Welcome to the GAC website! Effective 18 December 2018, this site is the GAC’s sole web resource for news and information about GAC activities. If you have difficulty finding any current or past GAC information, please email gac-staff@icann.org.

GAC Advice

The GAC provides advice to the ICANN Board on policy matters where there may be an interaction between ICANN’s policies and various laws, international agreements and public policy objectives. GAC Advice is communicated to the ICANN Board through either a Communique or a formal piece of Correspondence. This area of the website provides you with full access to both types of GAC Advice as well as the comprehensive historical list of GAC advice provided to the Board and links connecting that advice to its outcome using the ICANN Board Advice Registry tool.

GAC Advice

Reference No. :

2019-03-14 - WHOIS and Data Protection Legislation

First Delivered 14 Mar 2019 via :

ICANN64 Kobe Communique

Consenus:

Consensus met

2019-03-14 - WHOIS and Data Protection Legislation

a. The GAC advises the Board to:

  1. Take necessary steps to ensure that the GNSO EPDP on the Temporary Specification for gTLD Registration Data institutes concrete milestones, progress reports and an expeditious timeline, similar to Phase 1, for concluding Phase 2 activities;
  2. Take necessary steps to ensure that the scope of phase 2 activities is clearly defined with a view to expeditious conclusion and implementation
  3. Make available the necessary resources for Phase 2 to expeditiously advance on the complex legal issues deferred from Phase 1
  4. Consider instituting additional parallel work efforts on technical implementations, such as that carried out by the Technical Study Group, for purposes of informing and complementing the EPDP’s Phase 2 activities;
  5. Facilitate swift implementation of the new Registration Directory Services policies as they are developed and agreed, including by sending distinct parts to implementation as and when they are agreed, such as the questions deferred from Phase 1;
  6. Consider re-starting implementation processes for relevant existing policies, such as the Privacy Proxy Services Accreditation Issues Policy.

 


Rationale

The GAC has consistently advised on the necessity of finding a swift solution to ensuring timely access to non-public registration data for legitimate third party purposes that complies with the requirements of the GDPR and other data protection and privacy laws, in view of the significant negative impact of the changes in WHOIS accessibility on users with legitimate purposes. The GAC has previously noted that such legitimate purposes include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection.

The GAC also notes that the European Data Protection Board, in its guidance, has expressly encouraged ICANN and the community to develop a comprehensive model covering the entirety of the data processing cycle, from collection to access. As already highlighted in the GAC’s Puerto Rico Communiqué, the GDPR provides for mechanisms to balance the various legitimate public and private interests at stake, including privacy and accountability. We note that the legitimate interests reflected in ICANN’s Bylaws are consistent with the recitals to the GDPR, which provide examples such as “preventing fraud”; “ensuring network and information security,” including the ability to resist “unlawful or malicious actions” and reporting possible “criminal acts or threats to public security” to authorities (see GDPR Recitals 47, 49 and 50).

The GAC will closely monitor and assess the progress reports prepared by the GNSO EPDP, and reserves the possibility of providing further guidance if the pace of progress so requires.

The GAC notes that the time and resources necessary to complete Phase 2 are considerable and require focused scoping of the activity to ensure the expeditious conclusion of the activity. The GAC would therefore encourage a judicious definition of the scope of the Phase 2 efforts, giving consideration to elements that could be provided by Community efforts in parallel and may not need to be included in the scope, such as accreditation models.

The GAC received a briefing on the work of the Technical Study Group. The GAC considers that the development of options for technical implementation demonstrates how a future system for RDS access could be implemented, also with a view to data security and privacy considerations. The Phase 2 considerations could benefit from further exploration of technical implementation options. In addition, engaging in such considerations in parallel can help ensure that policies - once agreed - are swiftly put into practice.

The GAC is of the opinion that the Privacy Proxy Services Accreditation Issues Policy (PPSAI) remains highly relevant and implementation efforts should continue as appropriate, in parallel with the ongoing policy development work. The implementation of the PPSAI need not be deferred until the completion of the EPDP.

