead to fragmentation of the policies, he said.
GAC members' chief concern is lack of a required temporary system for access to nonpublic data by law enforcement and other third parties until a formal accreditation scheme is in place, said GAC's Kapin. Governments are unclear about why ICANN hasn't fully explained why it proposes to mask some registrants' information; why it's "over-complying" with the GDPR by masking nonpublic information from legal entities despite the regulation not applying to them; and why it hasn't clarified the GAC role in GDPR compliance, she said.
The cookbook needs more work, said Schollmeyer & Rickert IP lawyer and longtime ICANN player Thomas Rickert. The most important question is the role of the GAC, he said: Some worry that if governments are used to help make the Whois compliance system operational, the committee's role will be expanded beyond its advisory role, he said.
The only way IP rights owners can protect their rights is if they have access to users' email addresses, said Patrick Charnley, International Federation for the Phonographic Industry legal policy and licensing director, speaking for ICANN's IP Constituency. ICANN promised to stick as closely as possible to the existing Whois system but failed to do so by applying the proposed model to legal as well as natural persons and making it global, he said. The Business Constituency also wants registrant email addresses public, said Domain Tool CEO Tim Chen. Ensure security practitioners are included in the accreditation process discussions, he said.
The Non-Commercial Stakeholders Group doesn't believe self-accreditation for nonpublic access is reasonable, said Stephanie Perrin. The group would prefer a possible International Standards Organization or other standard and a stronger focus on human rights issues inherent in allowing access to Whois data, she said. The At-Large Advisory Committee believes the interim model is more balanced than some predicted, but not recognizing the difference between legal and natural persons is disappointing, said Chair Alan Greenberg.
GAC members will have further discussions about the GDPR during the week and issue a statement.