2017-11-01 GDPR/WHOIS
مشورة GAC
2017-10-01 GDPR/WHOIS
ICANN60 Abu Dhabi Communique
تحقق الإجماع
2017-11-01 GDPR/WHOIS
a. The GAC advises the ICANN Board that:
- the 2007 GAC WHOIS Principles (attached) continue to reflect the important public policy issues associated with WHOIS services. Accordingly, ICANN should take these issues into account as it moves forward with its planning to comply with the European Union’s General Data Protection Regulation (GDPR). In these principles, the GAC has notably recognized that WHOIS data (also known as Registration Directory Services) is used for a number of legitimate activities, including:
- Assisting law enforcement authorities in investigations and in enforcing national and international laws, assisting in combatting against abusive use of internet communication technologies;
- Assisting businesses, other organizations, and users in combatting fraud, complying with relevant laws, and safeguarding the interests of the public;
- Combatting infringement and misuse of intellectual property; and
- Contributing to user
confidence in the Internet as a reliable and efficient means of information and communication by helping users identify persons or entities responsible for content and services online.
Board Understanding Following GAC-Board call
The Board understands that the GAC wishes for the ICANN Board to:
- Take the GAC WHOIS Principles into account as it moves forward with planning to comply with the European Union’s General Data Protection Regulation (GDPR).
The Board understands that the GAC has recognized that the WHOIS data is used for a number of legitimate activities, including:
- Assisting law enforcement authorities in investigations and in enforcing national and international laws, assisting in combatting against abusive use of internet communication technologies;
- Assisting businesses, other organizations, and users in combatting fraud, complying with relevant laws, and safeguarding the interests of the public;
- Combatting infringement and misuse of intellectual property; and
- Contributing to user confidence in the Internet as a reliable and efficient means of information and communication by helping users identify persons or entities responsible for content and services online.
Board Response
The Board accepts this advice and directs the ICANN org to continue to seek to maintain the existing WHOIS services to the maximum extent consistent with GDPR compliance. The Board also acknowledges that the WHOIS/RDS data is used for many legitimate activities, such as those described by the community in the user stories posted on the Data Protection and Privacy webpage.
The Board welcomes the GAC’s full engagement with the community on the GDPR-related discussions and is committed to continuing to facilitate this discussion in a transparent way. The Board appreciates the GAC’s articulation of the important public policy interests served by legitimate and proportionate use of WHOIS/RDS data, including this Advice and the GAC’s contribution to ICANN’s ongoing public consultation.
The Board is aware of the independence of data protection authorities in the European Union, and the Board particularly seeks and appreciates GAC and individual GAC member assistance to secure the full participation of European data protection agencies in ICANN efforts to identify and agree on a GDPR compliance model that facilitates continued access to registrant information by those with a legitimate and proportionate interest in processing WHOIS/RDS data. This kind of participation is critical in maintaining a common approach to access to WHOIS/RDS data across the gTLD ecosystem that strikes the right balance among important public interests, including fundamental individual liberties.
Accordingly,
b. the GAC advises the ICANN Board that:
- as it considers how to comply with the GDPR with regard to WHOIS, it should use its best efforts to create a system that continues to facilitate the legitimate activities recognized in the 2007 Principles, including by:
- Keeping WHOIS quickly accessible for security and stability purposes, for consumer protection and law enforcement investigations, and for crime prevention efforts, through user-friendly and easy access to comprehensive information to facilitate timely action.
- Keeping WHOIS quickly accessible to the public (including businesses and other organizations) for legitimate purposes, including to combat fraud and deceptive conduct, to combat infringement and misuse of intellectual property, and to engage in due diligence for online transactions and communications.
In order to promote the public interest, and in response to the ICANN CEO’s invitation to contribute questions pertaining to legal advice on the interpretation and application of the GDPR,
Board Understanding Following GAC-Board call
The Board understands that the GAC wishes for the ICANN Board to:
- As it considers how to comply with GDPR with regard to WHOIS, use its best efforts to create a system that continues to facilitate the legitimate activities recognized in the 2007 GAC WHOIS Principles.
The Board understands that the GAC has recognized that these legitimate activities include:
- Keeping WHOIS quickly accessible for security and stability purposes, for consumer protection and law enforcement investigations, and for crime prevention efforts, through user-friendly and easy access to comprehensive information to facilitate timely action.
- Keeping WHOIS quickly accessible to the public (including businesses and other organizations) for legitimate purposes, including to combat fraud and deceptive conduct, to combat infringement and misuse of intellectual property, and to engage in due diligence for online transactions and communications.
