AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

30 March 2018

Data Protection/Privacy Issues: ICANN-proposed Interim Model

ADOPTED

13Y, 0N, 0A

Alan Greenberg

Bastiaan Goslings

31 March 2018

02 April 2018

04 April 2018

07 April 2018

04 April 2018

ICANN Staff
gdpr@icann.org 

AL-ALAC-ST-0318-02-01-EN

Hide the information below, please click here 

Data Protection/Privacy Issues Update: More Details Published on ICANN-proposed Interim Model

As we prepare for discussions about the European Union's General Data Protection Regulation (GDPR) at ICANN61 next week in San Juan, today we are publishing [PDF, 923 KB] additional details on ICANN's Proposed Interim Model for compliance with the law and ICANN's contracts. We encourage you to review the document and are asking for your feedback.

This is a living document and builds on the summary we published [PDF, 727 KB] on 28 February 2018. It will be updated as our conversations with the community and data protection authorities (DPAs) progress, in particular with respect to competing community views on some elements. This proposal also delves further into each of the key elements of the Proposed Interim Model, community comments received on those elements, and the legal justifications underpinning the model. We hope this will help advance our conversation as we come to consensus on a single, unified interim model.

As I've previously mentioned, our goal is to identify the appropriate balance for a common path forward to ensure compliance with the GDPR while maintaining the existing WHOIS system to the greatest extent possible. With that in mind, the Proposed Interim Model maintains current requirements for the collection of registration data (including registrant, administrative, and technical contact information), but restricts most personal data to tiered/layered access via an accreditation program to be developed in consultation with the Governmental Advisory Committee (GAC), DPAs and contracted parties with full transparency to the ICANN community. Tiered/layered access is a key feature of the model and is a significant change to the current WHOISICANN org has engaged with its community members, including contracted parties, governments, including DPAs, law enforcement, intellectual property representatives, and civil society to address the GDPR's impact on ICANN's contracts, particularly as it relates to the collection, retention, and display of registration data in the WHOIS services.

In addition to the community discussions at ICANN61, I indicated in a blog on 7 March 2018 that we will share this detailed description of the Proposed Interim Model with the Article 29 Working Party. We plan to discuss it in greater detail with them later this month and into April when the Working Party holds its next plenary meeting, after which we hope to publish their feedback.

We welcome your feedback, as well as encourage you to continue dialogue with each other to arrive at consensus on a single, unified interim model. Please share your thoughts by emailing gdpr@icann.org or at the ICANN61 meeting in San Juan next week, where there are several sessions devoted to GDPR. We hope you can participate in the discussions either remotely or in person. And please check back on our Data Protection/Privacy Issues page for the latest updates on this important topic.


FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 


FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

Introduction

Following discussions over the last months, in an attempt to address the upcoming European Union’s General Data Protection Regulation’s impact on ICANN’s contracts and particularly on the collection, retention and display of registration data in the WHOIS services, ICANN published an ‘Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation’ on the 8th of March 2018[1]. The ALAC wishes to thank the ICANN CEO for the opportunity to reflect on the model proposed.

As stated in a blogpost from the CEO on the 21st of March:

‘This next stage is critical to determine what appears in the public WHOIS, including what is collected, escrowed and transferred from registrants to registrars and registries. There are open questions about several elements in the Proposed Interim Model and it's important we determine what are the best ways to answer those in a final model.’[2]

On the 26th of March ICANN sent a letter[3] to the European Data Protection Authorities (DPA’s) requesting specific guidance on the proposed Interim Compliance Model as it relates to the European Union's General Data Protection Regulation (GDPR). In the letter the DPAs are asked ‘to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.’

According to ICANN, absent this specific guidance, ‘the integrity of the global WHOIS system and the organization's ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened.’[4]

The proposed Interim Model

Many gTLD registries and registrars will doubt whether current ICANN policies and contracts requiring them to collect, create, retain, escrow, and publish a variety of data elements related to registry/registrar operations, domain name registrations, and registrants are complaint with the GDPR. Others believe that the rationales provided by ICANN, along with the intended uses are sufficient to justify collection of such elements, subject to limited publication, at least pending formal policy development. So the question is how to interpret and apply the new law to provide clear recommendations on how contracted parties operating in the EU can ensure compliance.

Layered/tiered access to WHOIS data

Notably, to comply with the GDPR the proposed Interim model requires a shift from the current requirement for gTLD registries and registrars to provide open, publicly available WHOIS services to an approach requiring a layered/tiered access model for WHOIS.

The ALAC agrees that the Interim Compliance Model’s tiered access approach accommodates the interests or fundamental rights and freedoms of the data subject reflected in the domain name registration by limiting public access to the entire Thick WHOIS data.

Accreditation program to facilitate access to non-public WHOIS data

Such layered/tiered access for WHOIS means that an accreditation program of some sort for access to partial and/or full WHOIS data needs to be developed. The model suggests that this is to be done ‘in consultation with the Governmental Advisory Committee, data protection authorities and contracted parties with full transparency to the ICANN community’[5]. Apart from the accreditation it also needs to be determined which elements of WHOIS data should only be available to which classes of accredited users.

