A divergence of views between the European Union and the United States over privacy and the openness of WHOIS has continued ever since the European Union introduced their General Data Protection Regulation (GDPR) in May last year. A result has been that European registries and registrars have been at odds with ICANN over what data can be collected and made publicly available when European individuals and businesses register domain names. ICANN has been forced to attempt to comply with European law while balancing US interests.
In a speech in early April to the FDA Online Opioid Summit, the US National Telecommunications and Information Administration’s (NTIA) David Redl spoke of how “the loss of WHOIS data following the introduction of the GDPR without a predictable and timely mechanism to access redacted information has little benefit for consumer privacy, and major benefits for cyber-criminals.” Redl went on to say those collecting WHOIS data had “stopped publishing much of the data because they feared it would make them vulnerable to the massive fines GDPR imposes for privacy violations.”
Redl says progress is being made but issues remain from a US perspective and the “NTIA continues to actively push U.S. interests in these discussions.” But there are concerns regarding allowing groups such as “third parties with legitimate interests, like law enforcement, IP rights holders, and cybersecurity researchers to access non-public data critical to fulfilling their missions.”
To date, the Europeans haven’t budged, and ICANN has developed a draft of a model. It comes around 10 months on from the implementation of the GDPR and 3 years since it was adopted by the EU. With the current Temporary Specification expiring on 20 May, ICANN has said it needs “to move forward to ensure that [they] have a gTLD registration policy in place that meets the requirements of the GDPR.”
The model that has been developed by ICANN builds on the technology available via the Registration Data Access Protocol (RDAP). Using this approach would position ICANN, the Draft Technical Model for Access to Non-Public Registration Data paper says, as the sole access point to non-public registration data. The draft model “recommends a technical model for authenticating, authorising, and providing access to non-public registration data to third parties with legitimate interests based on existing technologies. ... The technical model would support a process that would allow users to verify their identity and legitimate purpose for requesting data, come to a central service managed by ICANN, and receive approval or denial of the request. If approved, ICANN would ask the appropriate registry and/or registrar to provide the requested data to ICANN, which in turn would provide it to the third party.” The group that has put together the proposal “has not made decisions or recommendations on policy questions, e.g., who gets access, to which data fields and under what conditions should access be given, and what is a legal legitimate interest for requesting such data.”
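To make the gatekeeper flow concrete, here is a small simulation of the central-access model described above: an anonymous lookup receives a redacted RDAP-style record, while an accredited requester with an accepted purpose has the full record relayed through the gateway and the decision written to an audit log. This is an added example, not ICANN’s code or any part of the draft model; the requester credentials, the list of accepted purposes, the set of vCard fields treated as personal data and the registrant record are all constructed assumptions, since the paper itself leaves those policy questions open.

```python
"""Simulated central gateway for non-public registration data (added example,
not ICANN's or any registrar's code). Credentials, purposes, redaction policy
and the sample record below are constructed assumptions."""
import copy
from datetime import datetime, timezone

# Constructed RDAP-style domain object as a registrar might hold it.
REGISTRAR_RECORD = {
    "objectClassName": "domain",
    "ldhName": "example.test",
    "entities": [
        {
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": [
                "vcard",
                [
                    ["version", {}, "text", "4.0"],
                    ["fn", {}, "text", "Jane Example"],
                    ["org", {}, "text", "Example GmbH"],
                    ["email", {}, "text", "jane@example.test"],
                    ["tel", {}, "uri", "tel:+49-30-000000"],
                ],
            ],
        }
    ],
}
REGISTRY = {"example.test": REGISTRAR_RECORD}  # domain -> record held at the registrar

# Assumed policy: these vCard properties are personal data; org stays public.
PERSONAL_VCARD_FIELDS = {"fn", "email", "tel", "adr"}
REDACTION_MARKER = "REDACTED FOR PRIVACY"

# Hypothetical accreditation table: credential id -> purposes it is accredited for.
ACCREDITED = {
    "le-0001": {"law_enforcement"},
    "sec-0042": {"security_research"},
}
ALLOWED_PURPOSES = {"law_enforcement", "security_research", "ip_enforcement"}

AUDIT_LOG = []  # every decision is recorded, approved or not


def redact(record):
    """Public view: copy the record and blank out personal vCard properties."""
    out = copy.deepcopy(record)
    for entity in out.get("entities", []):
        for prop in entity.get("vcardArray", ["vcard", []])[1]:
            if prop[0] in PERSONAL_VCARD_FIELDS:
                prop[3] = REDACTION_MARKER
    return out


def registrant_field(record, name):
    """Return the value of vCard property `name` for the first registrant entity."""
    for entity in record.get("entities", []):
        if "registrant" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == name:
                    return prop[3]
    return None


def request_access(requester_id, purpose, domain, records=REGISTRY):
    """Central gateway: authenticate, check the stated purpose, relay the
    registrar's record (full or redacted) and log the decision.
    Returns (decision, data); data is None when nothing is released."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester_id,
        "purpose": purpose,
        "domain": domain,
    }
    record = records.get(domain)
    if record is None:
        decision, data = "not_found", None
    elif requester_id is None:
        decision, data = "public", redact(record)      # anonymous: redacted view only
    elif requester_id not in ACCREDITED:
        decision, data = "denied_unauthenticated", None
    elif purpose not in ALLOWED_PURPOSES or purpose not in ACCREDITED[requester_id]:
        decision, data = "denied_purpose", None        # accredited, but not for this purpose
    else:
        decision, data = "approved", copy.deepcopy(record)  # gateway relays the full record
    entry["decision"] = decision
    AUDIT_LOG.append(entry)
    return decision, data


if __name__ == "__main__":
    print(request_access(None, None, "example.test"))
    print(request_access("le-0001", "law_enforcement", "example.test"))
    print(request_access("le-0001", "security_research", "example.test"))
    print(AUDIT_LOG)
```

The point to notice is that the registrar’s record is never modified in place: the public path returns a redacted copy, and the only way to the unredacted data is through a decision that leaves an audit entry. That separation is what makes the “single access point” model checkable after the fact, whatever accreditation and purpose rules the policy process eventually settles on.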
A public comment period closed in mid-April and the Expedited Policy Development Process (EPDP) Team is currently considering responses that will be submitted to the Board.
The European Commission, through its European Data Protection Board, has told ICANN several times it is up to them “to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.”
ICANN has received setbacks in its quest to develop a model that is compliant with the GDPR. One was a court case in which the German registrar EPAG was taken to court by ICANN over ICANN’s insistence that it continue collecting registration data. EPAG won the case, and in total the German courts sided with EPAG 4 times as ICANN repeatedly appealed the decision.
ICANN sought to require EPAG to continue to collect elements of WHOIS data, as required under its Registrar Accreditation Agreement (RAA), which permits the registrar to sell domain name registrations for generic top-level domains. EPAG had 3 concerns with the Temporary Specification that ICANN introduced as a stopgap measure to comply with the GDPR, centred on “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.