- Main Agenda:
Consideration of the Temporary Specification for gTLD Registration Data (Implementation of GDPR Interim Compliance Model)
Whereas, the European Union's General Data Protection Regulation (GDPR) is a set of rules adopted by the European Parliament, the European Council and the European Commission that will impose new obligations on all companies and organizations that collect and maintain any "personal data" of residents of the European Union, as defined under EU data protection law. The GDPR will take full effect on 25 May 2018.
Whereas, the GDPR has given new prominence and urgency to the long-standing debate about data protection and privacy in WHOIS.
Whereas, the ICANN Board reaffirms the importance of appropriate access to registration data for legitimate purposes as consistent with ICANN's mission.
Whereas, over the past several months ICANN org has consulted with community stakeholders, contracted parties, European data protection authorities, legal experts, and interested governments to understand the potential impact of the GDPR to personal data that participants in the gTLD domain name ecosystem collect, display and process (including registries and registrars) pursuant to ICANN contracts and policies.
Whereas, through an iterative process and with feedback from the community, ICANN org developed a proposed interim model for how ICANN and gTLD registries and registrars could continue to comply with ICANN contractual requirements and community-developed policies in relation to the GDPR (the "Proposed Interim Compliance Model").
Whereas, ICANN org requested and has received guidance from the Article 29 Working Party concerning the Proposed Interim Compliance Model, including areas where ICANN as received governmental advice and input reflecting differing views.
Whereas, the Governmental Advisory Committee ("GAC") provided advice to the Board in its San Juan Communiqué (15 March 2018) concerning the Proposed Interim Compliance Model. The advice was the subject of an exchange between the Board and the GAC to clarify the Board's understanding of the advice.
Whereas, ICANN org communicated with European data protection authorities and requested adequate time for gTLD registries and registrars to implement the Interim Compliance Model once additional clarification from the data protection authorities was incorporated into the Proposed Interim Compliance Model. The Article 29 Working Party highlighted the importance of ICANN communicating its full planned timescale by which the solutions will be implemented.
Whereas, ICANN is continuing to discuss with the ICANN community proposed unified access models for non-public WHOIS data.
Whereas, to cause compliance with the GDPR, the Board has considered adopting a temporary specification to implement the Proposed Interim Compliance Model, utilizing the procedure for Temporary Policies established in the Registry Agreement and the Registrar Accreditation Agreement (the "Temporary Specification for gTLD Registration Data" or "Temporary Specification"). A draft Temporary Specification was first provided to the ICANN community and the Board on 11 May 2018.
Whereas, the Board, at its Vancouver workshop on 12-13 May 2018, engaged in a substantial and robust review over two days regarding a proposed Temporary Specification, including identification of questions and potential improvements, and wants to share with the community the updates to a proposed Temporary Specification generated as a result of the Board's review to date. On 13 May 2018, the Board took a resolution identifying its intention to consider a Temporary Specification on or about 17 May 2018, and directing the ICANN CEO and President to continue to support the Board in discussion across the ICANN community regarding the refinements made prior to the Board's consideration of a proposed Temporary Specification for adoption.
Whereas, on 14 May 2018, ICANN org released an updated proposed Temporary Specification to the community and the Board, with updates reflecting the Board's inputs. On 15 May 2018, ICANN org convened a webinar to discuss the updates to the proposed Temporary Specification, with inputs received from across the ICANN community. The ICANN Board also accepted invitations from collections of stakeholders to discuss the proposed Temporary Specification.
Whereas, during May 2018, the Board has received multiple letters from parts of the ICANN community regarding the contents of a draft Temporary Specification.
Whereas, the Board has used the time since its 13 May 2018 resolution to confirm that appropriate modifications are incorporated into a proposed Temporary Specification prior to considering adoption. The Board also understands that additional explanatory materials on the Temporary Specification being adopted today will assist in creating a general understanding of the impact of the Temporary Specification across the ICANN community.