The ALAC appreciates the suggestion that this intended endeavour be ‘fully transparent’, however it believes that the accreditation mechanism to be applied should be developed by the entire community, in a true multistakeholder fashion. Being ‘transparently’ informed afterwards is not the same as being part of the process and having the opportunity to engage and participate fully. The ALAC is also concerned with regard to the current lack of clarity when it comes to exactly what the layered/tiered model and the associated accreditation process will look like and consist of. The ALAC doubts whether the GAC should be given such a –seemingly- prominent role to establish (‘in consultation’) what the criteria for accreditation should be. Again, this should be a multistakeholder process. However, the ALAC notes that the timelines are very short, and we cannot afford to take years to do this.

A question to be addressed as part of a layered/tiered approach in the Interim Compliance Model is what data elements can continue to be published in the public layer of WHOIS. And who can then access non-public WHOIS data, and by what method? It seems be impractical and unreasonable to require third-parties with a clear legitimate interest to obtain a court order to be granted access to non-public WHOIS data on a case-by-case basis.

Under the proposed approach, which the ALAC agrees with, user groups with a legitimate interest and who are bound to abide by adequate measures of protection, for example law enforcement agencies and intellectual property lawyers, should be able to access non-public WHOIS data based on explicit pre-defined criteria and limitations under a formal accreditation program. This approach attempts to provide a method beyond legal due process to provide continued access to full Thick WHOIS data for legitimate purposes consistent with the GDPR. Those legitimately combatting cyber abuse including spam, phishing and malware distribution must similarly be given appropriate access, but the methodology for doing so, particularly in the short term is less clear and must urgently be addressed.

As stated, the ALAC is concerned however with regard to the development of the accreditation program, the number of remaining open decision items and the very short timeline before the GDPR is applicable.

The ALAC can only stress the importance of further engagement with EU data protection authorities to define and reach agreement on an accreditation approach that satisfies the requirements of the GDPR, which approach could include the certification of codes of conduct or participation in a data protection certification. As legal analysis and response to community comments indicates.[6]

The ALAC would like to see a reflection from the DPAs on which non-public WHOIS data should be accessible to accredited parties, whether there should be different levels of accreditation (levels of ‘layered/tiered access’, i.e. to different sets of WHOIS data) and, if so, what the associated criteria should be, and once a party is accredited how access to (a subset of) WHOIS data is provided and if that could be a form of ‘bulk’ access. 

The Interim Model in the eyes of the ALAC rather casually states that ‘should the accreditation program not be ready to be implemented at the same time as the layered access model, some commentators have suggested “self-certification” as an “interim” solution, however this would raise a number of questions that would need to be addressed to comply with the GDPR’.[7] The ALAC does not believe that self-certification is a practical solution, but also notes that an effective complete shutdown of WHOIS while an accreditation program is being created is not a desirable outcome. The ALAC would like to know from the European DPAs what their position is on this.  

Purposes of processing WHOIS data

As the Interim Model says, aside from a general requirement in the Registrar Accreditation Agreement about the use of WHOIS, there is no existing written policy articulating the purposes of WHOIS[8]. Generally, the GDPR principles relating to processing of personal data require that registrant personal data be processed lawfully and fairly, for a legitimate purpose, and that it be ‘adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.’[9]

Taking into account this purpose limitation, it is first necessary to determine the particular purposes for which the WHOIS system as a whole is intended to be used. ‘Such purposes should not be confused with the actual uses of the WHOIS system’, according to Interim Model[10]. The purposes described in the Interim Model, following community input as well as legal analysis, lead to the conclusion that all Thick WHOIS data should continue to be collected by Registrars when a domain name is registered and that this would be compliant with the GDPR.

‘It is necessary to determine if such purposes of the WHOIS system are compatible with the original purpose of collecting registrant personal data, which is performing the domain name registration under the agreement with the registrant, or whether such purposes will require a separate legal basis from the one that allowed the original collection of registrant data. While the legal basis for the processing for the original purpose is mainly “processing necessary for the performance of a contract”, the purposes of the WHOIS system relies on the legal basis of “processing necessary for the legitimate interests” of the controller(s) of the WHOIS system and third parties that request access to certain WHOIS data, such as law enforcement authorities.’[11]

The ALAC has not been able to reach consensus on whether the continued collection of the complete Thick WHOIS data set can be actually combined with being GDPR compliant. The ALAC therefore urges ICANN to learn what the European Data Protection Authorities think of this, as soon as possible, in response to the Interim Model proposed. If the continued collection of Thick WHOIS data is taken as a starting point, following the purpose description in the Interim Model, the ALAC believes this then should be considered as an interim solution, and there should be a proper analysis and complete Privacy Impact Assessment to determine which data fields are needed for specific legitimate purposes. This analysis should be part of the ongoing ‘Next-Generation gTLD Registration Directory Services to Replace WHOIS’ PDP.

Taking the continued collecting of Thick WHOIS data as a starting point though, and awaiting feedback from the European DPAs on this part of the proposed Interim Model, the ALAC agrees with the categories of data elements in the Interim Model that should (not) be made public, as described in section 7.2.8 of the Model.

