The European Data Protection Board (EDPB) adopted a letter, sent to the Internet Corporation for Assigned Names and Numbers (ICANN) by the EDPB Chair, Andrea Jelinek, with the purpose to provide guidance to ‘enable ICANN to develop General Data Protection Regulation (GDPR) compliant model for access to personal data processed in the context of WHOIS’. As a response to Goran Marby’s, ICANN’s President and CEO of the Board of Directors, letter sent to EDPB on 10 May 2018, the EDPB’s letter addresses the following issues: purpose specification and lawfulness of processing, collection of ‘full WHOIS data’, registration of legal persons, logging of access to non-public WHOIS data, data retention, and codes of conduct and accreditation. The Article 29 Working Party (WP29), an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission, as the EDPB’s predecessor, has been offering guidance to ICANN since 2003, on how to bring WHOIS in compliance with European data protection law. It is stated that the EDPB expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.
Privacy and data protection are two interrelated Internet governance issues. Data protection is a legal mechanism that ensures privacy. Privacy is usually defined as the right of any citizen to control their own personal information and to decide about it (to disclose information or not). Privacy is a fundamental human right. It is recognised in the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and in many other international and regional human rights conventions. The July 2015 appointment of the first UN Special Rapporteur on the Right to Privacy in the Digital Age reflects the rising importance of privacy in global digital policy, and the recognition of the need to address privacy rights issues the the global, as well as national levels.