Whereas, the Board has communicated to the GAC that the Board made a preliminary determination that its approach in the proposed Temporary Specification is inconsistent or could be viewed as inconsistent with certain items of the GAC's advice in the San Juan Communiqué, in particular given the guidance provided by the Article 29 Working Party. The Board provided a scorecard to reflect items of the GAC's advice that the Board may reject because of this.
Whereas, ICANN org continues to engage with the Article 29 Working Party to seek clarity on guidance provided by the Article 29 Working Party about the Interim Compliance Model being implemented through the Temporary Specification. On 17 May 2018, the ICANN Board received a letter [PDF, 525 KB] from the GAC requesting that the Board defer a formal rejection of the GAC Advice to allow the GAC time to provide further clarification where possible.
Resolved (2018.05.17.01), the Board adopts the Temporary Specification on gTLD Registration Data [PDF, 735 KB] pursuant to the procedures in the Registry Agreement and Registrar Accreditation Agreement concerning the establishment of temporary policies. In adopting this Temporary Specification, the Board has determined that:
- The modifications in the Temporary Specification to existing requirements concerning the processing of personal data in registration data is justified and immediate temporary establishment of the Temporary Specification is necessary to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet.
- The Temporary Specification is as narrowly tailored as feasible to achieve the objective to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet.
- The Temporary Specification will be effective for a 90-day period beginning 25 May 2018. The Board will reaffirm its temporary adoption every 90 calendar days for a total period not to exceed one year.
Resolved (2018.05.17.02), the Board understands that there are still outstanding related items necessary to be completed prior to the effective date of the Temporary Specification, specifically standard forms of data processing addenda (which contain EU Model Clauses to govern international data transfers where applicable) to be included in Registry-Registrar Agreements and Data Escrow Agreements, and directs the ICANN President and CEO, or his designee(s), to complete these items and provide notice of where these items can be found.
Resolved (2018.05.17.03), the Board acknowledges that there are other implementation items that require further community conversation and that the Board encourages the community to resolve as quickly as possible after the effective date of the Temporary Specification. These items are identified in the Annex to the Temporary Specification, though they are not required to be part of the scope of the resulting policy development process.
Resolved (2018.05.17.04), the Board affirms that further inputs are expected based on experiences once the GDPR goes into full effect, the Temporary Specification includes a process through which the ICANN Board may make adjustments to the Temporary Specification to address further inputs from the Article 29 Working Party/European Data Protection Board, court order of a relevant court of competent jurisdiction concerning the GDPR, applicable legislation or regulation, and/or as a result of the Board-GAC Bylaws Consultation.
Resolved (2018.05.17.05), the global public interest is served by the implementation of a unified policy governing aspects of the gTLD Registration Data when the GDPR goes into full effect.
Resolved (2018.05.17.06), the ICANN President and CEO, or his designee(s), is directed to produce additional explanatory material, in particular an identification of all policy and contractual terms impacted by the Temporary Specification.
Resolved (2018.05.17.07), the Board hereby implements the consensus policy development process set forth in ICANN's Bylaws and will consult with the GNSO Council as soon as possible on the path forward to consider the development of a consensus policy on the issues within the Temporary Specification. The Board will consult with the GNSO Council about the expected scope of the PDP, timing considerations, and relevant procedural requirements.
Resolved (2018.05.17.08), the Board adopts the Advisory Statement Concerning Adoption of the Temporary Specification for gTLD Registration Data, which sets forth its detailed explanation of its reasons for adopting the Temporary Specification and why the Board believes such Temporary Specification should receive the consensus support of Internet stakeholders.
Resolved (2018.05.17.09), the Board confirms that based on the 17 May 2018 letter from GAC, the Board is deferring formal action on determining that there are likely to be elements of the Temporary Specification that are inconsistent or could be viewed as inconsistent with certain items of GAC advice in the San Juan Communiqué. The Board will consider if further action is needed after continued discussion with the GAC.
