ICANN has made it easier for registries and registrars to opt-out of Whois-related contractual provisions when they clash with local laws.
From this week, accredited domain firms will not have to show that they are being investigated by local privacy or law enforcement authorities before they can request a waiver from ICANN.
Instead, they’ll be also be able to request a waiver preemptively with a statement from said authorities to the effect that the ICANN contracts contradict local privacy laws.
In both cases, the opt-out request will trigger a community consultation — which would include the Governmental Advisory Committee — and a review by ICANN’s general counsel, before coming into effect.
The rules are mainly designed for European companies, as the EU states generally enjoy stricter privacy legislation than their North American counterparts.
European registrars and registries have so far been held to a contract that may force them to break the law, and the only way to comply with the law would be to wait for a law enforcement proceeding.
ICANN already allows registrars to request waivers from the data retention provisions of the 2013 Registrar Accreditation Agreement — which require the registrar to hold customer data for two years after the customer is no longer a customer.
Dozens of European registrars have applied for and obtained this RAA opt-out.
ICANN has approved Moniker’s request for a partial waiver of the Registrar Accreditation Agreement based on European privacy law, despite the fact that the registrar is based in the US.
The data retention waiver for Moniker was one of a few granted to members of the KeyDrive group of registrars that were approved by ICANN yesterday.
KeyDrive is based in Luxembourg, but the waiver request was granted because complying with the 2013 RAA could violate German privacy law and Moniker’s data is stored in Germany.
Registrar’s technical backend services provider as well as data storage and collection occur on servers hosted and operated in Germany, and is subject to German law. Accordingly, ICANN has determined that it is appropriate to grant Registrar a data retention waiver
Group members Key-Systems AG (a German company) Key-Systems LLC (an American company) also received waivers yesterday.
InternetX, part of Germany-based United Internet, and http.net Internet also had their requests approved.
The waiver process was introduced because the 2013 RAA requires registrars to store customer data long after their domains expire, which registrars’ lawyers say forces them to break local laws.
An EU directive implemented in many European countries says that companies cannot store personal data for longer than it is needed for the purpose for which is was collected.
The French registrar OVH has been told by ICANN that it can opt out of a requirement to retain its customers’ contact data for two years after their domain names expire.
The move potentially means many more registrars based in the European Union will be able to sign the 2013 Registrar Accreditation Agreement and start selling new gTLD domains without breaking the law.
ICANN said last night:
ICANN agrees that, following Registrar’s execution of the 2013 RAA, for purposes of assessing Registrar’s compliance with the data retention requirement of Paragraph 1.1 of the Data Retention Specification in the 2013 RAA, the period of “two additional years” in Paragraph 1.1 of the Data Retention Specification will be deemed modified to “one additional year.”
It’s a minor change, maybe, and many EU-based registrars have been signing the 2013 RAA regardless, but many others have resisted the new contract in fear of breaking local laws.
Now that OVH has had its waiver granted, it’s looking promising that ICANN will also start to allow other EU registrars that have requested waivers to opt-out also.
ICANN has been criticized for dragging its feet on this issue, and I gather the OVH is still the only registrar to have been given the ability to opt out.
Registrars based in the European Union are becoming increasingly disgruntled by what they see as ICANN dragging its feet over registrant privacy rules.
Some are even refusing to sign the 2013 Registrar Accreditation Agreement until they receive formal assurances that ICANN won’t force them to break their local privacy laws.
The 2013 RAA, which is required if a registrar wants to sell new gTLD domains, requires registrars to keep hold of registrant data for two years after their registrations expire.
Several European authorities have said that this would be illegal under EU privacy directives, and ICANN has agreed to allow registrars in the EU to opt out of the relevant provisions.
Today, Luxembourgish registrar EuroDNS said it asked for a waiver of the data retention clauses on December 2, but has not heard back from ICANN over two months later.
The company had provided ICANN with the written legal opinion of Luxembourg’s Data Protection Agency
In a snippy letter (pdf) to ICANN, EuroDNS CEO Lutz Berneke wrote:
Although we understand that your legal department is solely composed of lawyers educated in US laws, a mere translation of the written guidance supporting our request should confirm our claim and allow ICANN to make its preliminary determination.
EuroDNS has actually signed the 2013 RAA, but says it will not abide by the provisions it has been told would be illegal locally.
Elsewhere in Europe, Ireland’s Blacknight Solutions, said two weeks ago that it had requested its waiver September 17 and had not yet received a pass from ICANN.
“Why is it my problem that ICANN doesn’t understand EU law? Why should our business be impacted negatively due to ICANN’s inability to listen?” CEO Michele Neylon blogged. “[W]hile this entire farce plays out we are unable to offer new top level domains to our clients.”
But while Blacknight is still on the old 2009 RAA, other European registrars seem to have signed the 2013 version some time ago, and are already selling quite a lot of new gTLD domains.
Germany’s United-Domains, for example, appears to be the third-largest new gTLD registrar, if name server records are anything to go by, with the UK’s 123-Reg also in the top ten.
That comment period is not scheduled to end until February 27, however, so it seems registrars agitated about foot-dragging have a while to wait yet before they get what they want.
A European Union data protection body has told ICANN for a second time — after being snubbed the first — that parts of the 2013 Registrar Accreditation Agreement are in conflict with EU law.
The Article 29 Data Protection Working Party, which is made up of the data protection commissioners in all 28 EU member states, reiterated its claim in a letter (pdf) sent earlier this month.
In the letter, the Working Party takes issue with the part of the RAA that requires registrars to keep hold of customers’ Whois data for two years after their registrations expire. It says:
The Working Party’s objection to the Data Retention Requirement in the 2013 RAA arises because the requirement is not compatible with Article 6(e) of the European Data Protection Directive 95/46/EC which states that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected”
The 2013 RAA fails to specify a legitimate purpose which is compatible with the purpose for which the data was collected, for the retention of personal data of a period of two years after the life of a domain registration or six months from the relevant transaction respectively.
Under ICANN practice, any registrar may request an opt out of the RAA data retention clauses if they can present a legal opinion to the effect that to comply would be in violation of local laws.
The Working Party told ICANN the same thing in July last year, clearly under the impression that its statement would create a blanket opinion covering all EU-based registrars.
But a week later ICANN VP Cyrus Namazi told ICANN’s Governmental Advisory Committee that the Working Party was “not a legal authority” as far as ICANN is concerned.
The Working Party is clearly a bit miffed at the snub, telling ICANN this month:
The Working Party regrets that ICANN does not acknowledge our correspondence as written guidance to support the Waiver application of a Registrar operating in Europe.
the Working Party would request that ICANN accepts the Working Party’s position as appropriate written guidance which can accompany a Registrar’s Data Retention Waiver Request.
It points out that the data protection commissioners of all 28 member states have confirmed that the letter “reflects the legal position in their member state”.
ICANN has so far processed one waiver request, made by the French registrar OVH, as we reported earlier this week.
Weirdly, the written legal opinion used to support the OVH request is a three-page missive by Blandine Poidevin of the French law firm Jurisexpert, which cites the original Working Party letter heavily.
It also cites letters from CNIL, the French data protection authority, which seem to merely confirm the opinion of the Working Party (of which it is of course a member).
EU registrars seem to be in a position here where in order to have the Working Party’s letter taken seriously by ICANN, they have to pay a high street lawyer to endorse it.