Minutes | Special Meeting of the ICANN Board 17 May 2018

A Special Meeting of the ICANN Board of Directors was held telephonically on 17 May 2018 at 18:00 UTC.

Cherine Chalaby, Chair, promptly called the meeting to order.

In addition to the Chair, the following Directors participated in all or part of the meeting: Maarten Botterman, Becky Burr, Ron da Silva, Sarah Deutsch, Chris Disspain (Vice Chair), Avri Doria, Rafael Lito Ibarra, Khaled Koubaa, Akinori Maemura, Göran Marby (President and CEO), George Sadowsky, Léon Sanchez, Matthew Shears, and Lousewies van der Laan.

The following Directors sent their apologies: and Mike Silber.

The following Board Liaisons participated in all or part of the meeting: Manal Ismail (GAC Liaison), Ram Mohan (SSAC Liaison), and Jonne Soininen (IETF Liaison).

The following Board Liaisons sent their apologies: Kaveh Ranjbar (RSSAC Liaison).

Secretary: John Jeffrey (General Counsel and Secretary).

The following ICANN Executives and Staff participated in all or part of the meeting: Akram Atallah (President, Global Domains Division), Gwen Carlson (Senior Director, GDD Communications), David Conrad (Senior Vice President and Chief Technology Officer), Samantha Eisner (Deputy General Counsel), Jamie Hedlund (SVP, Contractual Compliance & Consumer Safeguard and Managing Director - Washington D.C. Office), John Jeffrey (General Counsel and Secretary), Trang Nguyen (Vice President, Strategic Programs), David Olive (Senior Vice President, Policy Development Support), Wendy Profit (Board Operations Specialist), Erika Randall (Associate General Counsel), and Amy Stathos (Deputy General Counsel).

  1. Main Agenda:
    1. Consideration of the Temporary Specification for gTLD Registration Data (Implementation of GDPR Interim Compliance Model)
    2. AOB

 

  1. Main Agenda:

    1. Consideration of the Temporary Specification for gTLD Registration Data (Implementation of GDPR Interim Compliance Model)

      Cherine Chalaby introduced the agenda item, noting that the proposed resolution before the Board is a continuation of the Board's focused discussions in Vancouver about the Temporary Specification for gTLD Registration Data ("Temporary Specification"). The Temporary Specification incorporates changes needed to ICANN agreements with registries and registrars concerning the collection, publication, transfer and retention of gTLD registration data in light of the European Union General Data Protection Regulation (GDPR). Cherine provided an overview of the Board's previous action on 13 May 2018 where the Board decided that it needed additional time to consider the proposed Temporary Specification. The additional time would allow the Board could confirm that appropriate modifications were incorporated into the Temporary Specification based on the Board's discussions in Vancouver, along with additional comments from the community.

      Cherine reported that ICANN org staff provided the Board with an update on the inputs received from various parts of the community, along with changes made to the Temporary Specification to address the community comments.

      Becky Burr provided the Board with an overview of the proposed resolution to adopt the Temporary Specification. Becky stated that adopting the Temporary Specification would obligate contracted parties to comply with its provisions just the same as if it were a consensus policy. She also noted that this would be the first time the Board has used its authority to adopt a temporary specification, and as a result, it was appropriate for the Board to have given the Temporary Specification a rigorous review to ensure the Temporary Specification is as narrowly tailored as possible and within ICANN's mission.

      Sarah Deutsch noted that while supportive of the adoption of the Temporary Specification, she wanted to express concern that the Temporary Specification is imperfect in some respects. Sarah commented that that on balance, the potential harms resulting from the Board not taking action to provide direction and clarity to the contracted parties through the Temporary Specification could potentially be more severe than taking action to adopt the current iteration of the Temporary Specification. She stated that it was important for the community to work to ensure the remaining issues identified in the Annex are resolved quickly and satisfactorily.

      Avri Doria noted support for the resolution, but also expressed some concern about putting the burden of deciding who is a qualified for access to non-public WHOIS data on the contracted parties as opposed to having created a qualification scheme or having relied on due process.

      Ram Mohan commented that the GDPR is potentially only the beginning of a data privacy movement that is likely to sweep across multiple jurisdictions. Ram observed that finding the correct balance between local privacy requirements and ICANN requirements will continue to present a challenge going forward.

