I'd like to provide an update on our ongoing discussions relating to the GDPR. Today in Brussels, ICANN org's Akram Atallah, John Jeffrey, Elena Plexida, and Theresa Swinehart joined me along with Board member Maarten Botterman, to meet with the Article 29 Working Party (WP29) Technology Subgroup and representatives of the Directorate-General for Communications Networks, Content & Technology and Directorate-General for Justice and Consumers. This meeting was in follow-up to the Article 29 Working Party 11 April letter. I was grateful for this opportunity to share with them additional details on the ICANN org's work with the community to develop an interim compliance model. We also reiterated ICANN's mission and how it relates to the purposes of WHOIS defined in the model. The Bylaws (Section 1.2) require ICANN to perform its mission "for the benefit of the Internet community as a whole;" and that ICANN must take into account that WHOIS, "meets the legitimate needs of law enforcement, promoting consumer trust and safeguarding registrant data." (Section 4.6 (e)(ii)).
During the meeting we hand-delivered communications received from the Business Constituency [PDF, 108 KB], Intellectual Property Constituency [PDF, 137 KB], International Trademark Association [PDF, 202 KB], Non-Commercial Stakeholders Group [PDF, 179 KB], and the U.S. Government [PDF, 259 KB].
We also provided the following materials:
- A chart [XLSX, 14 KB] comparing ICANN's Proposed Interim Model [PDF, 922 KB] with input received from WP29 [PDF, 400 KB], the International Working Group on Data Protection in Telecommunications (IWGDPT, a.k.a. "Berlin Group") and the GAC [PDF, 232 KB];
- A proposed timeline [PDF, 33 KB] for implementing the interim compliance model;
- And a technical paper [PDF, 1.85 MB] outlining how WHOIS works.
We reiterated to the WP29 that we are committed to compliance with the law and that we, along with the community and ICANN's 2,500 contracted parties, still need additional time for implementation. Also, without further guidance from the data protection authorities (DPAs) on a working model, it is difficult to retain a single approach to a GDPR compliant WHOIS system. During the discussion regarding the timeline, the DPAs requested information regarding the implementation of anonymized email addresses in WHOIS contact information. It is clear from our meeting that registrant, administrative, and technical contact email addresses must be anonymized.
We also shared some further thinking on the accreditation model and will provide them with a more detailed version based on their input during the meeting. This information will also be shared with the community.
We appreciate the feedback we received during the meeting. From our discussions, we agreed that there are still open questions remaining, and that ICANN will provide a letter seeking additional clarifying advice to better understand our plan of action to come into compliance with the law. We also understand that the community may have opinions regarding the clarifications or interpretations of the law provided by the DPAs. All of this information is needed for the ICANN org and community to move forward, so that we can continue to establish the necessary milestones for compliance, and ultimately implement a model that is fully compliant with the law.
We continue to work with the ICANN Board on the important next steps to be in compliance with the law, together with the community.
Our dialogue with the DPAs is part of our overall work including evaluating all of our available options to ensure we maintain a stable and secure Internet and comply with our bylaw obligations relating to WHOIS. We will continue to publish questions, proposals, and solicit community input as your feedback remains a vital part of the discussions.
As always, you can follow the latest updates on our Data Protection/Privacy Issues page including the updates to the FAQs [PDF, 76 KB]. We welcome the community's input and invite you to email your thoughts to gdpr@icann.org.
