ICANN Looks For Guidance As GDPR Deadline Looms

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications


The US-based domain name coordinator has acknowledged it will not be able to obtain an official exemption from EU data protection rules

The US body that supervises the administration of domain names has acknowledged that it will not be possible to obtain a one-year exemption from fines under the EU’s General Data Protection Regulation (GDPR), which it had sought with the backing of the US government.

In a letter last week to EU regulators, ICANN acknowledged that the regulators “do not currently have the authority to provide forbearance to ICANN” while it implements a plan for GDPR compliance.

ICANN, which carries out its functions under an arrangement with the US government, said in the letter that it would now seek other assurances that could allow its registrars and registries to keep operating its WHOIS service without the risk of fines after GDPR enforcement begins on 25 May.

WHOIS displays contact information for people and organisations that have registered domain names, but the way it operates is illegal under the GDPR, and could expose registrars and registries to crippling fines.

Revised plan

ICANN’s board met in Vancouver, Canada, earlier this month, and on Monday the organisation published a revised version of its temporary specification for allowing registrars and registries to operate without conflicting with EU data protection regulations.

The plan has not been approved by EU regulators, and the US government, which wants information such as email addresses to continue being displayed, has not given it the nod either.

ICANN chief executive Goran Marby said the ICANN board plans to formally adopt the temporary plan this week.

In the meantime, he said the organisation hopes to receive more feedback from EU data protection agencies, whose activities are coordinated by the Article 29 Working Party (WP29).

“We still hope to receive a response to our letter to the Article 29 Working Party that provides us with more clarity and guidance to inform the specification,” he wrote in a blog post.

Exposure

In an earlier post, Marby explained that the temporary plan allows registrars and registries to continue collecting personal data, but restricts access to it.

Law enforcement agencies and intellectual property lawyers, for instance, would be required to request access to the full data through a special process. Users could also be contacted via an anonymised web form.

But even if it suffices for GDPR compliance, the plan is expected to take months to implement.

As such, ICANN is seeking ways it can assure registrars and registries that they won’t face GDPR fines in the short term. If it can’t, ICANN fears its contractees will make changes on their own to avoid fines.

In a letter to WP29 last week, Marby acknowledged the group had “indicated that you do not currently have the authority to provide forbearance to ICANN organisation while it seeks to implement its plan of action”.

No exemption

He posed a range of questions to regulators, many of which concerned ways ICANN could be assured of WHOIS being exempt from fines.

In one section, he asked whether ICANN’s plan of action would suffice “for fines not to be immediately imposed”.

In another, he asked whether the WP29 could “issue a statement according to which the national supervisory authorities will not enforce the GDPR against ICANN and the contracted parties for a certain period of time”.

One question asked whether other EU data protection agencies were planning to take a similar approach to France’s CNIL, which has said it does not plan to immediately impose fines, but is rather looking to encourage compliance.

The WP29, which is to be renamed the European Data Protection Board (EDPB) on 25 May, has consistently declined to provide any assurances that ICANN could be exempt from fines.

“The GDPR does not allow national supervisory authorities nor the European Data Protection Board… to create an ‘enforcement moratorium’ for individual data controllers,” the WP29 said in a statement. “Data protection is a fundamental right of individuals, who may submit complaints to their national data protection authority whenever they consider that their rights under the GDPR have been violated.”

Mitigation

But the group said it was common practice to take various mitigating factors into account when determining a regulatory response, including “measures which have already been taken or which are underway”.

“The WP29 recognises the recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system,” the group stated.

It added it would “continue to monitor” ICANN’s progress and that member agencies may “engage further” with ICANN to ensure compliance with EU law.

The WP29 said it has been advising ICANN on GDPR compliance since 2003, providing a link to its guidance from the period.

However, US-based ICANN only began its GDPR compliance efforts late last year.

In September 2017, the body hired European law firm Hamilton Advokatbyrå to review its position, The Register reported.
