GDPR and WHOIS: ICANN solving access and privacy problem?
WHOIS data access took centre stage at ICANN 63, held in Barcelona from October 20 - 25th. While other issues, such as the future of new gTLD applications, were discussed, post GDPR privacy concerns were, unsurprisingly, the focus of most discussions. Here are the key takeaways.
GDPR compliance requires smart decision making
The e-PDP (expedited Policy Development Process) Working Group gave an update on the progress they’ve made to bring the WHOIS database into GDPR (General Data Protection Regulation) compliance. Although direct participation in the e-PDP is limited to e-PDP Working Group members, anyone can listen to the group's conference call recordings and/or subscribe to its mailing list. Click here for more information.
Most certainly the saddest part of this presentation was that the group had to receive a crash course in data privacy laws as numerous members did not have very extensive knowledge on the topic...
It was, therefore, unsurprising that the group reported they are still seeking to define the purpose(s) for which registrants have to provide personal data when applying for the registration of a domain name.
And as we saw before with the now-defunct Registration Data Services Working Group - tasked with reforming the WHOIS system - privacy advocates on one side and brand owners as well as cybersecurity specialists on the other are battling each other. In the middle, between a rock and a hard place, are registries and registrars who, most of the time, are driven to despair by the lack of pragmatism found in each of the main opponents’ proposals.
With less than 7 months left before the Temporary Specification expires, there is little hope that this group will deliver a final report in time. To attempt to maintain some uniformity in the industry until a workable policy is issued, different parties throughout the week offered their own “solutions”.
In this lawyer’s opinion, the most interesting event was the tap on the shins from Göran Marby, ICANN's CEO, who instructed the registry and registrar stakeholder groups to issue a letter indicating their “non-refusal” of ICANN’s exploration of a model where ICANN would act as sole controller of the WHOIS database.
This would essentially require ICANN to evaluate every disclosure request from all over the world and judge the legitimacy of those to grant and deny access to redacted data. In such a scenario, ICANN may not manage and control WHOIS but it would have access to every WHOIS record from every registry and registrar, and would proceed with disclosures.
While very interesting on paper, this route would require some rather drastic measures from ICANN as it would need to create a dedicated structure within the EEA or in a country that has an adequate level of data protection. It would also need to hire a team of data privacy specialists, and devise a strong and robust system to safely access WHOIS records.
Domain market indicators
Although ICANN turned 20 years old this year (one more year and it will reach the legal age to drink…), it has never developed a proper tool to evaluate the consequences of its policies on the industry. This is why back in 2015 it attempted to create a marketplace health index. However, as is often the case with ICANN, this legitimate initiative was led astray and turned into a means for imposing new obligations on registries and registrars.
In face of the harsh criticism ICANN received, a multi-stakeholder Advisory Panel was established to expand and refine this initiative.
The Advisory Panel presented a progress report at ICANN 63. Regrettably, it appears from this presentation that rather than focusing on the data already held by ICANN or publicly available, ICANN is still looking at ways to access further data.
New gTLD applications expected to open 2020
The working group tasked with evaluating the efficiency of the first round of new gTLD is still hard at work and should deliver its final report by Q2 2019 - a quarter later than what was announced at ICANN 62 in Panama earlier this year. The main issue remains finding a solution for deciding on applicants who’ve applied for the same extension without having to resort to an auction process.
There is still hope that the next round of new gTLD applications will open in 2020.
An idea which seems to have gained traction within the community is the creation of a fast track program for well-known marks.
These marks are so famous that they are protected for the products and services they have gained a reputation for, even if they are not registered as trademarks. Owners of such marks would not have to wait for the next round but could apply for the delegation of the extension matching the brand they own.
WHOIS solution still a work-in-progress
ICANN's next meeting will be held in Kobe, Japan in 2019 (March 9 - 14). By then, we should have a clearer view on the e-PDP Working Group's ability to issue its report on time and/or alternative routes which have been found that allow for the disclosure of WHOIS data while complying with the GDPR.