Tomorrow I’ll be heading off to Abu Dhabi in the United Arab Emirates. Much as I’d love to be escaping the Irish winter for the warmer climes of the UAE, I’m actually heading over there to participate in the ICANN meeting.
However, this time round I suspect that most other topics will take a back seat to the current “elephant”: GDPR.
If you’re in business and don’t know about GDPR yet then I’d suggest you try to get up to speed on it fairly quickly. The Irish Data Protection Commissioner has put together a lot of helpful resources over on the aptly named GDPR and You site.
We’ve talked a bit about GDPR in the past (and will be doing more in the future) and I recently did a podcast with Andrew over on Domain Name Wire on the subject. Put simply, GDPR (General Data Protection Regulation) is a complete overhaul of EU data protection law and, when it is enforced next year, will cover all residents of the European Union. If you’re a business in the EU or doing business with the EU you’ll need to be compliant.
So what’s going on with ICANN?
Well there’s the rub.
ICANN’s relationship with privacy as I’ve mentioned several times in the past has always been a little bit “messy” (and I’m trying to be diplomatic!).
The current situation is that domain name registrars (such as ourselves) and domain name registries (like Verisign who run the .com registry) operate under a contract from ICANN. You can think of it as a form of “license” if you wish.
Those contracts consist of two parts. The first and most obvious part is the contract itself and the second bit is what is called “consensus policy”. That second bit is in constant evolution: as the internet and how we use it evolve, so do the challenges, opportunities and threats. So domain name transfers, for example, are covered by a policy which was developed by the “ICANN Community”.
And it’s partially here that the issues around GDPR come into play.
Whois data is the most obvious and problematic set of policies and contractual obligations when it comes to GDPR. Sure, a company like ourselves has to examine and deal with GDPR and how we can be compliant across all aspects of our relationships. However it is only in a limited set of scenarios where there’s a clear conflict between what we need to do to comply with the law and what we need to do in order to remain compliant with our contracts and current policies. Hello ICANN!
So what’s the current state of play?
Well that’s a constantly moving target, but it’s pretty safe to say that even ICANN itself has finally recognised that the current whois is no longer viable.
But what can they do?
That’s where it gets sticky and, quite frankly, messy.
If, hypothetically, ICANN were to grant all registrars and registries based in the EU special provisions around WHOIS then many people would be delighted. There are precedents. Both the .cat and .tel domain name registries have special exemptions in their contracts with ICANN which allow them to display a minimal data set to the public when private individuals’ domains are involved. Law enforcement agencies and consumer protection agencies can get access to all the data they want, but they have to go through a specific process. Sure, they might have to work a little harder to get the data they’re looking for, but they can get it.
And if you look at ccTLDs like .ie or .fr the amount of data made public is pretty low, especially if the domain is registered to an individual.
But ccTLDs are country specific and governed (usually) by the laws of one country.
The global internet is far from uniform and has to work across national boundaries. We as a company have clients in 130+ countries around the globe and while we do not have offices outside Ireland at present we still have to operate legally in any market we sell into. (And I am simplifying here quite a bit.)
When you look at the global domain name market, which is just a part of the overall internet, there are plenty of big players who have a strong presence in multiple countries. GoDaddy, for example, is an American company. They sell domains and hosting around the world. Would they be able to get the same kind of waivers as a “more” European company such as ourselves? Should they be able to? How would that work for their national government?
It’s not a simple subject and when you put this all against the backdrop of 20+ years of “open whois”, cyber crimes, global threats from terrorism and so much more you quickly realise that not only are there competing interests and concerns, but that it’s a far from simple topic.
However ICANN (the corporation) is going to need to address this issue with registrars and registries.
In the last few weeks the tensions have increased. Two of the European-based registries have unilaterally decided to make their WHOIS output compliant with GDPR without getting any changes to their contract with ICANN. ICANN is apparently threatening them with contract breach, which could escalate to termination. To add to the “fun” the domain registry is actually run by the government of the city of Amsterdam. So it’s not just ICANN vs a European company.
Meanwhile ICANN has received the first in a series of legal opinions that attempts to address the current policies and contracts versus the legal requirements under GDPR.
If it wasn’t so serious I’d be reaching for my popcorn.
So against this backdrop I’ll be heading to ICANN 60 where you can be sure that GDPR is going to be getting plenty of attention, though whether or not any solutions or paths forward will emerge is debatable.
You can find the full schedule for ICANN 60 here and most sessions will be available to follow online via audio and sometimes video stream. There will be plenty of other topics under discussion during the meeting, so if GDPR and whois don’t interest you there are plenty of other topics that might.