I predicted that the ICANN meeting in Abu Dhabi last week would be dominated by discussions centring around GDPR. I was proven correct.
Sure, there were other items on the agenda, some that took me and other attendees a little by surprise. But the topic that dominated the meeting was GDPR.
With the clock ticking, the likelihood of ICANN (the corporation) and its contracted parties (registrars like us and registries like Verisign) reaching agreement in time is slim. For us, reaching agreement on how we’ll handle GDPR in relation to our current contractual obligations and then making all the system changes in time is simply not going to happen. And that’s without even talking about the underlying policy changes that will need to happen at some point.
At this stage it’s pretty clear that there are three forks to the GDPR situation:
- Contracted parties’ obligations to comply with the law. It doesn’t matter what is in the current policy or contracts. The law reigns supreme.
- ICANN Corporate’s interaction with contracted parties such as ourselves. Can they realistically penalise us for following the law? If not, how is that going to look?
- The ICANN Community developed policies that touch on GDPR. While the collection, processing and publication of whois data is the most obvious and contentious aspect of this, it’s not the only one.
Throughout the week ICANN senior staff, up to and including the CEO Göran Marby, were quizzed by registrars, registries and others about how they were going to handle the impending situation. While they all made noises about how they couldn’t demand that a registrar or registry break the law, it wasn’t until the penultimate day of the event that Göran made a fairly clear statement about what the organisation would do:
At ICANN60, many community members expressed concerns regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union’s General Data Protection Regulation (GDPR). The contracted parties in particular noted the importance of identifying means to comply with their contractual obligations without running afoul of the GDPR which, beginning 25 May 2018, will include significant monetary penalties for noncompliance. They also indicated that they must begin now with the process of developing, testing and implementing any new solutions that may be necessary if they are to come into compliance with the GDPR by 25 May 2018. Finally, they expressed concern that ICANN Contractual Compliance might find them in breach of their existing contractual requirements related to registration data before clear solutions emerge.
As discussed at ICANN60, the extent of the impact of the GDPR on WHOIS and other contractual requirements related to domain name registration data is uncertain. The ICANN Board, org and community are engaged in multiple efforts to assess the impact of the GDPR on registry and registrar obligations in ICANN agreements and policies, and we continue to work with the Hamilton law firm to understand this impact. At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available. At the same time, we understand that registries and registrars are developing their own models for handling registration data that they believe will comply with the GDPR. We’ve heard some of these ideas as we’ve been engaging and we’d like to understand the details so that we can submit the various models to the Hamilton law firm for further analysis.
During this period of uncertainty, and under the conditions noted below, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data. To be eligible, a contracted party that intends to deviate from its existing obligations must share its model with ICANN Contractual Compliance and the Global Domains Division. To the extent that the party requests confidential treatment, ICANN will remove any identifying information and share only the elements of the model with the Hamilton law firm for the purpose of legal analysis against the requirements of the GDPR. The model should reflect a reasonable accommodation of existing contractual obligations and the GDPR and should be accompanied by an analysis explaining how the model reconciles the two. For clarity, Contractual Compliance would not defer enforcement if, for example, a contracted party submitted a model under which it abandoned its WHOIS obligations. In addition, a model that satisfies the conditions noted here might also require compliance with other contractual obligations or consensus policies, e.g., the Registry Services Evaluation Policy (RSEP). A model may also require further modifications if it is later determined not to comply either with the GDPR or any future community-developed policy.
Detailed guidance regarding the process and eligibility requirements will be provided shortly.
So what does that mean in reality?
At this juncture it’s not 100% clear.
If each and every registrar or registry comes up with its own “model” for complying with GDPR then there could easily be several hundred different ones to assess. That would be a disaster.
There is no way that ICANN can assess hundreds of different models in a timely fashion and definitely not within the timeline that we have left.
Ideally registrars could come up with a couple of models that most of us could follow and then ICANN would have the ability to assess them and give them their “blessing”.
Of course in many respects it doesn’t matter whether ICANN gives us their blessing or not. We, as a company, will need to assess our legal obligations, balance them against our current contractual ones and work out what we can do to be compliant with the law. If ICANN doesn’t like what we do, but our lawyers, and more importantly the DPAs (data protection authorities), are happy with how we do things, then ICANN is simply going to have to deal with it. And that, rough as it might seem, is the harsh reality.
However the situation is not simply one of compliance with law and contract. There is also a complex operational aspect to this entire mess.
With “thick” registries, such as .org or .club, as a registrar we do not rely on the public whois to manage domain names for existing and potential clients. We have access to the data we need to do our job via secure and controlled channels.
Unfortunately with .com and .net, which are “thin” registries where the registrant contact data sits with the sponsoring registrar rather than the registry, we still need to access the public whois in order to handle transfers and other operations.
How will that play out when public whois changes dramatically?
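To make the thick/thin distinction above concrete, here is an added example (code written for this editorial pass, not anything from ICANN or the registrar) that parses two constructed whois replies: a thin-registry answer that only refers you on to the registrar’s whois server, and a thick-registry answer in which the contact fields have already been redacted. The server name, IANA ID and redaction wording are made-up sample values.

```python
# Added example: why a thin registry forces a second lookup, and how a
# registrar's tooling can spot redacted contact data before relying on it.
import re

# Constructed sample: a thin-registry (.com style) reply carries no registrant
# contacts, only a referral to the sponsoring registrar's whois server.
THIN_REPLY = """\
Domain Name: EXAMPLE.COM
Registrar WHOIS Server: whois.registrar.example
Registrar IANA ID: 9999
Domain Status: clientTransferProhibited
>>> Last update of whois database: 2017-11-06T00:00:00Z <<<
"""

# Constructed sample: a thick-registry reply after GDPR-style redaction.
THICK_REDACTED_REPLY = """\
Domain Name: EXAMPLE.ORG
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: REDACTED FOR PRIVACY
Domain Status: ok
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s*(.*?)\s*$")
REDACTED_RE = re.compile(r"redacted|query the rdds|data protected", re.I)

def parse_whois(text):
    """Return {key: value} for 'Key: value' lines, skipping '>>>' banner lines."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(">>>") or not line.strip():
            continue
        m = KV_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))  # keep first occurrence
    return fields

def classify(text):
    """Tell a registrar what a reply gives it: a referral, usable contacts, or redaction."""
    f = parse_whois(text)
    contact_keys = [k for k in f if k.startswith(("Registrant ", "Admin ", "Tech "))]
    redacted = [k for k in contact_keys if REDACTED_RE.search(f[k])]
    if "Registrar WHOIS Server" in f and not contact_keys:
        return {"kind": "thin-referral", "next_hop": f["Registrar WHOIS Server"]}
    if contact_keys and len(redacted) == len(contact_keys):
        return {"kind": "thick-redacted", "redacted": sorted(redacted)}
    return {"kind": "thick", "contacts": {k: f[k] for k in contact_keys}}
```

The thin reply yields only a next hop, which is exactly the extra dependency on public whois the post describes for .com and .net; the redacted thick reply shows the case a transfer workflow must handle once that data stops being published.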
I have a few ideas about how it might be resolved, but unless there’s “buy in” from a lot of the other registrars any concepts we (or anyone else) might have are purely theoretical.
We will be working closely with our partners in industry to see if this can all be resolved in time, but I suspect we are all in for a rather bumpy ride!