As this blog post shows, ICANN’s management is now thinking about how to comply with the European General Data Protection Regulation (GDPR). They’d better be. Everyone knows ICANN’s Whois policies, which require registries and registrars to provide indiscriminate public access to personal data about domain name registrants, violate European privacy laws. In the past, this didn’t matter much, because the data protection laws didn’t have much teeth when it came to ICANN and the domain name industry. But under the GDPR, such violations will result in fines of up to 4% of an organization’s revenue. Not only registries and registrars, but ICANN itself, could be subject to these serious penalties. Real money is on the table.
But even with this huge threat looming over it, ICANN still can’t handle the data protection issue wisely and fairly. All of its efforts to prepare for the crisis reveal the same bias that got it into the problem to begin with. ICANN’s internal efforts involve only registries and registrars – the supply side of the industry – and not registrants. The aforementioned blog says that ICANN has formed an internal task force “comprised of senior leaders and subject matter experts” to focus on this important matter. Who is on this task force? Just contracted parties (registries and registrars), other registries and ICANN staff. There has been no effort to include privacy advocates or noncommercial users in this internal task force.
It gets worse. The blog invites all the attendees and remote participants at next week’s Johannesburg meeting to a Cross Community Session on GDPR. One would think that a “Cross-community” session would live up to its name and foster a dialogue amongst all relevant stakeholder groups, including domain name registrants, data protection experts and privacy advocates. But it doesn’t! The only people allowed to speak on this panel are lawyers representing top level domain registries, platform providers and internet service providers, and a law enforcement person. Not a single representative of domain name registrants, not a single privacy advocate, not a single data protection authority was allowed on the panel.
And when we say “not allowed,” we mean it. The person responsible for organizing the session, Peter Vergote of Belgium’s .BE registry, was repeatedly asked to include a registrant representative on that panel. In particular, the name of privacy advocate Stephanie Perrin, an internationally recognized privacy expert, winner of the Electronic Frontier Foundation (EFF) Pioneer Award, and someone familiar with the workings of ICANN, was put forward. Vergote refused to balance the discussion by allowing her on the panel. But they did include a European member of the law enforcement-dominated Public Safety Working Group. Isn’t it interesting that Europe is represented in a discussion of its own data protection law not by any data protection authorities, but by law enforcement interests who have demonstrated numerous times their lack of interest in privacy and data protection?
So the imbalance was not an oversight. It’s a deliberate decision to prevent the Whois/privacy problem from being discussed in a balanced and fair way. To see what a joke this is, consider that “Topic 2” of the cross-community session, which is supposed to “explore how the GDPR affects registrants, and services by registries and registrars,” does not even allow a registrant to appear on the podium. Instead, they have a lawyer for a major TLD registry talk about the topic. Are we the only ones crazy enough to think that someone from an ICANN stakeholder group representing domain name registrants ought to address the impact of the GDPR on registrants?
Of course, ICANN has been doing this for years. A blog post from 2014 shows you how the game is routinely played in ICANN. The difference now is that the stakes are much higher. It’s absurd for ICANN to keep its head in the sand and continue to pretend that it can continue to pretend that privacy and data protection advocates don’t exist.
Participants in the ICANN meeting should attend this so-called “Cross community” session in force and demand answers from the organizers as to why ICANN keeps having such an imbalanced and unfair dialogue.