Overview

There are several ongoing work streams that are highly relevant to the GAC, which can be distinguished based on whether next steps and outcomes are expected in the short, mid or long term:

• Short-Term
• GAC Advice to the ICANN Board: GAC Members to assess the Board’s adoption of the Temporary Specification; GAC and ICANN Board to continue discussing Advice for which action Board was deferred on 17 May 2017.
• Law Enforcement, Cybersecurity professionals and Intellectual Property Rights holders access to Whois Data under the Temporary Specification: ongoing engagement between contracted parties and law enforcement agencies, as well as cybersecurity and IP interests with ICANN.

• Mid-to-Long-Term
• Implementation and Evolution of ICANN’s Temporary Specification: while Contracted Parties are now required to implement the Specification, ICANN is due to reflect outcomes of its continued engagement with Data Protection authorities, as well as relevant community developments related to important issues that have been flagged for further action
• Policy Development to replace the Temporary Specification: GAC to monitor and contribute to the expected initiation of a new expedited GNSO PDP. A dedicated team of GAC Members has been formed to support this work.
• Development of a Unified Access Model for Continued Access to Full WHOIS Data: GAC to assess ICANN’s draft Framework Elements and weigh in on Community discussions, in particular regarding area for which ICANN identifies a role for the GAC.

GAC Advice to the ICANN Board (Short-Term)

The GAC Advice issued in the San Juan Communiqué (15 March 2018) was subject to an informal consultation between the GAC and the ICANN Board (8 May 2018) which led to the release of an initial Board scorecard (11 May 2018). In response, the GAC requested that the Board defers taking action on advice it could have rejected (17 May 2018). Ultimately, on the same day, the ICANN Board resolved to defer taking action on several pieces of advice, adopting the Temporary Specification for gTLD Registration Data in the meantime.

The ICANN Board has now released its updated scorecard (30 May 2018) on the GAC San Juan Advice as part of a formal resolution. It provides new information on the Board acceptance of part of the Advice, in particular where the GAC Advised the ICANN Board “to instruct the ICANN Organization to […] reconsider the proposal to hide the registrant email address”. The GAC and ICANN Board are still due to engage further on the consideration of the Advice on which action was deferred by the ICANN Board.

In this context, a mapping (27 May 2018) of the Temporary Specification to the relevant GAC Advice was prepared to assist with GAC Members’ assessment of the Temporary Specification, as well as for preparation of future engagement of the GAC with the ICANN Board, or within a potential new GNSO PDP (see below). The ICANN Organization also published a comparison between the Temporary Specification and the Interim Compliance Model on which it is based.

Law Enforcement, Cybersecurity professionals and Intellectual Property Rights holders access to Whois Data under the Temporary Specification (Short-Term)

During the GDD Summit in Vancouver (14-17 May), in a session called “Registration Data Services (WHOIS) Access Post GDPR” several Registries and Registrars indicated their intentions to have procedures and systems in place to ensure that legitimate requests made by law enforcement for access to non-public WHOIS data could be addressed.

A number of challenges were identified in relation to the definition of law enforcement, the jurisdiction of a requesting agency, and the absence of a centralized accreditation mechanism. Registries and Registrar report being engaged with law enforcement agencies to address these matters and implement the provisions of the Temporary Specification, in particular:

• Section 4.4.9 which includes “Providing a framework to address appropriate law enforcement needs” as a legitimate purpose for “Personal Data included in Registration Data” to be “Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data”
• Appendix A Section 4 which mandates “reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR.”

Regarding Cybersecurity professionals’ access, the Security and Stability Advisory Committee of ICANN (SSAC) released an Advisory Regarding Access to Domain Name Registration Data (14 June 2018) with recommendations to address the loss of a “reliable, consistent, and predictable access to domain name registration”, which the SSAC sees as essential for “the identification and mitigation of various types of Internet abuse and technical problems”.

The AntiPhishing Working Group (APWG) sent its Public Whois Attributes Securely Hashed (WhASH) proposal (4 June 2018) to the ICANN CEO, Chair of the Board, and Chairman of SSAC. It suggests that in order to both comply with the GDPR and address the need of security professionals and investigators, personal data included in WHOIS records should be displayed in encrypted form, as opposed to not be displayed at all.

Regarding IP Rights holders, the BC/IPC have continued developing their WHOIS Accreditation and Access model and recently circulated version 1.6 of its draft (18 June 2018).

Implementation and Evolution of ICANN’s Temporary Specification (Mid-Term)

Effective 25 May 2018, gTLD Registries and Registrars are required to abide by the terms of the Temporary Specification, subject to contractual compliance enforcement by ICANN. This contractual document implements ICANN’s Proposed Interim Model for Compliance with GDPR (8 May 2018).

As a result, Whois services will dramatically change as Registries and Registrars implement the tiered- or layered-access model that was required for compliance with GDPR and show publicly only a subset of gTLD Registration Data.

