How ICANN is manipulating its GDPR discussions

As this blog post shows, ICANN’s management is now thinking about how to comply with the European General Data Protection Regulation (GDPR). They’d better be. Everyone knows ICANN’s Whois policies, which require registries and registrars to provide indiscriminate public access to personal data about domain name registrants, violate European privacy laws. In the past, this didn’t matter much, because the data protection laws didn’t have much teeth when it came to ICANN and the domain name industry. But under the GDPR, such violations will result in fines of up to 4% of an organization’s revenue. Not only registries and registrars, but ICANN itself, could be subject to these serious penalties. Real money is on the table.

But even with this huge threat looming over it, ICANN still can’t handle the data protection issue wisely and fairly. All of its efforts to prepare for the crisis reveal the same bias that got it into the problem to begin with. ICANN’s internal efforts involve only registries and registrars – the supply side of the industry – and not registrants. The aforementioned blog says that ICANN has formed an internal task force “comprised of senior leaders and subject matter experts” to focus on this important matter. Who is on this task force? Just contracted parties (registries and registrars), other registries and ICANN staff. There has been no effort to include privacy advocates or noncommercial users in this internal task force.

It gets worse. The blog invites all the attendees and remote participants at next week’s Johannesburg meeting to a Cross Community Session on GDPR. One would think that a “Cross-community” session would live up to its name and foster a dialogue amongst all relevant stakeholder groups, including domain name registrants, data protection experts and privacy advocates. But it doesn’t! The only people allowed to speak on this panel are lawyers representing top level domain registries, platform providers and internet service providers, and a law enforcement person. Not a single representative of domain name registrants, not a single privacy advocate, not a single data protection authority was allowed on the panel.

And when we say “not allowed,” we mean it. The person responsible for organizing the session, Peter Vergote of Belgium’s .BE registry, was repeatedly asked to include a registrant representative on that panel. In particular, the name of privacy advocate Stephanie Perrin, an internationally recognized privacy expert, winner of the Electronic Frontier Foundation (EFF) Pioneer Award, and someone familiar with the workings of ICANN, was put forward. Vergote refused to balance the discussion by allowing her on the panel. But they did include a European member of the law enforcement-dominated Public Safety Working Group. Isn’t it interesting that Europe is represented in a discussion of its own data protection law not by any data protection authorities, but by law enforcement interests who have demonstrated numerous times their lack of interest in privacy and data protection?

So the imbalance was not an oversight. It’s a deliberate decision to prevent the Whois/privacy problem from being discussed in a balanced and fair way. To see what a joke this is, consider that “Topic 2” of the cross-community session, which is supposed to “explore how the GDPR affects registrants, and services by registries and registrars,” does not even allow a registrant to appear on the podium. Instead, they have a lawyer for a major TLD registry talk about the topic. Are we the only ones crazy enough to think that someone from an ICANN stakeholder group representing domain name registrants ought to address the impact of the GDPR on registrants?

Of course, ICANN has been doing this for years. A blog post from 2014 shows you how the game is routinely played in ICANN. The difference now is that the stakes are much higher. It’s absurd for ICANN to keep its head in the sand and continue to pretend that privacy and data protection advocates don’t exist.

Participants in the ICANN meeting should attend this so-called “Cross community” session in force and demand answers from the organizers as to why ICANN keeps having such an imbalanced and unfair dialogue.

 

5 comments

  1. Peter Vergote

    Dear Milton,

    Your blog entry may be well intended but it unfortunately lacks accuracy. I’m getting the feeling that you are so hard looking for organized complots against GDPR that you actually fail to see what the session in Johannesburg is all about.

    Why did I not include Stephanie Perrin in the panel? First and foremost because the role of the panel is very limited. It serves to set the scene and act as a catalyst for interaction with and feedback from the audience. It’s the audience that is playing the lead role in this session and not the panel! Secondly, the whole session has a run time of 90 minutes which is too limited for a topic as huge as GDPR. If we want to have a session that is focused and beneficial for the ICANN community, we simply cannot afford to have 60 minutes of that valuable time being consumed by presentations from the panelists.

    Does this mean that I deliberately want to shut out the point of view of registrants? By no means! I would absolutely welcome to hear from Stephanie and I hope she will attend the session and take the opportunity to make comments, observations or give advice as Oliver Süme and myself go round in the room to give the mic to people who want to step in the debate.

    Quite frankly, I don’t know where the crazy notion comes from that all contracted parties (registries and registrars) would be plotting a scheme together with ICANN to play down the effects of the GDPR. Please allow me to share the thoughts that have led towards this session. Within the ccNSO we felt that European ccTLDs have a far broader experience when it comes down to deal with privacy regulations and the protection of individual rights of registrants than some of our peers in the gTLD space. As we know that the impact of GDPR is going to stretch out far beyond the physical borders of the EU, we wanted to set up a session on GDPR that could help our colleagues from other registries and registrars in their search for ways to implement GDPR in their systems. The aim of the whole session is in fact the opposite of what you seem to imply in your blog post.

    I’m more than happy to discuss this further in detail as soon as I arrive in Johannesburg. I wish this session to be helpful for the whole ICANN community and I truly deplore that some already start to bury it with criticism instead of reaching out and participate in the session in an active but respectful way.

    On a personal note, and to highlight the careful attention that some registries provide to protection of privacy of their users, I invite you to do a whois search for wijnblog.be (my personal blog) on http://www.dnsbelgium.be. You should see that my personal data (apart from my email) are shielded. Not because I use a sort of privacy shield, this is just plain and simple policy of the registry.

    Peter Vergote

  2. Milton Mueller

    Thanks for your careful reply, Peter. I did not, however, see any inaccuracies identified by your reply. What you did offer us was a patently weak excuse for the composition of the panel. You say no registrant was included because “the role of the panel is very limited. It serves to set the scene and act as a catalyst for interaction with and feedback from the audience.” No. That is completely unconvincing. If that is true, why don’t you ask Ms. Burr or Ms. Bauer-Bulst to step down and allow Perrin to “set the scene?” You have virtually every stakeholder group represented on that panel…except registrants, privacy advocates and data protection authorities. The pattern is too obvious. Why is it always the people on the registrant/privacy side of this debate who are made invisible in these discussions? ICANN has engaged in this kind of exclusion for 15 years, and we are tired of it.

    That being said, I am happy to see you acknowledge that “the impact of GDPR is going to stretch out far beyond the physical borders of the EU, we wanted to set up a session on GDPR that could help our colleagues from other registries and registrars in their search for ways to implement GDPR in their systems.” That would be great, if the panel were set up to do that. But if that was your intent, you implemented it badly. Why do you not have a data protection authority who is expert on how data protection law will apply to this case on that panel? It makes no sense whatsoever to have a Public Safety Working Group member, whose main concern is surveillance and not compliance with data protection law, there.

    I was also happy to see that .BE follows registrant-friendly policies. If you’d allow registrants to be represented in this dialogue, you might find more positive recognition of that fact when you “set the scene.”

    I won’t be in Johannesburg, but a lot of angry noncommercial registrants will be. Have fun.

  3. Pingback: How ICANN is manipulating its GDPR discussions « Data Protection News
  4. Becky Burr

    I hope that you were able to participate remotely and perhaps have now had the opportunity to speak with noncommercial stakeholders here in Johannesburg about ICANN’s GDPR compliance work.

  5. Richard Hill

    Gee, is this implying that ICANN is not as multi-stakeholder as it should/could be?