Article 29 Working Party To ICANN – EU Registrars Exempt From Data Retention Requirements

The 2013 RAA was approved by ICANN’s board of directors less than a week ago.

The new contract introduces a number of new obligations on ICANN accredited registrars, among them are several related to data validation, verification and retention.

The Article 29 Working Party, however, has written to ICANN and made it very clear that it views these requirements to be unlawful. While the letter dates from earlier this month the text of the contract was not changed drastically prior to its acceptance by ICANN’s board.

The letter makes reference to the new exemption process that ICANN introduced with this version of the contract, which allows registrars to gain exemptions if contractual obligations conflict with local law. And what is sure to be welcomed by EU based registrars is the letter’s aim – to avoid duplication of work by data protection authorities (and registrars):

In order to avoid unnecessary duplication of work by 27 national data protection authorities in
Europe, with this letter, the Working Party wishes to provide a single statement for all
relevant registrars targeting individual domain name holders in Europe

Here’s the letter’s full text:

Subject: Statement on the data protection impact of the revision of the ICANN RAA
Dear Mr Crocker and Mr Chehadé,
In the context of ICANN’ s revision of the Registrar Accreditation Agreement (RAA) and the
final RAA Proposal1, the Working Party on the Protection of Individuals with regard to the
Processing of Personal Data (Article 29 WP)2 wishes to provide a harmonised statement
concerning compliance with European data protection law.
Following up on our letter of 27 September 20123 and previous contributions to the process of
collecting and disclosing WHOIS data4, this statement specifically addresses the legitimacy of
the data retention obligation for registrars, contained in the new RAA.
The Working Party notes that ICANN has included a procedure for registrars to request a
waiver from these requirements if necessary to avoid a violation of applicable data protection
law. Such a waiver request can be based on written guidance from a governmental body of competent jurisdiction providing that compliance with the data retention requirements violates
applicable law.
In order to avoid unnecessary duplication of work by 27 national data protection authorities in
Europe, with this letter, the Working Party wishes to provide a single statement for all
relevant registrars targeting individual domain name holders in Europe.
The final proposed Data Retention specification roughly distinguishes between name and
contact details for the domain name holder (specified in 1.1.1 to 1.1.7) and all other types of
data a registrar might collect (specified in 1.2.1 to 1.2.3), such as logfiles and billing records
containing the ‘means and source of payment’, logfiles about the communication with the
registrar including source IP address, telephone number, e-mail address, Skype handle or
instant messaging identifier, as well as the date, time and time zones of communications.
Registrars are required to keep the first category of personal data for a period of two years
after the contract for the domain has been ended. The second category of personal data must
be retained for six months after the contract has ended.
The first category of data includes payment data, defined as: ‘card on file’, current period
third party transaction number, or other recurring payment data.
The proposed new data retention requirement does not stem from any legal requirement in
Europe.5 It entails the extended processing of personal data such as credit card and
communication data by a very large number of registrars. The fact that these data may be
useful for law enforcement (including copyright enforcement by private parties) does not
equal a necessity to retain these data after termination of the contract. Taking into account the
diversity of these registrars in terms of size and technical and organisational security
measures, and the chance of data breaches causing adverse effects to individuals holding a
domain name, the Working Party finds the benefits of this proposal disproportionate to the
risk for individuals and their rights to the protection of their personal data.
Secondly, the Working Party reiterates its strong objection to the introduction of data
retention by means of a contract issued by a private corporation in order to facilitate (public)
law enforcement. If there is a pressing social need for specific collections of personal data to
be available for law enforcement, and the proposed data retention is proportionate to the
legitimate aim pursued, it is up to national governments to introduce legislation that meets the
demands of article 8 of the European Convention on Human Rights and article 17 of the
International Covenant on Civil and Political rights.
The fact that these personal data can be useful for law enforcement does not legitimise the
retention of these personal data after termination of the contract. Because there is no legal
ground for the data processing, the proposed data retention requirement violates data
protection law in Europe.
In general, we repeat that the problem of inaccurate contact details in the WHOIS database
cannot be solved without addressing the root of the problem: the unlimited public
accessibility of private contact details in the WHOIS database. In that light, the Working
Party welcomes the growing number of registries in Europe that are offering layered access to
the WHOIS data.
Yours sincerely,
On behalf of the Article 29 Working Party

Here’s the original document: Statement on the data protection impact of the revision of the ICANN RAA

Related articles

• ICANN approves 2013 RAA (domainincite.com)
• New RAA ushers in big changes (and demands) on domain name registrars (domainnamewire.com)
• New Domain Name Registrar Accreditation Agreement Approved by ICANN Board (circleid.com)
• ICANN Board Set To Approve New RAA (internetnews.me)