It appears that the European Commission (EC) is not very impressed with a quickly prepared 12-point proposal by ICANN to resolve the conflict between the domain name system’s Whosis service and the GDPR which will officialy be launched in May 2017. “Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches,” wrote Roberto Viola, director-general of technology and communications for the EC.
The GDPR prohibits, among other things, sharing personally identifying information (PII) with third parties without user consent. While domain anonymization services have long been popular for the privacy-minded to avoid having information shared publicly, this type of opt-in protection is not adequate for compliance with the GDPR. Likewise, the length of time for which data is stored after domain registrations expire is also a point of contention.
ICANN has yet to implement a coherent solution for maintaining privacy of domain registrant records in accordance with the EU GDPR (General Data Protection Regulation). The organization published four original plans as temporary fixes, along with eight plans submitted by outside organizations like the EFF earlier this month (Excel download). A response from the European Union found the plans underwhelming (PDF), underscoring the need to urgently address compliance with the pending regulation.
ICANN Please delay your decision till you have fixed your proposal!
The EC in the letter to ICANN has also hinted to ICANN not to rush but to hold off any decisions on the model
The proposed models are therefore considered as a helpful step forward and the Commission welcomes the efforts currently under way to reach out to and engage in a dialogue with the data protection authorities. At the same time, given the importance of determining the best approach in light of the important interests at stake and the many stakeholders concerned, we consider that it would be better to delay ICANN’s final decision on the interim model while keeping the current momentum, so that it is possible to arrive at a good solution for all parties involved.
Deferring the decision until after ICANN61 would allow for discussion with all stakeholders involved as well as the data protection authorities, which can only usefully take place now that concrete models have been put forward for
On observations on the different models, the EC stated
Commission takes note of the efforts of ICANN to develop a layered approach as regards the access to the data in the WHOIS directory, which could help to address a longstanding request of the EU Member States data protection authorities.
However, given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches. The Commission therefore encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs and interests. Not all of the relevant design elements are necessarily linked to any specific model. For instance, different data retention periods have been chosen for the different models, without any particular justification. The same holds true for the conditions
for access to non-public data. While we fail to understand why a certain retention period or certain access criteria are linked to a particular model, it is clear that, as retention and access (but also the initial data collection) are all forms of data processing, their scope and limits will be determined by factors such as the legitimate purpose, legal basis and proportionality of processing.
ICANN will have to struggle though the next 2 months to com up with something acceptable to EU.