As we anticipated, ICANN the organization, under pressure from powerful interest groups, decided to come up with its own model for access to the personal information of domain name registrants. It is a draft for “discussion.” But there is a timeline as well:
Phase 1: Community discussion and consultations on the Unified Access Model
Phase 2: Consultation with the European Data Protection Board on the Unified Access Model and the approach to develop Code of Conducts for various Eligible User Groups
Phase 3: Further refinement and finalization of the Unified Access Model based on inputs from the community and the European Data Protection Board
It seems ICANN wants to have a model in place by December 2018. Despite the fact that most registrars are not receiving many requests for access, ICANN insists that a unified access model should be in place by then. The matter of “who” should get access has been delegated to GAC, but ICANN has also stated that third parties with “legitimate interest” should have access in compliance with Article 6(1)(f) of GDPR. It also mentions that both registries and registrars should provide access to data. This requires thick registries and the transition of the legacy .com and .net TLDs to thick registries, which are not acceptable requirements. They add that if only registrars should be in charge of giving access, then it should be discussed in a PDP. They believe there should be an authenticating body and GAC should decide on the authenticating bodies. Some have also proposed that organizations such as WIPO, which provide dispute resolution, should authenticate the legitimate IP interest.
ICANN 62 is going to be filled with GDPR discussions. We need to stop ICANN’s unilaterally developed accreditation model and get them to accept what the community develops. How should we approach this?
Understand what access is about
It’s access to personal information of domain name registrants, not “nonpublic WHOIS data.” It seems like some people are saying “nonpublic WHOIS data” to water down the seriousness of the issue. These interest groups want to have access to personal information of domain name registrants: their address, their phone number, their email!! This is what “nonpublic WHOIS data” means!
ICANN’s model is about accreditation, not access
ICANN’s recommended model is not an access model, it’s an accreditation model. It revolves mostly around “who” should be given (unlimited) access and what authenticating bodies should grant them this privilege. They state that they will first ask GAC and then if there is no response they will ask the community. As we said in our previous blog, accreditation is a secondary issue, not a primary issue when it comes to access, and we may not want to accredit broad classes of people at all. We should focus on the process and restraints of giving access to data, and the accountability of those who give it, not accreditation at this stage.
The “authenticating bodies”
ICANN wants GAC to appoint authenticating bodies that authorize users who can have access to personal information of domain registrants. If GAC cannot come up with authenticating bodies, then the community can make suggestions. Some community members made a suggestion that shows why having authenticating bodies is such a bad idea. They proposed the World Intellectual Property Organization (WIPO) as an organization for authenticating IP lawyers. Our short answer to the approach of having authenticating bodies is: no. Our long answer is: you cannot put a biased organization in charge and oblige registrars to give access to their customers’ data!
Who should be in charge of giving access to personal information
ICANN believes registries and registrars will be in charge but then says that the discussions about whether only registrars are in charge of giving access belong to relevant PDPs. We believe that the whole discussion about who should be in charge belongs to a PDP and we wonder why ICANN org thinks that it can answer the question and then says a clarification belongs to a PDP. Seems like all along ICANN knew too well it is invading the picket fence and getting engaged with something that is a policy issue. Our answer to this question is: only registrars will be in charge of giving access.
Scope of data
ICANN org believes there might be two answers to the question about the scope of data the requestor can access: one is access to the full WHOIS record for each query and one is access to a limited record in accordance with the legitimate purpose or interest of the request. Obviously, it is better for the privacy of domain name registrants that data be available for specific domain names and that the information received be in accordance with the legitimate purpose. ICANN does not have two options! It only has one: access should be given to a limited record in accordance with the legitimate purpose of the request. That is the only answer compliant with the GDPR. Further, this is a policy question. Beyond the requirement that the answer be compliant with GDPR, the policy has to be set by the community and not ICANN org.
Registries and registrars will be required to give access
ICANN wants to oblige registries and registrars to give access to authenticated users. But, as it says, they are obliged only if it is in accordance with local law and is a legitimate interest. Funnily enough, ICANN has not really corrected its legitimate purpose and interest definition despite the WP29 guidelines.
The code of conduct elements
The code of conduct applies to the conditions under which legitimate users can have access to personal information of domain name registrants. The elements ICANN enumerates are not wrong, but they are incomplete, and it wants to develop these codes of conduct in consultation with GAC and the European Data Protection Board. Did it fail to mention the community by mistake? Does it understand that access to personal information of WHOIS registrants is a policy issue that should be developed within the community?
Who would enforce the code of conduct?
Remember the concept of authenticating bodies? ICANN believes that authenticating bodies should enforce the code of conduct. What is wrong with this approach? Independence and neutrality of authenticating bodies will not be ensured. Would WIPO enforce the code of conduct on its devoted IP lawyers because they went too far to enforce their intellectual property rights? We doubt that. We need neutral ADR providers.
All in all, ICANN’s proposal is too theoretical, does not even solve the problem and is a clear ICANN org intervention into a policy issue that the community should be developing. We invite ICANN org to calm down and watch us come up with a policy for access.