- ICANN community groups call for involvement in exploration of GDPR’s impact
- Two gTLDs shut off public access to WHOIS data citing clash with EU law
- Tiered access system likely, with “legitimate interest” required to access data
The Internet Corporation for Assigned Names and Numbers (ICANN) has come under fire for excluding the full community in its exploration of the General Data Protection Regulation’s (GDPR’s) impact on the WHOIS system. ICANN has stated that the regulation could impact its ability to maintain a single global WHOIS system, and now this week two generic top-level domains withdrew public access to registrant information. Trademark counsel should follow the issue closely, as it could lead to the end of WHOIS in its current form and the ability to easily (and cost-effectively) identify the owners of infringing domains. Whatever the outcome, policing activities are set to get harder.
The GDPR, adopted in 2016, becomes enforceable on May 25 2018 uniformly across the European Union. The aim of the regulation is to protect EU citizens and residents from privacy and data breaches, and it therefore requires explicit consent to be obtained for the collection – and use, including publication – of personal data. Crucially, while an EU regulation, it applies to all companies processing and holding the personal data of subjects residing in the EU, regardless of the company’s location. Therefore, ICANN and non-EU registries and registrars are impacted.
For ICANN, the GDPR is set to have a significant impact on WHOIS, with the organisation acknowledging: “Since GDPR will likely affect how WHOIS data is displayed, it could impact our ability to maintain a single global WHOIS system. In turn, this will likely impact either ICANN’s agreements or its ability to enforce contractual compliance of its agreements using a single and consistent approach.” In short, on the face of it, the GDPR could result in WHOIS as we know it coming to an end.
To explore the possible ramifications, ICANN established a Compliance Task Force and in August the Business Constituency (BC) expressed concern with the direction of its efforts. Noting that the task force does not “accommodate full participation from the ICANN community”, the letter argued for the development of a document that defends WHOIS and how the system serves the public interest. It urged the development of “an action plan that will create a narrative to present to regulators that defends WHOIS, and examines how it is consistent with the GDPR”. The Intellectual Property Constituency (IPC) subsequently echoed this call, writing to ICANN earlier this month to urge that it update its plan by focusing on the public interests for maintaining the WHOIS system as well as the centrality of WHOIS to the DNS, “rather than starting out with the assumption that WHOIS is somehow incompatible with the GDPR”.
More recently, on October 13, the registries and registrars stakeholder groups told ICANN that the requirements under GDPR and contracts with ICANN stand in conflict with each other, and expressed frustration at the seeming lack of progress on efforts to reconcile these differences. They too urged an inclusive approach to the development of new policies, threatening: “If we are unable to work together to identify a shared solution, contracted parties must necessarily develop their own approaches to dealing with the conflicts between GDPR and their contractual requirements, which may or may not align with each other.”
Days later, ICANN published a 17-page memo it received from European law firm Hamilton, which it had commissioned to provide an independent legal analysis. The firm notes that “from an outside perspective, the purposes of the data processing within the WHOIS services are currently not entirely clear and transparent”. However, from a data controller perspective it suggests that ICANN, registries and registrars “are all considered to be joint controllers” – meaning that the respective roles do need to be set out (for instance in relevant agreements). As to the current level of consent given by registrants, it notes that this will need to be reviewed to ensure that it is unambiguous, informed and voluntary. And while contact details are required for execution of the agreement, it suggests that making personal information public may not be necessary. In short, the status quo is not GDPR compliant.
Interestingly, Hamilton did note that “the use of WHOIS data to investigate fraud, consumer deception, intellectual property violations, or other violations of law” could qualify as a legitimate interest, although this would have to be weighed against the rights and freedoms of the data subject.
Hamilton’s overall conclusion, though, is that “it will not be possible to claim legitimate interest as a legal ground for processing of personal data as currently performed through the WHOIS services on an unchanged basis”. While the current system would be acceptable if based on consent, it notes that this would be a “complex solution”, dependent on registrants providing (and withdrawing) their consents.
Last week, the Non-Commercial Stakeholders Group also waded in on the issue, arguing that the BC and IPC’s positions “involve a misread of the GDPR which, at best, underestimates the risks associated with non-compliance and, at worst, entirely dismisses the public interest in respecting the fundamental right to privacy… It is our view, that in the case of the intellectual property community, they are externalising the risks from their actions onto ICANN and the contracted parties…. ICANN owes no obligation to, and is not responsible for, how or why other parties use WHOIS. To do so would be reckless and expose ICANN, as the data controller, to real liability under the GDPR”.
While ICANN continues its exploration, and the debate escalates, the spectre of contracted parties going it alone in a bid to avoid liability is already becoming reality. Yesterday Domain Incite’s Kevin Murphy reported that two Dutch geo-gTLDs – ‘.amsterdam’ and ‘.frl’ – are refusing to provide public access to WHOIS information, arguing that the provisions in their Registry Agreements are “null and void” under Dutch and European Union law.
One possible outcome to enable compliance is a tiered system in which registrars keep on record the details of registrants (that information being required to perform the agreement), with this information then made available to law enforcement where a legitimate interest is deemed to exist. This is one model suggested by Hamilton and – at this stage – appears to be the more likely outcome. Murphy notes that this is the approach now taken by the ‘.amsterdam’ and ‘.frl’ TLDs, which will provide WHOIS access to vetted individuals such as law enforcement officials. However, if adopted universally, this approach would add a layer of complexity to the policing activities of rights owners, who would have to go through law enforcement authorities to request action against infringing sites.
Under the GDPR, fines of up to €20 million or 4% of group turnover (whichever is larger) can be levied for breaches by both data controllers and processors. The perceived wisdom is that the 4% penalty is unlikely to be widely implemented but that – in order to demonstrate the seriousness of the regulation – an early high-profile party could find itself facing such a fine. ICANN would certainly represent such a high-profile name and the spectre of heavy fines is no doubt weighing heavily on both the organisation and its contracted parties. At next week’s ICANN meeting in Abu Dhabi, the GDPR is likely to be the focus of in-depth and emotive discussion, and further jostling for influence.
For rights holders it is a topic worth following because, depending on the approach taken by ICANN, the introduction of GDPR could be a game-changer for both the WHOIS system and the ability of trademark counsel to easily (and cost-effectively) identify the owners of infringing domains and website content.
[Culled from https://www.lexology.com/library/detail.aspx?g=7bd27fa5-613c-4f6c-a876-d72407e58fdf]