ICANN Fails To Secure Moratorium On GDPR Enforcement

Matthew Broersma,
Web adress, Internet © Pavel Ignatov Shutterstock 2012

With one month to go, a meeting with EU data protection agencies has only led to more negotiations

The European Union’s data protection advisory body has declined as yet to grant ICANN a requested one-year extension on compliance with the EU’s General Data Protection Regulation (GDPR), which comes into force next month, following a meeting this week with ICANN chief executive Goran Marby.

A document published by ICANN also indicated that the US government is directly opposed on soem points to advice given by the Article 29 Working Party (WP29), an EU advisory body made up of national data protection agencies, on ways in which ICANN’s WHOIS system can be brought into line with the GDPR.

Marby said in a blog post that he had repeated his request for a moratorium in a meeting this week with the WP29’s technology subgroup, but said the group’s response confirmed only that “there are still open questions remaining”.

WHOIS provides contact information on organisations or individuals who have registered web addresses, and is notably used by law enforcement authorities and intellectual property bodies to track down those resposible for abuses.

Compliance

The WP29 has made it clear that WHOIS can no longer make such information openly available online once the GDPR comes into force.

ICANN had taken the position that some information, such as email addresses, didn’t necessarily need to be withheld, but at this week’s meeting the WP29 confirmed that “registrant, administrative, and technical contact email addresses must be anonymised,” Marby wrote.

He said several letters had been presented to the subgroup by hand, including a letter from the US government which also states that a short-term moratorium on GDPR enforcement for WHOIS and its users is “imperative”.

The letter outlines an interpretation of the GDPR directly opposed to that of the WP29 on some points, stating, for instance, that it is “questionable” whether email addresses must be excluded from the public WHOIS in order to comply with the GDPR.

The US government also takes a broader view of ICANN’s mission than that stated by the WP29, arguing that the interests of third parties such as security and intellectual property organisations are a legitimate part of that remit.

Privacy in the balance

“The WP29 guidance does not recognise the necessary balance between privacy and the legitimate purposes for data processing,” the letter reads. “Regrettably, this guidance will likely empower companies to provide less WHOIS information (and perhaps none at all) even though it is not necessary under EU law.”

Marby said ICANN would “continue to work with the ICANN Board on the important next steps to be in compliance with the law, together with the community”.

The organisation, which maintains internet systems under the auspices of the US government, is planning to implement measures including an authentication system by which certain users, such as law enforcement bodies, can gain access to complete WHOIS contact details. It believes that and other compliance mechanisms can be in place within a year.

Without a moratorium on enforcement, however, ICANN has said it believes the thousands of registrars and registries it contracts with will simply cease providing public WHOIS information in order to comply with EU law. That would lead to fragmentation of the system and would cause difficulties for those using it, ICANN argues.

ICANN only began its GDPR compliance efforts late last year. The law comes into force on 25 May.

How much do you know about privacy? Try our quiz!