GAC Advice

2018-03-15 GDPR and WHOIS

The GAC highlights the importance of complying with the European General Data Protection Regulation (GDPR), which protects the privacy of natural persons and allows for the processing of and access to data for legitimate purposes.

The GAC encourages ICANN to continue its efforts to ensure full and timely compliance with GDPR while involving the multi-stakeholder community and European data protection authorities.

The GAC reiterates its previous advice, including the Abu Dhabi Communiqué, to maintain, to the greatest extent possible, the current structure of the WHOIS, while ensuring full and timely compliance with GDPR.

The GAC does not envision an operational role in designing and implementing the proposed accreditation programs but reiterates its willingness to advise the Board and engage with ICANN Org and the community on the development of codes of conduct from a public policy perspective.  

The GAC notes the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS. Regarding the proposed draft interim model, consistent with the GAC’s comments to ICANN filed on March 8, 2018, 

a. the GAC advises the ICANN Board to instruct the ICANN Organization to:

1. Ensure that the proposed interim model maintains current WHOIS requirements to the fullest extent possible;
2. Provide a detailed rationale for the choices made in the interim model, explaining their necessity and proportionality in relation to the legitimate purposes identified;
3. In particular, reconsider the proposal to hide the registrant email address as this may not be proportionate in view of the significant negative impact on law enforcement, cybersecurity and rights protection;
4. Distinguish between legal and natural persons, allowing for public access to WHOIS data of legal entities, which are not in the remit of the GDPR;
5. Ensure continued access to the WHOIS, including non-public data, for users with a legitimate purpose, until the time when the interim WHOIS model is fully operational, on a mandatory basis for all contracted parties;
6. Ensure that limitations in terms of query volume envisaged under an accreditation program balance realistic investigatory cross-referencing needs; and
7. Ensure confidentiality of WHOIS queries by law enforcement agencies.

Furthermore,

b. the GAC advises the ICANN Board to instruct the ICANN Organization to:

1. Complete the interim model as swiftly as possible, taking into account the advice above. Once the model is finalized, the GAC will complement ICANN’s outreach to the Article 29 Working Party, inviting them to provide their views;
2. Consider the use of Temporary Policies and/or Special Amendments to ICANN’s standard Registry and Registrar contracts to mandate implementation of an interim model and a temporary access mechanism; and
3. Assist in informing other national governments not represented in the GAC of the opportunity for individual governments, if they wish to do so, to provide information to ICANN on governmental users to ensure continued access to WHOIS.

Rationale

The core mission of ICANN is to “ensure the stable and secure operation of the internet’s unique identifier systems.”^[1] Accordingly, ICANN’s Bylaws include a commitment to preserve and enhance “the operational stability, reliability, security, global interoperability, resilience, and openness of the DNS and the Internet.”^[2] ICANN’s commitments and required reviews emphasize that it must “adequately address” issues related to “consumer protection, security, stability, resiliency and malicious abuse.”^[3] 

The current WHOIS system helps achieve many such public policy interests, including enhancing trust in the DNS, ensuring consumer protection, protecting intellectual property, combating cyber-crime, piracy and fraud, to cite but a few of the elements highlighted already in the GAC’s 2007 WHOIS Principles. 

The GDPR provides for mechanisms to balance the various legitimate public and private interests at stake, including privacy and accountability. We note that the legitimate interests reflected in ICANN’s Bylaws are consistent with the recitals to the GDPR, which provide examples such as “preventing fraud”; “ensuring network and information security,” including the ability to resist “unlawful or malicious actions” and reporting possible “criminal acts or threats to public security” to authorities.^[4]

Regarding registration data specifically, ICANN’s Bylaws recognize that WHOIS data is essential for “the legitimate needs of law enforcement” and for “promoting consumer trust.”^[5] These rules reflect the nature of the Internet as a public resource whose governance not only serves the interests of the private parties operating the DNS but also serves a number of important public policy interests.

ICANN’s new interim proposal suggests significant changes to the WHOIS system, including masking several categories of previously public information. The GAC is concerned that the interim model may not maintain the current WHOIS system to the fullest extent possible and that these changes are not supported by the necessary analysis and supporting rationale which poses the question whether the choices reflected in the current proposal are required by the law. As it stands, the proposed system risks hindering the efforts of law enforcement, intellectual property and other actors in combatting illicit activities and mitigating DNS abuse.

A rationale is required for the decision to hide certain WHOIS data elements from the public database. Firstly, there is no need to hide non-personal information (including information related to legal entities), such as the name (to the extent they are legal entities, e.g., companies or organizations) or the Administrative and Technical contact’s state/province and country. Secondly, when it comes to personal data, the GDPR permits its processing, including publication, under certain circumstances. As clarified by the Article 29 Working Party, publication of some personal data is not excluded, as long as this is justified in light of the legitimate purposes pursued with the WHOIS directory and is based on a legal ground, such as performance of a contract or the legitimate interests pursued by the controller or by a third party. In particular, publication of the registrant’s email address should be considered in light of the important role of this data element in the pursuit of a number of legitimate purposes and the possibility for registrants to provide an email address that does not contain personal data. Finally, legal entities are explicitly excluded from the remit of GDPR.

************

[1] ICANN Bylaws Article One, Section 1.1, Mission. 

[2] ICANN Bylaws Section 1.2 (a) Commitments and Core Values.

[3] See ICANN Bylaws Section 4.6 (d), Specific Reviews, Competition, Consumer Trust, and Consumer Choice Review.

[4] See GDPR Recitals 47, 49 and 50. 

[5] ICANN Bylaws, Registration Directory Services Review, §4.6(e).