Logo
ICANN
ICANN
Filtered Search

Are you sure you want to sign out from http://www.icann.org?

If you want to sign out from both http://www.icann.org and ICANN Account, click here.

Blogs de la ICANN

Los blogs de la ICANN brindan información actualizada sobre actividades de desarrollo de políticas, eventos regionales y demás novedades.

Data Protection/Privacy Activity Recap

17 de noviembre de 2017
Por Akram Atallah

Akram Atallah

Anterior President, Global Domains Division
y
Theresa Swinehart

Theresa Swinehart

SVP, Global Domains & Strategy

Theresa Swinehart is the Senior Vice President of Global Domains and Strategy. In this role, she works with the community, contracted parties, stakeholders, and policymakers to ensure broad and inclusive engagement, consensus-based policymaking through ICANN’s multistakeholder model, and effective, accountable policy implementation. Her responsibilities include policy implementation, review operation, and cross-functional strategic initiatives such as ICANN’s compliance with the European Union’s General Data Protection Regulation. An expert in global Internet governance, Theresa also serves as co-deputy to the President and CEO. Her extensive industry experience, including nearly 20 years as a key contributor to ICANN’s growth and development, gives her a valuable perspective on how ICANN organization can work efficiently and collaboratively to better serve the global Internet community.

Theresa rejoined ICANN after three years as Executive Director of Global Internet Policy at Verizon Communications, where she specialized in emerging issues as well as stakeholder and policy engagement. Prior to this, she served as ICANN’s Vice President of Global and Strategic Partnerships, leading a team responsible for partnership reform, global engagement and outreach, and the participation in international forums. Before ICANN, Theresa was Director of Global E-Commerce at MCI, where she was responsible for such issues as Internet service provider liability, data protection, and participation in Internet-related forums, including the formation of ICANN. 

Theresa has a bachelor’s degree in international relations from the University of California, Davis, a graduate degree in international studies from the University of Vienna, Austria, and a juris doctorate from American University. She served on the Internet Society’s Board of Trustees and Internet Governance Forum’s Multistakeholder Advisory Committee. Theresa began her career in international human rights. She is fluent in German and is conversant in French.

Contenido disponible solo en los siguientes idiomas

  • English
null

We have just returned from a very busy ICANN60 meeting in Abu Dhabi, where there were many productive community discussions focused on the European Union's General Data Protection Regulation (GDPR). We want to provide you with a brief recap of these dialogues, recent developments and what's next in terms of the legal analysis. As you'll recall from previous blogs on this topic, we are taking the following steps to determine the GDPR's scope of impact: We published a Personal Data Use Matrix based on contributions from stakeholders, and we commissioned a legal analysis from European law firm Hamilton to assess the data in the matrix and answer other questions related to the legislation's impact.

At ICANN60 we published a statement from Contractual Compliance on the ability of registries and registrars to comply with their WHOIS and other contractual requirements. Moving forward, we shared in Abu Dhabi our plan for the next phase of the Hamilton legal analysis, which will incorporate questions from the community, and will inform the publication of 2-3 models for compliance with the GDPR, as well as our contracts. We plan to solicit your input on these models in the coming months.

Also at ICANN60, at the cross-community session on the GDPR many of the discussions revolved around the continued availability of WHOIS, including changes that may be required in light of the legislation. We also heard concerns from registries and registrars about their ability to comply with contractual agreements with ICANN and the GDPR, as well as topics such as looking beyond WHOIS to include registration data more broadly, including data required to be escrowed and retained under ICANN's contracts. If you weren't able to attend, you can listen to an audio recording of the session.

Given that enforcement of the GDPR will become effective on 25 May 2018, these discussions and progress on the legal analysis are important to the contracted parties' ability to comply with GDPR from that day onwards without breaching their agreements with ICANN.

Göran Marby, our president and chief executive officer, made it clear during the meeting, including at several stakeholder sessions, that finding a path forward to ensure compliance with the GDPR while maintaining WHOIS to the greatest extent possible is a high priority. In this regard, as was also shared at ICANN60, the ICANN org is working with external legal counsel, Hamilton, on the next iteration of the legal analysis. This includes ultimately identifying potential models that address both GDPR and ICANN compliance obligations. 

As also noted above, at ICANN60 ICANN Contractual Compliance published a statement indicating that it would defer taking action against any registry or registrar for noncompliance with contractual obligations related to the processing of personal data under certain conditions. We encourage you to read the full statement here.

To be clear, we will defer enforcement on a temporary basis during this period of uncertainty. We also want to clarify that submission of a model does not mean that it will qualify for deferral or that any deferral granted will be permanent. ICANN is currently considering the process for reviewing deferral submissions.  The sharing of models is also an important contribution to feed into subsequent iterations of analysis from the Hamilton law firm.

In parallel the Registration Directory Services Policy Development Process (PDP) Working Group is working on the next generation of WHOIS, which includes privacy requirements. The outcome of this PDP will be the long-term solution to ensure consistency with the GDPR as well as other local data privacy laws. If you are interested in participating in the Registration Directory Services PDP, or follow the progress of the Working Group, please visit their wiki page.

We also have heard that you want to understand what the ICANN org is doing to make sure it complies with the new regulation. We continue to assess the data we collect from internal and external sources as we determine how to comply with the GDPR as an organization. This includes data from community members such as statements of interest, funded traveler requests and other non-registration information. We will continue to apprise the community of our efforts on our Data Protection/Privacy Issues page, just as we know that many of you are already working on your own efforts to address compliance with the law, just like ICANN org.

What's Next

Here's where we are now:

  • At ICANN60, we listened to the discussions and captured questions that were posed by the community. We will provide these questions, along with questions based on our own understanding of the issues, to Hamilton to help inform the next iteration of the legal analysis [PDF, 253 KB]. As a part of this, we will ask Hamilton to tailor and supplement the questions as needed to help ensure the scope of the analysis is appropriate. A list of those questions is published here.

    As noted above, we anticipate that the next phase of the Hamilton analysis will help clarify possible models for compliance by all parties.

  • As noted in the contractual compliance statement, we strongly encourage contracted parties to submit their models so we can also share them with Hamilton to incorporate in their follow-up legal analysis. Other stakeholders in the community may also propose models to be considered as part of the discussion.

    This feedback is essential to helping inform next steps and how to move forward, including finding a model or models that fulfill obligations for both the GDPR and ICANN compliance. We will provide additional information including detailed guidance regarding the process and eligibility as it evolves. To submit a model, email globalsupport@icann.org.

    On a related note, we are encouraged to know that various contracted parties are discussing the possibility of aligning models prior to submission. We commend this effort. Fewer models will ease the impact on end-users and operational processes for all of us including the contracted parties themselves.

  • We will continue to engage with the multistakeholder community, data protection authorities, and other parties including law enforcement and the intellectual property community.

In closing, we understand that there is more work to be done, including understanding the precise impact of the GDPR on ICANN's contracts. Let's keep the lines of communication open and work together towards a solution.

Authors

Akram Atallah

Anterior President, Global Domains Division

Akram Atallah

Anterior President, Global Domains Division
Theresa Swinehart

Theresa Swinehart

SVP, Global Domains & Strategy
Theresa Swinehart

Theresa Swinehart

SVP, Global Domains & Strategy

Theresa Swinehart is the Senior Vice President of Global Domains and Strategy. In this role, she works with the community, contracted parties, stakeholders, and policymakers to ensure broad and inclusive engagement, consensus-based policymaking through ICANN’s multistakeholder model, and effective, accountable policy implementation. Her responsibilities include policy implementation, review operation, and cross-functional strategic initiatives such as ICANN’s compliance with the European Union’s General Data Protection Regulation. An expert in global Internet governance, Theresa also serves as co-deputy to the President and CEO. Her extensive industry experience, including nearly 20 years as a key contributor to ICANN’s growth and development, gives her a valuable perspective on how ICANN organization can work efficiently and collaboratively to better serve the global Internet community.

Theresa rejoined ICANN after three years as Executive Director of Global Internet Policy at Verizon Communications, where she specialized in emerging issues as well as stakeholder and policy engagement. Prior to this, she served as ICANN’s Vice President of Global and Strategic Partnerships, leading a team responsible for partnership reform, global engagement and outreach, and the participation in international forums. Before ICANN, Theresa was Director of Global E-Commerce at MCI, where she was responsible for such issues as Internet service provider liability, data protection, and participation in Internet-related forums, including the formation of ICANN. 

Theresa has a bachelor’s degree in international relations from the University of California, Davis, a graduate degree in international studies from the University of Vienna, Austria, and a juris doctorate from American University. She served on the Internet Society’s Board of Trustees and Internet Governance Forum’s Multistakeholder Advisory Committee. Theresa began her career in international human rights. She is fluent in German and is conversant in French.