Last Week For Comments on Proposed ICANN GDPR-Compliant Whois Policy

It’s the last week for comments on ICANN’s proposals for how it handles registration data collected for generic top level domains and becomes permanently compatible with the EU’s GDPR.

ICANN has been struggling with how to be compliant with the European Union’s General Data Protection Regulation (GDPR), which came into effect in May this year. It put out a Temporary Specification, which was approved by the ICANN Board on 25 May, the day the GDPR came into effect, leaving registrars scrambling to update systems.

However, one registrar that refused to play ball was the German registrar EPAG, part of the Tucows group. ICANN has been to court 4 times in its battle with EPAG, losing and then appealing and losing. So far the scorecard is 4-0.

EPAG refused to collect the required registrant data for the gTLDs, such as .com and .top, as per the Registrar Accreditation Agreement (RAA) it has signed with ICANN. The RAA in part specifies what registrant data must be collected upon registering a domain name for gTLDs. EPAG believed that the “Temporary Specification” ICANN introduced wasn’t compatible with the GDPR. EPAG had 3 concerns with the Temporary Specification, based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.

ICANN is likely facing pressure from mainly US-based bodies on one side, who want unfettered access to domain name registration data that’s linked to copyright-infringing website content, and from the EU on the other.

So, as a means of moving forward, ICANN established an Expedited Policy Development Process (EPDP) Team to consider the Temporary Specification for gTLD Registration Data.

The EPDP Team, formed in late November, is tasked with evaluating the Temporary Specification on gTLD Registration Data (Temp Spec) and deciding whether it should become an ICANN Consensus Policy as is, or with modifications, while complying with the GDPR and other relevant privacy and data protection laws and regulations. Their Initial Report contains the preliminary recommendations of the EPDP Team and a set of questions for public review and comment.

Some of the questions raised in the Initial Report include what data is collected from domain name registrants, the transfer of the data collected between registrars, registries, escrow providers and ICANN, what information is necessary, who has access to the information collected, what is “reasonable access” and a “lawful basis” to the data collected, and policy updates relating to dispute resolution.

Depending on the outcomes of the consultation, ICANN could end up with a GDPR-compliant policy relating to the collection of domain name registration data, which could lead to an end of the court battle in Germany.

There are currently around 10 comments lodged. Comments close on 21 December and more information can be found here.
