Many large American businesses – notably, Facebook and the intellectual property interests – are strongly interested in retaining free and unrestricted access to domain name registrants’ personal information (known as Whois data). As it became clear that ICANN’s multistakeholder process would restrict that access to comply with Europe’s privacy regulation, GDPR, they lobbied the U.S. Congress to pass legislation ordering ICANN to reverse its attempts to require open access to personal data in Whois.

IGP criticized these attempts to impose US legislation on DNS governance. Imposing different national laws on the global DNS undermines the global compatibility of DNS services and could trigger a legislative arms race around the world. Fortunately, that proposed legislation has gone nowhere.

But now it is Europe’s turn to try to fragment and jurisdictionalize DNS governance. Ironically, not only is it seeking to layer EU Directives over ICANN rules, it is doing so to cater to the demands of the same privacy-hostile interests which Europe claims to be saving us from.

Recently, the European Commission released a proposal to amend Europe’s Directive on Network and Information Security. The proposed revision, known as NIS2, specifically singles out the domain name industry for territorial regulation. Article 23, in particular, deals with Whois accuracy.

ICANN rules already require domain name registrants to supply accurate information. They require registrants to provide “accurate and reliable contact details” upon penalty of having the domain suspended. Registrars are required to send their registrants an annual reminder of their obligation to maintain the accuracy of their WHOIS contact data. Forms can be filed with ICANN compliance challenging the accuracy of registration data.

And yet, each of the 5 paragraphs of Article 23 starts with the phrase “Member States shall ensure.” Why is NIS2 telling “member states” to ensure something that ICANN already ensures? Why is national law being layered unnecessarily over ICANN’s contractual system?

Below, we go through the text of Article 23 and add some commentary. As you will see, insofar as these regulations are meaningful, they duplicate what ICANN and the EPDP process are already doing. Insofar as they do not duplicate what already is required, they raise concerns.

Article 23

  1. For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services [do they mean registrars?] for the TLD shall collect and maintain accurate and complete domain name registration data [already required by ICANN contracts.] in a dedicated database facility [what exactly is a “dedicated database facility”? Does a third party cloud service qualify? It’s always bad policy to require specific technological solutions in legislation.] with due diligence subject to Union data protection law as regards data which are personal data.
  2. Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs. [contact info is already required by ICANN, but what does it mean “to identify”? Should the DNS record require biometrics, national ID numbers, or DNA information? If so, this expands the requirement beyond ICANN rules and violates data minimization standards.]
  3. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available. [Policies and procedures are already publicly available.]
  4. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data. [It is already required by ICANN contracts. We are not aware of any complaints about delays in publishing registration data.]
  5. Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. [The EPDP has just spent two years ensuring the same thing.] Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all requests for access. [What is an “undue delay”? The ICANN SSAD has specific standards for that. Is the EC trying to usurp or change those requirements?] Member States shall ensure that policies and procedures to disclose such data are made publicly available. [ICANN policies and procedures are already publicly available.]

To repeat, Article 23 mostly duplicates what ICANN and the EPDP process are already doing. Insofar as it adds something different, or creates the possibility of divergence, it reflects lobbyist-driven attempts to circumvent and undermine the laborious attempt by ICANN to make its Whois regime both globally applicable and compliant with privacy principles of the GDPR.

How did this happen? Same as in the U.S. During ICANN’s policy development process on Whois and privacy, Facebook and other surveillance caucus interests tried very hard to introduce more stringent accuracy requirements. By accuracy they mean they want to move beyond existing accuracy requirements to turn registrars into identity authentication mechanisms. But this effort was shot down for two reasons. First, accuracy under the GDPR – and even in U.S. privacy principles – is a right of the data subject, not a right of third parties. That is, accuracy means that a data subject has the right to review the data retained about them and to order corrections when it is inaccurate, such as a false credit default report or some other damaging record. The surveillance caucus tried to turn accuracy into a third party right, a requirement to provide the type and level of personally identifiable information that would allow third parties to track you down. Second, accuracy efforts were shot down on procedural grounds. It was out of scope for the EPDP, which was all about making Whois data collection, processing and publication compliant with GDPR. Since an accuracy policy was already in place, a new or strengthened accuracy requirement would require a new, separate policy proceeding. It is clear that the lobbyists who didn’t succeed in bending the ICANN process fully to their will went to the European Commission to try to do so.

