Three reasons ICANN could swing the GDPR ban hammer on day one
While ICANN reckons it will act “reasonably” when it comes to enforcing compliance with its incoming GDPR emergency policy, there are some things it simply will not tolerate.
The policy, expected to be approved tomorrow and immediately incorporated by reference into registry and registrar contracts, is a little light on expected implementation timetables, so this week ICANN has been pressured for clarity.
Will Compliance start firing off breach notices on May 26, the day after GDPR comes into effect, if the industry has not immediately implemented every aspect of the new policy?
Attendees at the Global Domains Division Summit in Vancouver managed to get some answers out of general counsel John Jeffrey at a session yesterday.
First off, if you’re a registrar planning to stop collecting registrants’ personal information for Whois, ICANN will not be happy, and you could be looking at a Compliance ticket.
Jeffrey said:
We don’t want any of the contracted parties to stop collecting the data. ICANN is confident that you can continue to collect the data. We will stand in front of you on it, if we can. Do not stop collecting the data. We believe we have a very strong, important point. We hear from the governments that were involved in passing this legislation that it’s important it continues to be collected.
Second, you have to have a mechanism in place for people with “legitimate purposes” to access thick Whois records that contain all the juicy personal information.
Jeffrey said:
We also believe it’s important there’s a need to continue to display information that will be behind that second tier. And we can demonstrate the need to do that as well. This is really important.
And if there was any doubt remaining, he added:
We will enforce on the temporary spec, if it’s approved, if you stop collecting data, or if you don’t provide any mechanism to allow access to it. It’s a very serious concern.
The problem right now is that the Temporary Policy (pdf), still in draft, doesn’t have a whole heck of a lot of detail about who should be allowed such access and the mechanisms to enable it.
It says:
Personal Data included in Registration Data may be Processed on the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose Personal Data is included in Registration Data
It goes on to list circumstances where access may be given and types of parties that may need access, but it seems to me to still give registries and registrars quite a lot of responsibility to decide how to balance privacy rights and the “legitimate” data requests.
Those two scenarios — not collecting data and not making it available to those who need it — seem to be the big two zero tolerance areas for ICANN.
Other issues, such as replacing the registrant’s email address in the thin Whois output, also appear to be a pressing concern.
Jeffrey said, noting that providing a way to contact registrants is important for myriad reasons, including UDRP:
Creating the anonymized emails or web forms is another really important aspect but we understand some won’t be able to have that in place immediately.
How long after GDPR Day ICANN starts swinging the ban hammer over the email issue seems to be something ICANN is still thinking about.
That said, Jeffrey said that the organization intends to act “as reasonably as possible”.
Bureaucrats scrambling to address massive issues created by Eurocrats? That’s a lost battle for everyone else.