*******

15 May 2019
Board Scorecard related to: 

a. The GAC advises the Board to:

  1. Take necessary steps to ensure that the GNSO EPDP on the Temporary Specification for gTLD Registration Data institutes concrete milestones, progress reports and an expeditious timeline, similar to Phase 1, for concluding Phase 2 activities;

Board Understanding Following Board-GAC Call

Board Response

The Board understands that the GAC wishes for the ICANN Board to take necessary steps to ensure that the GNSO EPDP on the Temporary Specification for gTLD Registration Data institutes concrete milestones, progress reports, and an expeditious timeline for activities in Phase 2 of the EPDP. The Board acknowledges the GAC’s previous advice on the necessity of finding a swift solution to ensuring timely access to non-public registration data for legitimate third-party purposes that complies with the requirements of the GDPR and other data protection and privacy laws.

The Board also acknowledges that the GAC has previously noted that such legitimate purposes include, for example, civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection. The Board acknowledges that the European Data Protection Board has encouraged ICANN and the community to develop a comprehensive model covering the entirety of the data processing cycle.

The Board also notes that the GAC has stated that the legitimate interests reflected in ICANN’s Bylaws are consistent with the recitals to the GDPR. The Board understands that the GAC will closely monitor and assess the progress reports prepared by the GNSO EPDP, and that the GAC reserves the possibility of providing further guidance if the pace of progress so requires. The Board notes the GAC’s statement that the time and resources necessary to complete Phase 2 are considerable and require focused scoping of the activity to ensure the expeditious conclusion of the activity.

The Board understands that the GAC encourages a judicious definition of the scope of the Phase 2 efforts, with consideration to elements that could be provided by Community efforts in parallel and may not need to be included in the scope, such as accreditation models.

The Board understands that the GAC received a briefing on the work of the Technical Study Group and that the GAC considers that the development of options for technical implementation demonstrates how a future system for RDS access could be implemented, also with a view to data security and privacy considerations.

The Board understands that the GAC believes Phase 2 considerations could benefit from further exploration of technical implementation options and that engaging in such considerations in parallel can help ensure that policies are swiftly put into practice.

The Board understands that the GAC is of the opinion that the Privacy Proxy Services Accreditation Issues Policy (PPSAI) remains highly relevant and implementation efforts should continue as appropriate and do not need to be deferred until the completion of the EPDP.

The Board acknowledges this advice and while it cannot guarantee the end result, because the EPDP is a community procedure that determines its own processes, the Board does support the request that the second phase of this policy development institute concrete milestones and progress reports. The Board shall convey the request via its Liaisons to the EPDP and via its communications with the GNSO Council. The Board notes that ICANN org is also providing support to the EPDP Phase 2 to support its work.

 

 

Board Scorecard related to: 

a. The GAC advises the Board to:

ii. Take necessary steps to ensure that the scope of phase 2 activities is clearly defined with a view to expeditious conclusion and implementation

Board Understanding Following Board-GAC Call

Board Response

The Board understands that the GAC wishes for the ICANN Board to ensure that the scope of the EPDP Phase 2 activities is clearly defined, with a view to expeditious conclusion and implementation.

 

The Board acknowledges this advice and while it cannot guarantee the end result, because the EPDP is a community procedure that determines its own processes, the Board does support the request that the second phase of this policy development institute concrete milestones and progress reports. The Board shall convey the request via its Liaisons to the EPDP and via its communications with the GNSO Council. The Board notes that ICANN org is also providing support to the EPDP Phase 2 to support its work.

Board Scorecard related to: 

a. The GAC advises the Board to:

iii. Make available the necessary resources for Phase 2 to expeditiously advance on the complex legal issues deferred from Phase 1

Board Understanding Following Board-GAC Call

Board Response

The Board understands that the GAC wishes for the ICANN Board to make available the necessary resources for the EPDP Phase 2 to expeditiously advance on the complex legal issues deferred from Phase 1.