The ALAC was not able to reach consensus on the proposed ‘anonymised email address or webform’ (‘Users without accreditation for full WHOIS access would maintain the ability to contact the registrant or administrative and technical contacts, either through an anonymized email, web form, or other technical and legal means’[12]). The ALAC understands the intention to not publish a registrant’s personal email-address, however views differ as to whether that intention is reasonable, implementable or effective. Some accept the requirement to anonymise addresses, but believe that the same address must be anonymised identically for all registrations within and across registrars, and the ability to recognize patterns in registration is essential to both fighting cyber abuse and to protecting against intellectual property violations. Others note that using an anonymous forwarder boils down to sending an e.g. error report ‘into a black hole’ which cannot be debugged and can effectively negate the benefit of publishing any email address. Furthermore any response from the person in question will most likely reveal her/his real email-address (on the other hand one could argue that the sharing by the respondent of this particular contact-detail is by consent).

Continued transfers of all Thick WHOIS data from registrars to registries

ICANN org’s current contracts and policies require registrars to transfer Thick registration data to the registry. This requirement for Thick data is intended to enhance accessibility and enhance stability by having the data at both the registrar and the registry. Additionally, having the full Thick WHOIS data at the registrar and registry allows for redundancy in the system to protect registrants. The GDPR expressly acknowledges processing of personal data “to the extent strictly necessary and proportionate for the purposes of ensuring network and information security” as a legitimate interest[1], which is an interest very similar to the interest in the accessibility and stability of the domain name system as the overarching reason for maintaining a Thick WHOIS system.[13]

The reasoning is seemingly sound, and the ALAC appreciates this legal analysis. However the ALAC was not able to reach consensus on whether the conclusion is indeed in compliance with what the GDPR requires. So this is another issue the ALAC hopes the European DPAs can provide clarity on as soon as possible.

Transfer of full Thick WHOIS data to escrow agents

The approach outlined in the Interim compliance proposal to continue to require registries and registrars to transfer full Thick registration data to data escrow agents for the purpose of protecting registrants in the event of registry or registrar failure or termination makes sense according to the ALAC, assuming full Thick WHOIS data continue to be transferred from registrars to registries as described above. This also fits ICANN’s role to oversee the security and stability of the Internet’s domain name system. In this context the ALAC thinks it is good to investigate whether a data escrow provider in Europe should be designated in order to reduce the risk faced by European registries and registrars escrowing data outside of Europe[14].

In the opinion of the ALAC there is a legitimate basis for the continued requirement for registries and registrars to transfer to data escrow agents full Thick WHOIS data. Because the purpose of processing this data is to protect registrants in the event of loss or unavailability of the registration data from the sponsoring registrar or registry, the full Thick WHOIS data set is necessary to be transferred to the data escrow provider to fulfil this purpose.  

Applying the Interim Model on a global basis?

The option to apply the model on a global basis would recognize that there are data protection regulations similar to the GDPR in other jurisdictions, which in itself suggests that registries and registrars need the flexibility to apply the changes globally. It may also be difficult in practice to apply the changes to collection and processing linked to the European Economic Area (EEA) only depending upon how an individual registry or registrar has set up its systems. In general terms applying the Model globally would ‘promote clarity, predictability and interoperability, which leads to supporting the public interest and the stability of the Domain Name System.[15]

The ALAC did not reach consensus on whether registrars and registries outside of the EE) should be allowed to extend the interim model to registrants outside of the EEA.

Distinction between legal and natural persons

It is not always easy to draw a clear line between personal data relating to natural or to legal persons, for example, in case of natural persons with such a close financial, personal or commercial entanglement with the legal person so that information about the legal person can be related to such natural persons. The registrations of legal persons may include personal data of natural persons, and it may also be difficult in practice to check millions of registration records and distinguish between registrations of legal and natural persons.

The ALAC did not reach consensus on whether the distinction between legal and natural persons should be mandated, and whether the model should in principle be applied to all domain name registration data contained in the WHOIS. There are those who believe that we should ensure that the maximum amount of data not covered by GDPR be available, and that the responsibility of not including personal data within legal person registration should be the responsibility of that legal person.


[1] https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf

[2] https://www.icann.org/news/blog/data-protection-privacy-issues-icann61-wrap-up-and-next-steps

[3] E.g. https://www.icann.org/en/system/files/correspondence/marby-to-wolfsen-26mar18-en.pdf

[4] https://www.icann.org/news/announcement-2018-03-28-en

[5] Interim Model, 7.1.1, page 34

[6] Interim Model, 5.6.12, page 29

[7] Interim Model, 7.2.9.3, page 39

[8] Interim Model, 5.3.1.1, page 7

[9] Artice 5(1)(c) GDPR

[10] Interim Model, 5.3.1.8, page 8

[11] Interim Model, 5.3.1.9, page 7

[12] Interim Model, 7.1.2, page 34

[13] Interim Model, 5.3.4.4, page 14

[14] Interim Model, 5.3.5.2 (community comment), page 15

[15] Interim Model, 5.4.1.2 (community comment), page 19


FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments begins.

Introduction

Following discussions over the last months, in an attempt to address the upcoming European Union’s General Data Protection Regulation’s impact on ICANN’s contracts and particularly on the collection, retention and display of registration data in the WHOIS services, ICANN published an ‘Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s General Data Protection Regulation’ on the 8th of March 2018[1]. The ALAC wishes to thank the ICANN CEO for the opportunity to reflect on the model proposed.