      Ram also expressed the importance of the community arriving at some consensus policy decisions on the important issues identified in the Annex to the Temporary Specification. George Sadowsky agreed, and remarked that the community should work to come to resolution on these issues as quickly as possible. George also suggested that the Board send a stronger statement about the positive aspects of WHOIS and its continued importance.

      Matthew Shears suggested that ICANN consider what processes or mechanisms are available for earlier engagement on future legislative changes that could have significant impacts on the domain name ecosystem so that ICANN can ensure that it is addressing these types of issues as early as possible. Lousewies van der Lann agreed and suggested that the Board consider whether there are lessons learned from this process that could apply in other situations going forward.

      Göran Marby thanked the Board and the community for all of the work leading up to the development of the Temporary Specification.

      After discussion, the Board took the following action:

      Whereas, the European Union's General Data Protection Regulation (GDPR) is a set of rules adopted by the European Parliament, the European Council and the European Commission that will impose new obligations on all companies and organizations that collect and maintain any "personal data" of residents of the European Union, as defined under EU data protection law. The GDPR will take full effect on 25 May 2018.

      Whereas, the GDPR has given new prominence and urgency to the long-standing debate about data protection and privacy in WHOIS.

      Whereas, the ICANN Board reaffirms the importance of appropriate access to registration data for legitimate purposes as consistent with ICANN's mission.

      Whereas, over the past several months ICANN org has consulted with community stakeholders, contracted parties, European data protection authorities, legal experts, and interested governments to understand the potential impact of the GDPR to personal data that participants in the gTLD domain name ecosystem collect, display and process (including registries and registrars) pursuant to ICANN contracts and policies.

      Whereas, through an iterative process and with feedback from the community, ICANN org developed a proposed interim model for how ICANN and gTLD registries and registrars could continue to comply with ICANN contractual requirements and community-developed policies in relation to the GDPR (the "Proposed Interim Compliance Model").

      Whereas, ICANN org requested and has received guidance from the Article 29 Working Party concerning the Proposed Interim Compliance Model, including areas where ICANN as received governmental advice and input reflecting differing views.

      Whereas, the Governmental Advisory Committee ("GAC") provided advice to the Board in its San Juan Communiqué (15 March 2018) concerning the Proposed Interim Compliance Model. The advice was the subject of an exchange between the Board and the GAC to clarify the Board's understanding of the advice.

      Whereas, ICANN org communicated with European data protection authorities and requested adequate time for gTLD registries and registrars to implement the Interim Compliance Model once additional clarification from the data protection authorities was incorporated into the Proposed Interim Compliance Model. The Article 29 Working Party highlighted the importance of ICANN communicating its full planned timescale by which the solutions will be implemented.

      Whereas, ICANN is continuing to discuss with the ICANN community proposed unified access models for non-public WHOIS data.

      Whereas, to cause compliance with the GDPR, the Board has considered adopting a temporary specification to implement the Proposed Interim Compliance Model, utilizing the procedure for Temporary Policies established in the Registry Agreement and the Registrar Accreditation Agreement (the "Temporary Specification for gTLD Registration Data" or "Temporary Specification"). A draft Temporary Specification was first provided to the ICANN community and the Board on 11 May 2018.

      Whereas, the Board, at its Vancouver workshop on 12-13 May 2018, engaged in a substantial and robust review over two days regarding a proposed Temporary Specification, including identification of questions and potential improvements, and wants to share with the community the updates to a proposed Temporary Specification generated as a result of the Board's review to date. On 13 May 2018, the Board took a resolution identifying its intention to consider a Temporary Specification on or about 17 May 2018, and directing the ICANN CEO and President to continue to support the Board in discussion across the ICANN community regarding the refinements made prior to the Board's consideration of a proposed Temporary Specification for adoption.

      Whereas, on 14 May 2018, ICANN org released an updated proposed Temporary Specification to the community and the Board, with updates reflecting the Board's inputs. On 15 May 2018, ICANN org convened a webinar to discuss the updates to the proposed Temporary Specification, with inputs received from across the ICANN community. The ICANN Board also accepted invitations from collections of stakeholders to discuss the proposed Temporary Specification.

      Whereas, during May 2018, the Board has received multiple letters from parts of the ICANN community regarding the contents of a draft Temporary Specification.