 

The Board acknowledges this advice and appreciates the need to ensure that necessary resources are available for the EPDP Phase 2, including expert legal resources. While it is ultimately up to the EPDP to “expeditiously advance on the complex legal issues deferred from Phase 1”, the Board will ensure, subject to normal budgetary prudence, that there is support for the work of the EPDP in sorting through these legal issues.

Board Scorecard related to: 

a. The GAC advises the Board to:

iv. Consider instituting additional parallel work efforts on technical implementations, such as that carried out by the Technical Study Group, for purposes of informing and complementing the EPDP’s Phase 2 activities;

Board Understanding Following Board-GAC Call

Board Response

The Board understands that the GAC wishes for the ICANN Board to consider instituting additional parallel work efforts on technical implementations for purposes of informing and complementing the EPDP’s Phase 2 activities. The Board acknowledges the GAC’s advice and notes that the Technical Study Group was formed by the CEO and not the Board.

The Board is following the work of the Technical Study Group, which is intended to inform the work of the EPDP and not to replace it.

 

 

The Board acknowledges this advice and understands that the GAC is requesting the ICANN Board to do all that it can, within its authority and remit and subject to budgetary constraints, to facilitate the work of the EPDP, including through “parallel efforts” such as the Technical Study Group (TSG). The Board notes that the TSG presented a Draft Technical Model at ICANN64 and received community feedback. The TSG has since completed its work and published TSG01, Technical Model for Access to Non-Publlic Registration Data. ICANN will share the model with the European Data Protection Board (EDPB) and solicit the EDPB’s feedback on specific questions related to the model. ICANN will also present the model to the European Commission before that.

In regard to any other “parallel efforts”, the Board will consider those as necessary but reiterates that it will take actions only within its authority and subject to budgetary considerations; the Board will not take any action that would undermine or replace the work of the EPDP.

Board Scorecard related to: 

a. The GAC advises the Board to:

v. Facilitate swift implementation of the new Registration Directory Services policies as they are developed and agreed, including by sending distinct parts to implementation as and when they are agreed, such as the questions deferred from Phase 1;

Board Understanding Following Board-GAC Call

Board Response

The Board understands that the GAC wishes for the ICANN Board to instruct the ICANN org to facilitate swift implementation of the new Registration Directory Service policies as they are developed and agreed. The Board understands this includes sending distinct parts to implementation when they are agreed, such as questions deferred from Phase 1.

The Board accepts this advice and will do what it can, within its authority and remit, and in light of other relevant considerations, to facilitate swift implementation of new registration data directory services policies, and if possible, send distinct parts to implementation as and when they are agreed.

Board Scorecard related to: 

a. The GAC advises the Board to:

vi. Consider re-starting implementation processes for relevant existing policies, such as the Privacy Proxy Services Accreditation Issues Policy.

Board Understanding Following Board-GAC Call

Board Response

The Board understands that the GAC wishes for the ICANN Board to consider re-starting implementation processes for relevant existing policies, such as the Privacy Proxy Services Accreditation Issues Policy.

 

The Board accepts this advice. The Board believes that waiting to proceed with implementation of Privacy Proxy Services Accreditation Issues (PPSAI) Policy until the completion of the RDS EPDP is a prudent course of action. This is because the same issues that need to be resolved to finalize PPSAI implementation are under active discussion, such as controller/joint controller/independent controller issues and providing access to non-public personal contact details consistent with GDPR. This course of action will allow ICANN org and the broader community to focus resources on ensuring that GDPRcompliant requirements are finalized for existing contracted parties before proceeding to implement similar requirements for a new category of contracted parties.

During the implementation phase of the EPDP ICANN org will be reviewing all ICANN policies and services which may be impacted by the new Consensus Policy and will work with the GNSO and the community to identify the appropriate course of action