Despite long-standing data protection compliance discussions by the ICANN community since the advent of the GDPR, and the finalisation of the NIS 2 Directive that was a direct EU response to deal with the “unintended” consequences of the GDPR on the WHOIS, there is still no end in sight to the debate over how to reconcile the multistakeholder model with legislative obligations put forward across national jurisdictions. The GDPR’s implementation is still a work in progress, while the NIS 2 accuracy obligations applicable to all registries operating in the EU are still considered to be too abstract to be able to have an impact on ICANN policy development. One is clear: TLD registries must respect national and regional legislation, irrespective of what is happening at ICANN.
What’s new with the WHOIS?
We have written extensively on the status of GDPR compliance at ICANN, including access to non-public registration data by third parties (see for example here, here and here). A few notable updates from the ICANN76 discussions include a new acronym, potential for a new Policy Development Process (PDP) and a pause in the work of the GNSO Accuracy Scoping Team.
New acronym
ICANN76 will go down in history with (another) acronym change: the centralised/unified system to process registration data access requests across contracted parties, previously known as the “Unified Access Model” (UAM) and the “System for Standardized Access” (SSAD) have now transformed into the “Registration Data Request Service” (RDRS). The RDRS will be designed as a test pilot based on voluntary participation by willing registrars to first offer the “bare minimum” of the previously planned SSAD that was deemed to be too costly. The system should be able to accept requests from access seekers and route them to the relevant registrars by late June 2023 (registry requests are excluded from the service). The aim is to launch the system in November 2023, after which the RDRS will be monitored for the period of two years, with a view to re-initiate discussions regarding the SSAD. The launch of the RDRS may be accompanied by another Policy Development Process to make its use mandatory for all ICANN accredited registrars, which the GAC seems to be strongly in favour of. The responses to the access requests via the RDRS would need to be assessed by each registrar individually, based on local data protection and other relevant legislation. Registrars would also need to verify the authenticity of these requests according to their internal processes. It is not clear what the benefits of such a system are beyond offering a one-stop shop mechanism for access seekers.
Accuracy scoping team
In September 2022, the GNSO Accuracy Scoping Team formed to substantiate the term “accuracy” in the context of ICANN contracts with registries and registrars, issuing its Interim Report covering a “current description” of accuracy and possible ways to measure the current state of accuracy that do not require access to registration data, by inter alia running a survey across registrars. In November 2022, the GNSO Council adopted a motion to pause the work of the scoping team. This was inter alia due to the absence of a Chair of the group, as well as the lack of clarity from the GNSO on how the work of the scoping team will be incorporated in on-going policy development work. The bigger question here is whether the work of the scoping team would still be relevant by the end of the NIS 2 transposition deadline.
The impact of NIS 2 on geoTLDs and DNS abuse discussions
While the multistakeholder community is still figuring out how to address data protection, and in the long-run the data accuracy obligations under the NIS 2 Directive that affect all registries operating in the EU, the contracted parties, such as geoTLDs are already faced with the dilemma of how to achieve compliance with EU legislation whilst staying competitive with the rest of gTLDs. The NIS 2 Directive makes a reference towards the policies developed within the multistakeholder model only in passing and within its non-legislative part. However the real difficulty is that the ICANN community has still not figured out a data protection compliance that works for all its diverse corners. There is also an increasing concern over the proliferation of registration data accuracy regimes across the EU, pending the implementation work that has now started within EU Member States. The proliferation of diverging accuracy regimes is seen as an administrative burden for operators that could essentially hamper the accessibility of domain names by end-users and the user-friendliness of the domain name registration process. EU geoTLDs may be at a significant disadvantage in comparison to the rest of gTLDs, as a result of the NIS 2’s implementation that does not take into account the multistakeholder solutions.
Although the NIS 2 Directive makes a direct link between the importance of accurate registration data for the purposes of tackling DNS abuse, there is still no direct evidence that cleaner zones (such as European ccTLDs) can be solely attributed to strict registration data verification procedures. Other factors may contribute to the lack of DNS abuse, such as registration policies, overall abuse-response and mitigation policies, and the pricing of domain names. In addition, the uncertainty with some of the accuracy-related provisions in NIS 2, such as the prohibition to duplicate data collection by registries and registrars, may force more registries to adopt a ‘thin’ registry model with no collected registration data beyond purely technical data needed for a domain name to be accessible online.
Conclusion
We are yet to see what NIS 2 impact will be on the ongoing GDPR-compliance work at ICANN, and most importantly, if the developments on the multistakeholder model can be taken into account by the EU Member States that are in the process of implementing the NIS 2 legal requirements into their national legislation. The ICANN discussions have not yet offered any answers to the questions posed by EU policymakers, while EU geoTLDs are considering moving towards a thin registry business model that would shield them from any excessive regulatory burden, while retaining competitiveness with non-EU actors.
