Data Protection/Privacy Update: Additional Guidance from the European Data Protection Board
Over the past year, the ICANN community has been engaged in focused discussion about the impact of the European Union's General Data Protection Regulation (GDPR) on the WHOIS system. During this time, ICANN org worked with the community to develop an interim approach for how ICANN and gTLD registries and registrars could continue to comply with ICANN agreements in relation to the GDPR. This interim solution was adopted by the ICANN Board in May 2018 as the Temporary Specification for gTLD Registration Data. The community continued discussions during ICANN's recent meeting in Panama (ICANN62), which included discussions about initiating policy development work for a long-term solution, as well as a possible unified approach to allow continued access to full WHOIS data for third parties with a legitimate interest. You can find key updates, documents, legal analyses, guidance from European data protection authorities, and inputs from the community about this topic on our Data Protection/Privacy Issues webpage.
On 5 July 2018, ICANN received an important letter from the European Data Protection Board (EDPB), which provided additional guidance that may help significantly to advance the ICANN community's discussion on this important issue. We are very grateful to the EDPB for its guidance and willingness to engage with ICANN. We are carefully evaluating the additional guidance concerning our compliance with the GDPR, as it relates to publication of and access to personal data which is processed in the context of ICANN's coordination of the WHOIS through its contracts with its 2,500 domain name registries and registrars. This blog will address what we are looking at from the letter and why we think the guidance is so important.
Below I will highlight some of the key points in the letter and share our initial thinking about possible options for incorporating this guidance into WHOIS in the coming weeks and months.
First, the EDPB's letter provides answers to some of the open questions from ICANN and the ICANN community relating to ICANN's approach in the Temporary Specification. For example, on the open question of whether registrations of legal persons are impacted by the GDPR, the EDPB advises that it "considers that personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publically available by default in the context of WHOIS. If, on the other hand, the registrant provides generic contact email information (e.g. email@example.com), the EDPB does not consider that the publication of such data in the context of WHOIS would be unlawful…."
Second, the EDPB's letter provides important guidance to advance recent community discussions about a unified access model for how legitimate users of WHOIS data could continue to have access to non-public data. The EDPB notes that non-public WHOIS data could be made available to third parties "provided that appropriate safeguards are in place to ensure that the disclosure is proportionate and limited to that which is necessary and the other requirements of the GDPR are met…." The EDPB confirms its expectation of ICANN developing "a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement…" This is a strong indicator that we would receive additional input were the community to continue its work and come together to identify a method of providing access to non-public WHOIS data consistent with the law. The EDPB letter provides helpful insight into transparency requirements that should be part of a model, including appropriate logging of data requests, as well as helpful suggestions in the event ICANN is considering a model that uses codes of conduct and accreditation as the approach to providing access to the data.
Third, the EDPB highlights some areas where ICANN may provide additional clarity about GDPR compliance as it relates to the global WHOIS system. The areas identified by the EDPB relate to ICANN's purposes for processing gTLD registration data, data collection, as well as the appropriate period for retaining personal data.
Last, the EDPB letter makes reference to ICANN's ongoing legal proceedings in Germany against the registrar EPAG, with specific references to the clarifications ICANN provided in its court filings concerning administrative and technical contact details that are collected as part of a WHOIS record. Because of this reference, earlier this week, ICANN submitted the EDPB's letter to the court for its consideration. A copy of this submission will be published on our Litigation Documents webpage.
We are carefully considering the guidance provided by the EDPB in order to advise the ICANN Board on whether clarifications, changes or implementation adjustments may be needed to the Temporary Specification adopted on 17 May 2018. We are also evaluating this guidance as it relates to the Framework Elements for a Unified Access Model, possible contractual compliance actions against contracted parties, as well as the ongoing legal proceedings in Germany where ICANN asked the Regional Court in Bonn for assistance in interpreting the GDPR in order to protect the data collected in WHOIS.
We encourage the community to read the full EDPB letter, share your thoughts and continue to participate in the discussions we will have over the coming months. We also hope that the EDPB's guidance will be a helpful input to the important policy work being conducted in the expedited policy development process that is being initiated by the GNSO Council. We look forward to continuing to work with you, and we are hopeful that we can continue the progress of the collective ICANN community on these important issues. We will continue to keep the community apprised of developments. Please also see our Data Protection/Privacy Issues webpage and provide any input through firstname.lastname@example.org.