Europe Says Proposed WHOIS Data Verification and Data Retention Proposals Unlawful

The European Commission has expressed concerns to ICANN about the proposed revisions of the two remaining unresolved issues in the Registrar Accreditation Agreement concerning verifying contact details and data retention of WHOIS data saying the proposed requirements would be unlawful in Europe. The letter on behalf of the Article 29 Working Party is also miffed that ICANN has made no effort to discuss the issues from a European perspective.ICANN is currently seeking comments on the RAA and this week announced that since the meeting in Prague in June, significant progress has been made, though two key issues remain unresolved. These two areas are:

  • annual re-verification of contact details, a proposal that has originated from law enforcement requests
  • data retention for two years.

On the re-verification of contact details, or WHOIS, the current ICANN proposal would make it mandatory for registrars to obtain and verify an email addresses and telephone number and to annually update these details.The Article 29 Working Group letter notes “the problem of inaccurate contact details in the WHOIS contact database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database.The letter notes “the problem of inaccurate contact details in WHOIS cannot be solved without addressing the root of the problem: the unlimited accessibility of private contact details in the WHOIS database.” However the Working Party does acknowledge “the contact details are being harvested on a large scale and abused for spamming. In other words, the way the system is designed provides a strong incentive for natural persons to provide inaccurate contact details.”But the collection of contact details in the WHOIS database the Working Party reminds is for “the purposes of collecting and publishing contact details in the WHOIS database … to facilitate contact about technical issues.The Working Party is concerned that although “WHOIS data can be used for other beneficial purposes [it] does not in itself legitimise the collection and processing of personal data for those and other purposes.”The Working Party says the proposal for re-verifying telephone numbers and email addresses every two years, and to publish these contact details publicly, would be unlawful in Europe.On the second issue, data retention, the Working Party notes “the proposed data retention specification has a very broad scope” and includes other categories of data that can be processed by registrars including telephone numbers and email addresses not contained in WHOIS data, as well as credit card details, Skype IDs and various other identifying data.The Working Party says they strongly object “to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.”The Working Party also says that just because the “personal data can be useful for law enforcement does not legitimise the retention of these personal data after the termination of the contract.”The Working Party also says that the proposed data retention requirement would, as with the proposal for re-verifying data every two years, to be unlawful in Europe. It would see registrars and data controllers, who collect the personal data, be put “in the uncomfortable position of violating European data protection law.”The Working Party letter concludes saying they have expressed an interest in being consulted by ICANN about privacy-related WHOIS issues on several occasions, and are still willing to meet. But it appears they have been ignored.