The ICANN org has been working to further develop its proposal for a possible unified access model, in order to engage in discussions with the community and relevant data protection authorities. Following the June publication of the Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data [PDF, 93 KB], we have striven to deepen our understanding of the European Union's General Data Protection Regulation (GDPR). Today, we published the Draft Framework for a Possible Unified Access Model for Continued Access to Full WHOIS Data – For Discussion [PDF, 521 KB], and we are seeking your input on this proposal. Your feedback will be important as we continue our dialogue with the European Data Protection Board (EDPB) in order to seek legal clarity for any such access mechanism. Lowering the legal risks for data controllers/contracted parties is necessary to develop a workable unified access model.
This proposal is a working draft intended to facilitate further discussions with the EDPB and the ICANN community. It outlines basic parameters based on ICANN org's current understanding of the GDPR, so that we can continue to seek input from the EDPB. Having clear guidance may increase legal certainty for data controllers about whether a unified access model could be implemented, as well as assist the community in the Expedited Policy Development Process (EPDP) to consider the Temporary Specification for gTLD Registration Data (Temp Spec).
As communicated before, ICANN org's work to develop a proposed model is not intended to replace the community's policy development process. Rather, we are seeking to be responsive to a range of stakeholder communications, including the EDPB's statement on 27 May 2018 which noted "to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders." Additionally, there is a need for guidance about what may legally be permitted in a model so that this information can be factored into policy work.
While the Temp Spec requires access to non-public WHOIS data for those with legitimate purposes as defined by the law, registrars and registry operators have differing approaches to meeting that requirement. ICANN's proposal explores whether it is possible to develop an automated and unified approach across all gTLD registrars and registry operators in a manner consistent with the GDPR, including the obligations placed on data controllers.
This next iteration seeks to address and help clarify the technical and legal foundation upon which a unified access model could potentially be built. It does not attempt to design the final unified access model or how it could be implemented. The details, including how a model may be operationalized, would require further and deeper community discussion and engagement. Indeed, the Temp Spec's annex contemplates and encourages further community discussions on this topic.
The proposal also includes various open questions, where we see the community's opinions currently diverge. These include: whether authenticated users must provide a legitimate interest for each individual authenticated query; what the logging requirements should be; if the full WHOIS data set must be returned for authenticated query; who must provide access (registry, registrar, or both); whether there should be a fee for access; and whether there should be a centralized portal (operated by ICANN) from which authenticated users are able to perform queries of non-public WHOIS data.
We are seeking your input on all of these key issues, so please send your comments to email@example.com. As we continue to move forward, I will keep you apprised of our discussions with the EDPB. As always, you can find updates and other relevant documents at our Data Protection/Privacy Issues page.