As stated in a blogpost from the CEO on the 21st of March:

‘This next stage is critical to determine what appears in the public WHOIS, including what is collected, escrowed and transferred from registrants to registrars and registries. There are open questions about several elements in the Proposed Interim Model and it's important we determine what are the best ways to answer those in a final model.’[2]

 

On the 26th of March ICANN sent a letter[3] to the European Data Protection Authorities (DPA’s) requesting specific guidance on the proposed Interim Compliance Model as it relates to the European Union's General Data Protection Regulation (GDPR). In the letter the DPA’s are asked ‘to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.’

According to ICANN, absent this specific guidance, ‘the integrity of the global WHOIS system and the organization's ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened.’[4]

The proposed Interim Model

Many gTLD registries and registrars will doubt whether current ICANN policies and contracts requiring them to collect, create, retain, escrow, and publish a variety of data elements related to registry/registrar operations, domain name registrations, and registrants are complaint with the GDPR. So the question is how to interpret and apply the new law to provide clear recommendations on how contracted parties operating in the EU can ensure compliance.

Layered/tiered access to WHOIS data

Notably, to comply with the GDPR the proposed Interim model requires a shift from the current requirement for gTLD registries and registrars to provide open, publicly available WHOIS services to an approach requiring a layered/tiered access model for WHOIS.

The ALAC agrees that the Interim Compliance Model’s tiered access approach accommodates the interests or fundamental rights and freedoms of the data subject reflected in the domain name registration by limiting public access to the entire Thick WHOIS data.

Accreditation program to facilitate access to non-public WHOIS data

Such layered/tiered access for WHOIS means that an accreditation program of some sort for access to full WHOIS data needs to be developed. The model suggests that this is to be done ‘in consultation with the Governmental Advisory Committee, data protection authorities and contracted parties with full transparency to the ICANN community’[5]. Apart from the accreditation it also needs to be determined which elements of WHOIS data should only be available to accredited users.

The ALAC appreciates the suggestion that this intended endeavour be ‘fully transparent’, however it believes that the accreditation mechanism to be applied should be developed by the entire community, in a true multistakeholder fashion. Being ‘transparently’ informed afterwards is not the same as being part of the process and having the opportunity to engage and participate fully. The ALAC is also concerned with regard to the current lack of clarity when it comes to exactly what the layered/tiered model and the associated accreditation process will look like and consist of. Timelines are very short. The ALAC doubts whether the GAC should be given such a –seemingly- prominent role to establish (‘in consultation’) what the criteria for accreditation should be. Again, this should be a multistakeholder process.

A question to be addressed as part of a layered/tiered approach in the Interim Compliance Model is what data elements can continue to be published in the public layer of WHOIS. And who can then access non- public WHOIS data, and by what method? It seems be unpractical and unreasonable to require third-parties with a cear legitimate interest to obtain a court order to be granted access to non-public WHOIS data on a case-by-case basis.

Under the proposed approach, which the ALAC agrees with, user groups with a legitimate interest and who are bound to abide by adequate measures of protection, for example law enforcement agencies and intellectual property lawyers, should be able to access non-public WHOIS data based on explicit pre-defined criteria and limitations under a formal accreditation program. This approach attempts to provide a method beyond legal due process to provide continued access to full Thick WHOIS data for legitimate purposes consistent with the GDPR. 


As stated, the ALAC is concerned however with regard to the development of the accreditation program, the number of remaining open decision items and the very short timeline before the GDPR is applicable.

The ALAC can only stress the importance of further engagement with EU data protection authorities to define and reach agreement on an accreditation approach that satisfies the requirements of the GDPR, which approach could include the certification of codes of conduct or participation in a data protection certification. As legal analysis and response to community comments indicates.[6]

The ALAC would like to see a reflection from the DPA’s on which non-public WHOIS data should be accessible to accredited parties, whether there should be different levels of accreditation (levels of ‘layered/tiered access’, i.e. to different sets of WHOIS data) and, if so, what the associated criteria should be, and once a party is accredited how access to (a subset of) WHOIS data is provided and if that could be a form of ‘bulk’ access. 

The Interim Model in the yes of the ALAC rather casually states that ‘should the accreditation program not be ready to be implemented at the same time as the layered access model, some commentators have suggested “self-certification” as an “interim” solution, however this would raise a number of questions that would need to be addressed to comply with the GDPR’.[7] The ALAC would like to know from the European DPA’s what their position is on this.

Purposes of processing WHOIS data

As the Interim Model says, aside from a general requirement in the Registrar Accreditation Agreement about the use of WHOIS, there is no existing written policy articulating the purposes of WHOIS[8]. Generally, the GDPR principles relating to processing of personal data require that registrant personal data be processed lawfully and fairly, for a legitimate purpose, and that it be ‘adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.’[9]

Taking into account this purpose limitation, it is first necessary to determine the particular purposes for which the WHOIS system as a whole is intended to be used. ‘Such purposes should not be confused with the actual uses of the WHOIS system’, according to Interim Model[10]. The purposes described in the Interim Model, following community input as well as legal analysis, lead to the conclusion that all Thick WHOIS data should continue to be collected by Registrars when a domain name is registered and that this would be compliant with the GDPR.

