ALAC: EPDP Phase 2 (SSAD) (R-3)

Date Issued:
Reference ID: AL-ALAC-ST-0821-01-01-EN (R-3)
Current Phase: Closed


Description:

Should regulations comparable to those related to domain name registration data in the NIS2 proposal be adopted by the European Union Council and Parliament, the ICANN Board should immediately consider initiating a targeted GNSO PDP to ensure that all ICANN registrars are subject to comparable rules. This will provide fairness within the registrar community and ensure that we do not end up with registrars outside of the EU being able to provide higher levels of anonymity to those registering domains in support of DNS abuse and other fraudulent or illegal activities. This last advice is not directly related to the SSAD, but the lack of an SSAD (or equivalent) implies that we need to maximize the amount of information legally published in the non-redacted RDDS. This is in line with ICANN’s original intent of “maintaining the existing WHOIS system to the greatest extent possible”.


STATUS UPDATES

Date | Phase | Type | Status Updates

 

Phase: Closed
Type: Phase Change
Status Update: This Advice item is now closed

 

Phase: Phase 2
Type: AP Feedback
Status Update: The ALAC notes that the advice to request a GNSO Issue Report was not for immediate action, but at a future date should specific things happen. The ALAC is aware of its ability to request an Issue Report and in fact has done so twice. The difference is that such a request does not provide certainty that a PDP will be initiated while a comparable Board request does provide such certainty. In light of the Board's noting its ongoing focus on NIS2 issues and the EPDP Phase 2A recommendation, the ALAC is prepared to withdraw this item of advice and re-issue it should the situation warrant it in the future. This withdrawal notwithstanding, the ALAC reminds the Board of the original ICANN intent to keep WHOIS/RDDS as open as possible while in compliance with GDPR, and that should it prove that factoring in NIS2, GDPR in fact allows more publication than we currently see in the RDDS, policy may well be needed to ensure that such openness is not restricted to contracted parties subject to NIS2.

 

Phase: Phase 2
Type: AP Feedback
Status Update: Understanding confirmed by ALAC. This Advice item will now be closed as there is no action for the ICANN Board.

 

Phase: Phase 2
Type: Board Understanding
Status Update: The Board understands that the ALAC is recommending that the Board request an Issue Report. The intention is to require all ICANN-accredited registrars to follow an ICANN policy containing requirements similar to the final NIS2 Directive, whatever its requirements are when NIS2 is finalized. The Board notes that the ALAC is also able to request an Issue Report. Like others in the community, the Board is looking at the potential implications of the proposed NIS2 Directive, which contains text implicating policies, procedures, and obligations relating to domain name registration data. Whether NIS2 will provide the required certainty for all actors involved (registrants, access seekers, and contracted parties) remains unclear; the proposed Directive is being negotiated in line with the EU ordinary legislative procedure. The Board will continue to follow the community’s work on these important issues and track legislative and regulatory developments on these topics. The Board also notes that the EPDP Phase 2A recommended that “Noting the current discussions and expected adoption of the Revised Directive on Security of Network and Information Systems (“NIS2”), the EPDP Team strongly encourages the GNSO Council to follow existing procedures to identify and scope possible future policy work following the adoption of NIS2 to assess whether or not further policy development is deemed desirable and/or necessary.”

 

Phase: Phase 2
Type: AP Feedback
Status Update:
(1) NIS2 is currently subject to ongoing discussions within the EU. The Directive eventually adopted by the EU will need to factor comments received as well as being the result of negotiations between the EU Parliament and Council. Without knowing the exact outcome of all of these processes, we cannot be more definitive. However, by “comparable” the ALAC means to say NIS2 regulations, as eventually adopted, that govern how domain name registration data is processed.
(2) Yes, that is exactly what the ALAC is recommending. It is expected that the implementation of the NIS2 Directive will provide much of what the GAC/SSAC/ALAC and certain GNSO Constituencies were trying to achieve with the EPDP. It is crucial that all contracted parties, not only those subject to EU regulation, meet these new standards. Without that they become havens for domains registered for fraudulent and/or abusive behaviour.
(3) The ALAC is not aware of any other laws/regulations where this is currently applicable. The ALAC notes that the EPDP has effectively already applied EU personal data privacy regulations across the entire ICANN contracted party ecosystem. As an example, GDPR has geographic limitations and its personal privacy regulations only apply to registrants in certain areas and registrars who explicitly target such registrants. The EPDP applied no such geographic limitation, treating all registrants world-wide under the same rules. To be clear, if in the future, the question arises as to whether some specific regionally applicable law/regulation should be incorporated into ICANN policy, that would have to be considered on a case-by-case basis.

 

Phase: Phase 2
Type: Phase Update
Status Update: Clarifying Questions sent to Advice Provider

 

Phase: Phase 2
Type: Clarifying Question
Status Update:
1) Can the ALAC please clarify the meaning of “regulations comparable to those related to registration data in the NIS2 proposal”? Does “comparable” mean identical to, or merely concerning the same subject matter as Article 23 of the proposed NIS2 Directive, as adopted by the European Commission?
2) Is the ALAC recommending that the ICANN Board consider initiating a PDP with the aim of requiring all ICANN-accredited registrars to follow an ICANN policy containing requirements that are similar to the final NIS2 directive, whatever its requirements are when NIS2 is finalized?
3) Is this advice, with respect to providing fairness across jurisdictions, limited to the proposed NIS2 Directive, or does the ALAC believe this principle applies with respect to any other laws, in Europe or elsewhere?

 

Phase: Phase 2
Type: Phase Change
Status Update: Now Phase 2

 

Phase: Phase 1
Type: Phase Update
Status Update: Acknowledgement sent to ALAC