Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year
How do we say this nicely? You need help
Ooops, we're gonna sail right past that deadline
Ten days later, during which time it is unclear whether ICANN even asked the European authorities whether such an idea was possible, ICANN's CEO then put the request into a formal letter to all 28 European DPAs.
And somehow – despite those authorities giving no indication that such an approach was even possible – the idea of a moratorium became the central component of ICANN's efforts to become compliant with the law.
In its summary of the subsequent meeting with WP29 earlier this week, US-based ICANN makes no mention of its core request for a moratorium and when we asked the organization whether it had made the request and what response it had received, it responded that it was "provided feedback from the DPAs and agreed there remain open questions."
What we now know is that the DPAs were much more blunt in their response: "The GDPR does not allow national supervisory authorities to create an 'enforcement moratorium' for individual data controllers."
Amazingly, it isn't just this concept of a moratorium where ICANN has deluded itself into believing a different version of reality.
Despite the clear guidance of the DPAs and even of its own external legal counsel that it specifically hired to advise it on how to become GDPR compliant, ICANN has also persuaded itself that it was going to be able to publish people's email addresses.
In its proposed interim solution, ICANN said it would change the Whois service to create either a web form through which you can contact a domain name owner, or an anonymized email address for every domain name owner so people's real email addresses are not published online.
But that approach was attacked by a number of groups during ICANN's recent meeting in Puerto Rico, who argued that they didn’t believe that was necessary and that it would indeed be possible to publish email addresses.
The argument for going against what appears to be a clear GDPR requirement – not publishing people's personal information without permission – was two-fold: that because it was useful for some people (law enforcement, for example) to have that information that it was "not proportionate" to remove it; and that it was necessary to distinguish between "legal and natural persons."
This position – which was seemingly developed exclusively by US lawyers, none of whom are expert in European law – was then reiterated in several of ICANN's constituencies, inadvertently highlighting a persistent complaint against ICANN as an organization: that it has been captured by American corporate interests.
When ICANN went to its meeting with the WP29 earlier this week, it took five letters, four of which made the exact same point claiming that the law did not say what it said.
You could argue that ICANN was simply reflecting the views of its constituent groups but unfortunately that isn't true.
Two of the five letters came from groups that are not a part of ICANN – the International Trademark Association and the US government; two came from groups that exist within a larger group (the GNSO); and ICANN did not gather the views of its other groups – who would likely have disagreed with the conclusions put forward.
ICANN's staff was, in effect, promoting a single distinct voice – that of American intellectual property lawyers – in four different packages.
But none of that mattered because the Article 29 Working Party – which had already explicitly warned ICANN in a letter "not to conflate its own purposes with the interests of third parties" – simply laughed the idea out the room.
ICANN was forced to admit as much in its summary of the meeting when it noted: "The DPAs requested information regarding the implementation of anonymized email addresses in WHOIS contact information. It is clear from our meeting that registrant, administrative, and technical contact email addresses must be anonymized."
What makes ICANN's delusional behavior all the more remarkable is that its CEO – who started the job two years ago – was himself a European regulator. Prior to taking the job, he spent six years as Director-General of the Swedish Post and Telecom Authority, a fact he has raised repeatedly in discussions over GDPR.
During meetings in Puerto Rico last month, Marby appeared to have a good handle on what had gone wrong and what needed to be done to make ICANN compliant with GDPR.
"We were late. Terribly late," he said in response to someone asking how ICANN had left itself only a few months to address the issue when it had been in place for years.
He went on: "GDPR is really the first – my understanding, is really the first law that has a direct affect on our ability to make policy." And he noted: "This law was designed several years ago. And, apparently, as a community, as an institution we didn't pay much attention. We started very late."
Marby also recognized that ICANN itself was on the chopping block if it didn't find a solution soon.
He told the world's governments: "One of the things that we realized during that is that ICANN actually is some sort of data controller in this. That means that I'm legally bounded. I have to make a decision about this."
He even recognized that, as a data controller, ICANN faces enormous fines if it didn't fix Whois in time. "There is a very big institutional problem, I believe, if we don't comply to this law," he said. "In budget terms, a big fee could be put upon us if we fail in this. I don't remember the number now, but it's actually a substantial amount of money."
It would be €20 million ($24.2m) given the fact that ICANN is acutely aware that it is breaking the GDPR with its Whois service and so would face the higher rate of fines that European authorities are entitled to levy against organizations.
And yet, rather than recognize itself as a data controller and so risk facing massive fines, ICANN's own staff continue to promote a different story: that it is, in fact, not a data controller.
In an FAQ on its site, ICANN says in impenetrable legalese that it won't be a data controller by dint of the fact that it will simply write in its new contracts with registries and registrars that they accept that they are "acting independently as a data controller with respect of Whois data." That is despite the fact that it will be ICANN that decides the policies that govern Whois.
Is that claim equally as delusional as ICANN's insistence that it is possible to have a moratorium, or that it can still publish people's email addresses?
According to one of its own constituencies, yes it is. "ICANN is a data controller," the Non-Commercial Stakeholders Group said in a formal letter provided to WP29. "ICANN does not acknowledge that it is a data controller and has not appointed a privacy officer as required under the GDPR. However… we believe ICANN is acting as a data controller in seeking to maintain access to the Whois."
One thing is for certain: ICANN CEO Goran Marby should stop listening to whoever he is relying on for advice because they led him down a rabbit hole for the past six weeks – time that should have been spent fixing a problem of ICANN's own making.
We have asked ICANN for an explanation for how it arrived at the concept of a moratorium and for any related documentation. We will update this story if it gets back. ®
Below is the full statement that the Article 29 Working Party provided to us over Whois:
WP29 statement regarding WHOIS
WP29 recognizes the important functions fulfilled by the WHOIS service.
WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003 (see WP29 opinion of 2003 available here). ICANN’s GDPR compliance process appears to have been formally initiated in the course of 2017, which may be part of the reason why stakeholders are concerned over the entry into application of the GDPR on 25 May 2018.
The GDPR does not allow national supervisory authorities nor the European Data Protection Board (the WP29 will become the EDPB on 25 May 2018) to create an “enforcement moratorium” for individual data controllers. Data protection is a fundamental right of individuals, who may submit complaints to their national data protection authority whenever they consider that their rights under the GDPR have been violated.
Data protection authorities may, however, take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving such complaints.
As expressed also in earlier correspondence with ICANN (including this letter of December 2017 and this letter of April 2018), WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.
The WP29 recognizes the recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system. The WP29 will continue to monitor ICANN’s progress closely and its members may engage further with ICANN to ensure that the legal requirements under EU data protection law are properly addressed.