‘It is necessary to determine if such purposes of the WHOIS system are compatible with the original purpose of collecting registrant personal data, which is performing the domain name registration under the agreement with the registrant, or whether such purposes will require a separate legal basis from the one that allowed the original collection of registrant data. While the legal basis for the processing for the original purpose is mainly “processing necessary for the performance of a contract”, the purposes of the WHOIS system relies on the legal basis of “processing necessary for the legitimate interests” of the controller(s) of the WHOIS system and third parties that request access to certain WHOIS data, such as law enforcement authorities.’[11]

The ALAC has not been able to reach consensus on whether the continued collection of the complete Thick WHOIS data set can be actually combined with being GDPR compliant. The ALAC therefore urges ICANN to learn what the European Data Protection Authorities think of this, as soon as possible, in response to the Interim Model proposed. If the continued collection of Thick WHOIS data is taken as a starting point, following the purpose description in the Interim Model, the ALAC believes this then should be considered as an interim solution, and there should be a proper analysis and complete Privacy Impact Assessment to determine which data fields are needed for specific legitimate purposes. This analysis should be part of the ongoing ‘Next-Generation gTLD Registration Directory Services to Replace WHOIS’ PDP.

Taking the continued collecting of Thick WHOIS data as a starting point though, and awaiting feedback from the European DPA’s on this part of the proposed Interim Model, the ALAC agrees with the categories of data elements in the Interim Model that should (not) be made public, as described in section 7.2.8 of the Model.

The ALAC was not able to reach consensus on the proposed ‘anonymised email address or webform’ (‘Users without accreditation for full WHOIS access would maintain the ability to contact the registrant or administrative and technical contacts, either through an anonymized email, web form, or other technical and legal means’[12]). The ALAC agrees with the intention to not publish a registrant’s personal email-address, however it notes that using an anonymous forwarder boils down to sending an e.g. error report ‘into a black hole’ which cannot be debugged. Furthermore any response from the person in question will most likely reveal her/his real email-address. On the other hand one could argue that the sharing by the respondent of this particular contact-detail is by consent.

Continued transfers of all Thick WHOIS data from registrars to registries

ICANN org’s current contracts and policies require registrars to transfer Thick registration data to the registry. This requirement for Thick data is intended to enhance accessibility and enhance stability by having the data at both the registrar and the registry. Additionally, having the full Thick WHOIS data at the registrar and registry allows for redundancy in the system to protect registrants. The GDPR expressly acknowledges processing of personal data “to the extent strictly necessary and proportionate for the purposes of ensuring network and information security” as a legitimate interest[1], which is an interest very similar to the interest in the accessibility and stability of the domain name system as the overarching reason for maintaining a Thick WHOIS system.[13]

The reasoning is seemingly sound, and the ALAC appreciates this legal analysis. However the ALAC was not able to reach consensus on whether the conclusion is indeed in compliance with what the GDPR requires. So this is another issue the ALAC hopes the European DPA’s can provide clarity on as soon as possible.

Transfer of full Thick WHOIS data to escrow agents

The approach outlined in the Interim compliance proposal to continue to require registries and registrars to transfer full Thick registration data to data escrow agents for the purpose of protecting registrants in the event of registry or registrar failure or termination makes sense according to the ALAC, assuming full Thick WHOIS data continue to be transferred from registrars to registries as described above. This also fits ICANN’s role to oversee the security and stability of the Internet’s domain name system. In this context the ALAC thinks it is good to investigate whether a data escrow provider in Europe should be designated in order to reduce the risk faced by European registries and registrars escrowing data outside of Europe[14].

In the opinion of the ALAC there is a legitimate basis for the continued requirement for registries and registrars to transfer to data escrow agents full Thick WHOIS data. Because the purpose of processing this data is to protect registrants in the event of loss or unavailability of the registration data from the sponsoring registrar or registry, the full Thick WHOIS data set is necessary to be transferred to the data escrow provider to fulfil this purpose.  

Applying the Interim Model on a global basis?

The option to apply the model on a global basis would recognize that there are data protection regulations similar to the GDPR in other jurisdictions, which in itself suggests that registries and registrars need the flexibility to apply the changes globally. It may also be difficult in practice to apply the changes to collection and processing linked to the European Economic Area only depending upon how an individual registry or registrar has set up its systems. In general terms applying the Model globally would ‘promote clarity, predictability and interoperability, which leads to supporting the public interest and the stability of the Domain Name System.[15]

Distinction between legal and natural persons

It is not always easy to draw a clear line between personal data relating to natural or to legal persons, for example, in case of natural persons with such a close financial, personal or commercial entanglement with the legal person so that information about the legal person can be related to such natural persons. The registrations of legal persons may include personal data of natural persons, and it may also be difficult in practice to check millions of registration records and distinguish between registrations of legal and natural persons.

The ALAC does not think that the distinction between legal and natural persons should be mandated, and the model should in principle be applied to all domain name registration data contained in the WHOIS.