Rationale for Resolutions 2018.05.17.01 – 2018.05.17.09
The European Union's General Data Protection Regulation (GDPR) will go into effect on 25 May 2018. The GDPR is a set of rules adopted by the European Parliament, the European Council and the European Commission that will impose new obligations on all companies and organizations that collect and maintain any "personal data" of residents of the European Union, as defined under EU data protection law. The GDPR impacts how personal data is collected, displayed and processed among participants in the gTLD domain name ecosystem (including registries and registrars) pursuant to ICANN contracts and policies. Modifications need to be made prior to 25 May to allow ICANN and gTLD registries and registrars to continue to comply with ICANN contractual requirements and community-developed policies in relation to the GDPR. Though there has been significant work across the ICANN community to reach a compliance model, ICANN-adopted policies need to be updated to allow compliance with the GDPR. A full community-developed consensus policy is not yet available. Without a unified applicable policy in place, there will be fragmentation in how ICANN's contracted parties implement their own compliance programs in relation to gTLD registration data. As such, a unified applicable policy is needed in place prior to 25 May 2018, and doing so is in the public interest. The public interest is not served if the ICANN Board fails to take action on this critical issue.
ICANN org's agreements with registries and registrars require compliance with Board-adopted temporary policies or specifications. To develop a temporary policy or specification, at least two-thirds of the Board must vote to approve the temporary specification, and the changes in the specification must be justified and "necessary to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet." The temporary policy or specification must be as narrowly tailored as feasible to achieve those objectives.
ICANN org, in consultation with the Board, has been exploring the possibility of a temporary policy or specification as a mechanism to implement the Interim GDPR Compliance Model. A draft of a proposed Temporary Specification for gTLD Registration Data ("Temporary Specification") was released to the Board and the community on 11 May 2018. That proposed Temporary Specification is drafted to establish temporary requirements for how ICANN and gTLD registries and registrars will continue to comply with existing ICANN contractual requirements and community-developed policies in relation to the GDPR.
At the Board's Vancouver Workshop, the Board used its time on 12 and 13 May 2018 to engage in substantial discussion with ICANN organization on the posted draft of the Temporary Specification, which resulted in additional proposed changes. At the end of its workshop, the Board took a resolution signaling its intention to consider a proposed Temporary Specification, and that doing so will be in the public interest. The Board identified that because of the significance of the Board approving a Temporary Specification, it was appropriate for the Board to take additional time prior to adoption, both for the Board's review and to have opportunities to discuss with the ICANN community on the contents of a proposed Temporary Specification.
The Board in its 13 May 2018 also identified that taking action on a Temporary Specification is within the public interest, because of the need for a uniformly applicable policy drafted to achieve compliance with the GDPR. It is important that a Temporary Specification be adopted so that it can be in force on 25 May 2018. The Board reaffirms these positions today.
An updated draft of a proposed Temporary Specification was shared with the ICANN community and Board on 14 May 2018. On 15 May 2018, ICANN org hosted a community-wide webinar to discuss the updated document. Where invited, the Board accepted invitations from community constituencies to further discuss a draft Temporary Specification. Additional refinements were made to the language of the Temporary Specification as a result of these ongoing discussion, however, there were no changes made that modified how the Proposed Interim Compliance Model is implemented through the Temporary Specification.
Through the Board's deliberations, it also identified that there are areas that are not policy topics within a Temporary Specification, but where further community conversation is needed on implementation. These items are identified in the Annex to the Temporary Specification, though they are not required to be part of the scope of the resulting policy development process. The Board encourages the community to resolve these items as quickly as possible after the effective date of the Temporary Specification.
This action is consistent with ICANN's mission "[…] to ensure the stable and secure operation of the Internet's unique identifier systems […]". As one of ICANN's primary roles is to be responsible for the administration of the topmost levels of the Internet's identifiers, facilitating the ability to identify the holders of those identifiers is a core function of ICANN.
ICANN's mission to ensure the security and stability of the operation of the Internet's system of unique identifiers has led to the obligations associated with providing the WHOIS service that are in ICANN consensus policies and contracts that ICANN has with registries and registrars. These policies and contractual obligations govern the collection, retention, escrow, transfer, and display of WHOIS registration data, which includes contact information of natural and legal persons as well as technical information associated with a domain name. Through these policies and contracts, ICANN sets the minimum requirements for WHOIS, ensuring the availability of WHOIS information to mitigate attacks that threaten the stable and secure operation of the Internet and to serve the public service uses above.
