Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrant’s registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs.
On Thursday ICANN’s Board of Directors voted to reaffirm the “Temporary Specification for gTLD Registration Data.” The Temporary Specification was originally approved by the Board on 17 May 2018, a mere 8 days before the European Union's General Data Protection Regulation (GDPR) came into effect. It was then reaffirmed on 21 August 2018. The goal of the Temporary Specification is to establish temporary requirements for how ICANN and its contracted parties will comply with existing ICANN contractual requirements and community-developed policies in relation to the GDPR.
As required by procedures in the Registrar Accreditation Agreement and Registry Agreements, ICANN explains a temporary policy or specification must be reaffirmed every 90 days for up to a maximum of 1 year until it becomes a Consensus Policy. The GNSO Council has launched an Expedited Policy Development Process on the Temporary Specification, and the Working Group is continuing with its deliberations to develop proposed policy recommendations. The process has a budget of $590,000 [pdf] not including any required external legal counsel and advice.
European ccTLD registries, which aren’t subject to the Temporary Specification, have devised their own methods of complying with the GDPR. And while pretty much all European ccTLD registries devised means of complying late, none, at least of the larger registries, were as late as ICANN in announcing how they would comply, even though they all knew 2 years in advance what they were required to do. And none has faced legal action from a registrar stating objections as to what they are required to do.
The GDPR was developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater. The GDPR was adopted by the European Parliament in April 2016 and came into force in May that year. It then became applicable in all member states, two years after the regulations enter into force. It is effective in all European Economic Area (EEA) countries, that is all EU countries plus Iceland, Liechtenstein, and Norway.
In September ICANN lost their fourth court case (including appeals) in their battle with EPAG, a subsidiary of Tucows. ICANN has been pursuing a preliminary injunction from the German courts to require EPAG to continue to collect elements of WHOIS data, as required under ICANN’s Registrar Accreditation Agreement (RAA), which permits the registrar to sell domain name registrations for generic top-level domains. EPAG have 3 concerns with the Temporary Specification based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.
But ICANN may be struggling to find a solution due to competing demands. As Michele Neylon from the Irish registrar and hosting company Blacknight said in May, “there might be more at play here than initially meets the eye. ICANN is probably coming under a lot of pressure from the US government and other interests in relation to public Whois. Recent speeches by US Department of Commerce’s head honcho David Redl in multiple venues have underlined the US government’s fixation with full public Whois.”