Governments Race to Help ICANN Comply With GDPR
Governments want to maintain the Whois database as much as possible while complying with the EU general data protection regulation as quickly as possible, and they spent most of their time in Governmental Advisory Committee (GAC) meetings at the Monday to Thursday Panama ICANN policy meeting scrambling to figure out how to accomplish that. ICANN, not in compliance with the EU privacy law, approved a "temporary specification" to enable tiered access to domain name registrants' data in the Whois database (See 1805140001), and floated a proposed unified access model for allowing those with a legitimate interest to access non-public personal data (see 1806060004). Also in the works is an "expedited policy development process" (EPDP) that aims to replace the specification within one year. Under pressure from law enforcement, network security, intellectual property and other interests, governments are pushing to determine their role in the processes and their positions.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The temporary specification doesn't address several GAC recommendations, said Kathrin Bauer-Bulst, European Commission deputy head-unit for the fight against cybercrime and child sexual abuse, and co-chair of the GAC public safety working group. They include how to obtain access to non-public data, which is currently left to contracted parties -- registries and registrars -- to decide, and how to address law enforcement needs for Whois access. Law enforcement agencies are now seeing "information redacted for privacy" when they seek Whois data, and many are unaware they can ask for non-public data and don't know whom to ask, said working group co-chair Laureen Kapin, FTC counsel for international consumer protection.
Many questions remain about the expedited policy process and ICANN's proposed unified access model, the U.S. representative said: "Timing is of concern." The U.S. believes finding a mechanism for legitimate access to Whois data is the highest priority, she said. The EPDP is still "up for grabs," said Kapin. Many details, such as its scope, composition and timeline, haven't been determined, she said.
The Generic Names Supporting Organization plans to issue a preliminary report on the EPDP in four months, Kapin said during a continued discussion Tuesday. There appears to be a split between those who want the policy development process to focus solely on the current temporary specification and those who want it also to consider how to grant access to non-public data and accredit those allowed such access, she said. The issue will be to what extent the very fast process will grapple with those questions, she said. The European Commission and other GAC members want a comprehensive rather than a partial approach that covers access and accreditation. The GNSO is developing the documents that will initiate the EPDP but hasn't settled on their substance, said Heather Forrest, vice-chair of ICANN's Intellectual Property Constituency, Tuesday at a GAC-GNSO meeting.
At a GAC-ICANN board meeting Wednesday, governments pressed board members for information on, among other things, what procedures will be used to develop and implement unified Whois access and in what time frame. ICANN has no idea now how it will develop the unified access model, said CEO Göran Marby. It depends on what legal guidance it receives from European data protection authorities and whether their advice is timely, he said. The key issue for the Oct. 20-25 Barcelona meeting is whether the guidance is available, he said.