      Whereas, the Board has used the time since its 13 May 2018 resolution to confirm that appropriate modifications are incorporated into a proposed Temporary Specification prior to considering adoption. The Board also understands that additional explanatory materials on the Temporary Specification being adopted today will assist in creating a general understanding of the impact of the Temporary Specification across the ICANN community.

      Whereas, the Board has communicated to the GAC that the Board made a preliminary determination that its approach in the proposed Temporary Specification is inconsistent or could be viewed as inconsistent with certain items of the GAC's advice in the San Juan Communiqué, in particular given the guidance provided by the Article 29 Working Party. The Board provided a scorecard to reflect items of the GAC's advice that the Board may reject because of this.

      Whereas, ICANN org continues to engage with the Article 29 Working Party to seek clarity on guidance provided by the Article 29 Working Party about the Interim Compliance Model being implemented through the Temporary Specification. On 17 May 2018, the ICANN Board received a letter [PDF, 525 KB] from the GAC requesting that the Board defer a formal rejection of the GAC Advice to allow the GAC time to provide further clarification where possible.

      Resolved (2018.05.17.01), the Board adopts the Temporary Specification on gTLD Registration Data pursuant to the procedures in the Registry Agreement and Registrar Accreditation Agreement concerning the establishment of temporary policies. In adopting this Temporary Specification, the Board has determined that:

      1. The modifications in the Temporary Specification to existing requirements concerning the processing of personal data in registration data is justified and immediate temporary establishment of the Temporary Specification is necessary to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet.
      2. The Temporary Specification is as narrowly tailored as feasible to achieve the objective to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet.
      3. The Temporary Specification will be effective for a 90-day period beginning 25 May 2018. The Board will reaffirm its temporary adoption every 90 calendar days for a total period not to exceed one year.

      Resolved (2018.05.17.02), the Board understands that there are still outstanding related items necessary to be completed prior to the effective date of the Temporary Specification, specifically standard forms of data processing addenda (which contain EU Model Clauses to govern international data transfers where applicable) to be included in Registry-Registrar Agreements and Data Escrow Agreements, and directs the ICANN President and CEO, or his designee(s), to complete these items and provide notice of where these items can be found.

      Resolved (2018.05.17.03), the Board acknowledges that there are other implementation items that require further community conversation and that the Board encourages the community to resolve as quickly as possible after the effective date of the Temporary Specification. These items are identified in the Annex to the Temporary Specification, though they are not required to be part of the scope of the resulting policy development process.

      Resolved (2018.05.17.04), the Board affirms that further inputs are expected based on experiences once the GDPR goes into full effect, the Temporary Specification includes a process through which the ICANN Board may make adjustments to the Temporary Specification to address further inputs from the Article 29 Working Party/European Data Protection Board, court order of a relevant court of competent jurisdiction concerning the GDPR, applicable legislation or regulation, and/or as a result of the Board-GAC Bylaws Consultation.

      Resolved (2018.05.17.05), the global public interest is served by the implementation of a unified policy governing aspects of the gTLD Registration Data when the GDPR goes into full effect.

      Resolved (2018.05.17.06), the ICANN President and CEO, or his designee(s), is directed to produce additional explanatory material, in particular an identification of all policy and contractual terms impacted by the Temporary Specification.

      Resolved (2018.05.17.07), the Board hereby implements the consensus policy development process set forth in ICANN's Bylaws and will consult with the GNSO Council as soon as possible on the path forward to consider the development of a consensus policy on the issues within the Temporary Specification. The Board will consult with the GNSO Council about the expected scope of the PDP, timing considerations, and relevant procedural requirements.

      Resolved (2018.05.17.08), the Board adopts the Advisory Statement Concerning Adoption of the Temporary Specification for gTLD Registration Data, which sets forth its detailed explanation of its reasons for adopting the Temporary Specification and why the Board believes such Temporary Specification should receive the consensus support of Internet stakeholders.

      Resolved (2018.05.17.09), the Board confirms that based on the 17 May 2018 letter from GAC, the Board is deferring formal action on determining that there are likely to be elements of the Temporary Specification that are inconsistent or could be viewed as inconsistent with certain items of GAC advice in the San Juan Communiqué. The Board will consider if further action is needed after continued discussion with the GAC.

      All members of the Board present voted in favor of Resolutions 2018.05.17.01 – 2018.05.17.09. Mike Silber was unavailable to vote on the Resolutions. The Resolutions carried.