[1] https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf

[2] https://www.icann.org/news/blog/data-protection-privacy-issues-icann61-wrap-up-and-next-steps

[3] E.g. https://www.icann.org/en/system/files/correspondence/marby-to-wolfsen-26mar18-en.pdf

[4] https://www.icann.org/news/announcement-2018-03-28-en

[5] Interim Model, 7.1.1, page 34

[6] Interim Model, 5.6.12, page 29

[7] Interim Model, 7.2.9.3, page 39

[8] Interim Model, 5.3.1.1, page 7

[9] Artice 5(1)(c) GDPR

[10] Interim Model, 5.3.1.8, page 8

[11] Interim Model, 5.3.1.9, page 7

[12] Interim Model, 7.1.2, page 34

[13] Interim Model, 5.3.4.4, page 14

[14] Interim Model, 5.3.5.2 (community comment), page 15

[15] Interim Model, 5.4.1.2 (community comment), page 19

16 Comments

  1. Krishna Seeburn

    Is ICANN at least following the PII of the US government that's been in place for a while. The interim model is there and i understand there is an interest to look at the ICO model in a later stage. How much time will ICANN take to implement even the slightest of that interim model proposed? 

    There is need for compliance, accountability etc., which is needed has the board considered those properly in a time line that would not put icann org in trouble? 

  2. Lutz Donnerhacke

    The GDRP issue is not new. I already made a proposal which was rejected. So let me summarize it again:

    • Acknowledge the fact, that legal systems do differ in different parts of the world.
    • Accept the fact, that legal systems evolve (rather quickly), so any solution may be invalidated at any unforeseen time.
    • Therefore: Do not collect or store data at points where the data was not generated. This solves the problem of transferring personal data from one jurisdiction to another.
    • Try to find out, which use cases are really existent. Which data should be available and for whom. Be honest.
    • Whois does offer a redirection scheme: A whois server can respond with partial information and point to a different server to get more information.
    • Favor an ultra thin whois:
      • Every response contains only the information about the contract local to the queried server.
      • Start always at whois.iana.org (which is already implementing such a thin whois there).
      • Do not stop at the registry level. The registry should respond with the contract details and a referral to the accredited registrar, who was registering the object.
      • Include registrar level whois into the Registrar Accreditation Agreement. Allow subdelegation to resellers for whois data. In the case of subdelegation, the whois response at registrar level should contain the reselling contract details and the referal to the reseller-whois.
      • If the reseller or the registrar is unable to run the whois service according to the ICANN enforced Service Level Agreements, they have to use the upper level whois and clear all the legal issues themselves.
    • Now back to the Law Enforcement Agencies and their private operated surroundings: They have to follow the whois referral tree down to the registrar/reseller whois. It's likely, that they will not have access to the data, they want, if they are querying from a foreign country. So they do have to use the legal ways to ask the LEA in the destination country. In order to ease this process, all contract based referal data should not be hidden. This might be part of the contracts. End customer data should be handled according to the local law.


    BTW: This solves all those problems with the (new) European Law (as well as the existing laws, i.e. in Germany).

    1. Krishna Seeburn

      Totally in favour of that.  But i don't think ICANN org is ready at this stage for GDPR. I appreciate the interim model but at the end if they get it right and the a part of the community has been appealing for good sense for years. I hope we cross that bridge.

      ++1

  3. Holly Raiche

    I largely support this latest version of the Interim Model, noting the following:

    While this is called an ‘Interim Model’, a ‘final’ version will require the completion of the PDP on Registration Directors Services (RDS) and consequent changes to the RAA and Registry-ICANN contracts – potentially years away.  Therefore, this Model should be as close as possible to requirements not only of the GDPR but other similarly structured privacy regimes in many other jurisdictions throughout the globe.

    This Model identifies five areas where there are still competing views, and where the ALAC should provide input, as follows:

    1. 1.     whether or not registrars must continue to collect the contact details for administrative and technical contacts and transmit them to the registry and escrow provider;

    The Model – in my view – appropriately – says that the purpose limitation of the GDPR is a foundational principle that must be addressed in this Model.  The Model (in Clauses 7.2.1-7.2.5) does address the many purposes for which the data (including personal data) is collected, retained and transmitted to the registry and escrow provider, and I support the collection of the Model’s conclusions on both the need to collect “Thick WHOIS” data, for its retention and for its distribution to registry and escrow providers.

    1. 2.     whether or not anonymized email addresses should be substituted for the email addresses for registrant, administrative, and technical contacts in public WHOIS;

    As the Model notes, publication of WHOIS data that contains all personal data is not ‘appropriately minimized’ in line with the purposes for data collection since the purposes ‘can be satisfied with less personal data’ made available (Clause 5.5.15) I agree, therefore, with the use of proposed anonymization of publically available email addresses for the registrant.

    1. 3.     whether or not registries and registries should be permitted to optionally apply the model on a global basis;

    The Model’s recommendation is that the Model apply to the collection and processing linked to the European Economic Area, with application of the Model beyond that area as optional. I would ague, as set out in the paper, applying the Model globally would ‘promote clarity, predictability and interoperability’ of the management data.  Further, it could be technically and administratively difficulty to administer two systems of management of registration data.  It would also recognise that data protection provisions, very similar to those in the GDPR exist in other jurisdictions including Canada, South American and much of the Asia Pacific region.  From an end-user perspective, providing different levels of data protection disadvantages Internet Users outside of the European Economic Area.

