Latest news of the domain name industry

Recent Posts

EU body tells ICANN that 2013 RAA really is illegal

Kevin Murphy, January 29, 2014, 16:27:31 (UTC), Domain Registrars

A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.

The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.

In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:

The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”

The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.

Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.

The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.

But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.

The Working Party is clearly a bit miffed at the snub, telling ICANN this month:

The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.

the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.

It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.

ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.

Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.

It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).

EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.

Tagged: , , , , , ,

Comments (3)

  1. Avri Doria says:

    I am very grateful that the Article 29 Data Protection Working Party has continued to pay attention to this issue. The EU has a lot to teach about proper regard for privacy in the laws it has crafted. It would behoove us at ICANN to learn from them. I am hoping that this time we will see the GAC representatives from the EU countries support this as GAC advice.

    The original GNSO policy was created to prevent registrars from falling afoul of their national law. It was not created to help them only after they had been pinched and ruled against. Once again we see an ICANN implementation that misses the point of the policy.

    In closing, this is so important in the protection of endangered registrants that again I can only thank them for their persistence.

    avri

  2. Eberhard says:

    When I read “protection of endangered registrants” it makes me think of Chinese panda bears.

    I think the protection of endangered species, and other environmental issues, are much more important than silly EU data protection laws.

  3. It is not like the Registrar negotiation team had not told ICANN the very same thing the day the demand came to the table.
    The only reason we finally accepted this requirement in the RAA was because ICANN gave us the waiver process. Little were we to know that the only way they’d grant the waiver was to ask for an exemption that would just allow us to violate the law a little less…

Add Your Comment