A report by Khouloud Dawahi
“Comprehensive WHOIS policy reform remains the source of long-running discussion and debate related to issues such as purpose, accuracy, privacy, anonymity, cost, policing, intellectual property protection, security, etc.”
The debate over WHOIS and its conflicts with data protection and privacy laws was revived with the introduction of the new European Union General Data Protection Regulation (GDPR).
This report informs the NCUC community and others about what was discussed during a webinar held on 4 October 2017 about ICANN’s work in data protection and privacy activities.
The webinar’s agenda consisted of the following:
- The ICANN Organization’s Focus with Respect to GDPR
- Recap of the recent activities
- Update on the Legal Analysis
- The ICANN 60 session in Abu Dhabi
- Community Updates on GDPR Activities and Q & A
ICANN Organization’s Work with Respect to GDPR
Göran Marby, ICANN president and CEO, proceeded with some initial reflections. He stated that ICANN as an ecosystem has entered something it has not dealt with before and apologized for any potential mistake within the process. He highlighted a lesson to be learned for the ICANN community in this context: how to deal with legislators making laws that will potentially have an effect on ICANN policies. He pointed out that the GDPR was never brought up within the ICANN community; for example, it was not discussed within the GAC, even though it should have been discussed even before the European Commission laid down its proposal, because WHOIS was never discussed during the process that led to the proposal of the GDPR. This left the ICANN community with one important question to answer: the balance between the existing availability of a WHOIS system and the associated privacy concerns it brings with it. It would have been so much easier if the European Commission had worked with ICANN in the beginning. He urged the community to find a better way to deal with similar situations in the future and expressed his eagerness to work with the GAC to avoid any future mistakes.
As a consequence, the contracted parties are on the front line of this legislation. In this regard, the ICANN organization understands the concerns of both the contracted parties and the users of WHOIS.
Initial legal reviews and communication with some Data Protection Agencies (DPAs) indicate that compliance with the GDPR will have an impact on the existing WHOIS system. There is an increasing risk that the GDPR will result in a limited WHOIS system. For registries and registrars, this regulation will impact how they do their business going forward. He reassured them that the ICANN organization understands that non-compliance with the law is not an option for them and that external legal advice received will be shared with them as it comes in.
The GDPR may also require a shift in the way ICANN previously looked at privacy issues.
As for the next steps, the legal analysis commissioned by the GNSO’s Next-Generation Registration Directory Service Policy Development Process Working Group is looking at a WHOIS replacement. ICANN is engaged with other DPAs in Europe on this issue to help understand how the GDPR might impact current gTLD policies. Given the impact on the current implementation of WHOIS, the ICANN organization realized that the issue is important not only to the contracted parties but also to other users of WHOIS information, including rights holders, law enforcement, and DNS abuse researchers who claim they have a need to access WHOIS records. There is a lot of work to do, and Marby stressed ICANN’s need for community engagement and participation in this process.
Theresa Swinehart, Senior Vice President Multistakeholder Strategy and Strategic Initiatives, mapped out ICANN’s activities in preparing for the GDPR, which follow two tracks. One asks specifically how the GDPR impacts the personal data that ICANN collects and processes for internal and external services. The other is putting together the user story matrix, which covers the personal data that other participants in the domain name ecosystem claim they have a need to process. She emphasized the importance of engagement and outreach to a range of stakeholders and of conducting the legal analysis to furnish the relevant stakeholders with the needed facts and information. The ICANN organization’s work in this area does not replace the existing policy development work underway. It is up to the European DPAs to interpret and enforce the regulation and for the European courts to resolve any disputes in that regard.
As part of the work that was undertaken to prepare for this legal analysis, Swinehart claimed to have worked with the community to help pull together user stories on how different stakeholders use WHOIS outputs.
ICANN received input from around 12 organizations and individuals across a wide range of user types and interested parties. It ended up with 29 user types, 72 different purposes, and 97 different data elements. However, the legitimacy of these purposes has not yet been assessed.
Recap of Recent Activities
Theresa Swinehart explained that her engagement activities include contracted parties, the European Commission, the DPAs and other pertinent stakeholders in and beyond the European Union, as there are global implications and ICANN is a global organization.
Update on the Legal Analysis
Theresa Swinehart advised the audience that ICANN engaged Hamilton Advokatbyrå, a specialized European law firm with experience working with European DPAs, to provide legal analysis.
This analysis is intended to serve as a building block for input into community discussion. It does not replace the need for community discussions around how to approach this issue in the ICANN space.
The approach is an iterative one. In its initial phase, the firm’s work is expected to look broadly at the issues and identify the potential legal conflicts. This will be published, and the community will have the opportunity to comment and to provide feedback. This initial phase is expected to be ready for sharing with the community prior to the ICANN 60 meeting in Abu Dhabi. The second phase of the analysis will then dig deeper and answer the questions identified by the ICANN community.
The information and updates will be published on the ICANN data protection and privacy page, in addition to the background information provided to Hamilton Advokatbyrå.
GDPR session at ICANN 60 in Abu Dhabi
Theresa Swinehart explained that, as part of the Abu Dhabi meeting, a session will be held at the request of the Business Constituency on Thursday 2 November at 10:30am. Additional details regarding the format and key objectives of this session will be available shortly.
 Final Issue Report on a Next-Generation gTLD Registration Directory Service (RDS) to replace WHOIS