This year marks 4 years since the GDPR entered into force: a regulation that has sent waves across Europe and beyond by restating EU data protection principles in place since 1995 and giving real enforcement powers to data protection authorities. Although data protection became a compliance issue for ICANN in 2018, in 2022 the community is still discussing how to reconcile the different interests at stake: domain name holders, contracted parties, rightsholders, law enforcement and governments, as was evident during ICANN73. Access to accurate registration data has also become a political issue, with the EU negotiating the update to its cybersecurity legislation, the NIS 2 Directive, which puts considerable emphasis on access to accurate, complete and potentially verified registration data. The root cause of registration data accuracy being on the agenda of EU policymakers: ICANN’s GDPR compliance activities that put WHOIS behind a locked door. Is there a registration data accuracy problem within the ICANN community, and why does it matter? What is the role of ICANN when it comes to ensuring third-party access to registration data? And is there a chance that ICANN could put its GDPR compliance discussions behind it anytime soon?
GDPR v ICANN
After the EU GDPR entered into force in 2018, ICANN put in place the Temporary Specification for gTLD Registration Data that requires ICANN contracted parties, i.e. gTLD registries and registrars, to restrict public access to domain name holders’ personal information. This was a significant change to the way WHOIS information in gTLDs was (ab)used before ICANN’s decision to reinforce respect for domain name holders’ rights to privacy and data protection.
Furthermore, EU data protection authorities have continuously expressed their concerns regarding the unlimited publication of WHOIS information on the internet since 2003 (!). These concerns were reiterated in 2006 and 2014 by the WP29, the predecessor of the European Data Protection Board (EDPB). In fact, the claim that unlimited access to WHOIS information is by default the best option for cybersecurity has been challenged by, inter alia, ICANN studies and testimonials from EU ccTLDs that have complied with data protection rules for decades, without any evidence of widespread abuse within their zones. Moreover, EU ccTLDs are consistently considered to be the champions in their efforts to keep their zones safe and secure, without compromising respect for data protection.
Since ICANN-enacted policies are general and adopted for all contracted parties across the board (irrespective of their place of establishment), EU GDPR-related changes are global and affect all gTLD registries and registrars, bringing in voices from other parts of the global multistakeholder community, who have previously unjustifiably benefited from openly accessible WHOIS and the absence of respect for the rule of law.
In 2022, the importance of “WHOIS data” for law enforcement activities, intellectual property (IP) enforcement activities, as well as for any third party with an interest to contribute to overall cybersecurity online (read between the lines: commercial cybersecurity service providers) is still being cited as the public interest that ICANN should preoccupy itself with, ignoring all other legitimate public interests that ICANN may have the remit and interest in pursuing, such as respect for rule of law and other fundamental rights (beyond IP rights protection), and most importantly the overall stability and resilience of the DNS.
System for Standardised Access to registration data
According to the Governmental Advisory Committee (GAC), centralised and standardised access to registration data controlled and processed by contracted parties is a “public policy priority”.
Due to this pressure from governments, as well as from “business, security, law enforcement” and rightsholders, the Final Report of the GNSO EPDP Phase 2 includes recommendations on the development of a System for Standardised Access to registration data (SSAD), a mechanism intended to centralise requests for non-public registration data. Due to the “resource investment and complexity that would likely be required to implement the SSAD-related policy recommendations in a timely and predictable manner”, the ICANN Board requested the elaboration of an Operational Design Phase (ODP) to inform its deliberations, including whether the recommendations are in the best interests of both the ICANN community and ICANN Org itself.
On 25 January 2022 ICANN Org published its final output to the SSAD ODP. According to the findings of the ODP, there is still a lot of uncertainty when it comes to the viability of such a centralised system. ICANN Org has estimated that the development and implementation of the SSAD will cost from 20 to 27 million USD, while the operation cost will range from 14 million to 106 million USD, depending on the options for users’ accreditation and verification. On top of everything, legal uncertainty regarding cross-border data transfers adds another complexity for the viability of the SSAD, amongst other things.
There are voices in the GAC calling for ICANN Org to take care of the entire funding of the SSAD, including the accreditation of its users. Considering the significant costs it may entail, the ICANN Board has reserved the right to undertake further consideration before deciding whether the recommendations on the SSAD within the ODP are in “the best interests of ICANN and the ICANN community”, which could call other measures of public interest into question.
It looks like the SSAD might be quite a questionable endeavour after all, putting at risk the purpose of ICANN to coordinate the management of the technical elements of the DNS and to ensure its stable and secure operation.
