by Olga Kyryliuk
On 2 February 2018, ICANN President and CEO Goran Marby, along with General Counsel and Secretary John Jeffrey, held a webinar (announcement, recording and materials) during which they updated the community on recent developments regarding GDPR compliance models, privacy and Whois. Goran Marby mentioned that GDPR will affect us all and thanked everyone for high-quality input on potential compliance models (around 65 comments received), while encouraging the community to keep conversations going.
In turn, John Jeffrey presented a Chart and a Working Draft Non-Paper with Selected Interim GDPR Compliance Models and Comments. He noted that best efforts were made to synthesize the provided data in a short period of time, though it would be wrong to expect all of it to be correct, as something is adjusted every time. The matrix showcases five GDPR compliance models proposed by the community and three (1, 2A, 2B, 3) ICANN models. Although they differ, all of them come from the same base and center on a single type of matrix information set. The key points are layered/tiered access and support for continued collection, transfer and escrow of the full thick Whois data.
There were no indications received from the DPAs yet regarding this approach to keep the full thick Whois model. In model 1, ICANN would try to remain as close to the current Whois model as possible, recognizing that some of its elements might not be consistent with GDPR. The question of whether these changes would apply only to the European Economic Area or globally is still pending, as well as whether the interim changes should apply to registration of natural persons only or cover legal persons as well. More analysis is also needed to clarify whether or not the registrant email address should be included in the public Whois; the approach differs in the proposed models. The purpose of this non-paper is not to be conclusive, but while illustrating differences and similarities, drive toward finding a final interim compliance model. Summarizing the non-paper presentation, John Jeffrey welcomed any thoughts and suggestions as to how to improve the matrix.
After this presentation the floor was opened for questions, which varied from whether ICANN is a data controller to what is the legal justification for applying GDPR to domain names outside the EU.
Regarding ICANN’s bilateral cooperation with the Article 29 Working Party, G. Marby mentioned that for the last 6 months he had encouraged everyone to have their own contact with Article 29, which he believed to be important for all parts of the community in order to explain the reasoning behind their views on GDPR. ICANN tried to build good relations with Article 29, but he also expressed hope that the same was done by other members of the community.
As to the models that received the most support from contracted parties, G. Marby fairly clarified that it is not a popularity contest, since in the end we are talking about compliance with a law. ICANN constructed a process for collecting input, tried to make it transparent, and to have the best legal discussion while looking at different components of different proposals. Mr. Marby mentioned that he himself talked to many parts of the community that have not been on speaking terms for a long period of time. And after all these months he is in favor of the community coming together and discussing the last components of what has been elaborated until now.
The ICANN CEO repeatedly pointed out that the discussions are not only about compliance with law in Europe, but also with respect to ICANN contracts. He also said that ICANN is getting closer to where a decision has to be made. However, whatever the solution is, it will take some time for the contracted parties to implement. At the same time, the community has to continue important policy discussions, which is why the solution we are discussing now is just an interim one.
Regarding ICANN’s role as a data controller, J. Jeffrey noted that there has never been a question whether ICANN is a controller or not, but rather how it is classified as a controller (joint controller, co-controller, etc.). ICANN has actual control of the data only in exceptional cases, i.e. audits, inspections, compliance, transitioning of domain names. It is also important to realize that ICANN, registries and registrars have different purposes when dealing with registrants’ data.
Regarding possible specific guidance from the Article 29 Working Party on Whois, G. Marby stated that DPAs cannot give specific advice before they make a decision, but that will change with the GDPR in late May. ICANN is trying to build relations with Article 29 to share the information about Whois and ICANN policies, while trying to be as neutral as possible. The Article 29 Working Party is a committee of data protection authorities of the EU member states, established under Article 29 of the EU Data Protection Directive 95/46, the Directive that is currently in place, which the Regulation will replace in May. The GDPR gives the Working Party more authority, turning them into the Data Protection Board.
As for the ICANN time frame for GDPR compliance, J. Jeffrey pointed to the Regulation coming into force on May 25. In addition, he said that the time issue is currently being discussed with contracted parties, given that an appropriate model is still not in place. ICANN is also trying to communicate with the authorities to determine whether there could be additional time before the law would be applied to Whois; answers to these questions are not expected in the short run.
Explaining the compliance models, Goran Marby gave a very interesting analogy of a pizza, saying that if you look at the matrix, you may notice that it is constructed in a way that you can take something out and put something in. The content of a pizza is decided by the community. There are different parts of that pizza. ICANN tries to take away as few toppings as possible, and wants to be compliant with the law. If you look at the ECO model and compare it to ICANN model 2B, they are quite close in some features. In the ECO model some things are optional, and if they become a standard feature, that would actually bring them together. The ICANN model starts with Hawaii, then you take away the pineapple and get another pizza with another name. That’s how close the different models are. Moreover, it’s very important that you can pick and choose.
According to Goran Marby, there is no particular deadline for publishing an interim model, but it is expected to be released in mid-February. There is an ongoing dialogue with the Article 29 group, and ICANN is also waiting for different community stakeholders to talk among themselves.
As to the possibility of using both the ICANN-chosen model and the ones submitted by the community, the ICANN CEO was pretty clear that for transparency and clarity reasons there can only be one model. This is not a policy, but an interim solution. The policies can never supersede any local law. G. Marby expressed his delight that the comments received drew a clear line between compliance and policy issues, and reiterated his hope for the community to enhance policy work. He referred to proposals for e-privacy legislation in Europe that ICANN also probably has to be aware of.
As to ICANN’s reaction if its chosen model is not deemed by contracted parties to conform with GDPR, G. Marby mentioned that most of the models contain the same solution to a problem. Differences between models are not that big. In terms of compliance there is a big line between the current version of Whois and a new one, which is tiered or layered access. It is hard to say that only one model is to be chosen, as something might be added or taken away. At the moment efforts are aimed at finding a proper balance between compliance with law and policy set by the community. At the same time, J. Jeffrey noted that ICANN can’t guarantee every contracted party will agree with the selected approach or will believe they are in compliance with it. Thus, we need to clarify what has to be done if there is disagreement as to the application of a model. No matter what interim model ICANN selects, it can’t force contracted parties to violate law. If contracted parties believe themselves to be in violation of the law, ICANN will ask them to provide their reasoning and prove it through documentation. Feedback is welcomed, if there are feasible concerns right now.
Goran Marby also noted that the policy set by the community is deemed to be in violation of GDPR, which is why it is a compliance issue. And that’s the whole exercise ICANN is going through. It is important for the community to look at the policies under the impact of GDPR and other parts of legislation. In turn, John Jeffrey pointed out that Whois is much older than ICANN, and its historical origins have been incorporated through the agreements. There is no community policy on Whois, but rather a set of practices and contractual terms that are no longer consistent with European law. And this is why all this discussion about transforming the Whois policy to meet the legitimate purposes is happening.