Update on ICANN data protection issues: Will there be enforcement of data protection law in the future?

By Stephanie Perrin

Readers of this blog may recall that I blogged in August 2015 on my participation with Monika Zalnieriute at the International Working Group on Data Protection in Telecommunications, in Seoul Korea. I was invited back this year for further discussions on ICANN data protection issues, including the new Registration Data Services (RDS) policy development process (PDP) that has been struck to study a potential replacement for WHOIS. (See Stephanie Perrin: ICANN attracts attention of International Working Group on Data Protection in Telecommunications: Yes, the Data Commissioners Care about Privacy at ICANN! August 11, 2015).

It is encouraging to know that data commissioners, who are busy with a myriad of complex international privacy issues brought largely by new technologies and social media, have time to consider the issues we face at ICANN. They are also extremely busy examining the impacts of the new European Data Protection Regulation (see http://ec.europa.eu/justice/data-protection/ for more information about these developments). As described in last year’s blog, the last paper the Working Group (otherwise known as the Berlin Group) published on ICANN was in 2000, but sadly there has been very little progress in improving compliance with data protection law at ICANN. Many of their recommendations are still relevant today. Let’s look at what they recommended back in 2000, with a view to what has happened recently.[1]

  • purposes of the collection and publication of personal data of domain name holders must be specified.

In the current RDS Policy development process, a review of the purpose of the RDS data collection, use and disclosure is being discussed, but at the moment there is really no agreed stated purpose.

  • data collected and made publicly available should be restricted to what is essential to fulfill the purpose specified

It is the view of most of the NCUC members of the RDS PDP that the data collected and made available is excessive and cannot be justified, even if the purpose were properly stated.

  • Any additional data (especially telephone and fax number) – although they might be collected by the registry as necessary with respect to its task – should in such cases either refer to the respective service provider or only be made available with the explicit consent of the data subject.

This is the fundamental argument behind having a restricted WHOIS: make requestors who have a legitimate need for the data request it from the registries/registrars, stating their purpose.

  • Mandatory publication of telephone and fax numbers of domain name holders would be a problem when private persons register domain names, where the number to be provided might be their home number. The right not to have telephone numbers published – as recognized in most of the national telecommunications data protection regimes – should not be abolished when registering a domain name.

Evidently still not in place, and in fact now cell phones are being proposed in the EWG report.

  • Secondary use incompatible with the original purpose specified (e.g. marketing) should be based on the data subject's informed consent.

Consent of the data subject is not sought.

  • Technical mechanism to access WHOIS data must be purpose based and limit secondary uses.

Registrars are obliged to put bulk access limitations on the WHOIS data, with exceptions for contractors who have made special arrangements. Purpose limitation is not yet in place.

  • In the absence of globally binding data protection legislation – the registries must develop a uniform standard for the collection and use of personal data of domain name holders, including rules on the purpose of the collection and of the use, and a right to access and correction of personal data.

This is not in place, and there are no obligations in the RAA to advise individuals of their rights under data protection law.

  • Adherence to these regulations should be secured through certification procedures.

Since the policy does not exist, the certification procedures do not cover data protection, only obligations to collect, disclose and retain data, except that there is a requirement to inform registrants if you offer a proxy service and at what cost.

  • Any registrar operating within the jurisdiction of existing data protection laws and any national domain name registration procedures are subject to the existing national data protection and privacy legislation and to the control by the existing national Data Protection and Privacy Commissioners.

The WHOIS conflicts with law procedure does recognize that data protection commissioners are responsible for compliance with relevant law. The procedure has recently been reviewed, and a new process (getting a letter from a body that has authority to enforce data protection law in that jurisdiction) has been proposed. That procedural change has just been submitted to the GNSO for its review. I participated in that WHOIS procedural review, and I must say I felt obliged to issue a dissent from the proposal (contained in Appendix 4, available on ICANN’s website at https://www.icann.org/public-comments/iag-whois-conflicts-privacy-2015-10-05-en), but we were not empowered to do anything about the fundamentally flawed policy.

It appears that we are now launching into the fifth major review of WHOIS policy (depending on how you count) with the recommendations of data commissioners as yet unacknowledged by ICANN and its administrative procedures, except for the rather odd exemption and waivers envisaged in the WHOIS conflicts with law policy. This new PDP, however, is examining in great detail all kinds of documentation relevant to WHOIS privacy discussion, including many of the opinions and letters sent by the Data Commissioners. We are hoping for better luck in getting privacy implemented in the new RDS, and if anyone is interested in joining that group or finding out what is going on, please do not hesitate to contact me.

The funding for my hotel in Oslo was provided through the NCUC travel fund, in support of our work in this area. Thanks NCUC!

Stephanie Perrin, NCUC, GNSO Councilor for NCSG

Stephanie.perrin@mail.utoronto.ca

[1] Italicized text is based on the recommendations of the 2000 common opinion, Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet (Crete, 4./5.05.2000) available at https://datenschutz-berlin.de//content/europa-international/international-working-group-on-data-protection-in-telecommunications-iwgdpt/working-papers-and-common-positions-adopted-by-the-working-group