    1. 4.     whether or not the model should apply to contact details supplied by registrants who are legal persons; 

    I agree with the Model’s conclusion that the Model will apply to all domain name registration data that is contained in WHOIS  - including data about both natural and legal persons.  As is argued, registration data of legal persons can contain personal data of natural persons – covered by the GDPR protections.  Further, it is noted it may not be easily manageable to differentiate in the administration of data between the two. (Clause 5.4.2.3-5.4.2.6)

    1. 5.     which elements of WHOIS data should be published in public WHOIS while an accreditation program for layered/tiered access is being developed.

    Given the extensive (if foreshortened) consultation with the Community, legal and subject matter experts,  and data protection authorities, it makes sense to follow the suggested ‘Minimum WHOIS Output Fields (Attachment 3) on what information in the WHOIS data fields is displayed, and what is not displayed.

    The Model also poses two very important issues for end users: who can access non-public WHOIS data, and how the Model will be enforced.

    What the Model suggests is that non-public data can only be accessed by a defined set of third party requestors approved under a formal accreditation process., with pre-defined criteria and limitations.  There is further suggestion that there could   be a ‘Code of Conduct’ for access.  Further access could be provided as long as the access complies with GDPR or other relevant legislation. (Clause 7.2.9)  And that the suggestion is that these processes would be worked out between GAC and relevant EU data protection authorities.

    This raises very serious questions for the At-Large Community:

    • How is this ‘formal accreditation process’ developed? Specifically, what communities in ICANN will be involved – including the At Large Community
    • What role, if any, will ALAC play in an accreditation process
    • Will there be blanket access for those accredited, or different levels of access, depending on the requestor
    • If registrars/registries are permitted to provide access to other data (as suggested above) who will determine whether that access complies with the relevant data protection law.

    The other issue is how ICANN will implement compliance with the Model.  The paper suggests it will be through amendments to existing arrangements with registries and registrars. (Clause 7.2.11)  While contractual negotiations are generally conducted privately, with the importance of the issues raised, will there be any opportunity for input by the other ICANN stakeholders?

    1. Alan Greenberg

      Holly, thank you for taking a stab at the issues that we need to address. Although I personally do not agree with some of your 'answers', it is a good start at the list of questions.

  4. Lutz Donnerhacke

    Holly, you are missing the point. It's not a question any more if the Interim Model is acceptable for us or not.

    The real question is, if the whole system conforms to the laws or not. And - sorry - it fails to comply the laws since years.

    The Interim Model does not even touch the relevant parts:

    • It still proposes to collect data without explicit use cases (reasons to collect).
    • It still insists in transferring data from one legislation area to another (which is prohibited).
    • It still hides the amount of data collected by introducing artificially access layers to the data.
    • It still obstructs the use cases, which historically caused the creation of the Whois itself, by anonymising the necessary data.
    • It still extends the workload for the involved parties, by insisting on correcting data in remote copies not maintained by the data holder itself.
    • It still fails to provide solid data for the law enforcement agencies, because it still hides the reseller chain in favor of accepting faked data from the criminal subject itself.
    • It still fails to protect the customer from the misbehaving law enforcement agency especially their commercially operated surroundings.

    So in summary, it's not acceptable at all.


    1. Alan Greenberg

      I am afraid that I agree with Holly.

      Whether the model is in conformity with the law remains to be seen. If it is not, it will need to be adjusted.

      But that is not the subject of THIS discussion.

  5. Alan Greenberg

    To build on Holly's list of issues for the ALAC to weigh in on, here is my summary.

    The ALAC and At-Large are divided on whether the proposed Interim Model meets the requirements of the GDPR and specifically whether the rationals for collecting various data items are specified in sufficient detail and are sufficiently compelling.There are also differing views on whether the transport of data to Registries in compliance with "thick whois" rules is GDPR compliant.In the absence of concerns over privacy, ICANN has previously determined that the thick WHOIS model is the one that should be used and we should not re-litigate that here. We have similarly decided that single points of failure must be avoided and all data must be escrowed in case of any of multiple forms of failure. All data items have proven useful in the past (that was the result of ICANN's earlier work). Whether it can be justified in the current situation is the question.

    All of these issues will need to be judged by DPAs and to the extent that they make clear statements, we will have to abide by them.

    The ALAC has the responsibility to look at all issues from and end-user perspective. We also have concerns for registrant issues, but where they differ we support users.

    1. I'll start with Holly's issues, and like here will give my personal opinions.

    1.     whether or not registrars must continue to collect the contact details for administrative and technical contacts and transmit them to the registry and escrow provider;

    It is not clear that the current list of contacts is the correct one, but pending the outcom of a PDP, the current ones will suffice and I see no reason to restrict their use.

    2.     whether or not anonymized email addresses should be substituted for the email addresses for registrant, administrative, and technical contacts in public WHOIS;

    I am fine with anonymized addresses, but only if the same real address translates to the same anonymized address if all cases (within and across registrars). That grouping of registrations has proven critical to cyber abuse investigators and must not be lost.

    In addition to cyber abuse issues, the UDRP and URS rely on tha ability to recognize prior patterns (ie someone who has regularly tried to masquerade as a particular target).

