Skip to main content

Data Protection and Privacy Update: Seeking Community Feedback on Proposed Compliance Models

Gdpr seeking community feedback 750x424 12jan18 en

Happy new year to you all. We have kicked off 2018 by continuing our work on data protection and privacy issues. In particular, we are preparing for the 25 May 2018 enforcement date for the European Union's General Data Protection Regulation (GDPR). As I've previously written, we are working to ensure compliance with this law while maintaining access to WHOIS to the greatest extent possible.

Our work in this area began when we asked the community for user cases and created a matrix of these different use cases about the personal data that gTLD registries and registrars collect, transmit or publish pursuant to ICANN agreements or policies. In the absence of a WHOIS policy, the user stories are essential for describing the many different uses of the WHOIS system. The matrix informed discussions about whether there were potential compliance issues under ICANN's agreements with registries and registrars because of the new law, and aided in our engagement with data protection authorities.

On 2 November 2017, we published a Statement from Contractual Compliance, which indicated ICANN org would defer taking compliance action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data. To be eligible for this deferral, we asked ICANN's contracted parties and stakeholders to follow this process to submit proposed interim models for compliance. We've published those community-proposed models here.

In parallel, we engaged the European law firm Hamilton to provide its legal analysis of these issues. The three-part assessment found in its first memo [PDF, 253 KB] that the WHOIS service in its current form must change. In the second part [PDF, 577 KB], Hamilton answered community questions about the law's applicability and scope. In its third analysis [PDF, 440 KB], Hamilton described how processing data within the scope of WHOIS could be changed to become compliant with the GDPR. We asked for your feedback on these analyses and published your input here.

In December, I wrote that we were working to develop interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements. To be clear, these proposed models are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.

Today we published [PDF, 624 KB] for community input those three proposed discussion models for collecting registration data and implementing registration directory services. These models reflect discussions from across the community and with data protection authorities, legal analyses and the proposed models we have received to date. Please provide your input on these models. The input from the community will contribute to assessing the viability of each of the models. From that input either variations or modifications to one of these models will be identified at the end of January for the path forward. To help inform this, please provide your feedback by 29 January 2018. Please send your feedback to gdpr@icann.org.

The three models are summarized at a high-level below. The models differ based on what contact information is displayed in the public-facing WHOIS, their applicability, the duration of data retention and what data is not displayed in a public-facing WHOIS:

  • Model 1 would allow for the display of Thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
  • Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts' email addresses. To access the non-public information registries and registrars would be required to provide access only for a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is regardless of location, that is on a global basis.
  • Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.

Please click here to see the models [PDF, 624 KB].

We will share these models as we continue our engagement work, including with the Article 29 Working Party.

As always, we'll continue to keep the community apprised of the various discussions we have. We've also received a range of correspondence relating to the GDPR. We urge you to visit our data protection/privacy page to view the latest correspondence, proposed models from the community, and other materials relevant to this discussion.

Happy 2018 and we look forward to all the work with the community over the coming year.

Comments

    Couponado USA  05:40 UTC on 16 January 2018

    This is a very nice and informative post!

    Vrikson Ivan Acosta Velasquez  10:03 UTC on 16 January 2018

    Considering the stated above about the 3 models and in the document "Proposed Interim Models for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation – For Discussion", I conclude that the best model to be chosen is 2B. Greeting, Vrikson Iván Acosta Velásquez

    secura  02:34 UTC on 18 January 2018

    These proposals are an important contribution for the discussion. The European Union's General Data Protection Regulation (GDPR) says, that the documentation of data must be necessary. I do not see, how any entry of data or publication of data for an ADMIN-C or TECH-C (and BILLING-C) could be justified. The WHOIS should consist only of data of the domain owner. The data protection is a right of persons. A company can not be an owner of this right. Therefore my proposal: WHOIS consists of the data of the domain owner. If the owner is a company all data should be published, including e-mail address and phone number. If the domain owner is a private person, all data should be stored by the registry, but e-mail address and phone number should not be published. Hans-Peter Oswald Secura GmbH