Contractual compliance and accuracy
Access to non-public WHOIS cannot be discussed without the closely intertwined issue of ensuring that any registration data (which ultimately can be accessed) is accurate. Otherwise, the whole purpose of the immense public interest in identifying a perpetrator, a respondent, or a “trustworthy” source behind an internet resource becomes moot.
The issue of ensuring the accuracy of registration data is not new, irrespective of the most recent GDPR compliance efforts by ICANN. However, in light of the upcoming EU NIS 2 Directive that puts a special emphasis on ensuring access to “accurate and complete”, as well as potentially verified registration data, the ICANN community is facing a new challenge, since the EU NIS 2 Directive aims to harmonise the legal basis for domain name registries and registrars to be able to collect and process personal information for the purposes of cybersecurity.
While the EU NIS 2 Directive attempts to “solve” some of the issues regarding WHOIS access in the post-GDPR era, it should be recalled that it is (only?) a special law in the context of information security. It can in no way overrule the overarching EU data protection framework, which is enshrined in the fundamental rights framework and derives from the highest form of EU legislation.
Most importantly, it will not create a blanket and legitimate legal basis for access to personal information, despite its intentions. Each disclosure of personal information must be decided on a case-by-case basis, and it will be up to each Member State to provide guidance on what this means in the context of the NIS 2 Directive.
If anything, the NIS 2 Directive will create another layer of complexity for all registries and registrars. This includes ICANN contracted parties that would need to comply not only with the EU legal framework but also with whichever contractual requirement (and policy) ICANN imposes on them as a result. It is also important to keep in mind that the public policy and legislative aspect will always overrule private contractual requirements imposed by ICANN Org. This puts the whole ICANN community work on accuracy and WHOIS in a peculiar situation.
On top of all the difficulties in wrapping up GDPR compliance without breaking the internet, ICANN Org is also facing the issue of measuring accuracy across its contracted parties. According to statements made during the ICANN73 meeting, the scope of ‘accuracy’ within gTLD registration data is still not entirely clear, but it is definitely more than purely syntax checks and includes the identification of domain name holders. This was allegedly confirmed by ICANN compliance to the GAC representatives, as evident from ICANN73 discussions.
Can ICANN solve the accuracy problem?
When it comes to the issue of ‘accuracy’, ICANN is facing another complexity, i.e. the question of the proactive processing of millions of registration data records for the purposes of assessing its accuracy levels and ultimately ensuring compliance with its contracts.
According to ICANN Org officials and Board members, clarity needs to be sought from the EU data protection authorities. In the current circumstances, ICANN Org can only access registration data in response to a complaint of inaccuracy, on a case-by-case basis. On top of everything, there seems to be a lack of clarity on the role of ICANN Org when it comes to data processing activities, e.g. whether ICANN can be considered a joint controller for registration data collected and processed by contracted parties. The question of contractual compliance and the enforcement of accuracy obligations is also linked to the (lack of?) legitimate interest of ICANN Org in conducting proactive large-scale scans of the personal information of primarily unsuspecting domain name holders. The two magic words “legitimate interest” were mentioned a few times during ICANN73 when WHOIS and data accuracy were discussed, with some stakeholders arguing for and others against such a privilege.
Again, it is worth pointing out that the concept of legitimate interest does not give a carte blanche for any party to ignore the data protection framework and rights of data subjects. Any large-scale surveillance activities, for any reason, have been consistently struck down in the EU courts.
The question of joint controllership status for ICANN Org, however, seems to have been decided negatively, as ICANN Org is seeking regulatory confirmation for its controller status (i.e. a concrete legal basis). During ICANN73, the ICANN Org representative directly addressed this question to the European Commission’s GAC representative by restating ICANN Org’s lobbying activities in the context of the NIS 2 Directive negotiations. According to this statement, ICANN Org has put forward proposals in the context of the NIS 2 Directive to “make ICANN legally responsible for the disclosure of data”.
There is a lot to unpack in this statement. First of all, it seems that ICANN Org is struggling to acquire controller status for registration data, a status that must in principle be determined by its actual activities rather than by a formal requirement (e.g. a contract). Hence, ICANN cannot retrospectively solve this by negotiating a contract with its contracted parties and formally acquiring such a status.
Second, ICANN Org is essentially seeking formal recognition of its role by a regional regulator, which is not an entirely comfortable position for ICANN for many reasons. Most importantly, such recognition might jeopardise the viability of the multistakeholder model in the long run, by requiring a special legal basis for ICANN to be able to continue its global policy-setting work for contracted parties.
Finally, it can be assumed that the accuracy problem cannot be measured by ICANN Org yet. As a result, it is not clear whether, and to what extent, any problem with accuracy needs to be solved.