WHOIS is not a single, centrally managed database. Rather, registration data is held in disparate locations and administered by multiple registries and registrars. They each set their own conventions for the WHOIS service, consistent with the minimum requirements established in their contracts with ICANN.
Many gTLD registries and registrars are concerned about whether ICANN policies and contracts requiring them to collect, create, retain, escrow, and publish a variety of data elements related to registry/registrar operations, domain name registrations, and registrants are in conflict with the GDPR.
To ensure continued availability of the WHOIS service to the greatest extent possible and other processing of gTLD registration data while complying with the GDPR and avoid fragmentation of WHOIS, the Temporary Specification will provide a single, unified interim model to ensure a common framework for registration data directory services. To continue this public service and maintain the security and stability of the Internet, the Temporary Specification will allow for continued provision of WHOIS services via ICANN's contracts with domain name registries and accredited registrars.
There is work continuing to define standard forms of data processing addenda (containing EU Model Clauses to govern international data transfers where applicable) for Registry-Registrar Agreements and Data Escrow Agreements that Registry Operators and Registrars can rely upon to implement certain of the obligations in force in the Temporary Specification without the requirement to give notice to ICANN and seek approval for necessary data processing provisions. These will be completed and made publicly available prior to the Temporary Specification going into force.
As required when a temporary policy or specification is adopted, the Board also is taking action to implement the consensus policy development process. The Board will consult with the GNSO Council on potential paths forward (e.g. Expedited Policy Development Process) for considering the development of a consensus policy on the issues within the Temporary Specification, which must be concluded in a one-year time period.
The Board has developed an Advisory Statement to provide a detailed explanation of its reasons for adopting the Temporary Specification and why the Board believes such Temporary Specification should receive the consensus support of Internet stakeholders. The Advisory Statement is provided here [PDF, 511 KB] and is incorporated by reference into the rationale to the Board's resolutions.
On 16 May 2018, the ICANN Board received a letter from the GAC requesting that the Board defer a formal rejection of the GAC Advice to allow the GAC time to provide further clarification where possible. Pursuant to that request, the Board is not taking action today to initiate a formal Bylaws Consultation meeting between the GAC and the Board to address elements of the Temporary Specification that are inconsistent or could be viewed as inconsistent with items of the GAC advice in the San Juan Communiqué. The Board looks forward to receiving further clarification from the GAC and engaging in further discussion.
Overall, the Board's actions are expected to have an immediate impact on the continued security, stability or resiliency of the DNS, as it will assist in maintaining WHOIS to the greatest extent possible while the community works to develop a consensus policy. The initiation of focused consensus policy development work to consider the Temporary Specification is expected to have an impact on financial resources as the research and work progresses. If the resource needs are greater than the amounts currently budgeted to perform work on WHOIS- and GDPR-related issues, the President and CEO will bring any additional resource needs to the Board Finance Committee for consideration, in line with existing fund request practices.
When the Temporary Specification goes into effect on 25 May 2018, the WHOIS system will remain available, though there will be some changes. Registry Operators and Registrars are still required to collect all registration data. If Internet users submit a WHOIS query, at a minimum the user will receive "thin" data in return, including technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration. Additionally, the user will have access to an anonymized email address or a web form to facilitate email communication with the relevant contact (e.g. registrant, administrative, technical contacts). ICANN org is expected to enforce the Temporary Specification as it is fully incorporated into the relevant Registry Agreements and Registrar Accreditation Agreements.
This is an Organizational Administrative Function of the Board for which public comment is not required, however the proposed Interim Compliance Model implemented through the Temporary Specification has been the subject of comments from the community over the past several months (https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en). The Board actions approved today help serve the public interest and further the requirement in ICANN's Bylaws to "assess the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promoting consumer trust and safeguarding registrant data." [Bylaws Sec. 4.6(e)(ii)]
No resolution taken.
Published on 17 May 2018