      Rationale for Resolutions 2018.05.17.01 – 2018.05.17.09

      The European Union's General Data Protection Regulation (GDPR) will go into effect on 25 May 2018. The GDPR is a set of rules adopted by the European Parliament, the European Council and the European Commission that will impose new obligations on all companies and organizations that collect and maintain any "personal data" of residents of the European Union, as defined under EU data protection law. The GDPR impacts how personal data is collected, displayed and processed among participants in the gTLD domain name ecosystem (including registries and registrars) pursuant to ICANN contracts and policies. Modifications need to be made prior to 25 May to allow ICANN and gTLD registries and registrars to continue to comply with ICANN contractual requirements and community-developed policies in relation to the GDPR. Though there has been significant work across the ICANN community to reach a compliance model, ICANN-adopted policies need to be updated to allow compliance with the GDPR. A full community-developed consensus policy is not yet available. Without a unified applicable policy in place, there will be fragmentation in how ICANN's contracted parties implement their own compliance programs in relation to gTLD registration data. As such, a unified applicable policy is needed in place prior to 25 May 2018, and doing so is in the public interest. The public interest is not served if the ICANN Board fails to take action on this critical issue.

      ICANN org's agreements with registries and registrars require compliance with Board-adopted temporary policies or specifications. To develop a temporary policy or specification, at least two-thirds of the Board must vote to approve the temporary specification, and the changes in the specification must be justified and "necessary to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet." The temporary policy or specification must be as narrowly tailored as feasible to achieve those objectives.

      ICANN org, in consultation with the Board, has been exploring the possibility of a temporary policy or specification as a mechanism to implement the Interim GDPR Compliance Model. A draft of a proposed Temporary Specification for gTLD Registration Data ("Temporary Specification") was released to the Board and the community on 11 May 2018. That proposed Temporary Specification is drafted to establish temporary requirements for how ICANN and gTLD registries and registrars will continue to comply with existing ICANN contractual requirements and community-developed policies in relation to the GDPR.

      At the Board's Vancouver Workshop, the Board used its time on 12 and 13 May 2018 to engage in substantial discussion with ICANN organization on the posted draft of the Temporary Specification, which resulted in additional proposed changes. At the end of its workshop, the Board took a resolution signaling its intention to consider a proposed Temporary Specification, and that doing so will be in the public interest. The Board identified that because of the significance of the Board approving a Temporary Specification, it was appropriate for the Board to take additional time prior to adoption, both for the Board's review and to have opportunities to discuss with the ICANN community on the contents of a proposed Temporary Specification.

      The Board in its 13 May 2018 also identified that taking action on a Temporary Specification is within the public interest, because of the need for a uniformly applicable policy drafted to achieve compliance with the GDPR. It is important that a Temporary Specification be adopted so that it can be in force on 25 May 2018. The Board reaffirms these positions today.

      An updated draft of a proposed Temporary Specification was shared with the ICANN community and Board on 14 May 2018. On 15 May 2018, ICANN org hosted a community-wide webinar to discuss the updated document. Where invited, the Board accepted invitations from community constituencies to further discuss a draft Temporary Specification. Additional refinements were made to the language of the Temporary Specification as a result of these ongoing discussion, however, there were no changes made that modified how the Proposed Interim Compliance Model is implemented through the Temporary Specification.

      Through the Board's deliberations, it also identified that there are areas that are not policy topics within a Temporary Specification, but where further community conversation is needed on implementation. These items are identified in the Annex to the Temporary Specification, though they are not required to be part of the scope of the resulting policy development process. The Board encourages the community to resolve these items as quickly as possible after the effective date of the Temporary Specification.

      This action is consistent with ICANN's mission "[…] to ensure the stable and secure operation of the Internet's unique identifier systems […]". As one of ICANN's primary roles is to be responsible for the administration of the topmost levels of the Internet's identifiers, facilitating the ability to identify the holders of those identifiers is a core function of ICANN.

      ICANN's mission to ensure the security and stability of the operation of the Internet's system of unique identifiers has led to the obligations associated with providing the WHOIS service that are in ICANN consensus policies and contracts that ICANN has with registries and registrars. These policies and contractual obligations govern the collection, retention, escrow, transfer, and display of WHOIS registration data, which includes contact information of natural and legal persons as well as technical information associated with a domain name. Through these policies and contracts, ICANN sets the minimum requirements for WHOIS, ensuring the availability of WHOIS information to mitigate attacks that threaten the stable and secure operation of the Internet and to serve the public service uses above.

