As 2017 comes to an end, it's a good time to assess where we are and where we are going with our work to address potential compliance issues with ICANN agreements with generic top-level domain (gTLD) registries and registrars in light of the European Union's General Data Protection Regulation (GDPR).
A Look Back at 2017
We started out by working with an ad hoc group of community volunteers to help us create and populate a matrix of user stories of the personal data that gTLD registries and registrars collect, transmit, or publish pursuant to ICANN agreements or policies. The purpose for collecting this information was to inform discussions about whether there are potential compliance issues under ICANN agreements with registries and registrars because of the new law, and to engage with data protection authorities.
We continued this work by facilitating discussions within the multistakeholder community during ICANN Public Meetings, blogs, and webinars.
Also, we engaged the European law firm Hamilton to provide legal analysis on these issues. This analysis, developed in parts, aims to serve as building blocks for community discussions about how to approach GDPR issues in the domain name space. Ultimately, this data will help us outline a legal framework on which to build possible models for compliance with both the GDPR and ICANN's contracts with gTLD registries and registrars.
- Part 1 [PDF, 252 KB], published on 16 October 2017, described the potential issues that could arise in relation to the WHOIS service in its current form as a result of the GDPR.
- Part 2 [PDF, 577 KB], published on 15 December 2017, addressed questions that the ICANN community has raised with a goal of providing a better general understanding of the effects of the GDPR on the domain name space.
- Part 3 [PDF, 440 KB], published today, elaborates on how the processing of data within the scope of WHOIS could possibly be changed to become compliant with the GDPR. This analysis lays out a legal framework to guide our approach to begin building potential compliance models with the community's input.
Charting a Path for the New Year
As we look to the new year, we are mindful that the May 2018 GDPR enforcement date is fast approaching. It's important to plot out where we're going so that we start the year with the energy and direction that we'll need to get us to our goal.
We've made it a high priority to find a path forward to ensure compliance with the GDPR while maintaining WHOIS to the greatest extent possible. Now, it is time to identify potential models that address both GDPR and ICANN compliance obligations.
We'll need to move quickly, while taking measured steps to develop proposed compliance models. Based on the analysis from Hamilton, it appears likely that we will need to incorporate the advice about using a layered access model as a way forward.
Before 15 January 2018, we want to publish for Public Comment proposed compliance models. As a first step, we'd like to hear your feedback and suggestions about the layered access approach described in Part 3 of the Hamilton legal analysis.
To help us meet this deadline, please submit your feedback before 10 January 2018. As we look to settle on a compliance model by the end of January, the community's continued participation and input will be instrumental in ensuring that we've appropriately shaped the model. Email your comments and suggestions to firstname.lastname@example.org.
To be clear, your feedback about the layered access approach outlined in the Hamilton memo is not intended to replace the ongoing process we published about how to submit a proposed compliance model in response to the 2 November 2017 Statement from Contractual Compliance. We have received one suggested model and know that many of you have been working to finalize your proposals. Your models will help us shape our proposal and we will continue to publish your submissions on our webpage as we receive them.
We look forward to continuing our engagement with the ICANN community in 2018 as we work together on this important issue. As before, we will continue to provide updates via blogs, webinars, and documents on our Data Protection/Privacy Issues webpage.