Enforcement of the European Union’s General Data Protection Regulation (GDPR) is coming on 25 May and as of yet, ICANN still hasn’t worked out a way to deal with the conflicts between the collection of domain name registration data (WHOIS) and the requirements of GDPR.
Acknowledging it’s likely they won’t have a solution by the enforcement date, ICANN’s President and CEO Göran Marby wrote on the organisation’s blog last week that they’re “working to develop interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements. To be clear, these proposed models are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”
In November ICANN “published a Statement from Contractual Compliance, which indicated ICANN org would defer taking compliance action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”
So what is the GDPR? It’s the E.U.’s way of harmonising data protection laws across the 28-member states and gives greater protection to data and the privacy of EU citizen’s data.
It applies to any organisation that processes data about individuals relating to the sale of goods or services to citizens in EU countries, which includes the registration of domain names involving registrars, resellers and registries. Which means that even businesses from outside of the EU who process data on the citizens of the European Union need to comply. This includes domain name registries and registrars.
The penalties for non-compliance are steep. Organisations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 million, the maximum fine. And if their data is infringed, the GDPR makes it easier for individuals to bring private claims against data controllers when their data privacy has been infringed and to sue for compensation when non-material damage has been suffered. Consent for the collection of the data is necessary, and the withdrawal of consent must be made available.
Personal data under the GDPR is defined as any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. Which also includes WHOIS data required when registering a domain name.
The E.U. has expressed their concerns about how ICANN is progressing. In a letter to ICANN, the EU’s ARTICLE 29 Data Protection Working Party says “the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.” The letter states a “layered access” may meet the GDPR while also providing law enforcement with the access they require. The EU has been calling for such a layered access since 2003.
Regarding the publication of WHOIS data collected when registering a domain name, the WP letter says there are concerns regarding the way consent is given when collecting WHOIS data and how that consent is given.
In last week’s blog post, Marby outlines what ICANN has been doing, and the 3 options for moving forward. ICANN obtained legal advice that advised in November WHOIS as it currently exists must change. In December Marby advised ICANN was working on some “interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements.” The models “are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”
And then last week ICANN published for community input three proposed discussion models for collecting registration data and implementing registration directory services that reflect discussions “from across the community and with data protection authorities, legal analyses and the proposed models we have received to date.”
Marby summarised the three models [pdf] in his post at a high-level, which are reproduced below. “The models differ based on what contact information is displayed in the public-facing WHOIS, their applicability, the duration of data retention and what data is not displayed in a public-facing WHOIS:
- Model 1 would allow for the display of Thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
- Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts' email addresses. To access the non-public information registries and registrars would be required to provide access only for a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is regardless of location, that is on a global basis.
- Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.
Feedback must be received by 29 January 2018 with comments to be sent to email@example.com.
The models are available to read in more detail at https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf.