An Update on ICANN's GDPR-Related Efforts
With the year coming to an end, I would like to take a moment to provide an overview of ICANN's efforts regarding the European Union's (EU) General Data Protection Regulation (GDPR), and what to expect in 2021.
EPDP Phase 2 Recommendations
As I wrote in October, the Expedited Policy Development Process (EPDP) Phase 2 team submitted its final report to the Generic Names Supporting Organization (GNSO) Council, which accepted the report and sent it to the ICANN Board for consideration. When the GNSO decides on a policy and the ICANN Board directs us to implement that policy, it is ICANN org's job to make it happen.
The EPDP Phase 2 Final Report outlines 22 recommendations, 18 of which are regarding a System for Standardized Access/Disclosure (SSAD) for nonpublic generic top-level domain (gTLD) registration data. In its response, the Board indicated that it intends to initiate an Operational Design Phase (ODP) to assess the operational impact of these 18 SSAD recommendations, to be launched in early 2021. This ODP, like the feasibility assessments ICANN org previously prepared for the Board prior to considering policy recommendations, is intended to inform the Board by closely examining the potential risks, costs, resource requirements, and timelines for implementation. I have asked the Supporting Organizations and Advisory Committees to provide us with their comments on the proposed ODP by 22 January 2021.
The remaining four recommendations relate to issues for which the EPDP was not able to reach conclusion during Phase 1, such as the data retention period for registration data and the display of privacy and proxy information. These four "Priority 2" recommendations have been posted for Public Comment, and I encourage you to submit your thoughts and feedback before the period closes on 22 January 2021.
While the ICANN Board considers the EPDP Phase 2 Final Report, the EPDP will move on to its Phase 2A work, which is aimed at resolving two outstanding topics. The first is the question of whether registrant data policy ought to distinguish between the data of legal persons versus natural persons, taking into account the study conducted by the ICANN organization, legal guidance, and feedback received during the Public Comment period. The second relates to the feasibility of giving unique contacts a uniform anonymized email address across registrations. The team will review the legal guidance received on each topic and further evaluate these issues to determine whether any further policy guidance or requirements should be recommended on these topics.
This effort has only been possible thanks to the ICANN community. I would like to thank everyone who has been involved in this incredibly important process for their continued dedication to finding a solution that brings registration data directory services into compliance with the GDPR.
Engagement and Developments in Europe
Meanwhile, ICANN org's engagement efforts with the European Commission (EC), European Data Protection Authorities, and the European Data Protection Board (EDPB) have continued. On 15 and 16 December 2020, a number of important EU initiatives of relevance to the Domain Name System (DNS), including domain name registration data and DNS service providers, were unveiled. We encourage you to read more about these initiatives in this blog from our Government Engagement team.
Especially notable among these initiatives is the proposal for a revised Directive on Security of Network and Information Systems (NIS2 Directive). This proposal would require EU Member States to ensure that domain name registries and registrars "collect and maintain accurate and complete domain name registration data" and "provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers," both in compliance with the EU data protection law. In its most recent letter to ICANN org, the EC emphasized the relevance of the NIS2 Directive, pointing to the fact that the proposal "leaves open the possibility to use an interface, portal, or other technical tools to provide an efficient system for requesting and accessing registration data."
The NIS2 Directive adds to the community's discussion about how the GDPR may apply to registration data accuracy. The EC has repeatedly reiterated the view that the existing GDPR obligation, which requires data controllers to take reasonable steps to ensure the accuracy of personal data with regard to the purposes for which they are processed, already creates a risk of non-compliance with the GDPR in relation to registration data should such steps not be appropriate. Thus, it is interesting that the NIS2 Directive proposed by the EC makes accuracy of registration data explicit.
While the NIS2 Directive is at this stage a legislative proposal, which, once agreed and consequently adopted, will take another 18 months for implementation into the national laws of the EU Member States, currently applicable EU data protection law poses a number of challenges for the timely implementation of the SSAD. This includes the uncertainty regarding the legality of data transfers from the EU and European Economic Area (EEA) to third countries following the Schrems II decision of the Court of Justice of the European Union (CJEU) as well as the still-unclear interpretation of the concepts of controller and processor, especially in technically complex multi-stakeholder models such as the SSAD.
ICANN org has voiced its concerns in this regard to relevant EU authorities, including the EDPB and the EC. It has also recently commented on the EDPB's proposed measures that supplement transfer tools to ensure compliance with the EU's level of protection of personal data, the EC's updated standard contractual clauses for transferring personal data to non-EU countries, as well as the EDPB's consultation on the guidelines for the concepts of controller and processor.
Additional clarity and guidance from the relevant EU authorities are necessary to further ICANN org's ability to develop and implement a viable access model. Their continued input is critical to determining whether the solution outlined in the final report can be implemented in compliance with the GDPR. The EC has assured ICANN org in its most recent letter that it remains committed to facilitating interactions on this matter with the European Data Protection Authorities and is also discussing with them the opportunity to formally consult the EDPB for an opinion. For ICANN org, as a technical organization, it will be essential to receive such guidance in order to develop and implement a viable system that provides a stable, predictable, and workable method for requesters with a legitimate interest to access non-public gTLD registration data. The challenge remains one of balancing the global public interest served by having access to domain name registration data with the privacy rights of domain name holders. This is a public policy question. When a law protecting citizens' data inadvertently seems to hinder efforts to protect them from online fraud or cyberattack, it is for lawmakers to resolve.
For more information, updates, and relevant documents, please visit our dedicated Data Protection/Privacy Issues page. I wish you all a healthy and happy holiday around the world and look forward to working with you next year.