ICANN GDPR Compliance Progress Uncertain, Officials Say
ICANN continues to struggle with who can access domain name registration data under the EU general data protection regulation, a Monday webinar heard. The law is specific about the role of data controllers, and ICANN is trying to determine if creating a unified model for access to nonpublic Whois data complies, said CEO Goran Marby. It's up to the community to decide whether it supports such unified access, he said. Legal and technical approaches are under consideration, said General Counsel John Jeffrey, including the Registration Data Access Protocol (RDAP), to enable users to access current domain registration data that could eventually replace the Whois database. Third parties seeking access to nonpublic data would submit a request to ICANN, which would approve it and pass it along to the data controllers (registries and registrars) or deny it, he said. Comments are due Oct. 13. There's also an expedited policy development process (ePDP) on ICANN's temporary specification for generic top-level domain registration data, said David Olive, senior vice president-policy development support. The ePDP is expected to deliver a draft initial report by the Oct. 20-25 ICANN meeting in Barcelona, followed by publication of an initial report for comment shortly thereafter, he said. Marby said GDPR is fairly specific about the individual role of data controllers, and the only way to change the situation would be to lower the risk of liability for registries and registrars. He stressed that none of the proposed solutions will happen if contracted parties don't feel their GDPR risks are diminished. The probability of having a technical solution such as RDAP is likely low, but ICANN must ask, he said.