
ICANN's appeal to Article 29 Working Party for GDPR Enforcement Moratorium hits a snag

ICANN’s begging-spree trip to Brussels this week to meet with the European Union’s data protection authorities (DPAs) failed to secure a moratorium to delay the General Data Protection Regulation (GDPR) implementation.

In what is seen as predictable, ICANN-style self-inflicted harm, the organization is now left with less than 30 days to find a solution to comply with the EU data regulation.

Göran Marby, President and CEO, said in a blog post that he had repeated his request for a moratorium in a meeting this week with the WP29’s technology subgroup, but intimated that the group’s response confirmed only that “there are still open questions remaining”.

The biggest bone of contention is how to deal with the WHOIS data. The WP29 has made it clear that WHOIS can no longer make such information openly available online once the GDPR comes into force. Whois is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.

“During the discussion regarding the timeline, the DPAs requested information regarding the implementation of anonymized email addresses in WHOIS contact information,” said the organization. “It is clear from our meeting that registrant, administrative, and technical contact email addresses must be anonymized,” added Marby.

ICANN behaves as if somewhat surprised, yet the failure to come up with a solid plan and response is its own. Despite Europe’s General Data Protection Regulation (GDPR) being approved over two years ago, and despite a decade’s worth of letters from the self-same Article 29 Working Party warning it that the Whois was not compatible with European law, ICANN only began its GDPR compliance efforts late last year, while the law comes into force on 25 May.

Without a moratorium on enforcement, however, ICANN has said it believes the thousands of registrars and registries it contracts with will simply cease providing public WHOIS information in order to comply with EU law. That would lead to fragmentation of the system and would cause difficulties for those using it, ICANN argues.

Marby said ICANN would “continue to work with the ICANN Board on the important next steps to be in compliance with the law, together with the community”.

ICANN does not call itself a “data controller”. However, the Non-Commercial Stakeholders Group (ICANN-NCUC), which wrote a blunt yet heavily dissenting letter to the Article 29 Working Party, states: “ICANN is a data controller, … ICANN does not acknowledge that it is a data controller and has not appointed a privacy officer as required under the GDPR. However, in its media release, ICANN presents itself as acting to protect the potential use of the WHOIS by third party actors. In presenting this list of ‘potentially averse scenarios’ we believe ICANN is acting as a data controller in seeking to maintain access to the WHOIS for these purposes.”

The journey to design a GDPR-compliant Whois has been tumultuous for ICANN; recently, Stephanie Perrin resigned from the PDP gTLD Registration Data Services.

Stephanie said:

After much thought, I have decided to resign from this PDP. I wish you all the very best, and I am certain that the work will speed up considerably without my frequent interventions :-) I believe this process is fundamentally flawed and does not reflect well on the MS model, so I am afraid that I can no longer, in all conscience, continue to participate.

The Next-Generation gTLD Registration Directory Services to Replace Whois Policy Development Process Working Group (RDS-PDP-WG) had been established to redefine the purpose of gTLD registration data and to consider how to safeguard this data. It is also tasked with proposing a model for gTLD registration directory services that will address accuracy, privacy, and access issues.
