Advisory: Chinese Privacy Law and its Impact on Registration Data Disclosure
ICANN has issued this advisory to make the community aware of a Chinese data protection law that may impact access to nonpublic gTLD registration data.
27 June 2022
On 1 November 2021, China implemented the Personal Information Protection Law of the People's Republic of China (PIPL), which concerns the processing of data concerning natural persons within the territory of the People's Republic of China. ICANN organization (org) alerted the community to the implementation of this law in a 21 October 2021 blog.
Since the law's effective date, ICANN org has begun to receive Contractual Compliance complaints concerning instances in which registrars are asserting the PIPL as a basis for denying requests from third parties for access to nonpublic gTLD registration data. The PIPL is just one of countless laws that, like the European Union's General Data Protection Regulation (GDPR), may impact contracted parties' approaches to compliance with applicable ICANN agreements and Consensus Policies. This Advisory is intended to clarify how ICANN Contractual Compliance approaches enforcement of contractual obligations that are impacted by local law and explain how PIPL may impact requirements relating to disclosure of nonpublic registration data.
In response to GDPR, the ICANN Board adopted the Temporary Specification for gTLD Registration Data (Temporary Specification), which included requirements related to the provision of reasonable access to nonpublic registration data associated with gTLD domain names. Subsequently, the Interim Registration Data Policy for gTLDs (Interim Policy) was adopted, requiring ICANN contracted parties to continue to implement measures consistent with the Temporary Specification.
The Interim Policy permits and in some cases requires ICANN contracted parties (registrars and registry operators) to redact previously public registration data containing personal data in Registration Data Directory Services (RDDS). Under Appendix A, Section 4.1 of the Temporary Specification, ICANN contracted parties must provide third parties reasonable access to personal data in registration data on the basis of a legitimate interest pursued by third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of Registered Name Holders or data subjects pursuant to Article 6(1)(f) GDPR.
While PIPL is similar to the European Union's GDPR, which helped to guide the current reasonable access requirement described above, there are distinct differences between the two. The PIPL concerns the processing of personal data concerning natural persons within the territory of the People's Republic of China. In addition to the processing of such data within China, the PIPL also applies to the processing of data of individuals located in China that is carried out outside the territory of the People's Republic of China if the purpose is to provide products or services to domestic natural persons, to analyze and evaluate the activities of domestic natural persons, and in other circumstances provided by laws and administrative regulations. As with GDPR, PIPL specifies legal bases for processing personal data, including transfers of personal data to third parties. However, whereas GDPR provides that personal data may be processed pursuant to legitimate interests pursued by a third party (GDPR Article 6(1)(f)), PIPL contains no comparable "legitimate interest" purpose, as noted in Jian-Chuan Zhang's 21 October 2021 blog.
Under the PIPL, the most likely applicable legal basis for processing gTLD registration data is consent. Consent under PIPL must be specific and informed, which requires, for example, notification to the individual of "the recipient's name and contact information, the purposes and means of processing and the categories of personal information to be processed…" (PIPL Article 23). Other legal bases for processing personal data within PIPL (besides consent) are exceptionally narrow. Therefore, in most cases subject to PIPL, a contracted party is likely to require separate and informed consent from a data subject before it will disclose nonpublic personal data to a third party. Absent specific informed consent from the data subject, disclosure may not be permitted by applicable law.
ICANN Contractual Compliance will continue to enforce compliance with Section 4.1, Appendix A of the Temporary Specification pursuant to its established process and approach for all compliance matters, taking into account the specifics of each case. As ICANN policies and contractual requirements are applied within the bounds of the laws and regulations that are applicable to each contracted party, this will include consideration of applicable local laws that may impact how a contracted party processes and responds to requests for access to nonpublic registration data.
If you believe an ICANN contracted party has failed to comply with its requirement to provide reasonable access to nonpublic registration data, you may file a complaint with ICANN Contractual Compliance using the complaint form available here. Additional information on how to submit complaints concerning requests for access to nonpublic registration data can be found here.