ICANN GDPR and Data Protection/Privacy Update
As part of our ongoing work together on the General Data Protection Regulation (GDPR) and seeking clarity for any access mechanism for non-public registration data, I promised to provide regular updates. These updates and any clarity received are input into the community's policy work, and do not replace it, as we continue our efforts together on this issue.
Since our last blog updating on the publication of a possible unified access model, we have been exploring different avenues to address the tension between ICANN's public interest requirements that contractually obligate registries and registrars to provide access to WHOIS data, and the potential liability faced by ICANN, registries and registrars as data controllers when making non-public registration data available to third-parties in response to WHOIS queries.
Lowering the legal risks for contracted parties as data controllers is necessary to develop a workable unified access model.
With that in mind we have been considering variations involving technical and legal approaches. A technical solution for authentication implementation for a possible unified access model for continued access to registration data could be implemented building on the technology available via the Registration Data Access Protocol (RDAP).
The avenues we are exploring are also in line with correspondence and discussions with the European Commission1 and community2, where ICANN has stated that it wants to understand whether there are opportunities for ICANN, beyond its role as one of the 'controllers' with respect to WHOIS or its contractual enforcement role, to be acknowledged under the law as the coordinating authority of the WHOIS system.
We are looking forward to discussing these issues with the community to determine support for shifting the liability for providing access to non-public registration data to ICANN and establishing a globally scalable unified solution for access to non-public WHOIS data. Needless to say, that any avenue we pursue needs to be compliant under the GDPR. As such, it will be important to engage with the European Data Protection Board to test with them whether the approaches and interpretations of the law may ultimately provide a feasible solution meeting the needs of stakeholders seeking access to non-public WHOIS.
As to community engagement, as you may be aware, we had planned to hold a community webinar and are now working to find a new date in light of several stakeholder meetings that conflicted with the proposed time for the week of 24 September.
As you know, the ICANN Board of Directors held a workshop in Brussels recently where, in the margins, Board Chair Cherine Chalaby and I had the opportunity to meet with Mariya Gabriel, the European Commissioner for Digital Economy and Society. You may have seen her tweet following the meeting.
As a reminder, please also review the next iteration of the Draft Framework for a Possible Unified Access Model for Continued Access to Full WHOIS DATA published on 20 August. Your input to this is important as we continue our dialogue with the European Data Protection Board and decision makers in order to seek clarity on such an access mechanism. You can send your comments to firstname.lastname@example.org. You can also check our Data Protection/Privacy Issues page for the latest updates on this and related topics.