Skip to main content

Possible Unified Access Model Published for Community Input

Gdpr unified access model 1563x782 20aug18 en

The ICANN org has been working to further develop its proposal for a possible unified access model, in order to engage in discussions with the community and relevant data protection authorities. Following the June publication of the Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data [PDF, 93 KB], we have striven to deepen our understanding of the European Union's General Data Protection Regulation (GDPR). Today, we published the Draft Framework for a Possible Unified Access Model for Continued Access to Full WHOIS Data – For Discussion [PDF, 521 KB], and we are seeking your input on this proposal. Your feedback will be important as we continue our dialogue with the European Data Protection Board (EDPB) in order to seek legal clarity for any such access mechanism. Lowering the legal risks for data controllers/contracted parties is necessary to develop a workable unified access model.

This proposal is a working draft intended to facilitate further discussions with the EDPB and the ICANN community. It outlines basic parameters based on ICANN org's current understanding of the GDPR, so that we can continue to seek input from the EDPB. Having clear guidance may increase legal certainty for data controllers about whether a unified access model could be implemented, as well as assist the community in the Expedited Policy Development Process (EPDP) to consider the Temporary Specification for gTLD Registration Data (Temp Spec).

As communicated before, ICANN org's work to develop a proposed model is not intended to replace the community's policy development process. Rather, we are seeking to be responsive to a range of stakeholder communications, including the EDPB's statement on 27 May 2018 which noted "to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders." Additionally, there is a need for guidance about what may legally be permitted in a model so that this information can be factored into policy work.

While the Temp Spec requires access to non-public WHOIS data for those with legitimate purposes as defined by the law, registrars and registry operators have differing approaches to meeting that requirement. ICANN's proposal explores whether it is possible to develop an automated and unified approach across all gTLD registrars and registry operators in a manner consistent with the GDPR, including the obligations placed on data controllers.

This next iteration seeks to address and help clarify the technical and legal foundation upon which a unified access model could potentially be built. It does not attempt to design the final unified access model or how it could be implemented. The details, including how a model may be operationalized, would require further and deeper community discussion and engagement. Indeed, the Temp Spec's annex contemplates and encourages further community discussions on this topic.

The proposal also includes various open questions, where we see the community's opinions currently diverge. These include: whether authenticated users must provide a legitimate interest for each individual authenticated query; what the logging requirements should be; if the full WHOIS data set must be returned for authenticated query; who must provide access (registry, registrar, or both); whether there should be a fee for access; and whether there should be a centralized portal (operated by ICANN) from which authenticated users are able to perform queries of non-public WHOIS data.

We are seeking your input on all of these key issues, so please send your comments to gdpr@icann.org. As we continue to move forward, I will keep you apprised of our discussions with the EDPB. As always, you can find updates and other relevant documents at our Data Protection/Privacy Issues page.

Comments

    Vipin  03:05 UTC on 12 September 2018

    Hello, i would like to ask all members, your opinion on UAM (unified access model) for whois data i was reading the draft published on ICANN website so the question is other than registrars and registries the companies who facilitate domain registration services under reseller model can apply to be part of eligible groups of UAM to gain access to data. And i read that it would be decided by Governments and facilitated by GAC so what would be the procedure to do so ? Also the complete time line of final roll out of this?

    Eleeza Agopian  10:36 UTC on 28 September 2018

    (Posting on behalf of Theresa Swinehart, Senior Vice President, Multistakeholder Strategy and Strategic Initiatives) Dear Vipin, thank you for your comments. Regarding your question on eligible groups permitted to gain access to data, this is one of the topics we continue to seek input on as part of a possible unified access model. The aim of this possible model is to foster discussions with European data protection authorities (DPAs) that may increase legal certainty for use of the model, helping to ensure compliance with the law, and simplify the process for all parties. ICANN’s work on this possible model does not replace the multistakeholder policy development process. We encourage your continued feedback at gdpr @ icann. org, which will be published alongside other comments on the proposed models on our main Data Protection/Privacy page. Thank you again, Theresa Swinehart

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."