At EuroDNS, we value your rights to anonymity...
In this post our in-house legal eagle, Luc, shares his thoughts on the 2013 Registrar Accreditation Agreement (RAA). This is the contract that forms the basis of the relationship between ICANN and its accredited domain registrars. If we want to offer new gTLDs to our customers, signing this contract is mandatory. The RAA ensures that all registrars play by the same rules, but in some cases we feel that customer' privacy could be compromised. Let's see what Luc thinks...
Registrar Accreditation Agreement 2013
As reported back in April of this year, ICANN has finally recognised that several provisions of the new Registrar Accreditation Agreement (RAA) - the mandatory agreement required by registrars to allow them to offer new extensions to their customers - could contravene local privacy laws.
However, until recently, the process allowing exemption from these obligations, that breach European laws on data privacy, were not clearly defined.
Between a .ROCK & a hard .PLACE
This lack of clarity placed EuroDNS in a position where despite our willingness to sign the new agreement and to offer the new extensions for registration, we couldn’t knowingly enter into an agreement illegal under Luxembourgish law. Furthermore and notwithstanding any legal standpoint, agreeing to retain and disclose our customers’ personal data for no legitimate and clearly defined purpose goes against our moral stance. Being strongly rooted in Europe, we value your rights to anonymity and believe that we should not be obliged to keep your personal data for years after you've let your domain name expire or - of course we know you wouldn’t - transfer away to another registrar. For this reason, EuroDNS has not yet signed the new accreditation agreement.
ICANN recognises three means to evidence that the laws under which a registrar is established are in conflict with the RAA provisions on personal data handling.
A registrar may either:
- hire and pay a law firm of its jurisdiction to write a legal opinion that abides by the RAA provisions on personal data collection and retention, stating it would violate its local laws; or
- request its national privacy watchdog to issue a written guidance showing that compliance with the RAA provisions on personal data collection and retention, would violate the local law; or
- benefit from a waiver already granted to a registrar established in the same jurisdiction.
This exception process having been introduced less than two weeks ago and with no waiver having been granted, meant the third route was not possible.
EuroDNS was consequently left with a choice between the first two options.
The Luxembourgish Data Protection Agency being very reactive, and more importantly, monitoring the ICANN world, we have elected to choose the second option and to ask them to issue a written guidance on the compatibility between the Luxembourgish Data Protection Act and the data retention mechanism.
No United States of Europe
As per the European legislation system, each member is obliged to transpose European directives into their local laws. It is only logical to trust that this incompatibility with the directive would also exist with each national law stemming from this legislative act. This reasoning was of course pointed out by the Working Party in their aforementioned letter.
"In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe."
Regrettably, it appears that ICANN is not keen on recognising this letter as valid grounds for exemption to the data collection and retention obligation for any European registrar.
Indeed, less than four days after the publication of the exemption process, ICANN General Counsel John Jeffrey replied to the Working Party with a letter stating in a rather roundabout way that the incompatibility with local laws had to be established for each European state.
EuroDNS is now awaiting the release of the Luxembourgish DPA written guidance so it can be submitted to ICANN; and will sign the new accreditation agreement as soon as the exemption is granted.
Although regrettable, we are confident that this delay will not impair EuroDNS’ capacity to offer you its services for each new extension as soon as they're available.
In the meantime, EuroDNS teams are preparing for the new obligations and processes that this new accreditation agreement will bring to EuroDNS and more importantly, to you. As per the result of a self-assessment audit we conducted, EuroDNS is already abiding by most of the new accreditation agreement obligations. However, as several of our processes will have to be adapted, we will publish a series of blog posts detailing each of these modifications to ensure a smooth transition for each of our customers.
Enjoyed this blog post? Follow EuroDNS on Twitter and we'll keep you updated with more thoughts from Luc in the future. And as Luc says, EuroDNS already lives by most of the RAA rules; but if we consider those rules are going to hurt our customers - then we will challenge them.