scyther5 / iStockphoto.com
ICANN’s interim proposal for making the Whois system compliant with the new General Data Protection Regulation (GDPR) in the EU has failed to impress European data regulators.
The European Data Protection Board (EDPB), which is an independent European body, published its letter to ICANN on Thursday, July 6.
Under the Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.
ICANN approved a temporary solution for storing registration data in May, a week before the GDPR came into force, to comply with the new regulation. During the same month, it wrote to the EDPB to seek clarification on its obligations under the GDPR.
Personal data processed through Whois can be made available to third parties with “a legitimate interest in having access to the data”, the EDPB’s response said, but registrants should not be required to provide personal data identifying third parties to fulfil the “administrative or technical functions on behalf of the registrant”.
The EDPB also said it is for ICANN to determine and justify the appropriate data retention period.
However, it added that ICANN has yet to demonstrate why each of the personal data elements processed in the context of Whois “must in fact be retained for a period of two years beyond the life of the domain name registration”.
It requested that ICANN re-evaluate its proposed retention period of Whois data.
In its letter, the EDPB said ICANN must take further steps to become compliant with the GDPR.
WP29 was an advisory group made up of a representative from the data protection authority of each EU member state. It has been succeeded by the EDPB.
Meanwhile, ICANN is embroiled in a legal battle with domain name registrar EPAG in Germany. ICANN requires full Whois data to be collected, and ordered registrars to continue collecting administrative and technical data after the GDPR came into effect in May.
But EPAG said it would delete the contact information for new domain name registrations following the introduction of the new regulation.
Whois, ICANN, European Data Protection Board, data protection, GDPR, WP29, INTA, data retention