Join ICANN and see the world. Last Thursday in Vancouver the ICANN Board gave its response to Article 29’s and the Government Advisory Committee’s representations about the GDPR, which comes into effect in less than one week. In essence ICANN stuck two fingers up at both of them: Governments and privacy regulators.
In a world in which the internet plays such a central, even all-pervasive role, and driven as it is by the financial self-interest of Registries, Registrars and the co-dependent ICANN bureaucracy, ICANN has no authority or legitimacy to tell Governments and lawfully appointed regulators to get lost. But they just did.
So mark 17th May 2018 in your diary. It could turn out to be the day ICANN finally pressed the self-destruct button. Don’t ask me what the outcome will be as the whole edifice starts slowly to unfurl. “Messy” is the only word that springs to mind. But unfurl it will. In the end democratic Governments will have their way, and undemocratic ones will fly in on their coat tails, grateful they didn’t have to do any of the heavy lifting.
So what was decided?
A “Temporary Specification” (TS) was approved by the ICANN Board and it will now be incorporated into all Registry Agreements.
It does not require the email of the Registrant to be visible to the public. That removes an important tool used hitherto on a large scale by law enforcement and the wider internet security industry.
The TS does not require a distinction to be made between legal and natural persons, i.e. between private individuals and companies or other organizations.
Here are the main provisions.
What will disappear from public view?
- Registrant and technical/admin contact name
- Registrant address
- Registrant and technical/admin contact email address
- Registrant and technical/admin fax and/or phone numbers
How do you get access to what will become non-public data?
To enable WHOIS users to contact Registrants:
- Registries must direct users to the registrar for a method to contact the registrant.
- Registrars must create an anonymised email or a web form to enable users to contact the registrant, and the technical and admin contacts. There is no requirement that a unique email address be attributed to each registrant, which would have enabled users to identify other domains registered by the same registrant.
- Registrars must offer registrants an opt-in to have their data included in a public WHOIS, and they may (note “may”) offer an opt-in for admin and technical contacts.
Registrars and registries are required to provide reasonable access to non-public data to third parties with legitimate interests, “except where overridden by interests or fundamental rights and freedoms of data subjects”. Quite how “legitimate interests” will be defined, and how third parties will be acknowledged as having one, has yet to be determined.
Registrars are also required to provide access where “the Article 29 Working Party/European Data Protection Board (comprising the EU Member States’ data protection authorities), a relevant court, applicable legislation or regulation provides guidance that the provision of data to specified classes of users is lawful”.
There is no uniform or centralized mechanism at this time to get access to such data, though the ICANN Board is urging the “ICANN community” to come up with a model expeditiously. No deadline has been set. No one knows when this will happen.
Please can we have more time?
Although Article 29 has no authority to suspend anything, individual DPAs could, in practice, decide not to take out enforcement proceedings.
I guess deferment or suspension has a great deal of practical appeal although there is bound to be a degree of hesitation and scepticism because of ICANN’s behaviour so far. Everybody knows ICANN has a unique talent for making sure nothing happens quickly. The world must run at their pace and everybody else can whistle. Yet hubris is charging at speed over the virtual hill.