A number of items in the Temporary Specification are identified as “Important Issues for Further Community Action” to be resolved “as quickly as possible after the effective date of the Temporary Specification” including:

• Continuing community work to develop an accreditation and access model that complies with GDPR
• Addressing the feasibility of requiring unique contacts to have a uniform anonymized email address across domain name registrations at a given Registrar
• Consistent process for continued access to Registration Data, including non-public data, for users with a legitimate purpose on a mandatory basis for all contracted parties.
• Distinguishing between legal and natural persons to allow for public access to the Registration Data of legal persons
• Confidentiality of queries for Registration Data by law enforcement authorities and balancing limitations in terms of query volume against realistic investigatory cross-referencing need

Additionally, per its 1-year action plan shared with DPAs (20 April 2018), and subsequent discussions with the GAC (8 May 2018), the ICANN Organization has indicated that the Temporary Specification may evolve over time as required.

This is also recognized in the ICANN Board resolution and the Temporary Specification (section 8.2) which indicate in particular that it could “make adjustments based on further inputs from the Article 29 Working Party/European Data Protection Board, court order of a relevant court of competent jurisdiction concerning the GDPR, applicable legislation or regulation, or as a result of the Board-GAC Bylaws Consultation”.

Several developments are currently ongoing relating to the interpretation of relevant Data Protection law:

• ICANN sent a follow-up letter (10 May 2018) to the Article 29 Working Party seeking greater clarity and guidance on a number of issues, including some stemming from the Art. 29 letter or meetings between ICANN Org and Art. 29.
• On 25 May, ICANN has indicated filing legal action in Germany, seeking a court ruling to ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR. This developed further to date, including ruling by a regional court (30 May 2018) and appeal by ICANN (13 June 2018).

Policy Development to Replace the Temporary Specification (Mid-Term)

The GNSO Council has started discussion initiation of a new PDP (see outcomes webinar on 21 May and Council meeting of 24 May 2018), and is considering options as to the composition of the WG that would be able to deliver of Policy with one year (as required per the Temporary Policy). GAC Participation and/or input in such a process is seen as critical by the GAC Leadership. A call for volunteers to join a GAC Team to support such work has been issued by the GAC Chair on 23 May 2018.

One key policy element expected by several constituencies including Law Enforcement, Cybersecurity and Intellectual Property Rights practitioners will be the definition of relevant accreditation models to enable access to non-public data for legitimate interests. The IPC and BC have been leading community discussions on a proposed model covering the needs of IP and Cybersecurity practitioners. A number of GAC and PSWG Members are following this effort on the accred-model@icann.org mailing list (see mailing list archives).

Law Enforcement agencies are not associated with this specific model due to the specificity of requirements applicable to them, such as confidentiality of requests or how validation of requesters may be accomplished.

In the meantime, a group of Contracted Parties, in collaboration with ICANN Org, have been exploring technology enabling layered access to gTLD Registration Data, namely RDAP, the WHOIS replacement protocol developped at IETF. The RDAP Pilot Program which started on 5 Sep. 2017,  has seen its pace and stakes increased as a result of the adoption of the Temporary Specification which mandates its outcome to be delivered by 31 July 2018 (Appendix A, section 1.1 of Temporary Specification) for implementation of the new protocol by Contracted Parties by the end of 2018.

Development of a Unified Access Model for Continued Access to Full WHOIS Data (Mid to Long-Term)

On 18 June 2018, the ICANN organization published a draft Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data for Community discussion. Building on the model developed to comply with the GDPR as well as Community input to date, the framework lays out a series of central questions to help frame discussions about how such an access model may work, including how and which users with a legitimate interest can gain access to non-public registration data.

The GAC may wish to assess this framework and weigh in on Community discussions, in particular regarding area for which ICANN identifies a role for the GAC.

Relevant documentation is maintained by ICANN on the Data Protection/Privacy Issues section of its website. Below is a selection of resources that may be most relevant to GAC Members.

ICANN Board Decisions and ICANN Org Documentation

• Temporary Specification
• Temporary Specification (17 May 2018), implementing the Proposed Interim Compliance Model (8 March), including a comparison between the two.
• Plan of Action to Implement GDPR Interim Compliance Model as shared with DPAs (20 April 2018) or later revised (24 May 2018) and shared with the European Commission (23 May 2018), or initially discussed with Contracted Parties during ICANN61 (15 March 2018)
• Draft Mapping of Temporary Specification to ICANN Contracts and Policies (12 June 2018)

• Proposed Compliance Models
• Comparison chart (20 April 2018) of Proposed Interim Model with input received from Art. 29 WP, Berling Group and the GAC
• Proposed Interim Model or Cookbook (8 March 2018)
• Proposed Interim Model Summary Description (28 February 2018)
• Proposed Item Models (12 January 2018)

