|
The European Commission recently released technical input on ICANN’s proposed GDPR-compliant WHOIS models that underscores the GDPR’s “Accuracy” principle—making clear that reasonable steps should be taken to ensure the accuracy of any personal data obtained for WHOIS databases and that ICANN should be sure to incorporate this requirement in whatever model it adopts. Contracted parties concerned with GDPR compliance should take note.
According to Article 5 of the regulation, personal data shall be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.” This standard is critical for maintaining properly functioning WHOIS databases and would be a significant improvement over today’s insufficient standard of WHOIS accuracy. Indeed, European Union-based country code TLDs require rigorous validation and verification, much more in line with GDPR requirements—a standard to strive for.
The stage is set for an upgrade to WHOIS accuracy: ICANN’s current approach to WHOIS accuracy simply does not comply with GDPR. Any model selected by ICANN to comply with GDPR must be accompanied by new processes to validate and verify the contact information contained in the WHOIS database. Unfortunately, the current Registrar Accreditation Agreement, which includes detailed provisions requiring registrars to validate and verify registrant data, does not go far enough to meet these requirements.
At a minimum, ICANN should expedite the implementation of cross-field validation as required by the 2013 RAA, but to date has not been enforced. These activities should be supplemented by examining other forms of validation, building on ICANN’s experience in developing the WHOIS Accuracy Reporting System (ARS), which examines accuracy of contact information from the perspective of syntactical and operational validity. Also, validation and accuracy of WHOIS data has been a long-discussed matter within the ICANN community—with the 2014 Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service (RDS) devoting an entire chapter to “Improving Data Quality” with a recommendation for more robust validation of registrant data. And, not insignificantly, ICANN already has investigated and deployed validation systems in its operations, including those in use by its Compliance department to investigate accuracy complaints.
Despite its significance to the protection and usefulness of WHOIS data, the accuracy principle is surprisingly absent from the three WHOIS models presented by ICANN for discussion among relevant stakeholders. Regardless of which model is ultimately selected, the accuracy principle must be applied to any WHOIS data processing activity in a manner that addresses GDPR compliance—both at inception, when a domain is registered, and later, when data is out of date.
All stakeholders can agree that WHOIS data is a valuable resource for industry, public services, researchers, and individual Internet users. Aside from the GDPR “Accuracy” principle, taking steps to protect the confidentiality of this resource would be meaningless if the data itself were not accurate or complete.
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byVerisign
The ICANN WDPR should satisfy the accuracy requirement for data controllers.
WHOIS ARS, this program needs an overhaul. First of all, ICANN should use third-party processors which are privacy shield certified, the majority is not. Putting these third-party vendors right into the data controller spot, which is going to be fun May 2018.
As the purpose is beyond the intent, registrants should consent to the fact that their data is being used for this program and consent to the fact they might get emailed and or receive automated phone calls from ICANN, and consent to all the other forms of processing under this program. Tho I wonder if registrants would appreciate the fact that a simple gTLD registration would require 11+ checkboxes to consent too.
Crossfield validation, while many online retailers use voluntary validation to make sure that the ordered products are shipped to the correct address, one has to wonder which legal basis we would require within in an ICANN/Registrar context.