2013 RAA is illegal, says EU privacy watchdog

Kevin Murphy, July 8, 2013, 12:13:37 (UTC), Domain Registrars

European privacy regulators have slammed the new 2013 Registrar Accreditation Agreement, saying it would be illegal for registrars based in the EU to comply with it.
The Article 29 Working Party, which comprises privacy regulators from the 27 European Union nations, had harsh words for the part of the contract that requires registrars to store data about registrants for two years after their domains expire.
In a letter (pdf) to ICANN last month, Article 29 states plainly that such provisions would be illegal in the EU:

The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.

The 2013 RAA allows any registrar to opt out of the data retention provisions if it can prove that to comply would be illegal in its own jurisdiction.
The Article 29 letter has been sent to act as blanket proof of this for all EU-based registrars, but it’s not yet clear if ICANN will treat it as such.
The letter goes on to sharply criticize ICANN for allowing itself to be used by governments (and big copyright interests) to circumvent their own legislative processes. It says:

The fact that these data may be useful for law enforcement (including copyright enforcement by private parties) does not equal a necessity to retain these data after termination of the contract.

the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.
If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation

So why is ICANN trying to get many of its registrars to break the law?
While it’s tempting to follow the Article 29 WP’s reasoning and blame law enforcement agencies and the Governmental Advisory Committee, which pushed for the new RAA to be created in the first place, the illegal data retention provisions appear to be entirely ICANN’s handiwork.
The original law enforcement demands (pdf) say registrars should “securely collect and store” data about registrants, but there’s no mention of the period for which it should be stored.
And while the GAC has expressly supported the LEA recommendations since 2010, it has always said that ICANN should comply with privacy laws in their implementation.
The GAC does not appear to have added any of its own recommendations relating to data retention.
ICANN can’t claim it was unaware that the new RAA might be illegal for some registrars either. The Article 29 WP told it so last September, causing ICANN to introduce the idea of exemptions.
However, the European Commission’s GAC representative then seemed to dismiss the WP’s concerns during ICANN’s public meeting in Toronto last October.
Perhaps ICANN was justifiably confused by these mixed messages.
According to Michele Neylon, chair of the Registrars Stakeholder Group, ICANN has yet to respond to European registrars’ inquiries about the Article 29 letter, which was sent June 6.
“We hope that ICANN staff will take the letter into consideration, as it is clear that the data protection authorities do not want to create extra work either for themselves or for registrars,” Neylon said.
“For European registrars, and non-European registrars with a customer base in the EU, we look forward to ICANN staff providing us with clarity on how we can deal with this matter and respect EU and national law,” he said.


Comments (4)

  1. The legislative base for this is well known and understood.
    I’ve been saying this for many years.
    The only surprising thing is that after years of being a somnolent poodle, the Union’s data protection authorities are finally showing willing to enforce the law.

  2. Volodymyr says:

    I see the problem of implementing of the law enforcement recommendations to RAA cannot be decided on the way of improving of RAA by ICANN.
    Any data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement should be legalized by adapted national law.
    It’s not ICANN’s RAA crisis. It’s the crisis of ICANN attempts to use self-regulation principles to law enforcement sphere, where only national laws can allow to collect data for law enforcement aims.

  3. There is nothing wrong -per se- in using private contractual means to achieve legitimate and proportionate law enforcement goals.
    It only crosses the line when contractual clauses (particularly if they are mandated by some form of regulator) infringe on fundamental rights.
    The law (that is to say Parliament in setting the law, and the courts in enforcing it) is obliged to balance competing rights (e.g. private and family life vs. free expression).
    ICANN does a peculiarly bad job in dealing with that because it doesn’t start at the basics, but simply jerks hither and thither depending on whoever is currently shouting the loudest.

    • Yes, it’s true.
      But it means ICANN cannot do this job, cannot regulate WhoIs in legitimate way. If ICANN can, how to deal with fundamental rights?
      Where is decision of this long ICANN/WP29 discussion?
      What is the basis? Should it to be international agreement later implemented to countries laws?