• Statement from Contractual Compliance (2 November 2017) deferring taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data

• Legal Analysis Memoranda by Hamilton Advokatbyrå
• gTLD Registration Directory Services and the GDPR – Part 3 (21 December 2017)
• gTLD Registration Directory Services and the GDPR – Part 2 (15 December 2017)
• gTLD Registration Directory Services and the GDPR – Part 1 (16 October 2017)

• Legal Action
• On 25 May 2018, ICANN has announced filing legal action in Germany, seeking “a court ruling to ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR”. The other party this lawsuit, EPAG, a Tucows-owned Registrar based in Bonn, Germany has released a Statement on ICANN’s Legal Action. The introductory paragraph of that statement reads, “This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted, with respect to our contracts. While we look forward to defending our position in court, the below is intended to provide some context and insight into the dispute.” The statement also provides this party’s perspective on several requirements of the Temporary Specification it disputes.
• On 30 May ICANN announced that a regional court in Bonn “ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR”. ICANN also indicated that "While [it] appreciates the prompt attention the Court paid to this matter, the Court's ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings," and that "ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services."
• On 13 June 2018, ICANN announced that it has appealed a decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against a tucows-affiliated Germany-based registrar to reinstate the collection of administrative contact and technical contact data for new domain name registrations.
• On 7 June 2018, tucows sent a letter to ICANN’s CEO explaining why it believes it can’t comply with three specific areas of ICANN’s Temporary Specification: collection of Admin and Tech contacts data, data transfer to registries and the required public display of certain fields which may contain personal data.

GAC Positions and Documentation

• Mapping (27 May 2018) of the Temporary Specification to the ICANN61 San Juan Advice

• GAC Advice in the ICANN 61 San Juan Communiqué (15 March 2018) was the subject of an informal consultation between the GAC and the ICANN Board (8 May 2018) which led to the release of the Board’s scorecard (11 May 2018). In response, the GAC requested that the Board defers taking action on advice it could have rejected (17 May 2018). The ICANN Board released its updated scorecard (30 May 2018) as part of a formal resolution.

• GAC Feedback (8 March) on the Proposed Interim Model for GDPR Compliance

• A Law Enforcement expert considerations document (16 February 2018) was circulated to the GAC following the Intersessional PSWG meeting in Brussels (12-13 February) identifying specific needs and challenges to be addressed in the implementation of any GDPR-compliant Whois system and proposing guidelines to support implementation of the necessary features of an accreditation, authentication and access system, including:
• Permanent law enforcement access to non-public Whois data on a query basis without the need for justification of each individual request
• Centralization of credentials for accredited users (to be assigned and maintained by one entity)
• Centralization of access to ensure continued access to data regardless of location of storage, while minimizing the need for international bulk data transfers
• Confidentiality of law enforcement requests
• Capability to cross-reference current and historical whois data
• Safeguards to ensure accountability and purpose limitation

• GAC Comments (29 January 2018) on the proposed interim models for compliance with GDPR including:
• Highlights of the legal analysis supporting ICANN’s goal to maintain the WHOIS to the greatest extent possible
• Concerns and disagreement with some conclusions of the legal analysis relating to hiding the Registrant email and the need for legal process to support law enforcement requests for non-public Whois data
• A review of each of the 3 proposed models with recommendations
• A proposed fourth compliance model calling for: a differentiated treatment of natural and legal person’s data; longer data retention periods; the developement of an accreditation system for all parties with a legitimate need to access non-public data, including mandatory self-certification arrangements in the interim; a strict application of the model to parties covered within the scope of the GDPR, while others would keep an open Whois

• GAC Advice in the ICANN60 Abu Dhabi Communiqué (1 November 2017) accepted per the ICANN Board’s scorecard (4 February 2018) touched on 4 areas including:
• the continued relevance of the 2007 GAC Whois Principles;
• Accessibility of Whois for recognized users with legitimate purposes;
• Lawful availability of Whois data for the needs of consumer protection and law enforcement, as we as the public;
• Involvement of the GAC in the design and implementation of any solution and transparency of ICANN in this process.

