GDPR keeps on creating WHOIS-related challenges for ICANN
Data privacy is the new black! At least for the domain industry, which, while at ICANN 63 in Barcelona, reviewed the consequences of the Temporary Specification for gTLD Registration Data. Meant to buy ICANN time as it works on making the WHOIS database GDPR compliant, it hasn't exactly proven a seamless stopgap.
Consequences of the Temporary Specification
Earlier this year, ICANN (Internet Corporation for Assigned Names and Numbers) issued a temporary policy which, in a nutshell, allows registries and registrars to take any action deemed necessary to comply with the GDPR (General Data Protection Regulation) and other data privacy acts. This move rendered management and use of the WHOIS database deeply fragmented.
Registries and registrars have been interpreting and sometimes even ignoring the terms of this policy in their efforts to try to comply with the GDPR as best they can.
Intellectual property and business constituencies have been the most vocal community members to complain about the consequences of the WHOIS database redaction, but the whole industry has been impacted by it.
EuroDNS is no exception. We decided to stay as close as possible to the terms of the GDPR, avoiding any actions which overstep the scope of those terms. As such, we redacted the details of contact profiles belonging to individuals, only publishing:
- an anonymised email address which allows the public to contact domain registrants without disclosing their identity; and
- the city, postal code and country, allowing third parties to know which courts have jurisdiction in case of a dispute.
Legal persons (companies) remain responsible for determining which personal data they publish. We do not redact their data.
WHOIS database confusion
Regrettably, our actions have only applied to registries for which EuroDNS has full control over the WHOIS databases (.COM, .NET, and .JOBS).
For all other extensions, the registry controls the WHOIS output and, despite what registrants and/or registrars would like to publish, the applicable registry has the power to redact it.
In the case of the example below, eurodns.domains, EuroDNS, as the controller of the personal data of its managing director, Xavier Buck, has obtained Xavier's consent to publish his details in the WHOIS database. There is no need to redact our company's details.
But, to avoid implementing expensive technical measures for an uncertain period of time, we have elected to resort to an undifferentiated redaction. At least, in this case, we publish the name of the registrant's organisation, which not every registry does.
Domain registrar transfer complications
Those asymmetrical and unpredictable redactions are complicating inter-registrar transfers, as there is no way to automate the creation of the Form of Authorisation (FOA) required for transfers. To use the famous analogy of an e-PDP working group member, "the authorisation code used to transfer a domain name is akin to the key of a car and the FOA to the registration certificate." For the moment, registrants can transfer their domain names (cars) solely with an authorisation code (key).
Certain registrars are aware of this problem and are proceeding with transfers without the FOA. But others are insisting on its provision, which can delay and, sometimes, even render transfers impossible.
Personal data disclosure involving EuroDNS
Certain IP rights representatives, like the aforementioned intellectual property and business constituencies, have been complaining to anyone who is willing (or not) to listen to them talk about their loss of WHOIS database access and the dire consequences it has for public safety...
In EuroDNS's experience, the problem is two-fold. On the one hand, brand owners' representatives must cease sending fully automated, baseless cease-and-desist letters and actually review each case. On the other hand, registries and registrars must better communicate what they require in order to disclose data they have anonymised.
In EuroDNS' case, unless the request comes from a Luxembourgish law enforcement agency armed with a court order, we require at minimum the following:
- The requestor's full name and contact details. In case the requestor is not located within the EEA or in a country that has an adequate level of data protection, we require they provide the details of the requestor's EEA-based representative and a written statement that the personal data disclosed will remain with this representative and within the EEA.
- Proof of representation:
  - Evidence that the requestor is entitled to represent the entity on whose behalf they are making the disclosure request, be it a power of attorney or an extract of the company registry.
  - If the requestor is an individual, a written statement along with evidence of their identity.
- A meaningful description of the specific issue the request is attempting to resolve along with the specific location of the issue (URL). For example, a trademark issue would include the specific trademark and a description of the perceived infringement.
- A brief description of the legitimate interest on which the request is based.
- A statement, under penalty of perjury, that any personal data received through a request will be processed in compliance with any applicable data protection laws, and that it won't be stored, transferred, or otherwise shared in contravention with any applicable data protection laws.
- The guarantee that, in case of illegal use of the disclosed data, the requestor will hold EuroDNS harmless.
We will review any request we receive and will always reply in turn. Nonetheless, we will only disclose personal data when the legitimate interest is made clear to us. If there is any doubt, we will inform the requestor that they need to take action before a Luxembourgish court of law which has competence to deal with such matters.
GDPR data privacy questions persist
ICANN has created a dedicated team to ensure that registries and registrars with whom ICANN has an agreement comply with the terms of that agreement. In the case of registrars, however, most interaction with the ICANN compliance department involves the provision of personal data. ICANN, a nonprofit corporation established in California, has few means at its disposal for sharing or receiving personal data belonging to European residents.
ICANN could use EU Standard Contractual Clauses, but the validity of this instrument remains rather uncertain at the moment. Worse still, the compliance department members who oversee Europe are based in Turkey, which doesn't have a stellar record when it comes to human rights, data privacy protection being one of those rights.
The registrar constituency has sent a letter to ICANN's legal department asking how they intend to solve this issue, but they have not yet replied.
Furthermore, in light of the above issues related to WHOIS and the GDPR, ICANN's compliance department also announced it is indefinitely postponing its next round of audits.