I remember one of my first conversations about ICANN and WHOIS General Data Protection Regulation compliance with the ICANN CEO. The CEO told me (as he repeatedly told others) that ICANN should consult with the Data Protection Authorities about how to comply with GDPR. I agreed. The boundaries of WHOIS GDPR compliance are set by law and not by ICANN. The community can take a role within those boundaries to make policies, but if ICANN is to avoid penalties and fines it must be compliant with GDPR. Aside from that, the data protection guidelines mandated by GDPR are justified and reasonable protections of individual rights.
Fast forward, the Data Protection Authorities’ guidance is out. No surprise: the Data Protection Authorities that ICANN rightly insisted on seeking guidance from, told ICANN exactly what the Noncommercial Stakeholders Group (NCSG) and the Internet Governance Project had been telling them all along. They need to define in detail a specific purpose of WHOIS in order to determine if specific uses of the data are legitimate; their data retention period must be justified by that specific purpose; they need to be careful with the international data transfer; and their certification process for tiered access must also comply with data protection norms.
Instead of reacting to this guidance with some reflection and perhaps a change in approach, ICANN has made an announcement just yesterday, the same day it got the guidance. The statement expresses ICANN’s disappointment that the WP 29 did not give them some time off from the law. They want a year-long moratorium to keep WHOIS open so that they can come up with a policy that is compliant with GDPR. They want to keep WHOIS in its current state: i.e. you can still access registrants’ personal data even when GDPR goes into effect. Why do they want a moratorium to keep WHOIS open? It would make more sense to close the data off (this means remove personal information, not all the information available in WHOIS) until we come up with a policy. That way ICANN would not face a fine! The ICANN’s announcement gets quite amusing: ICANN wants to throw itself under the bus to save consumers, protect the trademark owners and above all, drum roll: fight “fake news.” That ICANN resorts to this nonsense shows that it still does not take GDPR compliance seriously.
Why are we in this situation in the first place? Perhaps, because we were busy with the IANA transition and ICANN accountability, the previous CEO of ICANN saw the time ripe to leave very quickly before he had to deal with the GDPR issue, the American trademark lawyers were (and still are) in denial, and the registries and registrars were just in angst thinking at some point they might have to come up with their own plan. The Noncommercial Stakeholders Group was the broken record that everyone perceived as not worth paying attention to. But GDPR got real and ICANN has to deal with it.
There is another good speculation about why ICANN, which has always put the interest of corporations first, suddenly cares about protecting the world and wants to prevent some of WHOIS information becoming private: Big players are putting pressure on ICANN to keep WHOIS open. Among them, might be the US government putting pressure on ICANN to do something about this annoying European law. At the State of the Net (SOTN) conference held in January 2018, assistant secretary Redl stated:
“Right now, NTIA has two main priorities internationally. The first is the preservation of the WHOIS service, which has become one of NTIA’s most pressing issues related to ICANN over the last several months […..] Today, I would like be clear — the WHOIS service can, and should, retain its essential character while complying with national privacy laws, including the GDPR. It is in the interests of all Internet stakeholders that it does. And for anyone here in the U.S. who may be persuaded by arguments calling for drastic change, please know that the U.S. government expects this information to continue to be made easily available through the WHOIS service.”
To be clear, we never asked for WHOIS to go dark. Under GDPR, not all the WHOIS data has to become private. Those who argue that if we don’t have an accreditation model by May 25th, WHOIS will go dark, are wrong. ICANN can continue to publish the technical and minimal contact data required by its purpose as coordinator of the global DNS. But if you have been operating your business based on unlimited access to domain name registrants’ personal information, you will have a hard time continuing it.
Since the WP29 did not respond to ICANN’s request for a moratorium, ICANN wants to take someone to court in Europe over this WHOIS issue and get some time off from the law. But who will ICANN be taking to court? They are not sure. The CEO said:
“we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”
In the end, I have a few tips for ICANN: instead of studying available remedies and legal actions to get a temporary relief from GDPR compliance, start working on an accreditation model that is compliant with the GDPR. Define the purpose of Whois based on ICANN’s mission, and address the WP29 concerns with the help of a neutral independent legal team. If you don’t have the time, make the sensitive data private, then come up with an accreditation plan. ICANN has better listen this time, there is a law and a hefty fine we can count on!
The issue is, not only ICANN might be fined, but every gTLD Registry and Registrar (and very few of those can survive even the ‘cheap’ fine of 10M EUR). To have WHOIS services working, one needs some company to provide those services (and it is not realistic to expect provision of services by bankrupt companies). P.s: fines are per incident, so even ICANNs funds are not going to be enough to cover all incidents.