The European Data Protection Board (EDPB) sent a letter to the Internet Corporation for Assigned Names and Numbers (ICANN), written by the EDPB Chair, Andrea Jelinek, with the purpose of providing guidance to ‘enable ICANN to develop a General Data Protection Regulation (GDPR) compliant model for access to personal data processed in the context of WHOIS’. In response to a letter sent by Göran Marby, President and CEO of the Board of Directors, ICANN, to the EDPB on 10 May 2018, the EDPB addresses the following issues: purpose specification and lawfulness of processing, collection of ‘full WHOIS data’, registration of legal persons, logging of access to non-public WHOIS data, data retention, and codes of conduct and accreditation. The Article 29 Working Party (WP29), the EDPB’s predecessor, has been offering guidance to ICANN since 2003 on how to bring WHOIS into compliance with European data protection law. The letter states that the EDPB expects ICANN to develop and implement a WHOIS model that enables legitimate use of registrants' personal data by the relevant stakeholders, such as law enforcement, in compliance with the GDPR, without leading to an unlimited publication of that data.
Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. The July 2015 appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age reflects the rising importance of privacy in global digital policy, and the recognition of the need to address privacy rights issues at the global, as well as national, levels.