ICANN’s Whois proposal fails to impress European data regulators
11-07-2018
rbfried / iStockphoto.com
ICANN has asked for feedback on its proposal for a possible unified access model to the Whois system, in an effort to engage with data protection authorities and be compliant with the newly implemented General Data Protection Regulation (GDPR) in the EU.
Under ICANN’s Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.
The organisation shared the news on Monday, August 20.
In June, ICANN published its “Framework Elements for a Unified Access Model for Continued Access to Full Whois Data” to “deepen” its understanding of the EU’s GDPR.
ICANN’s framework aims to provide a method for registries and registrars to offer access to full Whois data for legitimate purposes, such as actions taken by law enforcement, while also having adequate protection for personal data in line with GDPR.
Now, ICANN has published its “Draft Framework for a Possible Unified Access Model for Continued Access to Full Whois Data – For Discussion", which is a working draft intended to facilitate further discussions.
Feedback will be important as ICANN continues to work with the European Data Protection Board (EDPB), an independent European body, to gain clarity on the legal implications of such a mechanism, the organisation said.
It added that legal certainty is necessary to enable data controllers to ascertain whether a unified access model can be implemented.
ICANN explained that the working draft outlines “basic parameters” based on ICANN’s current understanding of GDPR.
The proposal is seeking to discover “whether it is possible to develop an automated and unified approach across all gTLD registrars and registry operators in a manner consistent with the GDPR, including the obligations placed on data controllers”.
The unified access model is not intended to replace ICANN’s temporary specification for gTLD registration data which was approved on May 25, the same day GDPR came into force.
In May, ICANN wrote to the EDPB to seek clarification on its obligations under GDPR. The EDPB responded to ICANN’s letter last month, stating that ICANN must take further steps to become compliant with the EU’s regulation.
The temporary specification allows access to non-public Whois data for those with legitimate purposes but, this week, ICANN said that registry operators have “differing approaches to meeting that requirement”.
ICANN is currently embroiled in a legal battle with domain name registrar EPAG over the retention of data under GDPR. The lawsuit, which was filed on the day that the new regulation came into effect, has been referred to the Higher Regional Court in Cologne, Germany.
Those interested in sharing their input with ICANN have been invited to send comments to gdpr@icann.org.
ICANN, gTLD, domain names, General Data Protection Regulation, unified access model, data protection, Whois data, European Data Protection Board
