GDPR impact on Internet Governance, and how ICANN is complying
GDPR is set to drastically impact the working methods and models of data-centric organizations across diverse fields and domains, including the gTLD domain name overlord ICANN. A timeline of ICANN’s GDPR-related efforts is listed below:
1. ICANN, the overseer of the gTLD domain name space, is currently working to ensure compliance with GDPR while maintaining public access to WHOIS to the greatest extent possible. ICANN is analyzing its policies and agreements (Registry Agreement, Registrar Accreditation Agreement) with gTLD contracted parties (registries, registrars) to check whether modifications are required to ensure GDPR compliance. ICANN is also soliciting legal advice as well as advice from the Internet community on this matter.
2. ICANN has also engaged European law firm Hamilton to provide a legal analysis of ICANN’s potential GDPR compliance issues. Hamilton’s three-part assessment found in its first memo that the WHOIS service in its current form must change. In the second part, Hamilton answered community questions about the law’s applicability and scope. In its third analysis, Hamilton described how processing data within the scope of WHOIS could be changed (using a gated/tiered access model) to become compliant with the GDPR.
3. On 2 November 2017, ICANN published a Statement from Contractual Compliance, which indicated that ICANN org would defer taking compliance action against any registry or registrar for non-compliance with contractual obligations related to the handling of gTLD registration data. To be eligible for this deferral, ICANN asked its contracted parties and stakeholders to submit proposed interim models for GDPR compliance. Subsequently, some contracted parties and stakeholders submitted their proposals.
4. In December 2017, ICANN announced that it was working on developing interim models for collecting registration data and implementing registration directory services that may be compliant with both the law (GDPR) and ICANN’s contractual agreements. ICANN clarified that these models are meant to facilitate community discussion and that a final model will be chosen as an interim solution. They do not replace any existing ICANN policy development work or policies.
5. On 12 Jan 2018, ICANN published for community input three proposed discussion models for collecting registration data and implementing registration directory services. These models reflect discussions from across the community and with EU data protection authorities, legal analyses, and the proposed models ICANN had received to date. The input from the community will contribute to assessing the viability of each of the models. From that input, either variations or modifications to one of these models will be identified at the end of January 2018 for the path forward. All 3 models provide layered/tiered access to WHOIS data, with some data being publicly available and some being private.
6. The models differ in what contact information is displayed in the public-facing WHOIS, applicability (EU-centric or global), the duration of data retention, and what data is not displayed in the public-facing WHOIS:
Model 1 would allow for the display of Thick registration data, with the exception of the registrant’s phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts’ email addresses. To access the non-public information, registries and registrars would be required to provide access only to a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are natural persons as well as those who are legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are natural persons as well as those who are legal persons, regardless of where the registrant, registry, registrar and/or the data processor is located, that is, on a global basis. Model 2 allows classes of entities (e.g. LEAs or intellectual property owners) to request access to non-public portions of WHOIS data. The user groups (classes of entities) eligible for the certification program and the process for providing access are to be developed in consultation with the GAC so that public policy considerations are taken into account.
Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.
7. On 28 Feb 2018, ICANN chose a variant of the 2nd model (accreditation/certification program), along with anonymized email addresses (of the registrant, technical and administrative contacts), as its proposed interim model going forward. The chosen model includes a proposal for an accreditation program for continued access to full Thick WHOIS data for accredited users/entities. ICANN clarified that the legal justification for collection and use of the WHOIS data in the chosen interim model is not included at this point in time, but will be based on the legitimate interests of the controllers or third parties, and will be detailed in an analysis accompanying the final model.
The Proposed Interim Model balances competing elements of models submitted by the Community and discussed in comments to the ICANN-proposed models. Consistent with ICANN Org’s stated objective to identify the appropriate balance for a path forward to ensure compliance with the GDPR while maintaining the existing WHOIS system to the greatest extent possible, the Proposed Interim Model maintains robust collection of registration data (including registrant, administrative, and technical contact information), but restricts most personal data to layered access via an accreditation program (and codes of conduct) to be developed in consultation with the GAC. Data retention requirements in this model for registrars, registries and escrow agents will be the lifespan of the domain plus an additional 2 years.
Users without accreditation for full WHOIS access would maintain the ability to contact the registrant or administrative and technical contacts, either through an anonymized email, web form, or other technical means. The Proposed Interim Model would be required to be implemented where there is a nexus to the European Economic Area, while providing flexibility to registries and registrars to apply the model on a global basis based on implementability and fairness considerations. The model would apply to all registrations, without requiring registrars to differentiate between registrations of legal and natural persons. The model would include data processing agreements (including Temporary Policies and/or Special Amendments) between and among ICANN, registries, registrars, and data escrow agents as necessary for compliance with the GDPR.
8. Just prior to the ICANN-61 meeting (10-15 March 2018), ICANN shared its customized interim GDPR compliance model (in the form of a Cookbook that also provides legal justifications for registrant data collection, processing and retention in compliance with GDPR) with the Data Protection Authorities (DPAs) of all 28 EU member states, and strongly communicated to the DPAs that ICANN is looking to them for a review of its chosen model as well as solid guidance on how to proceed further toward GDPR compliance.
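To make the interim model’s layered access concrete, here is an added Python sketch (not ICANN’s or any registrar’s code) that applies its rules to a constructed Thick record: accredited requesters get full data, everyone else gets Thin data plus anonymized contact addresses, the model applies on an EEA nexus or at the contracted party’s global option, and retention runs to the domain’s lifespan plus 2 years. The field names, the composition of the public view and the anonymized-address scheme are assumptions.

```python
from copy import deepcopy
from datetime import date

# Constructed sample Thick record; names, addresses and numbers are made up.
SAMPLE_RECORD = {
    "domain": "example.test",
    "registrar": "Example Registrar Ltd",
    "status": "ok",
    "nameservers": ["ns1.example.test", "ns2.example.test"],
    "created": date(2016, 3, 1),
    "expires": date(2019, 3, 1),
    "registrant": {"name": "Jane Doe", "email": "jane@example.test",
                   "phone": "+1.5555550100", "postal": "1 Main St, Anytown"},
    "admin": {"name": "Admin Person", "email": "admin@example.test",
              "phone": "+1.5555550101", "postal": "1 Main St, Anytown"},
    "tech": {"name": "Tech Person", "email": "tech@example.test",
             "phone": "+1.5555550102", "postal": "1 Main St, Anytown"},
}

# Assumption: Thin data stays public; the contact objects hold the personal data.
THIN_FIELDS = ("domain", "registrar", "status", "nameservers", "created", "expires")
CONTACT_ROLES = ("registrant", "admin", "tech")


def anonymized_email(domain: str, role: str) -> str:
    """Hypothetical forwarding address (assumed scheme): lets the public reach a
    contact without the real mailbox being published."""
    return f"{role}@contact.{domain}"


def whois_view(record: dict, accredited: bool, eea_nexus: bool,
               apply_globally: bool = False) -> dict:
    """Fields a requester may see. Mandatory on an EEA nexus, optional globally;
    no legal/natural-person distinction, so only accreditation and scope matter."""
    if accredited or not (eea_nexus or apply_globally):
        return deepcopy(record)            # full Thick data
    view = {field: deepcopy(record[field]) for field in THIN_FIELDS}
    for role in CONTACT_ROLES:             # personal data withheld from this tier
        view[role] = {"email": anonymized_email(record["domain"], role)}
    return view


def retention_deadline(expires: date) -> date:
    """Registrar/registry/escrow retention: lifespan of the domain + 2 years."""
    try:
        return expires.replace(year=expires.year + 2)
    except ValueError:                     # 29 February in a non-leap year
        return expires.replace(year=expires.year + 2, day=28)
```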
9. GAC consensus advice to ICANN board regarding ICANN’s GDPR Compliance efforts:
GAC has advised ICANN to ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties.
GAC advised ICANN to consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism.
The GAC does not envision an operational role in designing and implementing the proposed accreditation program (for entities to access non-public portions of WHOIS database) but reiterates its willingness to advise the Board and engage with ICANN Org and the community on the development of codes of conduct from a public policy perspective.
GAC advised ICANN to reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection.
GAC advised ICANN to distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR.
GAC advised ICANN to ensure confidentiality of WHOIS queries by law enforcement agencies.
10. By ICANN’s own estimation, a GDPR compliance model for the WHOIS system would not be implemented until at least December 2018, causing a prolonged WHOIS access outage.
11. On 26 March 2018, ICANN CEO Goran Marby wrote to the data protection authorities of all 28 European Union states, along with the European Data Protection Supervisor, to ask for guidance on how to implement the new privacy law (GDPR). ICANN mentioned that it is looking forward to receiving GDPR compliance advice from the Article 29 WP following their 10-11 April plenary meeting, which will help ICANN to complete its proposed model. ICANN is hopeful that it will also be granted a moratorium (a legally authorized period of delay in the performance of a legal obligation) on enforcement that would allow sufficient time to implement the model and build the appropriate accreditation system.
12. On 29 Mar 2018, ICANN had a positive conversation with representatives from the technology subgroup of the Article 29 Working Party on GDPR and its impact on the collection, retention and publication of domain name registration data and the WHOIS system. ICANN and the WHOIS system will be on the upcoming Article 29 plenary’s agenda for 10-11 April 2018.
13. Regarding the accreditation program mentioned in #7 above (ICANN’s chosen model and cookbook), a portion of the Internet community led by GNSO’s BC and IPC constituencies has drafted, and shared with the community for comments and consensus, an accreditation/certification model for users/entities that want access to non-public portions of WHOIS. The proposed accreditation model covers the following:
- The types of eligible entities that may seek access to data
- Legitimate and lawful purposes for accessing data
- How eligible entities may be accredited to access data
- A proposed operating model
- Terms of accreditation
So far, ICANN CEO has shied away from accepting this proposed accreditation model and/or sending it to EU DPA’s, and has suggested IPC/BC to build community consensus on this model first.
14. Article 29 working party “WP29” (an advisory board made up of representatives of each of the data protection authorities of each EU member state) during its plenary meeting on 10-11 April 2018 discussed ICANN’s proposed interim compliance model for GDPR compliance. WP29 praised ICANN for proposing an interim model which included an accreditation program for access to non-public WHOIS information; however, WP29 indicated that the purposes for collection of personal data was not sufficiently detailed, and urged “ICANN to revisit its current definition of “purposes” in light of these requirements.” It also stressed to ICANN the need to link each specific purpose of the collection of data to a relevant legal basis. WP29 also did not commit to any moratorium that ICANN had been demanding.
15. ICANN further met with WP29 Technology Subgroup in Brussels on 23 April to discuss WHOIS and GDPR compliance issues. During the meeting, ICANN shared its proposed timeline for implementing the interim compliance model with WP29 Technology Subgroup, and also shared some further thinking on the accreditation model. However, no concrete solutions emerged out of this meeting too, and it is clear that there will be no moratorium.