A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.
The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.
In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:
The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”
The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.
Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.
The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.
But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.
The Working Party is clearly a bit miffed at the snub, telling ICANN this month:
The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.
the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.
It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.
ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.
Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.
It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).
EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.