ICANN is still fighting its corner, living in hope that courts in Europe will accept its ill-thought-out response to the collection of personal information it requires of gTLD domain name registrants following the implementation of the European Union’s General Data Protection Regulation (GDPR).
Whether you agree or disagree with the merits of the GDPR, ICANN has joined what’s becoming a long line of American-based organisations that have failed to understand, initially at least, that Europe has different views on competition and privacy to the United States. Microsoft, Apple, Amazon, Facebook and Google, which last week was fined €4.3 billion, have all either had to amend their ways of working in the EU or been fined, or both. And now ICANN is failing to grasp that Europe has differing views on how to deal with issues that impact upon it, this time privacy with the introduction of the GDPR.
When it comes to privacy, there are major differences that ICANN appears to have failed to grasp, with the European Union “generally allowing more rights to the individual”, notes The Observer. This has been pushed further with the GDPR. In short, the GDPR seeks to give individuals who are residents of the EU control over their personal data and simplify the regulatory environment for businesses operating in the EU.
For privacy, the US “takes a more ad-hoc approach to data protection, often relying on a combination of public regulation, private self-regulation, and legislation”, according to an article in Politics and Policy a few years ago.
So when it came to the GDPR, ICANN acted late and, with its multistakeholder approach, it was always going to take time to come up with a workable solution. ICANN announced a “temporary specification” to be implemented by generic top-level domain registries, and hence registrars, a mere 7 days before the GDPR came into effect on 25 May.
ICANN’s temporary specification required Registry Operators and Registrars to continue to collect all WHOIS information for generic top-level domains (gTLDs). However, WHOIS queries will only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar, which is obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought that individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.
While there were drafts of the GDPR to work on for implementation in the lead-up to 25 May, many registries and registrars went it alone in their compliance, figuring it was better to comply with the European Commission than with ICANN.
One such registrar to implement its own solution was the German EPAG, a subsidiary of Tucows. In a blog post back in May, Tucows noted that “in order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimisation.”
Tucows took the view that ICANN’s temporary specification wasn’t compliant with the GDPR. They had problems with 3 core issues: the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts.
This led to a dispute over how the GDPR impacts EPAG’s registrar accreditation agreement. “The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”
So ICANN took EPAG to court in a Regional Court in Bonn, Germany. ICANN lost. ICANN appealed. Now the Bonn court has decided to refer the matter to the Higher Regional Court in neighbouring Cologne.
In explaining the referral, ICANN noted the German court’s initial ruling “determined that it would not issue an injunction against EPAG. ICANN appealed this decision. Upon receipt of the appeal, the Regional Court exercised its option to re-evaluate its decision instead of immediately forwarding the matter to the Higher Regional Court to address the appeal.”
“In referring the matter to the Higher Regional Court in Cologne, the Regional Court did not change its original determination not to issue an injunction against EPAG. The Regional Court also rejected the alternative claims submitted by EPAG in recent court filings. Notably, the Regional Court issued this second ruling without consideration of the additional court filings submitted earlier this week by ICANN and ICANN's Intellectual Property Constituency. Those filings will be part of the record to be transferred to the Higher Regional Court for the appeal.
“ICANN will continue to pursue this matter as part of its public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system. ICANN awaits further direction from the Higher Regional Court on next steps, which could include referring the matter to the European Court of Justice, issuing a decision based upon the papers already submitted, requesting additional briefings or scheduling a hearing with the parties.”
ICANN had several years to work on the implementation of the GDPR, but work only started in earnest in the year before its implementation. And when little had happened early this year, the European domain name community began to get worried.
At the Domain Pulse conference in Munich in February, Ashley La Bolle, EPAG’s Managing Director, said in a panel discussion that registries hadn’t been given the information they required to allow them and registrars to implement solutions.
La Bolle later told Domain Pulse (the blog, not the conference!) that “we wish that ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”
So while there is at least one more appeal to come, the court rulings in Germany have said that ICANN’s requirements are illegal and the RAA isn’t valid. As Kieren McCarthy noted in The Register, explaining the history of how we got where we are, following the court decision “any registrar that doesn't want to follow the Whois as outlined in ICANN's contract is pretty much free not to do so. By refusing to cede to anybody, ICANN undermined itself.”
As global tech companies from Facebook to Microsoft to Google are aware, Europe has set the global standard when it comes to privacy. And ICANN really has no choice but to follow and develop policies that comply. The Republicans in the US, though, may have other ideas.
And as McCarthy concludes, “not that Whois, ICANN and the US-led internet are going anywhere. They just won't be as unassailable or as likely to make terrible decisions.”