ICANN Puts First GDPR Measures Into Place

The GDPR is the ‘first time’ legislation has forced ICANN to make changes, the internet governance body says

Internet governance body ICANN said it has now put preliminary measures into place to comply with the EU’s General Data Protection Regulation (GDPR), as it continues to spar with European regulators and courts about changes to data processing practices that date back nearly 40 years, to the dawn of the internet.

ICANN’s board of directors adopted the organisation’s “Temporary Specification” for GDPR compliance on 17 May, days before GDPR enforcement took effect on 25 May.

ICANN president Goran Marby said the organisation has now updated key policies and has deployed messages to notify users of the changes.

Changes have also been made to all fillable or downloadable forms on every ICANN-supported website, Marby said.

‘We didn’t pay much attention’

“We’ve also rolled out internal changes to the way we handle personal data, from data processing arrangements with vendors to our various personnel policies,” he wrote in a blog post.

Like every other organisation that collects data online, ICANN made the changes to comply with the GDPR, which introduces much stricter controls on how companies process individuals’ personal information.

But in this case, the moves are part of a broader shift that has seen ICANN gradually lose the  protection of the US government and become more directly beholden to  requirements that originate in other parts of the world, such as in the EU.

In 2016, as a result of the scandal around mass data collection exposed by Edward Snowden, the US handed responsibility for key ICANN functions over to a newly formed ICANN non-profit corporation.

ICANN, formed in 1998, has largely set its own rules in the past, aside from occasional intervention by the US government.

As a result, while EU data protection regulators had been advising the body since 2003 on upcoming data protection changes, ICANN didn’t take notice of GDPR’s approach until last year.

Marby acknowledged ICANN’s tardiness at a meeting with government representatives in March.

“GDPR is really the first . . . law that has a direct effect on our ability to make policy,” he said. “This law was designed several years ago. And, apparently, as a community, as an institution we didn’t pay much attention.”

WHOIS changes

One of ICANN’s key internet services, WHOIS, will be required to undergo broad changes to comply with the GDPR.

In its previous form, WHOIS disclosed detailed contact information on website owners to anyone who queried for it, unless those owners paid an additional fee to have the information hidden. Those processes aren’t compatible with the GDPR.

But, as Marby said in a 23 May letter to the European Commission, ICANN hasn’t determined  exactly how it needs to change WHOIS to comply with the law.

ICANN’s authority with registries and registrars around the world rests on its contracts with them, rather than any legal mandate, and Marby said some contractees have informed ICANN they will make changes on their own initiative to comply with the law, even if it means breaking their contracts with ICANN.

Marby said registrars for 5 to 10 percent of top level domains would stop collecting the full set of registration data required by their contracts, with at least one European registrar saying it planned to delete certain personal information it had already collected.

ICANN’s recourse to ensure that WHOIS systems continue operating is to take legal action, but Marby said that could be difficult given a “lack of clarity” around the GDPR.

“The lack of clarity about the interpretation of the law constrains whether ICANN could sustain its position that there is in fact a breach of contract,” Marby wrote.

Legal action

ICANN has, in fact, taken legal action against a German registrar called EPGA that said it planned to stop collecting some registration data in order to comply with the GDPR.

The Regional Court of Bonn quickly responded with a ruling that denied ICANN a preliminary injunction in the matter, saying ICANN’s case had no foundation.

The ruling is the latest move emphasising that ICANN is, indeed, obliged to comply with European law, and must move immediately to do so.

The US-based organisation had previously requested a one-year moratorium on enforcement to allow it to reorganise WHOIS, but European regulators said they had no authority to grant any body immunity from the law.

The European Data Protection Board (EDPB), the GDPR’s successor body to the WP29, which is made up of representatives of national data protection authorities, reiterated this position at its first plenary meeting last month.

It endorsed an earlier statement by the WP29 saying that authorities could choose not to enforce the law strictly if an organisation was in the process of coming into GDPR compliance.

Demonstrating ‘progress’

“Data protection authorities may . . . take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving such complaints,” the EDPB wrote.

Three European Commission Directors General took a similar position in a May letter recently published by ICANN, saying ICANN can avoid enforcement action if it shows “progress” toward compliance.

“In order to avoid enforcement action and allow the Article 29 Working Party (WP29) to provide some assurance in this regard, it will be important for ICANN to provide a clear timeline and show progress towards completion of the process,” wrote Directors General Roberto Viola, Paraskevi Michou and Tiina Astolathe.

Such communications are sharply different in tone from earlier dialogue with the European Commission, in which ICANN appeared to be planning to set its own timetable and terms for GDPR compliance.

Iterative approach

The Commission urged ICANN to adopt an “iterative” approach that could gradually implement changes over a period of months, saying it was “clear” ICANN would not immediately be in compliance with the GDPR when it came into force.

“While it is clear that a complete interim model will not be in force on 25 May, we urge ICANN to keep working beyond that date in an iterative way to incorporate changes on the basis of this ongoing dialogue, as well as input from the community,” they wrote.

“Revising the WHOIS model gives ICANN the opportunity to show leadership and demonstrate that the multi-stakeholder model actually delivers,” they wrote, in reference to ICANN’s private-sector governance model.

Marby said he was “pleased” with the Commission’s “positive feeback”.

He said ICANN is continuing to work on outstanding issues, with one top priority being a “unified access model” permitting access to full WHOIS data by authorised parties such as law enforcement agencies.

ICANN has previously said it expects to take about a year to implement a fully GDPR-compliant WHOIS system.

How much do you know about privacy? Try our quiz!