Europe’s claim to be more concerned about privacy than the evil U.S. has taken a big hit, in our view. Public comments can be filed on the NIS2 until February 10, 2021. Comments can be posted here.

5 thoughts on “Now it’s Europe’s turn to try to circumvent ICANN DNS policies”

  1. First of all, GDPR does not prohibit the creation and use of registers like WHOIS. The question or issue is: who gets access to the data, how data access is managed, and how data is used afterwards. When necessary for investigations or law enforcement, there is no problem accessing WHOIS data. Yes, a request and an explanation of why the data is necessary (which is what GDPR requires) takes time and effort. But that is not a big problem.
    Second, the EU (like the rest of the West) has always been double-tongued. They can support free speech and censorship (blocking of “harmful” content), the Arab Spring while providing surveillance tools to dictators, strong encryption and backdoors. And the list goes on.

    1. Atis: The article does not say GDPR “prohibit[s] creation and use of registers like Whois.” It does, however, clearly prohibit what ICANN was doing with Whois before, namely publishing PII indiscriminately. To answer the questions you pose, “who gets access, etc.”, we have been working in the EPDP within ICANN for years. The issue is whether those questions are answered by ICANN policy or by 192 different national governments.

  2. Hello Milton,

    Thought provoking article. However, I would like to offer you the following points for your additional consideration:

    – Article 23 as it is written appears to encompass all TLDs, both gTLDs and ccTLDs. Therefore, this is not merely a recitation of ICANN’s requirements, as ICANN has little to no oversight/power over ccTLDs.
    – In Paragraph 1, I think the use of the phrase “domain name registration services” was intentional. I think it was written to encompass all parties in the registration process, e.g. resellers, privacy services, etc. This is not unlike the ACPA, which introduced the term Registration Authority.
    – Paragraph 2, regarding contact info. If you look at this beyond just gTLDs, there are some European ccTLDs that collect different data elements as part of their registration process.

    While I will not deny that Article 23 was likely written with the EPDP in mind, much like the language in the US appropriations bill, I think your oversimplification of the analysis through just an ICANN gTLD lens is problematic.

    1. True, we were overlooking ccTLDs in this analysis. So how would these “accuracy” requirements change the practices of ccTLDs? Which ones would be affected and how?

      1. Hello Milton,

        Just like the European GDPR has a global impact, the NIS2 directive will have a global impact when companies do business in the EU and fall under the scope of the transposed Directive (once it has been approved by the EP and the Council and has been translated into MS law).

        There has been some frowning on Article 23 in the industry though, as the NIS is about stability and resilience of critical infrastructure and hence was mostly applicable to the European ccTLD ecosystem. This Article clearly expands the scope to the usage of domain names. Transposed to the DNS, the NIS was all about keeping the DNS flow (paraphrasing “Dune”), regardless of its purpose; NIS2 goes way beyond that original scope.

        But we all know the issues when it comes to handling the abuse of domain names and the “accuracy” of registrant data, hence the addition of Article 23. The global pandemic might have added some urgency to the matter, especially with the abusive registrations related to Corona/COVID-19 and now the vaccines.

        The impact can be significant, as all parties involved in the registration of domain names might be held responsible for the accuracy of the data, depending on the transposition of the voted and approved Directive. To give an idea of how far this potentially can go, the Belgian transposition of the NIS Directive foresees financial fines but also criminal penalties for infractions against the NIS law. This does put the law on the radar of CEOs.

        We’ll have to see how the EP and the Council will react to this addition to the NIS Directive.
