The European Commission (EC) has finally weighed in on the recommendations of ICANN’s Expedited Policy Development Process (EPDP). The EPDP is reforming WHOIS to make it consistent with the GDPR and with privacy rights. The EC comments, we are happy to report, are well aligned with the positions of privacy advocates. This should not be surprising, because the General Data Protection Regulation (GDPR), which is what forced ICANN to reform WHOIS in the first place, is a European law. However, within ICANN’s Governmental Advisory Committee (GAC) the EC has not always seemed to fully support the GDPR. These comments put those concerns to rest. In this blog post, we detail the important points the EC has raised in its comments.

Disclosure of personal information is not a purpose!

One of the purposes for WHOIS outlined in the EPDP report was Purpose #2: enabling responses to lawful data disclosure requests. Having “disclosure” as a purpose was a compromise we had to make to bring intellectual property, government and security researcher interests to a consensus. But as IGP, the Noncommercial Stakeholders Group (NCSG) and the contracted parties said multiple times, collecting data in order to disclose it to third parties is not a legitimate purpose under the GDPR.

The EC comments confirmed this view. The EC told ICANN that disclosure of personal information to third parties is not a purpose but a processing activity. It also invited ICANN to differentiate between processing activities and purposes, noting that:

…the European Commission considers that the purposes for processing WHOIS personal data by ICANN and/or the contracted parties should not include enabling access by third parties. This is also at the core of the concerns expressed for some time by the Data Protection Authorities (DPAs) and the European Data Protection Board (EDPB), which have clarified that the purposes of ICANN and contracted parties must not be conflated with the interests of third parties in accessing registration data.

It is very important that the European Commission finally decided to break its silence on this issue.

Establishing legitimate interest to access personal information

The European Commission agrees that Article 6(1)(f) (the “legitimate interests” lawful basis) can be invoked to establish the legitimate interest of third parties. However, the conditions the EC enumerates are all too familiar to the GDPR lawyers and privacy advocates involved with this issue. The EC states that in order to grant access to personal information, the controller needs to carry out a balancing test to establish that the interest of the third party outweighs the fundamental rights of the data subject. This means that it is primarily the registrars who are responsible for carrying out such a balancing test, and they may have to do so on a case-by-case basis. As for intellectual property rights holders, the existence of the right has to be established, and the necessity and proportionality of access to the data have to be ascertained. This leads us to conclude that policy recommendations about the process of granting access to the personal information of domain name registrants should be based on individual cases, not on a blanket right of access. It also reminds us that the excessive volume of requests submitted by brand protection firms such as APPDETEX might face legitimate delays, because registrars have to carry out the balancing test for each one.

Another very interesting point in the EC’s comment concerns law enforcement access to personal information. This point was also raised multiple times by GDPR lawyers, IGP and NCSG: law enforcement agencies have to come up with their own means of access to personal information. Their mandate and the nature of their requests are different from those of other interest groups such as intellectual property rights holders. The European Commission has now declared that Article 6(1)(f) cannot be used to establish a legitimate interest for law enforcement access; law enforcement should instead be granted access in accordance with its own legal basis. This is consistent with the text of Article 6(1) itself, whose final sentence says the legitimate-interest ground does not apply to processing carried out by public authorities in the performance of their tasks. The EC suggests that the legal basis for law enforcement access to personal information can be found in their national laws. This is a surprising but welcome turn of events, as law enforcement agencies based in Europe have been trying to gain access through the means intended for intellectual property rights holders.

These parts of the EC’s comments are welcome and long overdue.

But what about law enforcement access?

The concluding section of the EC comments, however, seems to have been written by a different author. It encourages facilitating EU law enforcement access to personal information and argues that protecting personal data by redacting certain data elements has adversely affected EU law enforcement agencies. This is surprising since, in their comment on legitimate interest, the EC clearly stated that law enforcement has to establish its own legal basis for access, which can be grounded in national law. Should Europol and other EU agencies be waiting for the EPDP team to come up with a solution? That remains to be seen, but conflating intellectual property interests with law enforcement access does not seem to be GDPR compliant.