In what could be viewed as an unprecedented move, ICANN has written to each and every data protection authority in the European Union.
ICANN feels that there is uncertainty about how the General Data Protection Regulation (GDPR) should impact registrars and registries, specifically in relation to the collection, processing and retention of domain name registration data, aka WHOIS.
Under the current ICANN contracts and policies, registrars and registries are obliged to collect quite a bit of information about each and every domain name registration, pass this data to the registries (with the exception of .com and .net) and also retain the registration data for extended periods of time.
The current policies and contracts have been questioned and criticised by data protection authorities in the past, but in light of GDPR, which brings with it sizeable fines, ICANN and its registrars and registries have changed their tone and are now taking data privacy concerns very seriously.
Yesterday's announcement from ICANN, which outlines the background for the letters, underlines the concerns that ICANN has about compliance and “over compliance”:
ICANN is concerned that continued ambiguity on the application of the GDPR to the global WHOIS may result in many domain name registries and registrars choosing not to publish or collect WHOIS out of fear that they will be subject to significant fines following actions brought against them by the European DPAs. ICANN has set out that its 2,500 domain name registries and registrars need clear guidance and a moratorium so that they will not have enforcement actions brought against them while they implement changes to comply with the GDPR.
While the request for clarity is not unreasonable, some have questioned whether the DPAs will be in a position to offer any form of moratorium.
Matters are further complicated by the conflicting messages and demands being received from other parts of government and the broader internet community:
At the same time, governments world-wide, law enforcement authorities, and those fighting abuse on the Internet are deeply concerned that blocked access to the global WHOIS may significantly harm the public interest, by blocking access to critical information which allow them to enforce other laws and protect consumers, critical infrastructure and intellectual property rights.
Here’s the letter that was sent to each DPA in full (the example I’m using is that of the letter sent to the Irish Data Protection Commissioner Helen Dixon):
With the clock ticking towards the May 25th deadline, it’s unclear how quickly, if at all, the data protection authorities will respond, or what form that response will take.
From the perspective of the registries and registrars, time may already have run out.