      WHOIS is not a single, centrally managed database. Rather, registration data is held in disparate locations and administered by multiple registries and registrars. They each set their own conventions for the WHOIS service, consistent with the minimum requirements established in their contracts with ICANN.

      Many gTLD registries and registrars are concerned about whether ICANN policies and contracts requiring them to collect, create, retain, escrow, and publish a variety of data elements related to registry/registrar operations, domain name registrations, and registrants are in conflict with the GDPR.

      To ensure continued availability of the WHOIS service to the greatest extent possible and other processing of gTLD registration data while complying with the GDPR and avoid fragmentation of WHOIS, the Temporary Specification will provide a single, unified interim model to ensure a common framework for registration data directory services. To continue this public service and maintain the security and stability of the Internet, the Temporary Specification will allow for continued provision of WHOIS services via ICANN's contracts with domain name registries and accredited registrars.

      There is work continuing to define standard forms of data processing addenda (containing EU Model Clauses to govern international data transfers where applicable) for Registry-Registrar Agreements and Data Escrow Agreements that Registry Operators and Registrars can rely upon to implement certain of the obligations in force in the Temporary Specification without the requirement to give notice to ICANN and seek approval for necessary data processing provisions. These will be completed and made publicly available prior to the Temporary Specification going into force.

      As required when a temporary policy or specification is adopted, the Board also is taking action to implement the consensus policy development process. The Board will consult with the GNSO Council on potential paths forward (e.g. Expedited Policy Development Process) for considering the development of a consensus policy on the issues within the Temporary Specification, which must be concluded in a one-year time period.

      The Board has developed an Advisory Statement to provide a detailed explanation of its reasons for adopting the Temporary Specification and why the Board believes such Temporary Specification should receive the consensus support of Internet stakeholders. The Advisory Statement is provided here [PDF, 511 KB] and is incorporated by reference into the rationale to the Board's resolutions.

      On 16 May 2018, the ICANN Board received a letter from the GAC requesting that the Board defer a formal rejection of the GAC Advice to allow the GAC time to provide further clarification where possible. Pursuant to that request, the Board is not taking action today to initiate a formal Bylaws Consultation meeting between the GAC and the Board to address elements of the Temporary Specification that are inconsistent or could be viewed as inconsistent with items of the GAC advice in the San Juan Communiqué. The Board looks forward to receiving further clarification from the GAC and engaging in further discussion.

      Overall, the Board's actions are expected to have an immediate impact on the continued security, stability or resiliency of the DNS, as it will assist in maintaining WHOIS to the greatest extent possible while the community works to develop a consensus policy. The initiation of focused consensus policy development work to consider the Temporary Specification is expected to have an impact on financial resources as the research and work progresses. If the resource needs are greater than the amounts currently budgeted to perform work on WHOIS- and GDPR-related issues, the President and CEO will bring any additional resource needs to the Board Finance Committee for consideration, in line with existing fund request practices.

      When the Temporary Specification goes into effect on 25 May 2018, the WHOIS system will remain available, though there will be some changes. Registry Operators and Registrars are still required to collect all registration data. If Internet users submit a WHOIS query, at a minimum the user will receive "thin" data in return, including technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration. Additionally, the user will have access to an anonymized email address or a web form to facilitate email communication with the relevant contact (e.g. registrant, administrative, technical contacts). ICANN org is expected to enforce the Temporary Specification as it is fully incorporated into the relevant Registry Agreements and Registrar Accreditation Agreements.

      This is an Organizational Administrative Function of the Board for which public comment is not required, however the proposed Interim Compliance Model implemented through the Temporary Specification has been the subject of comments from the community over the past several months (https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en). The Board actions approved today help serve the public interest and further the requirement in ICANN's Bylaws to "assess the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promoting consumer trust and safeguarding registrant data." [Bylaws Sec. 4.6(e)(ii)]

    2. AOB

      The Board discussed scheduling a meeting on 21 May to consider possible litigation actions related to the GDPR.

      The Chair called the meeting to a close.

Published on 25 June 2018