Board Response
The Board accepts this advice and welcomes the GAC’s full engagement with the community on the GDPR-related discussions and is committed to continuing to facilitate this discussion in a transparent way. In a 21 December 2017 blog from the ICANN org President and CEO, as well as in other fora, Göran Marby has emphasized that the organization has made it a high priority to find, to the greatest extent possible, a path forward to ensure compliance with the GDPR while maintaining proportionate access to WHOIS/RDS data for legitimate purposes. This remains a critical point on the path to find workable solutions to ensure both compliance with the law and ICANN’s contracts.
c. the GAC also advises the ICANN Board to:
- seek information from its outside counsel tasked with providing guidance on GDPR issues that
addresses the following issues:- What are the options under the GDPR to ensure the lawful availability of WHOIS/RDS data for consumer protection and law enforcement activities? In particular, are there changes to policy or the legal framework that should be considered with a view to preserving the functionality of the WHOIS to the greatest extent possible for these purposes and others also recognized as legitimate? This question includes tasks carried out in the public interest and tasks carried out for a legitimate purpose, including preventing fraud and deceptive activities, investigating and combatting crime, promoting and safeguarding public safety, consumer protection, cyber-security etc.
- What are the options under the GDPR to ensure the lawful availability of WHOIS/RDS data for the public, including businesses and other organizations? This question includes tasks carried out in the public interest and tasks carried out for a legitimate purpose, including preventing fraud and deceptive activities, investigating and combatting crime as well as infringement and misuse of intellectual property, promoting and safeguarding public safety, consumer protection, cyber-security etc.
Board Understanding Following Board-GAC Call
The Board understands that the GAC wishes for the ICANN Board to:
- Seek information from its outside counsel that addresses the following issues:
What are the options under the GDPR to ensure the lawful availability of WHOIS/RDS data for consumer protection and law enforcement activities and for the public, including businesses and other organizations? In particular, are there changes to policy or the legal framework that should be considered with a view to preserving the functionality of the WHOIS to the greatest extent possible for these purposes and others also recognized as legitimate? This question includes tasks carried out in the public interest and tasks carried out for a legitimate purpose, including preventing fraud and deceptive activities, investigating and combatting crime, promoting and safeguarding public safety, consumer protection, cyber-security etc.
Board Response
The Board accepts the advice and notes that the ICANN Org has submitted these questions to the Hamilton firm and received a response.
The GAC’s questions regarding GDPR were shared with the Hamilton firm to consider as part of its next legal analysis. See: https://www.icann.org/en/system/files/files/gdpr- legal-analysis-part2-draft-questions-15nov17-en.pdf.
Hamilton replied to the questions in its second analysis, available here: https://www.icann.org/en/system/files/files/gdpr- memorandum-part2-18dec17-en.pdf.
The Board also acknowledges that the community has had access to legal input from a variety of qualified experts in EU data protection law. Because GDPR is principles-based rather than prescriptive, the Board also notes that differences of opinion and approach are reflected in these various inputs. These differences underscore the importance of direct participation by the GAC as well as relevant data protection authorities in ICANN’s dialogue with the community regarding GDPR compliance in the context of WHOIS/RDS data.
Finally,
d. the GAC also advises the ICANN Board that:
- it is urgent to address these issues and that the GAC should be fully involved in the design and implementation of any (including interim) solution and requests that ICANN practice transparency vis-à-vis the multistakeholder community in its GDPR activities.
Board Understanding Following Board-GAC Call
The Board understands that the GAC wishes for the ICANN Board to:
- Address these issues and to involve the GAC in the design and implementation of any (including interim) solution and to practice transparency with regard to the multistakeholder community in GDPR activities
The Board understands that the GAC views the continued and lawful availability of WHOIS/RDS data for consumer protection, intellectual property rights protection and law enforcement activities as a vital public concern. The Board also understands that the GAC wishes the Board to strive to explore all possible mechanisms under the GDPR to ensure this data remains available for legitimate activities that protect the public and promote a safe, secure, and trustworthy online environment.
Board Response
The Board accepts this advice and welcomes the GAC’s full engagement with the community on the GDPR-related discussions and is committed to continuing to facilitate this discussion in a transparent way. The Board is aware and receiving updates from the organization on the ongoing facilitation, under the guidance of Göran and GAC leadership, on a variety of topics that are of interest to the GAC. The organization is grateful for the opportunity to hold these ongoing dialogues. One example of this is the regular calls between the ICANN org and the GAC about GDPR. These calls provide the opportunity to discuss the context of different issues.
عرض الأسباب
This advice reflects the view of governments that the continued and lawful availability of WHOIS/RDS data for consumer protection, intellectual property rights protection and law enforcement activities is a vital public concern and that ICANN should strive to explore all possible mechanisms under the GDPR to ensure that this data remains available for legitimate activities that protect the public and promote a safe, secure, and trustworthy online environment.