The Internet Corporation for Assigned Names and Numbers (“ICANN”) today announced that it has received a letter from the Article 29 Working Party (WP29) [PDF, 400 KB] that provides guidance on the European Union’s General Data Protection Regulation (GDPR) and its impact on the collection, retention and publication of domain name registration data and the WHOIS system. ICANN organization’s response to the letter from the Article 29 Working Party will be published shortly here.
“We appreciate the guidance provided by the Article 29 Working Party on this important issue and have accepted an invitation to meet with the WP29 Technology Subgroup in Brussels on 23 April for further discussions,” said Göran Marby, ICANN president and CEO.
“However, we are disappointed that the letter does not mention our request for a moratorium on enforcement of the law until we implement a model. Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”
“A moratorium on enforcement action by DPAs would potentially allow for the introduction of an agreed-upon accreditation model and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model. It will also allow for reconciliation between the advice ICANN has received from its Governmental Advisory Committee (GAC) and the Article 29 Working Party. Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented until the interim compliance model and the accreditation model are implemented.”
“A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services. Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.”
“In parallel, we will carefully consider this advice, along with all of the input we have received from the multistakeholder community, before making changes to the current iteration of the proposed interim model,” Marby continued. “As a part of this, we will explore all options as we continue dialogues with DPAs and the interested parties that comprise the multistakeholder community.”
“It’s important to balance the right to privacy with the need for information. While ICANN recognizes the importance of the GDPR and its goal of protecting personal data, parts of the ICANN community have noted the negative impact of a fragmented WHOIS. For example, it will hinder the ability of law enforcement to get important information and the anti-spam community to help ensure the Internet protects end-users. It will also:
- Protect the identity of criminals who may register hundreds of domain names specifically for use in cyberattacks;
- Hamper the ability of consumer protection agencies who track the traffic patterns of illicit businesses;
- Stymie trademark holders from protecting intellectual property; and
- Make it significantly harder to identify fake news and impact the ability to take action against bad actors.
These are just a few examples from a long list of potentially adverse scenarios.”
Marby also requested that the DPAs include ICANN in any proceedings relating to WHOIS, and asks that it be included in all discussions and actions of the privacy regulators with the other WHOIS data controllers. He also said that ICANN org is continuing its efforts to prepare for implementation of a new model. Additional information on ICANN’s data protection/privacy activities, including legal analyses, proposed compliance models, and community feedback is published here.