- ICANN IPC president provides exclusive update from ICANN 62 on GDPR and WHOIS
- Concerns over development of a mandatory framework for access to WHOIS data
- Outlines next steps and likely “frenzied pace” to develop report and recommendations
The recent ICANN meeting in Panama saw the impact of European General Data Protection Regulation (GDPR) on WHOIS access, and the policing headache this has caused for rights holders, take centre stage. In this exclusive guest post, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, discusses the key takeaways for trademark owners.
The 62nd public meeting of ICANN took place in Panama City, Panama, from June 24 through 28 2018. ICANN 62 represented the first ICANN meeting held after the May 25 2018 effective date for fines under the GDPR. Accordingly, the impact of GDPR on the WHOIS system for accessing domain name registration data was at the forefront of this meeting. Access to non-public WHOIS data for brand protection purposes is critical, and over-compliance with GDPR has significantly disrupted such access. Below, we discuss the recent key takeaways from ICANN 62 with respect to the WHOIS system and outline the next steps for brand protection, post-GDPR.
The Temporary Specification and Expedited Policy Development Process
Mere weeks prior to the meeting, ICANN adopted a Temporary Specification for gTLD Registration Data aimed at continuing the WHOIS service, subject to substantial limitations in the absence of clear legal precedent or guidance for GDPR compliance for ICANN, registry operators, and registrars.
The passage of the Temporary Specification triggered the initiation of an expedited policy development process (EPDP) to create Consensus Policy on the subject matter of the Temporary Specification. During ICANN 62, substantial time was devoted to developing the terms of the EPDP charter, including the composition of the EPDP team and its scope.
There appeared to be general agreement that all of the content of the body of the Temporary Specification would be in scope for the EPDP, including the discussion of access reflected in Section 4 of the Temporary Specification. In particular, this section provides that “Registrar[s] and Registry Operator[s] MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder.” This provides a minimum basis for obtaining access to non-public data, but of course there are no minimum criteria by which individual registry operators or registrars must evaluate and respond to access requests.
Thus, although this section deals with access generally, it does not refer to a unified system of authenticated access – which it seems contracted parties still wish to remove from the EPDP scope and deal with in a separate (much slower) process. During ICANN 62, contracted parties confirmed their position that the material in the annex to the Temporary Specification does not constitute part of the Temporary Specification itself (and therefore would not be considered part of the mandatory EPDP scope). The annex includes text calling on the community to devise a unified framework for access to nonpublic WHOIS data. Thus, it is critical for many in the community, including the brand owner community, that access be considered as within the scope of the EPDP.
Ultimately, as a contractual matter, the community has until May 17 2019 to adopt a consensus policy to replace the content of the Temporary Specification (as the moniker “temporary” suggests, it can only remain in effect for one year from approval by the ICANN Board). More specifically, the EPDP is intended to conclude within twelve months, although there would likely be a gap between completion of the EPDP and the expiration of the Temporary Specification given the delay in launching the EPDP. It is also unclear whether the EPDP also encompasses an appropriate implementation period for any policy recommendations – meaning implementation could take additional time to complete, resulting in a post-Temporary Specification environment with no enforceable rules or requirements for the collection, retention, and display of WHOIS data (including access to any non-public data).
Obviously, this would be a major setback, particularly if the community is even able to reach agreement regarding a harmonised framework for access to non-public data.
Efforts to develop a unified model for access to non-public WHOIS data
In this vein, during ICANN 62 the community also discussed the recently-published ICANN proposal for a “Unified Access Model” for non-public WHOIS data. In the course of the meeting, the ICANN CEO presented three scenarios that would eventually define how the community can move forward with developing a model for access to non-public WHOIS.
The first scenario is that the European Data Protection Authorities give good legal guidance that allows ICANN and the community to build an access model based on legal certainty about legitimate purposes and parameters of access. The second scenario is that the same authorities say that a unified access model is not legally permitted, resulting in disparate, disjointed access mechanisms and procedures from each contracted party.
Finally, the authorities may say nothing, creating risk and legal uncertainty for the community, and thereby undermining ICANN’s ability to apply or enforce any uniform system of access, since any contracted party that believes such a mechanism would break the law cannot be forced to implement it. Given these uncertainties, the brand community remains concerned that it may be challenging to develop and implement a harmonized and mandatory framework for access to non-public WHOIS data. In any case, we support discussions regarding access to continue in the context of the EPDP which will commence shortly.
The Generic Names Supporting Organization (GNSO) Council, which is managing the EPDP, is currently in the process of finalising the EPDP team based on selections from the various ICANN community stakeholder groups and constituencies. It is also in the process of identifying a chair to lead the EPDP team – a role that will require extensive substantive knowledge regarding the GDPR and other privacy laws, WHOIS, and the many legitimate purposes for access to WHOIS data, including intellectual property and law enforcement, as well as experience with ICANN policy development processes and consensus building mechanisms. The final charter for the EPDP is likely to be adopted during the Council’s meeting on July 19 2018.
Once the EPDP commences, it will work at a frenzied pace, aiming to deliver an initial report by the time of the next in-person ICANN meeting in Barcelona, Spain that begins on October 20 2018. Our hope is that the report will not only cement requirements for registrars to collect all current WHOIS data fields, but will also develop a proposed access model, drawing from existing community and ICANN work, such as the Accreditation and Access Model primarily drafted by members of the ICANN Intellectual Property Constituency and Business Constituency.
The continued security and stability of the Internet may depend on the success of the EPDP, and the ability of the community to agree that continued processing and access to WHOIS data for legitimate purposes including consumer protection and intellectual property rights enforcement is vital for the overall continued health and safety of the online ecosystem.