ICANN and GDPR – nowhere near compliance
The Internet Corporation for Assigned Names and Numbers (ICANN) Initial Report of the Expedited Policy Development Process (EPDP) on the Temporary Specification for generic Top Level Domain (gTLD) Registration Data Team makes for difficult reading. This is because, though it contains a serious attempt at complying with the General Data Protection Regulation (GDPR) compliance, it ignores fundamental criticism by European data protection authorities it has been made aware of as early as fifteen years ago.
The issue at hand is that ICANN, in its role as the global guardian of the internet domain name system for generic top level domains (such as .com and .org ), requires through it standard contractual clauses all its domain name registrars to not only maintain up-to-date contact information about domain name holders, but also to share that data with other registrars as well as the wider world through the public WHOIS directory service. The problem is that this often results in disproportionate processing of personal data and/or transfers of personal data regarding data subjects covered by the GDPR to third countries outside the European Economic Area (EEA). ICANN has been aware of its policies being irreconcilable with EU data protection legislation, first of all through an Opinion of the predecessor of the European Data Protection Board (EDPB), the then Article 29 Working Party (WP29) in 2003. However, it has only recently started to take steps to redress this.
One of the key issues raised by WP29, back in 2003, was that without defining clearly for what purposes the data could be used and collected, it was not possible to asses the data protection compliance of the WHOIS directory services in terms of lawfulness and proportionality. However, while the Initial Report proposes a strong reliance on “legitimate purpose of the controller” as a legal basis for most of the data processing practices, it at no point shows that it has balanced those purposes with the interests of the data subjects. This lack of proportionality was an explicit concern of the WP29 opinion in 2003, and the Initial Report falls far short of the balancing tests as described in WP 29 Opinion 05/2014.
Furthermore, the Initial Report doesn’t acknowledge the principle of data minimisation. It is almost trivial to imagine ways of serving the purposes described in the Initial Report without sharing the WHOIS directory data across all ICANN registrars, let alone making it publicly available.
Lastly, there is the fundamental question about the role of domain name registrars in conflicts between actors beyond direct interests in domain names themselves. Do they, or ICANN, have to be privatised enforcers of intellectual property rights (IPR), or otherwise support such privatised enforcement? Likewise for computer crime (“cybercrime”)? If ICANN’s role is to safeguard the functioning of the internet, does that mean it should safeguard it at a technical or functional level, or at a policy or even legal level?
As arcane as the debate about the ICANN WHOIS directory service may seem at first sight, it encapsulates in a nutshell many of the threats to digital rights that we are facing: privatisation of law enforcement, overrepresentation of narrow commercial interests at the expense of wider data protection interests, censorship in the name of IPR, and fundamental questions of internet governance. That said, ICANN could and should do better than this. The way forward is to restrict itself to maintaining the domain name registries and leave other purposes it foresees to actors that are willing and able to provide for the safeguards required to perform such a role. ICANN and its registrars are poorly suited for it and should steer clear of it.
ICANN Initial Report of the EPDP on the Temporary Specification for gTLD Registration Data Team
Article 29 Working Party Opinion 2/2003 on the application of the data protection principles to the Whois directories
Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC
Privacy at ICANN: WHOIS winning? (18.04.2018)
(Contribution by Walter van Holst, EDRi member Vrijschrift, the Netherlands)