• Article 29 Data Protection Working Party responds to ICANN’s request for guidance
  • Highlights a number of concerns over proposed model for GDPR compliance
  • Does not address enforcement moratorium request, increasing fears over WHOIS access

The Article 29 Data Protection Working Party (WP29) has written to ICANN to provide guidance on its proposed interim model for ensuring that the treatment of WHOIS data is compliant with the General Data Protection Regulation (GDPR). While welcoming ICANN’s efforts to date, it raised a number of concerns with the proposed approach and did not address the request for a moratorium on enforcement.

We recently featured a guest analysis from Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, which warned that the trademark community will “likely be subject to an indefinite blackout period” of WHOIS as a result of ICANN efforts to comply with the GDPR. While the community has weighed in on ICANN’s proposed interim model for compliance, one voice that has been missing has been that of European data protection authorities (DPAs). At the end of March, ICANN wrote to DPAs for feedback, stating: “Absent this specific guidance, the integrity of the global WHOIS system and the organisation's ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened.”

Last night, ICANN published a letter from the Article 29 Data Protection Working Party (WP29) providing some of the guidance it was seeking. While welcoming the decision of ICANN to propose an interim model which involves layered access, as well as an “accreditation program” for access to non-public WHOIS data, the WP29 raises a number of concerns with the proposal.

Article 5(1)b GDPR provides that personal data shall be “collected for specified, explicit and legitimate purposes”. In its opinion, the WP29 states that ICANN’s interim model does not achieve this (for example, noting that providing “legitimate access” to “accurate, reliable and uniform registration data”, for example, does not amount to a specified purpose). It therefore advises ICANN to revisit its current list of purposes (which currently include “supporting a framework to address issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection; and providing a framework to address appropriate law enforcement needs”).

Drilling down, the WP29 welcomes the move to significantly reduce the types of personal data that shall be made publicly available via WHOIS, as well as the possibility of a future “accreditation program” for access to non-public WHOIS data. However, it notes that “important details remain absent regarding the circumstances in which access will be provided, to what extent and under which conditions and safeguards”. It therefore stresses that ICANN has more work to do to develop “appropriate policies and procedures applicable to incidental and systematic requests for access to WHOIS data, in particular for access by law enforcement entities”.

In particular, it states that clarification is needed on “how access shall be limited in order to minimise risks of unauthorised access and use (eg, by enabling access on the basis of specific queries only as opposed to bulk transfers and/or other restrictions on searches or reverse directory services, including mechanisms to restrict access to fields to what is necessary to achieve the legitimate purpose in question)”.

Additionally, ICANN’s proposed interim model would require registrars to retain registration data for two years beyond the life of the domain name registration, although a 60-day period had previously been mooted. As such the WP29 queries the two-year timeframe, urging ICANN to re-evaluate this proposed retention period “and to explicitly justify and document why it is necessary to retain personal data for this period”.

In short, while the tone of the letter suggests that the layered approach receives a philosophical thumbs up, more detail is required and questions remain as to how – and whether – different parties (including intellectual property enforcers) will gain access to non-public data.

For its part, ICANN has accepted an invitation to meet with the WP29 Technology Subgroup in Brussels on 23 April for further discussions (the meeting taking place just a month before GDPR becomes enforceable). However, Göran Marby, ICANN president and CEO, expressed disappointment that the WP29 did not respond to ICANN’s request for a moratorium on enforcement of the law until a model is implemented: “Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”

The positive is that ICANN does seem determined to avoid a situation in which WHOIS becomes fragmented, but it warns: “Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented until the interim compliance model and the accreditation model are implemented.”

ICANN concludes that such a fragmented environment would hinder the ability of law enforcement to get important information, as well as “stymie trademark holders from protecting intellectual property”. For now, then, it will be a case of continuing dialogue with DPAs and the ICANN community. In the meantime, the prospect of WHOIS going dark for a period after May 25 remains very real.