by Stephanie Perrin – On November 26-28 2017, I attended the meeting of the International Working Group on Data Protection in Telecommunications (IWGDPT or Berlin group) in Paris, France. The group has had data protection issues at ICANN on the agenda for the past three years (see my earlier blogpost on the 2015 Seoul Korea meeting). NCUC sponsored me to attend this meeting, and to update the group on what is happening at ICANN. Since ICANN had sent a number of people to attend the Data Commissioners Conference in Hong Kong in September, with several speaking on a panel dealing with ICANN data protection issues, the leadership of the Berlin group was aware of the new concern being demonstrated by ICANN as they prepare for the implementation of the General Data Protection Regulation (GDPR).
The Dutch Data Protection Commission has been very much engaged at the Berlin group, and they recently issued a statement concerning ICANN’s failure to comply with current law with respect to WHOIS (see the announcement on that decision). It is worth noting here that this decision states clearly that ICANN cannot rely on “legitimate interest”, “required for the performance of a contract” or consent, as grounds for unlimited disclosure of personal data in WHOIS. It is clear that they believe tiered or layered access, which facilitates speedy access for legitimate law enforcement investigations, is the preferred method to release personal data in WHOIS.
The Berlin group issued its first comment on WHOIS in 2000. You can find their reports and statements, as well as important correspondence, here. Three papers were approved at this meeting, and are now being circulated for further comment to the members of the International Conference of Data Protection and Privacy Commissioners (ICDPPC), which is the procedure the group follows with its papers. There are now 120 data protection authorities, world wide, and the Berlin Group and the ICDPPC represent the broadest global membership of these authorities.
Members of NCUC are currently working on a position paper on ICANN and compliance with the GDPR. I will post a further blog when the draft paper is ready, describing some of the issues. In the meantime, those wishing to follow privacy matters at ICANN should keep an eye on the regular GDPR updates, which appear here.
Stephanie.perrin at mail.utoronto.ca
(Posted by Renata Aquino Ribeiro)