    HAAS  02:26 UTC on 29 January 2018

    This is a very important issue. I am in favour of Model 1 with a "thick Whois". The protection of personal data has to meet "legitimate interests". It means that the interests of third parties whose rights are infringed have to be taken into consideration. Internet is a huge place for all types of infringements and for counterfeiting on a worldwide level. Privacy of personal data should not make it more complicated and expensive, or sometimes even impossible, to fight against these practices that are harming our economies and can be dangerous for people. Thank you for taking this comment into consideration, Best regards, Marie-Emmanuelle HAAS - Attorney at Law Paris Bar

    Maarten Simon  13:23 UTC on 29 January 2018

    As model 1 is simply not compliant with the GDPR it does not make sense to discuss it. If the idea behind model 3 is to keep publishing as much (non personal) data as possible, that sounds as something to support. In that way the whois would comply with the GDPR and at the same still tries to show as much as possible the information in line with the whois policy. Most relevant seems to be however in what circumstances and to whom registries and registrars will be obliged to provide the data that is no longer available for everyone online. I would say that the GDPR provides more room there than working on the basis of formal legal orders and suggest to look into that. Maarten Simon, SIDN

    Maarten Simon  13:23 UTC on 29 January 2018

    As model 1 is simply not compliant with the GDPR it does not make sense to discuss it. If the idea behind model 3 is to keep publishing as much (non personal) data as possible, that sounds as something to support. In that way the whois would comply with the GDPR and at the same still tries to show as much as possible the information in line with the whois policy. Most relevant seems to be however in what circumstances and to whom registries and registrars will be obliged to provide the data that is no longer available for everyone online. I would say that the GDPR provides more room there than working on the basis of formal legal orders and suggest to look into that. Maarten Simon, SIDN

    kirankumar  03:55 UTC on 30 January 2018

    Inline with proposed Comprehensive models for Data Protection and Privacy Update I thoroughly Support since this has got right combination across three models . Model 1 is Compliance .Model 2 is adherence to public policy considerations .Model3 applies This model would apply to all registrations on a global basis , unless the registrant otherwise grants permission, registrars and registries would be required to display the data .To access Model3 data third party has to get permission from stringent law and order across all countries enacting their Patent and Copyright law which provides lot of scope to perform

    Jonathan Webb  01:55 UTC on 12 March 2018

    Under the GDPR data can be disclosed where there is a legitimate reason, such as where there is a legal dispute. The provisions for this set out above are poorly thought out and do not serve the interests of either those who are registered or those who may legitimately require that information. I am a creative and typically I require who is information ( name and postal address ) in order to take action to enforce my copyright. Under the proposals above I would now have to engage a legal professional to do this for me. This immediately means , somebody is going to end up with a very large legal bill, most likely their copyright infringer. The UK has a tradition of "small claim" which is very effective and allows people with a dispute to go to court without the use of a legal adviser and this spare both claimant and defendant the massive costs of employing lawyers. This system is so successful that the USA is also considering a small claims system. The above proposal make no allowance for a law abiding citizen with a legitimate grievance to obtain the data to which they are entitled at a reasonable cost. In the worst case scenario of a small dispute, say a copyright dispute over 100 GBP worth of photographs, the above system may force the claimant to employ a lawyer. Typical costs of employing a lawyer for a copyright dispute in the UK appear to be around 20,000 GBP. If the defendant also employs one, the total legal costs would double. This means that a small copyright or similar dispute could end up with the copyright infringer loosing his or her home. A far better system would be to allow people with legitimate grounds for access to who is data , to be able to access the data themselves. Safe guards could include a token small fee. For example the UK Land Registry charges 3 GBP. this is only a small sum but means that harvesting data in bulk for spam purposes is uneconomical. The enquirer should also provide an outline of the reasons why he needs the information.

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."