
Businesses and Intellectual Property Owners Discuss GDPR and WHOIS Issues With ICANN and Community

On January 24, 2018, ICANN’s Business Constituency (BC) and Intellectual Property Constituency (IPC) co-hosted an event to discuss the EU’s General Data Protection Regulation (GDPR) and its implications for access to the WHOIS database. ICANN’s CEO and General Counsel joined the discussion, as did stakeholders from across the ICANN community. The event was timely and well attended, with over 200 participants attending in person or virtually. ICANN is seeking community input on a proposed interim GDPR compliance model by Monday, January 29, 2018. Although a number of stakeholders have called on ICANN to extend its impending comment deadline, it has yet to do so. ICANN did agree to delay its own decision-making deadline from January 31 until sometime in mid-February. Given the fast-moving deadlines, it will be important for all stakeholders to understand the proposed models.

Background

As we have written about elsewhere, the GDPR has a significant potential to impact the ability of law enforcement, cybersecurity professionals, consumer protection agencies, IP rights holders, businesses, and individual consumers to access accurate and reliable WHOIS data. These parties need quick and reliable WHOIS data access to investigate and stop crimes, online frauds, cybersecurity attacks, and infringement; to gain accurate and timely information about the real parties behind a particular website; and to ensure a stable, trustworthy, and resilient Internet. The GDPR is a broad regulation designed to protect the personally identifiable information of individuals in the EU by limiting the collection and use of such data to the minimum needed to achieve specific legitimate purposes. It is only belatedly that Internet stakeholders have begun to grapple with its implications for WHOIS. There is substantial disagreement within the ICANN community about how to achieve the appropriate balance between domain name registrants’ privacy rights and the legitimate interests of the many users who rely on, and have a legitimate need to access, WHOIS data. ICANN is currently seeking input on which interim model to implement ahead of the May 25, 2018, effective date of GDPR. The ICANN organization has published three models, and to date, the ICANN community has developed five models proposing different ways to comply with the GDPR.

Key Takeaways from the GDPR Event

1. Users’ Access to WHOIS is Already Changing

Already, the WHOIS landscape is beginning to change as registrars unilaterally implement their own changes to how they provide WHOIS service in order to comply with GDPR. For example, many third parties rely on “bulk access” to WHOIS (also known as “Port 43” access) to investigate crimes, online abuses and frauds. Law enforcement or consumer protection agencies, for instance, are often able to conduct what are known as reverse WHOIS lookups. These bulk searches enable parties to connect the dots by analyzing patterns across the WHOIS data to shut down phishing attacks, fraudulent schemes, and other serious crimes. GoDaddy, the world’s largest registrar and one of the key providers of bulk access to WHOIS, has unilaterally decided to redact information in these kinds of searches and limit their availability to certain white-listed parties. If registrars and registries continue to cut off bulk access, users will no longer be able to perform reverse domain name registration lookups or access historical WHOIS data.

2. ICANN’s Reliance on the Legal Analysis By the Hamilton Law Firm Is Not Sacrosanct

ICANN commissioned three public legal memos from the Swedish Hamilton law firm, which have served as basic guidance to ICANN and the community on GDPR compliance issues. Hamilton’s advice has also served as the foundation for ICANN’s three proposed GDPR compliance models. Many have raised questions and concerns about possible errors and omissions in these memos. For example, with respect to the scope of the GDPR, Hamilton makes the incorrect assumption that any entity that may be located in the European Union is covered by the GDPR. In fact, many other legal opinions point out that the GDPR applies only to European data subjects and processing that physically occurs within the EU. In addition, Hamilton suggests that all registrants should be treated the same, whether they are natural persons or legal persons (e.g., a corporation or other legal entity). Only natural persons are covered by the GDPR. Although the GDPR recognizes that obtaining consent from data subjects is a legitimate way to process data, Hamilton concluded that consent is not a viable legal basis for processing personal data. In fact, there are many examples of publishing an individual’s data based on consent. As a result of these flawed basic assumptions, many in the community fear that ICANN and contracted parties may move to over-comply with the requirements of GDPR, to the detriment of those who rely on access to WHOIS data. ICANN itself acknowledged during the discussion that it disagreed with certain elements of Hamilton’s analysis, and deviated from it in several ways in developing its three compliance models. Clearly, the Hamilton analysis should not be treated as sacrosanct, and the community should seek additional legal analysis from a broader array of eminent experts in European privacy law.

3. Procedural Concerns

Many at the meeting raised process concerns about the manner in which ICANN is handling the GDPR issues. ICANN recently stated that it “will continue to refine the potential models based on feedback.” It is not clear why ICANN has not implemented its usual public comment process, which includes forty days to comment, with a detailed background and rationale for ICANN’s next steps in response to community input. ICANN also announced that it “will settle on a single model [and] publish next steps.” In response, participants at the event expressed strong concerns that ICANN’s process for handling this matter is a top-down decision rather than the usual bottom-up decision-making process. Although ICANN recently stated that its interim model “will not replace multi-stakeholder policy development and implementation activities that are underway,” these processes could take years to complete, and there is a real risk that whichever “interim” model ICANN implements will become the de facto permanent solution for years to come, regardless of multi-stakeholder input or needs.

The impending January 29, 2018, deadline leaves very little room for stakeholders to provide meaningful input to ICANN to craft an appropriate compliance model.

4. Reviewing the Compliance Models

Ultimately, ICANN must choose a single interim compliance model, and it will be important that such model provide as much access to WHOIS data as possible. Having each registrar and registry comply with WHOIS under multiple compliance models would create unpredictability and harm consumers and all others who rely on ready access to WHOIS data. And as ICANN’s CEO noted during the discussion, at the end of the day, “only European courts can say” whether a particular WHOIS model will be compliant.

The five different community-developed compliance models vary widely. Some models propose that all current data in WHOIS continue to be collected by registrars but vary in terms of what would be public versus non-public (e.g., the Coalition for Online Accountability model, the AppDetex model, the iThreat model, and the ICANN redaction model), while others aim to significantly limit what data is collected by registrars in the first place (e.g., the eco model).

It is a positive sign that ICANN confirmed that it is not set on its own three models, but is open to considering a hybrid model, which might take elements from the community models. This makes sense, as certain community models provide some excellent suggestions including how WHOIS users can use self-certification or reasonable accreditation approaches to access the data quickly and easily.

Next Steps

The IPC, BC, and other stakeholders have asked ICANN to extend the comment submission deadline to allow them more time to analyze and comment on the different models. ICANN has not yet agreed to this extension but announced it would give itself more time to pick a model. Originally, it would have announced its decision only two days after receiving community input. This issue is important enough to take the time to get right. The BC and IPC will continue to work to educate and seek input from affected stakeholders. All affected parties must engage and weigh in by the deadline.

By Brian Winterfeldt, Founder and Principal at Winterfeldt IP Group
