Three years after the EU GDPR entered into force, the ICANN community is still debating the emergency measures with regard to data protection of gTLD registration data. Before the GDPR, gTLD registration data was publicly available, but the accuracy of this data is an issue that the community was facing long before that. In 2021, the Expedited Policy Development Process (EPDP) moved on to Phase 2A, with one main issue in focus: the distinction between natural and legal persons in the domain name registration process. Meanwhile, the EPDP’s previous Phase 1 and Phase 2 policy recommendations are facing further implementation challenges: interdependencies between issues in different phases and disagreements on issues of importance to the Governmental Advisory Committee (GAC). On top of everything, other regulatory developments, such as the EU NIS 2 Directive proposal, could have a further impact on the outcomes of the EPDP, with some constituencies calling for a halt to the EPDP Phase 2 recommendations. Registration data accuracy discussions are also steadily picking up, in light of the EU NIS 2 proposal.
Distinction between legal and natural persons
The GAC is continually concerned over the lack of differentiation between legal and natural persons when it comes to publicly available registration data in the EPDP recommendations. According to the briefings that the GAC received at ICANN71, the registration data of legal entities is consistently claimed not to be protected by the GDPR (ignoring the CJEU case-law on the matter, which confirms it is more nuanced than such a simple distinction). The preliminary EPDP recommendation on the issue retains a mere possibility for registries and registrars to differentiate between registrations of legal and natural persons, but they are not obliged to do so. The GNSO has been asked to monitor relevant developments, including NIS 2, to determine whether any changes to the EPDP are necessary.
Contracted Parties, particularly registrars, are those who would need to bear the burden of implementing the required distinction between legal and natural persons, while still being subject to the GDPR and other national data protection frameworks. They have identified technical difficulties in making such a change, which seems simple on paper; moreover, the benefits of such a change remain unclear.
The GNSO leadership is currently looking to initiate a scoping exercise on registration data accuracy work within the community. Many questions for future work on accuracy are still open beyond its scope: e.g. team composition and when the work will be launched. The date for the scoping work to be initiated has been provisionally set to August 2021, after EPDP Phase 2A is concluded.
According to the GAC, “the accuracy of domain name registration data is fundamental for maintaining a secure and resilient DNS” (EPDP Phase 2 Minority Statement). A similar sentiment has been transposed to the EU NIS 2 Directive proposal, which echoes the GAC concerns within the EPDP: data accuracy, the distinction between natural persons and legal entities, as well as ensuring access to registration data for an undefined group of so-called “legitimate access seekers” (Article 23).
The European Commission’s representatives have previously reassured the ICANN community that the NIS 2 Directive proposal (and specifically Article 23) is not meant to replace the multistakeholder process within the EPDP but rather help operators by creating a necessary legal basis for registries and registrars to keep collecting, processing and publishing domain name registration data (while mostly ignoring how the GDPR is implemented by European ccTLDs). During the joint session between the GAC and the GNSO, the European Commission representative clarified that legitimate access seekers in the context of access to registration data should include cybersecurity researchers and intellectual property rights “enforcers”. The Commission representative also urged the ICANN community to address the accuracy issue, as it is not solely linked to GDPR compliance but also to contractual obligations with ICANN.
It is questionable if technologically neutral and general regional legislation, coupled with the principle of subsidiarity (Directive vs Regulation) and the supremacy of EU primary law (EU Charter of Fundamental Rights) can bring relief to purely contractual enforcement issues within ICANN.
Data is still missing
During the GAC’s joint session with the GNSO, there were calls for data on the existing accuracy levels, in particular, the current percentage of accurate registration data, as well as the needed threshold for the data to be considered accurate.
To get more clarity on the associated issue, the registrars are also working on a “Registrant WHOIS Experience” study to better understand the current reality and whether “unredacted registration data in the WHOIS/RDAP continues to contribute to harm, enable fraud, or increase abuse”, as identified by the Security and Stability Advisory Committee. Back in 2007, SAC023 concluded that the “appearance of email addresses in the WHOIS contributed to receipt of spam - virtually assuring spam delivery to these email addresses”. The results of the study are expected to be presented at the ICANN72 meeting.
It is clear that a lot has changed since 2007. However, it is important to base any policy development process on facts and evidence, especially when that policy change could come with an increased liability risk and potentially a technical burden on operators (similarly, the introduction of Article 23 in the NIS 2 Directive proposal should also have been more clearly substantiated, beyond a general statement that it is better for security).
Or is it really missing?
Having observed the EPDP discussions for over three years, we see an ICANN community struggling to reconcile the many interests at stake. Despite the fact that a lot of substantial work has already been done, the implementation of policy recommendations from previous phases has been slowed down by minority statements, by calls for the ICANN Board to address the GAC’s public interest concerns and, despite good intentions, by recent regulatory developments in the EU.
On the other hand, there are already existing practices and examples to follow from European ccTLDs which are already compliant with the GDPR and which, in fact, did not face many significant changes to their registration data availability policies when the GDPR entered into force, including on questions of access. European ccTLDs do not have a unified approach to their registration processes either: these are deeply rooted in national specifics and jurisdictions and, as stated in our previous blogpost, diversity within ccTLDs is not a bug but a feature.
Perhaps the policy recommendations coming out of the ICANN PDPs need to offer more flexibility to operators to consider national developments, needs and specifics as well, whilst the DNS is subject to increasing regulatory attention. So far this approach has worked for ccTLDs, and more can be learned from these experiences.