Many large American businesses – notably, Facebook and the intellectual property interests – are strongly interested in retaining free and unrestricted access to domain name registrants’ personal information (known as Whois data). As it became clear that ICANN’s multistakeholder process would restrict that access to comply with Europe’s privacy regulation, the GDPR, they lobbied the U.S. Congress to pass legislation ordering ICANN to reverse course and keep personal data in Whois openly accessible.
IGP criticized these attempts to impose US legislation on DNS governance. Imposing different national laws on the global DNS undermines the global compatibility of DNS services and could trigger a legislative arms race around the world. Fortunately, that proposed legislation has gone nowhere.
But now it is Europe’s turn to try to fragment and jurisdictionalize DNS governance. Ironically, not only is it seeking to layer EU Directives over ICANN rules, it is doing so to cater to the demands of the same privacy-hostile interests which Europe claims to be saving us from.
Recently, the European Commission released a proposal to amend Europe’s Directive on Network and Information Security. The proposed revision, known as NIS2, specifically singles out the domain name industry for territorial regulation. Article 23, in particular, deals with Whois accuracy.
ICANN rules already require domain name registrants to supply accurate information. They require registrants to provide “accurate and reliable contact details” upon penalty of having the domain suspended. Registrars are required to send their registrants an annual reminder of their obligation to maintain the accuracy of their WHOIS contact data. Forms can be filed with ICANN compliance challenging the accuracy of registration data.
And yet, each of the 5 sections of Article 23 starts with the phrase “Member States shall ensure.” Why is the NIS telling “member states” to ensure something that ICANN already ensures? Why is national law being layered unnecessarily over ICANN’s contractual system?
Below, we go through the text of Article 23 and add some commentary. As you will see, insofar as these regulations are meaningful, they duplicate what ICANN and the EPDP process are already doing. Insofar as they do not duplicate what already is required, they raise concerns.
- For the purpose of contributing to the security, stability and resilience of the DNS, Member States shall ensure that TLD registries and the entities providing domain name registration services [do they mean registrars?] for the TLD shall collect and maintain accurate and complete domain name registration data [already required by ICANN contracts] in a dedicated database facility [what exactly is a “dedicated database facility”? Does a third-party cloud service qualify? It is always bad policy to require specific technological solutions in legislation] with due diligence subject to Union data protection law as regards data which are personal data.
- Member States shall ensure that the databases of domain name registration data referred to in paragraph 1 contain relevant information to identify and contact the holders of the domain names and the points of contact administering the domain names under the TLDs. [contact info is already required by ICANN, but what does it mean “to identify”? Should the DNS record require biometrics, national ID numbers, or DNA information? If so, this expands the requirement beyond ICANN rules and violates data minimization standards.]
- Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD have policies and procedures in place to ensure that the databases include accurate and complete information. Member States shall ensure that such policies and procedures are made publicly available. [Policies and procedures are already publicly available.]
- Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD publish, without undue delay after the registration of a domain name, domain registration data which are not personal data. [This is already required by ICANN contracts. We are not aware of any complaints about delays in publishing registration data.]
- Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD provide access to specific domain name registration data upon lawful and duly justified requests of legitimate access seekers, in compliance with Union data protection law. [The EPDP has just spent two years ensuring the same thing.] Member States shall ensure that the TLD registries and the entities providing domain name registration services for the TLD reply without undue delay to all requests for access. [What is an “undue delay”? The ICANN SSAD has specific standards for that. Is the EC trying to usurp or change those requirements?] Member States shall ensure that policies and procedures to disclose such data are made publicly available. [ICANN policies and procedures are already publicly available.]
To repeat, Article 23 mostly duplicates what ICANN and the EPDP process are already doing. Insofar as it adds something different, or creates the possibility of divergence, it reflects lobbyist-driven attempts to circumvent and undermine the laborious attempt by ICANN to make its Whois regime both globally applicable and compliant with privacy principles of the GDPR.
How did this happen? Same as in the U.S. During ICANN’s policy development process on Whois and privacy, Facebook and other surveillance caucus interests tried very hard to introduce more stringent accuracy requirements. By accuracy they mean they want to move beyond existing accuracy requirements to turn registrars into identity authentication mechanisms. But this effort was shot down for two reasons. First, accuracy under the GDPR – and even in U.S. privacy principles – is a right of the data subject, not a right of third parties. That is, accuracy means that a data subject has the right to review the data retained about them and to order corrections when it is inaccurate, such as a false credit default report or some other damaging record. The surveillance caucus tried to turn accuracy into a third party right, a requirement to provide the type and level of personally identifiable information that would allow third parties to track you down. Second, accuracy efforts were shot down on procedural grounds. It was out of scope for the EPDP, which was all about making Whois data collection, processing and publication compliant with GDPR. Since an accuracy policy was already in place, a new or strengthened accuracy requirement would require a new, separate policy proceeding. It is clear that the lobbyists who didn’t succeed in bending the ICANN process fully to their will went to the European Commission to try to do so.
Europe’s claim to be more concerned about privacy than the evil U.S. has taken a big hit, in our view. Public comments can be filed on the NIS2 until February 10, 2021. Comments can be posted here.