• GAC Principles regarding gTLD WHOIS Services (28 March 2007)

GAC/ICANN Engagement Record

• Board updated scorecard (30 May 2018) on the GAC San Juan Advice

• Board-GAC informal consultation (8 May 2018) regarding Advice in the San Juan Communiqué

• Joint GAC/ICANN call (21 February 2018) to discuss status of compliance model development and the envisioned interim model
• GAC Clarifying Questions (17 December 2017) following the 27 November Joint GAC-ICANN Organization Call on GDPR Announcements and response by ICANN (22 February 2018)
• Joint GAC/ICANN call (27 November 2017) to facilitate a dialogue prior to further actions being taken  by either party, during which ICANN described its approach to the matter and highlighted the importance of GAC input

Data Protection Authorities Input

• European Data Protection Board Statement on ICANN/WHOIS (27 May 2018) indicating that the GDPR does not allow an “enforcement moratorium” (despite ICANN’s request to all European DPAs on 26 March 2018). It also recognizes “recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system” and pledge to continue monitoring ICANN’s progress as “its members may engage further with ICANN to ensure that the legal requirements under EU data protection law are properly addressed”.
• Art. 29 Working Party letter to ICANN (11 April 2018) welcoming the proposed Interim Model and including detailed input on areas for which it deems of “utmost importance that ICANN either reconsider or further evaluate its current”
• Berlin Group Working Paper (9 March 2018) on Privacy and Data Protection Issues with Regard to Registrant data and the WHOIS Directory at ICANN
• Art. 29 Working Party letter to ICANN (6 December 2017) reiterating its position that “unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive” and suggested that “at first glance” ICANN and Registries are to be deemed joint controllers under European data protections laws, and that purposes of Whois directories can be achieved via layered access, including access for law enforcement authorities. ICANN responded (15 January 2018).
• Dutch DPA announcement (30 October 2018) of its ruling that unlimited publication of Whois data by the .amsterdam and .frl New gTLD Registry Operators violates Dutch privacy law, while recognizing that publishing only limited WHOIS-data of private domain name registrants would be in accordance with current privacy laws. This announcement has been the suject of ·       correspondence between these registries (9 October 2017) and ICANN (25 October and 1 November 2017).
• Article 29 Working Party Statement (6 June 2013) on the data protection impact of the revision of the ICANN RAA and follow-up letter (8 January 2014)
• Letter from the Article 29 Working Party to ICANN (22 June 2006) calling for privacy enhancing ways to run the Whois directotries
• Privacy Commissioner of Canada letter (12 July 2006) related to the purpose of Whois and meeting the needs of law enforcement through a tiered approach
• Article 29 Working Party Opinion (13 June 2003) on the application of the data protection principles to the Whois directories

GAC Members and Observers

• Council of Europe

• Bureau of the Committee of Convention 108 letter and comments (29 January 2018) on ICANN’s proposed interim models
• Secretariat of Cybercrime Convention Committee letter and comments (29 January 2018) on ICANN’s proposed interim models

• European Union

• EU Commission letter (17 May 2018) providing Input on the Proposed Temporary Specification for gTLD Registration Data and ICANN’s response (23 May 2018) asking guidance and assistance on “potential avenues available for ICANN to be viewed under the law as the coordinator for the WHOIS system” and reporting intentions to develop a unified access model to provide access to non public data.
• European Union input (7 February 2018) on the proposed compliance models (including consideration of purpose definition, data collection, data retention, publication of data, access by law enforcement and accuracy of data). See ICANN’s response (8 March 2018).
• European Commissioners letter (29 January 2018) identifying consideration that should be taken into account by ICANN to ensure quick access to WHOIS for public interest purposes in full compliance with data protection rules. See ICANN’s response (8 March 2018)

• Europol (European Cybercrime Centre (EC3) Advisory Group on Internet Security)
• Statement (2 April 2018) assessing that ICANN’s Whois Proposed Interim Model for GDPR Compliance will inhibit the Cybersecurity Community’s Role in Data Protection
• Letter (26 January 2018) including a Statement on the Indispensable Role of Whois for Global Cybersecurity

• United Kingdom

• National Crime Agency Feedback (29 January 2018) on ICANN’s Proposed Interim Models

• US Government

• Comments (20 April 2019) in response to Article 29 Working Party’s Guidance Letter regarding Whois and GDPR
• Comments (29 January 2018) on the Proposed Interim Models

GNSO Discussions regarding Policy Development related to WHOIS/GDPR

• Extraordinary GNSO Council meeting (12 June 2018) dedicated to Expedited PDP discussion
• ICANN Board/GNSO discussion (5 June 2018) addressing a number of open questions regarding scope, timing and participation in an Expedited PDP.
• GNSO Council meeting (24 May 2018) which included a continued discussion of Expedited PDP Consideration
• GNSO Council webinar (21 May 2018) which initiated discussion of potential Expedited PDP to replace ICANN’s Temporary Specification
• GNSO Council Options document (10 May 2018) addressing Expedited PDP Work Team composition and potential Expedited PDP timeline

Other Relevant ICANN Community Contributions

• Draft IPC/BC WHOIS Accreditation and Access Model v1.6 (18 June 2018)
• SSAC Advisory Regarding Access to Domain Name Registration Data (14 June 2018)
• APWG’s Public Whois Attributes Securely Hashed (WhASH) proposal (4 June 2018)
• Online Coalition for Accountability (16 February 2018) on the specific issue of the Registrant’s Email address becoming non-public data)