Communications Litigation Today was a Warren News publication.
'Uncharted Territory' in GDPR

ICANN Attempt to Standardize Access to Whois Faces Resistance

Efforts to create a standardized system for access to private domain registrant data are in disarray after ICANN constituencies objected to portions. The system for standardized access/disclosure (SSAD) proposal is phase 1 of an expedited policy development process (EPDP) for compliance with EU's general data protection regulation (GDPR). Some claimed opponents are trying to cling to the old Whois system despite its illegality. The EPDP team now must look into two more contentious issues.

ICANN has been in compliance with GDPR since it took effect, and "no one is saying that the current and proposed policies don't comply," emailed CEO Goran Marby. In phase 1 of the EPDP, the community developed recommendations for a new policy for generic top-level domain registration data. Phase 2 aimed to create a system for standardized access to nonpublic gTLD registration data. Most recommendations got community support, he noted.

Governments are concerned about several aspects of the final report adopted by the Generic Names Supporting Organization (GNSO) Council, said the Governmental Advisory Committee (GAC) minority statement. The disclosure system appears fragmented, said Laureen Kapin, co-chair of the GAC public safety working group and FTC international consumer protection counsel, Tuesday at the virtual ICANN meeting in Hamburg. Governments worry that standards for and reviews of decisions against disclosing personal data aren't enforceable and the proposal doesn't sufficiently address consumer protection, she said.

The GAC wants a third policy development process (phase 2a) to require registrars and registries to make publicly available the data of legal persons, which at the moment they have the option to redact (the GDPR doesn't protect data from legal entities), and to determine whether it's feasible to allow unique domain registrants to use uniform anonymized email addresses. The GNSO Council granted the request Wednesday, directing the EPDP team to report back on whether consensus is possible or the EPDP should be ended. GAC also wants clarification of the role of data controllers and processors in the system. A European Data Protection Board consultation on the concepts of controller and processor ended Oct. 19; ICANN's response is here.

The Security and Stability Advisory Committee refused to endorse the report in its current form. "We believe that a much better system is possible within the limitations imposed by the [GDPR], and the EPDP has not provided outcomes that are reasonably suitable for security and stability," it said. The At-Large Advisory Committee, Business Constituency and Intellectual Property Constituency also opposed the report. The two constituencies, both part of the GNSO, were overruled by a supermajority vote in favor of the proposal by the registrar, registry, noncommercial user and ISP constituencies, noted GAC public safety working group member Chris Lewis-Evans.

GAC and SSAC "somehow got it into their heads that the SSAD proposed by EPDP would give them unlimited, automatic access to non-published registrations data, on request," emailed Georgia Institute of Technology professor Milton Mueller, of the Non-Commercial Stakeholders Group. That couldn't happen without breaching data protection law, he told us. "They are fighting a losing battle" because even if they succeed in getting ICANN to push through a deviation from the consensus policy adopted by the GNSO, "a lawsuit will shut the whole thing down."

The concerned groups represent those with the biggest interest in accessing nonpublic registration data, blogged rickert.law (Bonn) attorney Thomas Rickert, who represented the ISP and Connectivity Provides Constituency on the EPDP. That leads to questions of why ICANN should build a system that's not supported by those for whom it's intended, and why there's such a lack of support, he said.

The policy development process shouldn't be jettisoned because of these disagreements, Rickert said. "We are entering uncharted territory" where a new system for access to registrant data has to be built from scratch. "Not supporting the ICANN policy process is as good as begging for legislation." Lack of support is due to a "systemic error in the EPDP's work" -- the expectation that the now-illegal Whois system, or a slight tweak, could continue. Everyone should "step back and relax," he advised. The issue of what to do about Whois may be the most controversial one in ICANN's history, but compromise should be possible, and the building blocks are in the SSAD recommendations.

The ICANN community went as far as it believed was possible in developing policies regarding access to nonpublic gTLD registration data "given the uncertainties that still exist under the law," Marby told us. He said that his organization "continues to remain willing to assume greater responsibility with respect to disclosure or registration data to help serve the public interest if the impacts of this are clear under the law."