With the recently adopted Temporary Specification for gTLD Registration Data now in effect, I wanted to take this opportunity to update you on what the ICANN organization is doing internally to comply with the European Union's General Data Protection Regulation (GDPR). I also wanted to share some new information about our ongoing dialogue with the Article 29 Working Party (WP29), which has now become the European Data Protection Board (EDPB).
With regard to our internal compliance efforts within the ICANN org, we have updated several of our policies, including the following policies that cover both the ICANN org and Public Technical Identifiers (PTI):
- An updated online Privacy Policy
- A revised Terms of Service
- A revised Cookies Policy
- A new Notice of Applicant Privacy (relating to data processed for employment applications)
- A revised New gTLD Program Personal Data Privacy Statement
Links to the new online Privacy Policy, Terms of Service, and Cookies Policy have been placed on ICANN supported websites, including icann.org, as well as community-facing sites, such as the Community Wiki, atlarge.icann.org, gac.icann.org, and whois.icann.org, to name a few. Pop-up notifications, banners, and hard-coded text have been deployed on most of these sites to notify users of these recent changes. You can find all of these policies here. Over the next few weeks, acknowledgment or consent language regarding our data processing practices and Terms of Service is being placed on every fillable and downloadable form available across all ICANN org supported websites. We've also rolled out internal changes to the way we handle personal data, from data processing arrangements with vendors to our various personnel policies.
As for our external activities, we recently published a letter from the European Commission's (EC) Directors Generals (Roberto Viola, DG Communications Networks, Content & Technology; Paraskevi Michou, DG Migration and Home Affairs; and Tiina Astola, DG Justice and Consumers) about our efforts related to the WHOIS services. We are pleased with the positive feedback they've provided regarding the Temporary Specification. In my response, I reiterated our appreciation of the Commission's ongoing facilitating role, and outlined the next steps now that the Temporary Specification has been adopted.
We also appreciate the 27 May 2018 communication from the European Data Protection Board and its recognition of the work ICANN has undertaken with its stakeholders and contracted parties on GDPR as it applies to the WHOIS services. We look forward to continuing our dialogue with the community and the relevant European data protection authorities, including the European Data Protection Board, as we seek further clarification on the law and work to develop a unified access model for providing continued access to full WHOIS data. This includes identifying opportunities for ICANN, beyond its role as one of the "controllers" with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.
We will continue to keep the ICANN community updated on these discussions as they occur. As the ICANN Board is required to reaffirm the Temporary Specification 90 days after its adoption, we encourage ongoing community discussions and welcome your feedback at gdpr@icann.org. An announcement related to our recent legal activities related to the GDPR is published here. Be sure to visit our Data Protection/Privacy page for regular updates and an overview of our activities in this area.