    Moreover, I believe that the real addresses must be available to law-enforcement.

    3.     whether or not registries and registries should be permitted to optionally apply the model on a global basis;

    Applying the model across all jurisdictions adds a level of simplicity. But only if GDPR were the only privacy law in the world. There are and will be differences, potentially including the requirement to publish certain classes of data (comparable to how the EU requires that commercial web site include information about who the owner is). So any implementation WILL be table-driven and conform to multiple rules. Access to WHOIS data is critical to fighting cyber abuse and we should not cripple it without due cause.

    4.     whether or not the model should apply to contact details supplied by registrants who are legal persons; 

    Again, I feel we should restrict access only where needed due to law. It is correct that that the data of a legal person may include personal imformation, but it is the responsibility of that legal person to comply, not ICANN or contracted parties.

    5.     which elements of WHOIS data should be published in public WHOIS while an accreditation program for layered/tiered access is being developed.

    I don't believe that self-accreditation will work. But I also fear a complete blockout of WHOIS while we built a proper accreditation system. ICANN's suggestion that this could be done on a registrar by registrar and registry by registry basis is, in my mind, not workable.

    UDRP and the transfer policy rely on access to data which will not be public.

    This issue is a strong argument why ICANN and its contracted parties should have a waiver to not comply while the program is bring developed (with a strict time limit).

    Other questions that ALAC needs to weight in on.

    6.    How many levels should the "tiered" access mechanism support.

    The interim model implies just 1. Public data, and everything. I believe that we must have a far more granularity.to be able to specify exactly which elements various groups can get to.

    7.   Bulk access

    I believe that this must be allowed for specialized uses many abuse control methodologies depend on it, including the reputation services which all user browsers depend on.

    .  

  6. Lutz Donnerhacke

    Anonymous addresses, which are only forwarders, cause problems for the (original) use case of Whois: Fixing errors in DNS and reachability.

    In short: We have a problem with a zone, so I want to reach for the zone-c. I do not care, if it's a role address or a personal one, but I can digg deeper into this address, if I have also problems sending email to this address. Using an anonymous forwarder will allow me to send the error report into a black hole, which I can't debug.

    OTOH: Any response from the person in question will reveal the real address in almost all cases. So the "anonymity" is only a one shot protection.

    In general I oppose any "thick whois" proposal. It is illegal.

  7. Seun Ojedeji

    I appreciate the balanced view reflected in the final draft. Thanks

  8. Sebastien Bachollet

    My comments following the last version of the ALAC comments regarding GDPR:

    with a cear legitimate interest ==> with a clear legitimate interest (L is missing in clear)

    I am not sure that we answered the question
    "A question to be addressed as part of a layered/tiered approach in the Interim Compliance Model is what data elements can continue to be published in the public layer of WHOIS."

    How can we imagine than 2 months before implementation European DPAs will take a decision (in giving an advice) that ICANN was (and is) not able to take on time?

    Legal persons are not concern by the GDPR. Data from all the legal person must be accessible publicly.

    SeB

    1. Alan Greenberg

      Where did you see "cear"? It is in the First Draft, but was fixed in the Draft for Vote.

      True. We did not address that question. Probably too late now unless someone wants to take a stab at it quickly.

      "Legal persons are not concern by the GDPR. Data from all the legal person must be accessible publicly."

      I happen to agree, but not all do. The last version said we could not reach consensus on this.



      1. Sebastien Bachollet

        Yes it is fixed

        OK

        OK

        Thanks

        SeB

  9. Carlton Samuels

    I read the entire thread and the arguments in the EWG are reprised! The more things change, the more they remain the same....

    Lutz's comments might cause heartburn but if you look at what ICANN is asking the DPAs - and what is sought in relief - it seems to me that there is a real possibility of a rejection without comment.

    Carlton

  10. Holly Raiche

    I have to ask why Lutz is asserting that ANY Thick WHois proposal is illegal.  Purpose is indeed something that needs clarification, but first please realise we are not talking about the purpose of collection for just registrars.  We are talking about the collection of data in accordance with ICANN's purposes - since the collection of data is in accordance with the registrars' contracts with ICANN.  And that purpose is broader.  It is not just about collection for contact by registrars; it is about the need for data in cases of dispute, or when a name is somehow abused/lost whatever and the data needs to be held by ICANN - and then the name reurned/reallocated. The RDS WG went through in great detail on why the data is collected on behalf of ICANN.  So I am not as uncomfortable with the Thick Whois data being collected.  The actual access to that data is, for me, the real issue, and in the case of the Model, where I have reservations - which is why I have made comments on the accreditation and access issues.  Indeed, if the DPAs are concerned, my suggestion is that it will have more to do with access and accreditation.

  11. Carlton Samuels


    Not sure how the circle will be squared.

    What we know is the DPAs have,  for years been telling ICANN that the WHOIS framework is contrary to law on several grounds. For years they were, well, let's say politely ignored. 

    The proposed Interim Model addresses some bases for the condemnation. The tricky one that I see still sticking out is the DPA's assertion that registrants are coerced into agreeing to the demand to collect and publish PIIs in order to acquire a domain name, in their view an illegal act under EU law. 

    So what will any self-respecting DPA do now? Hmmmmmm...

    -Carlton