On December 6th, Chairwoman of the Article 29 Data Protection Working Party Isabelle Falque-Pierrotin submitted a letter to Cherine Chalaby and Goran Marby of ICANN, expressing — in no uncertain terms — the challenges to and expectations of the organization in light of the impending General Data Protection Regulation (GDPR) law that will come into force in May of 2018.
The letter states that the compliance and data privacy issues that now lie before ICANN are neither new nor revolutionary and that the global domain name body was notified of such compliance issues before the GDPR was even conceived. Falque-Pierrotin makes clear that all parties involved have no choice but to become compliant in 2018.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation put forth and adopted by the European Union in April 2016. It is intended to strengthen and unite data protection for all members of the European Union, dealing particularly with the export of personal data.
It applies to all companies that process and hold the personal data of subjects residing in the European Union, regardless of the company’s own origin or location.
How could the GDPR affect you?
Under the existing 2017 Global Amendment to Registry Agreements, ICANN requires that registries impose an obligation on registrars to obtain consent for the publication of personal data in WHOIS directories from individual domain name holders. However, according to Falque-Pierrotin, in order to be compliant with the GDPR, registries cannot require consent to the publication of private data as a precondition of receiving a domain name, as is currently the case.
Further, registrars must not claim that such publication is contractually mandated, as the registrants are not a party to these contracts. As it stands, were the GDPR to go into effect tomorrow, most registries and registrars would find themselves either out of compliance with the new law and subsequently on the hook for millions of euros in fees, or out of compliance with their ICANN registry agreement, which could result in a suspension of services.
As such, the affected parties have urged ICANN to amend its Registry Agreement so that they can remain compliant. ICANN has responded by suspending its contract compliance activities surrounding WHOIS, and by asking registries and registrars to submit working models for how they plan to become compliant with the GDPR. Domain name registrants do not need to take any action under the GDPR.
Individuals, major global brands, and others who are domain name registrants may face their own respective challenges with the regulation with regard to data management more generally — such as accessing WHOIS information for infringing domains — but as domain name registrants they will not be subject to enforcement actions.
What does this letter mean for ICANN?
The letter notes that the current ICANN WHOIS contractual requirements are already only questionably compliant with the existing European Data Protection Directive established in 1995 and that ICANN has been warned of this several times, beginning in 2003. Falque-Pierrotin then emphasizes that the intended purpose of the public WHOIS directories can be achieved via layered access to the personal information, such that law enforcement can still have access to all relevant data.
The outcome of the EU’s notification to ICANN is far from certain. WP29 reiterates that it is open to dialogue with ICANN in order to ensure a smooth transition, and the registries, registrars, and other affected parties will continue to lobby ICANN for faster adaptation.
Global brands, while not personally accountable to the new law, may take this opportunity to consult with their legal departments to communicate the latest developments in ICANN and to double check that they will not be negatively impacted when the GDPR comes into force on May 28, 2018.
The letter draws a hard line for ICANN: there will be no workaround to the GDPR. The registries and registrars must either be compliant by May 2018 or face the consequences, and ICANN must make certain that its own contractual WHOIS requirements of these companies remain legal under the new law.