ICANN, the GDPR and WHOIS

11 Apr 2019 16:30h - 18:15h

Event report

 

The session was organised by the Internet Corporation for Assigned Names and Numbers (ICANN) Cross Community Working Group on Internet Governance (CCWG-IG). It expanded on the work of the current Expedited Policy Development Process (EPDP) team to ensure that registries and registrars are compliant with the European Union’s General Data Protection Regulation (GDPR), which came into force in May 2018. The session was moderated by Mr Olivier Crepin-Leblond (Chair, CCWG-IG).

Mr Keith Drazek (Chair, Council of the Generic Names Supporting Organisation (GNSO), ICANN) spoke about the role of the GNSO, the body within ICANN that is responsible for policy development regarding generic Top-Level Domains (gTLDs). He noted the particularity of this body, given that registrars and registries have contracts with ICANN and are bound by the policies developed by the GNSO.

Drazek explained that ICANN issued a Temporary Specification in May 2018 in response to the GDPR, which came into effect in the same month. He noted that Temporary Specifications can only be valid for 12 months before the rules are either replaced, adapted to new regulatory circumstances, or simply revert to the existing rules. The specification was imposed after the recognition that ICANN was unable to enforce its contractual obligations due to the GDPR, so the GNSO council had 12 months to develop a new regulation, which it did by introducing a charter for the EPDP. Additionally, the council decided to work in two phases. The first phase related to confirming, or not, the Temporary Specification as a Consensus Policy by 25 May 2019. The second phase will look into the related policy recommendations and discuss a standardised access model to non-public registration data.

Kurt Pritz (Former Chair, EPDP, ICANN) reiterated the process that led to the Temporary Specification and noted that ICANN’s policy regarding the publication of registration data (‘WHOIS data’) was non-compliant with the GDPR. Pritz further mentioned that Temporary Specifications are only effective for one year in order to safeguard ICANN’s bottom-up multistakeholder model.

However, Pritz said that a permanent solution to the specification was needed, given that law enforcement agencies, cybersecurity specialists and other third parties need to have access to registrants’ data for legal and other legitimate reasons. Additionally, Pritz mentioned the desire of third parties to have a consistent approach to accessing this type of information. Pritz also mentioned the challenges faced by the EPDP team, which rapidly needed to familiarise itself with the provisions and complexities of the GDPR.

He noted that the Expedited Policy Development Process retains all the safeguards in ICANN’s policy-making process except for the introductory report which is usually required to initiate the Policy Development Process (PDP). The EPDP Team was composed of registries and registrars and all other stakeholders. The EPDP organised two public comment periods, published comment analysis and review, prepared formal initial and final reports, maintained formal consensus to ascertain support, and carefully implemented transparent meetings that were accessible to the public.

Pritz outlined the EPDP team’s approach, which reviewed the lawful purposes for the processing of data according to the Temporary Specification, factored in GDPR requirements, and developed and/or revised purposes with their corresponding legal bases. The team came up with seven purposes for processing data, which include consent, necessity to perform a contract or enabling other legitimate uses (i.e. law enforcement), among others.

Pritz explained that in addition to the identified legal, lawful and legitimate purposes for the processing of data, the EPDP Team identified and approved 28 other policy recommendations. These include recommendations pertaining to the development of a standardised model for the lawful disclosure of non-public registration data in the second phase of the process, the negotiation of data protection agreements between ICANN and contracting parties and the mandate that ICANN and GNSO examine existing policies for GDPR compliance.

Finally, Pritz highlighted some of the lessons learned in this process and mentioned the use of professional mediation in the process, the value of face-to-face meetings, and the improved transparency for observers among other important factors which are contributing to the positive evolution of the multistakeholder model.

Mr Olivier Crepin-Leblond (Chair, CCWG-IG, ICANN) spoke about phase two and the next steps that ICANN will undertake.

He noted that the public comment period on the final GNSO report will close on 17 April 2019 and that the ICANN board will decide whether to adopt the report as the Consensus Policy before 25 May 2019. Furthermore, he mentioned that an ICANN Implementation Review Team (IRT) will work on the development of operational and contractual details to implement the policies. Crepin-Leblond said that between the expiration of the Temporary Specification after 25 May 2019 and the full implementation of the IRT’s work, contracting parties will have the choice to comply with either the Temporary Specification or the new Consensus Policy. Crepin-Leblond invited all interested parties to follow or contribute to the work of the EPDP by following this link.

Mr Nigel Hickson (Government Engagement Team, ICANN) thanked the speakers for their great efforts in leading this process and highlighted its complexity. He described the process as a testament to the multistakeholder process.

 

By Cedric Amon