Data Protection/Privacy Update: Seeking Community Feedback on Proposed Unified Access Model
Today we’re sharing for discussion the draft Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data [PDF, 93 KB]. At a high level, it provides a process for how third parties may access non-public WHOIS data.
I also want to take this opportunity to thank the ICANN community for their hard work and valuable inputs that led us to the adoption of the Temporary Specification for gTLD Registration Data (Temp Spec). The European Data Protection Board (EDPB) also recognized these community efforts and said it “expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.” Just as we all worked together to agree on tiered/layered access, which is a major change to the WHOIS services, your contributions here will help us shape this model.
The EDPB also said that it “may engage further with ICANN to ensure that the legal requirements under EU data protection law are properly addressed.” We note the importance of community collaboration as we seek this legal certainty. The ICANN Board of Directors, in the Temp Spec, encouraged continued community work “to develop an accreditation and access model that complies with GDPR.” To further these community discussions, we have also published a chart [PDF, 90 KB] comparing our draft framework elements against those of two models proposed by ICANN community members.
The framework lays out a series of central questions to help frame discussions about how such a model may work, including how and which users with a legitimate purpose, as defined by the law, can gain access to non-public registration data. It builds on the “Calzone Model” (Attachment 2), the Temp Spec, and also incorporates ideas from community members and relevant data protection authorities. This proposed unified access model would provide transparency and uniformity and, most importantly, foster discussions that may increase legal certainty and simplify the process for all parties.
Because access to non-public registration data is a public policy concern, and public policy is within the purview of governments, ICANN org’s proposal is to start by engaging with governments in the European Economic Area, which are also members of the Governmental Advisory Committee (GAC). Some of the questions to be discussed with governments include how law enforcement, individual users and other private third parties would be authenticated to access non-public registration data. There remain open questions on this and other issues for which we welcome your input. For example, the scope of data an eligible user group would have access to may be limited to only the fields a user requires, or it may be the full WHOIS record for a particular query.
In addition to sharing this framework with the community, we intend to discuss it with the EDPB to ensure the model is compliant with the European Union’s General Data Protection Regulation (GDPR).
The community has also raised questions about this draft model and other related activities. I want to note that developing a unified access model has been part of our conversations regarding the GDPR from the start, including an approach outlined in both the Calzone and the Cookbook. Part of ICANN org’s role is to facilitate discussions with the data protection authorities (DPAs) to confirm, where possible, that the community’s consensus policy is compliant with the GDPR. ICANN continues to maintain a high level of transparency relating to our role. Our community conversations on these issues will help guide our discussions with the DPAs and we will continue to document these discussions.
I encourage you to review the proposed unified access model and participate in community discussions on this topic, including at ICANN62, where there will be several sessions related to the GDPR and the Temp Spec. In addition, you can provide your feedback via email to email@example.com. Be sure to visit our Data Protection/Privacy page for regular updates and an overview of our activities in this area.