European data regulators have torn up the latest proposal by internet overseer ICANN over its Whois data service, sending the hapless organization back to the drawing board for a third time.
In a letter [PDF] to the US-based internet's naming and addressing systems, the chair of the European Data Protection Board (EDPB) makes it plain that even the organization's "interim" plan is fundamentally flawed.
Despite existing solely to develop rules for the internet's underlying infrastructure and possessing a $100m annual budget, ICANN has put itself in the position where it has effectively outsourced decisions over the critical Whois service to a group of bureaucrats in Brussels.
And on several critical issues, the data bureaucrats have gone directly against the stated positions of both ICANN and its most influential members, including its business constituency, intellectual property constituency, as well as external members including the US government and International Trademark Association (INTA).
In what is perhaps the greatest blow to ICANN's credibility, the EDPB undercuts ICANN's legal appeal to a ruling it lost last month in German court, stating clearly that it cannot force people to provide additional "admin" and "technical" contacts for a given domain name – something some were hoping would act as an effective workaround to the privacy law.
That appeal now looks dead in the water, contributing to a series of embarrassing failures on ICANN's part to regain control of its authority over the Whois service.
Here's another No for you
In addition, the EDPB shot down ICANN's argument that different rules apply when a domain name is registered by an individual or a legal entity like a corporation. Not so, said the EDPB, stating that if a personal email address is given for a corporate website it still falls under the GDPR privacy legislation.
On top of that, the letter puts a big question mark over ICANN's claim that it can retain domain data for far longer than the required two-year limit, saying that the organization would have to "explicitly justify and document why it is necessary to retain personal data for this period."
ICANN pays to push Whois case to European Court of JusticeREAD MORE
And it shot down transparent efforts by ICANN and its US-dominated constituents to create an access model that would give intellectual property lawyers the right to see any and all Whois data by noting that "codes of conduct" and "accreditation" models are not a sufficiently strong model for accessing personal data and that ICANN and its registries and registrars will be held legally liable for any subsequent misuse of data.
Critically, however, the letter makes it plain that it has no time for ICANN's claim that it is not a "data controller." ICANN has tried to argue that, by including language in its contracts that force those signing it to say they are data controllers, that it somehow lifts legal obligations on ICANN.
It doesn't, the EDPB letter makes plain, and so ICANN is also on the hook for millions of dollars in fines if it is found not to be compliant with GDPR.
In short, for the third time in a row, ICANN's efforts to retain its existing system by relying on legally questionable, even laughable, arguments has failed. None of this should have come as a surprise to the non-profit organization based in California, but for some reason it has.
Not a new issue
European regulators first warned ICANN no less than 15 years ago that its Whois service needed to be updated to account for people's privacy. But ICANN has persistently failed to update the service, relying on the fact that it is operates under American law and for a long while existed under the direct protection of the US government.
However, the passing of the General Data Protection Regulation (GDPR) in the EU and the decision by the US government to grant ICANN autonomy have changed that dynamic.
GDPR was designed to deal with the massive market in the sale of personal data by internet giants like Facebook and Google, and imposes huge fines on companies that do not get their users' permission before selling personal data.
It should have been obvious that the legislation would also impact the Whois service, which requires anyone buying a domain name to provide their names, address and personal contact details – and then publishes it all on the internet for anyone to see. But having ignored European lawmakers for more than a decade, ICANN was blind to the issue.
It wasn't until a European registry under contract with ICANN simply refused to provide a Whois service – despite threats from the organization's legal team – that the organization finally woke up to the issue. The registry in question told ICANN that it considered the Whois clause in its contract "null and void" because it transparently broke European law.
That was in October 2017, leaving ICANN with just six months until the new law kicked in. Still convinced that European law couldn't impact it, ICANN hired a European law firm to report on the potential impact of GDPR on the Whois service and was stunned to find that it faced multi-million-dollar fines if it didn't make changes to its service.
With only six months to devise a solution and its average policy making process taking 18 months, the organization embarked on a series of doomed efforts to effectively retain its existing system while claiming compliance with the new law.
None of them worked, leading to the ludicrous situation where ICANN's staff and board asked to be granted a special one-year exception to the law: a request that ICANN convinced itself was possible and started aggressively insisting on even as it became clear that the concept was no more than legal fantasy.
When the special "moratorium" request was dismissed (data regulators don't have the power to rescind or ignore existing legislation), ICANN's board then chose to impose a staff-developed "interim" policy that had been universally rejected just two months earlier.
When several large registrars then chose to ignore that enforced policy and implemented their own policies to come into compliance with the new law, ICANN responded by suing one of them in German court in what it hoped would serve as a test case and stamp its authority over the Whois service.
But that approach also backfired when the German court rejected ICANN's arguments, effectively undermining its ability to impose its contract.
Having tried and failed to create its version of Steve Jobs' "reality distortion field", ICANN was left with little choice but to ask the European data regulators that will enforce the law what their views are of Whois and how its fits with GDPR.
Those regulators have responded. No doubt ICANN's staff and board will now try to paint the annihilation of pretty much every position they have adopted as part of a healthy policy process, but the truth is that the chickens have finally come home to roost.
As the EDPB noted in its summary of the letter: "The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring Whois in compliance with European data protection law since 2003." ®