en

Data Protection and Privacy Update

18 October 2017

Akram Atallah, Former President, Global Domains DivisionTheresa SwinehartTheresa Swinehart, SVP, Global Domains and Strategy, Co-Deputy to the President and CEO
null

There has been a lot of activity since our last update on 11 September. Here's a brief recap on where we are and a look-ahead at upcoming activities.

On 4 October we held a webinar to discuss data protection/privacy activities related to the European Union's General Data Protection Regulation (GDPR). If you missed it, we have published the presentation, audio recordings and transcripts in multiple languages, and responses to unanswered questions on our data protection/privacy page. The user story matrix can also be found on this page.

As previously communicated, we engaged the European law firm Hamilton to provide an independent legal analysis, that will be developed in phases.

We are pleased to note that the first part of the initial independent legal analysis was published [PDF, 252 KB] today, which includes an appendix with the general questions we provided to Hamilton as "food for thought" in analyzing GDPR in relation to gTLD registration data.

This first memo focuses on potentially challenging areas with existing requirements for registries and registrars to provide open, publicly available WHOIS services. It provides a general overview of key concepts in the GDPR (e.g. personal data, consent, the role of data controllers and processers and data protection authorities, etc.) and how these concepts relate to gTLD WHOIS services.

The memo highlights the complexity of these issues in the domain name space, and concludes that the current open, publicly available WHOIS services cannot remain unchanged. The WHOIS system has to become adaptable to address the GDPR from the European perspective, as well as other changing regulations around the world.

Since GDPR will likely effect how WHOIS data is displayed, it could impact our ability to maintain a single global WHOIS system. In turn, this will likely impact either ICANN's agreements or its ability to enforce contractual compliance of its agreements using a single and consistent approach. In the short term, we need to work together to understand the scope of this impact and find the right balance between maintaining the current WHOIS services and compliance with local laws.

On the engagement front we continued to interact with a range of stakeholders to raise awareness about ICANN's privacy- and data protection- related work. We participated in the annual international DPAs conference in Hong Kong, the European Commission's High Level Group on Internet Governance and the CENTR General Assembly in Brussels, where GDPR was a major topic of discussion. These events provided a further opportunity to hear many perspectives and learn about existing practices in this area.

Next up is ICANN60, which will be held in Abu Dhabi, and is just around the corner. We encourage you to attend the cross-community "General Data Protection Regulation (GDPR) Implications for ICANN" session, which is planned for Thursday, 2 November at 10:30am local time (UTC +4). Remote participation is offered if you can't be there in person.

A Look Ahead

ICANN, like many other organizations, is looking at the new regulation to see how it is relevant and determine how best to comply with the new framework with respect to the data we collect and process for internal and external services, as well as the implications for the ICANN community and its policies and procedures more widely.

As a reminder, this legal analysis is intended to serve as building block for community discussions about how to approach GDPR issues in the domain name space.

Here's where we need help from the multistakeholder community:

Please review the initial legal analysis and provide feedback. This includes identifying possible questions, and how best to interact with data protection agencies and others to get to the next step of the analysis.

It will be helpful to receive your feedback at the earliest opportunity, so as to inform the upcoming discussions at ICANN60, and to feed into future iterations of the legal analysis. Either reach out to us directly or email gdpr@icann.org.

For those of you traveling to Abu Dhabi, we wish you safe travels and look forward to seeing you in person. If you aren't making the trip, we hope you will participate remotely.

Former President, Global Domains Division

Akram Atallah

Theresa Swinehart
Theresa Swinehart
SVP, Global Domains and Strategy, Co-Deputy to the President and CEO

Theresa Swinehart

Read biographyRead biography