-
Communiqués
More
-
Correspondence
More
-
Itemized Advice
More
-
Principles & Guidelines
More
2019-10-06 - Domain Name Registration Directory Service and Data Protection
GAC Advice
2019-10-06 - Domain Name Registration Directory Service and Data Protection
ICANN66 Montreal Communique
Consensus met
2019-10-06 - Domain Name Registration Directory Service and Data Protection
Letter from ICANN CEO to GAC Chair regarding the EPDP Phase 1 Implementation Scheduler (6 January 2020)
With regard to Phase 1 of the EPDP,
a. The GAC advises the Board to:
i. Take all possible steps to ensure that the ICANN org and the EPDP Phase 1 Implementation Review team generate a detailed work plan identifying an updated realistic schedule to complete its work and provide and inform the GAC on the status of its progress by January 3, 2020;
With regard to Phase 2 and the conclusion of the EPDP,
The GAC recognizes the considerable efforts undertaken by all participants within the EPDP. Nevertheless, there will likely be a significant time between finalization of the Phase 2 policy recommendations, implementation of Phase 1 and Phase 2, and the construction and deployment of any new Domain Name Registration System and Unified Access Model. Consequently,
b. The GAC advises the Board to:
i. Instruct the ICANN organization to ensure that the current system that requires “reasonable access” to non-public domain name registration is operating effectively. This should include:
– educating key stakeholder groups, including governments, that there is a process to request non-public data;
– actively making available a standard request form that can be used by stakeholders to request access based upon the current consensus policy; and
– actively making available links to registrar and registry information and points of contact on this topic.
ii. Instruct ICANN Compliance to create a specific process to address complaints regarding failure to respond to, and unreasonable denial of requests for non-public domain name registration data, and monitor and publish reports on compliance with the current policy as part of their regular monthly reporting.
Rationale
Consistent with our prior advice, we take this opportunity to issue further guidance as the progress of the development and implementation of the EPDP activities have raised concerns.
The GAC has consistently advised on the necessity of finding a swift solution to ensuring timely access to non-public registration data for legitimate third party purposes that complies with the requirements of the GDPR and other data protection and privacy laws, in view of the significant negative impact of the changes in WHOIS accessibility on users with legitimate purposes.
The GAC has previously noted that such legitimate purposes include civil, administrative and criminal law enforcement, cybersecurity, consumer protection and IP rights protection. The GAC also notes that the European Data Protection Board, in its guidance, has expressly encouraged ICANN and the community to develop a comprehensive model covering the entirety of the data processing cycle, from collection to access.
As already highlighted in the GAC’s San Juan and Kobe Communiqués, the GDPR provides for mechanisms to balance the various legitimate public and private interests at stake, including privacy and accountability. We note that the legitimate interests reflected in ICANN’s Bylaws are consistent with the recitals to the GDPR, which provide examples such as “preventing fraud”; “ensuring network and information security,” including the ability to resist “unlawful or malicious actions” and reporting possible “criminal acts or threats to public security” to authorities (see GDPR Recitals 47, 49 and 50).