Europe Tells ICANN Its GDPR Compliance Plans Need More Work


The internet supervisory body says it will continue to press for a moratorium on GDPR enforcement while it works to makes changes

The European Commission’s data  protection advisory body has said it continues to have “concerns” about plans to bring the internet’s WHOIS service into compliance with sweeping new data rules set to come into force in Europe next month, indicating those plans are as yet insufficient.

In a letter by the Article 29 Working Party (WP29), which is made up of representatives from EU member states’ data protection bodies, to internet oversight body ICANN, the European group identified a number of areas in which it was of the “utmost importance” for ICANN to “either reconsider or further evaluate its current approach”.

The response is a further blow to ICANN’s plans to modify the WHOIS system, which makes contact information publicly available on anyone who registers a web domain.

In its current form WHOIS is incompatible with the EU’s General Data Protection Regulation (GDPR), which is set to come into force on 25 May.

data encryptionLate effort

US-based ICANN only began its GDPR compliance efforts for WHOIS late last year.

In a January letter to the WP29, ICANN president Göran Marby outlined the organisation’s plan for bringing WHOIS into compliance, and requested a moratorium on enforcement while the plans were put into place.

In its response, the WP29 detailed various areas it considers need to be reworked, but made no mention of the requested moratorium.

In its reply to the WP29’s letter, ICANN said that while it is willing to continue working on a compliance plan, it considers a moratorium essential.

Without a stay on enforcing the GDPR where it comes to WHOIS, the thousands of registrars and registries who are contracted to ICANN are likely to implement their own limitations on accessing WHOIS data according to their interpretation of the law.

Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue,” Marby said in a statement. “We may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS.”

He said ICANN is considering “all available remedies”, including legal action in Europe, to protect its ability to continue operating WHOIS.

‘Legitimate’ access

The WP29’s letter touched on a number of areas it considered ICANN defined in an overly vague way, such as what constituted “legitimate” access to WHOIS data.

“The WP29 stresses the importance of explicitly defining legitimate purposes in a way which comports with the requirements of the GDPR,” the group wrote.

In its response, ICANN argued that interfering with WHOIS’ operation would mean difficulties for organisations who use the data to track down criminals, investigate illicit businesses or protect intellectual property.

But the WP29 said ICANN must define legitimate purposes for data access in a way that corresponds to its own mandate of coordinating the stable operation of the internet’s unique identifier systems, and not to those of third parties.

“The WP29 cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case,” the group wrote.

Marby said that as ICANN continues to press for a moratorium he has also accepted an offer to meet with the WP29’s technology subgroup in Brussels on 23 April for further discussions.

The US government has reportedly advised ICANN it wants WHOIS to continue to provide broad access to registrants’ data, and would consider imposing legislation to ensure it does so.

US government bodies, including law enforcement agencies, make routine use of WHOIS data in the course of their work.

How much do you know about privacy? Try our quiz!