Now GNSO mulls emergency response to GDPR deadline
ICANN’s GNSO Council is thinking about deploying a never-before-used emergency mechanism to develop a Whois privacy policy in response to GDPR.
With the May 25 deadline for compliance with the EU’s General Data Protection Regulation fast approaching, the community is scrambling to figure out how it can bring ICANN’s policies and therefore its contracts into line with the Draconian privacy provisions of the new law.
Currently, ICANN contracts with registries and registrars demand the publication of full Whois records, something GDPR will not permit, so each company in the industry is busily figuring out how its own Whois database will comply.
Fearful of a “fragmented” Whois, ICANN’s board of directors is considering deploying its own top-down emergency measure — called a Temporary Policy in its contracts — to ensure uniformity across its contracts.
CEO Goran Marby revealed to DI earlier this month that a Temporary Policy was being considered, and he and other members of the board confirmed as much to GNSO leadership during a telephone briefing last week.
(It should be noted that the call took place prior to the receipt last week of guidance from the EU Article 29 Working Party, which prompted ICANN to start mulling legal options as one way to buy the industry some time to comply post-May.)
The call (recorded here with password Eur3wiEK
and summarized in this letter (pdf)), focused almost exclusively on how the Council could respond to a board-mandated Temporary Policy, with the board suggesting a GNSO Expedited Policy Development Process might be the best way to proceed.
A Temporary Policy would expire within a year, so the GNSO would have to come up with a formal Consensus Policy within that time-frame if ICANN were to have any hope of having a uniform view of Whois across its contracts.
The Temporary Policy is a “strong option” for the board, and a “highly likely or likely” outcome, but nothing has been formally decided, the GNSO leaders heard from ICANN vice-chair Chris Disspain. He was briefly challenged by Marby, who appeared somewhat more committed to the move.
While the GNSO Council has not yet formally decided to deploy the EPDP, it appears to be the most-feasible option to meet the deadline a Temporary Policy would impose.
It is estimated that an EPDP could take as little as 360 days, compared to the estimated 849 days of a regular PDP.
The EPDP cuts out several of the initial steps of a regular PDP — mainly the need for an Initial Report and associated public comment period — which by my reading would shorten the process by at least 100 days.
It also seems to give the GNSO some wriggle room in how the actual policy creation takes place. It appears that the regular “working group” structure could be replaced, for example, with a “drafting team”.
If the EPDP has the Temporary Policy and WP29 guidance as its baseline for discussions, that could also help cut out some of the circular argument that usually characterizes Whois discussions.
Aware that the EPDP is a strong possibility, the Council is currently planning to give itself a crash course in the process, which has never been used before by any iteration of the Council.
It’s uncharted territory for both the GNSO and the ICANN board, and the only people who seem to have a firm grasp on how the two emergency mechanisms slot together are the ICANN staffers who are paid to know such things.
UPDATE: A couple of hours after this article was published, ICANN posted this three-page flow-chart (pdf) comparing EPDP to PDP. Lots of luck.
Recent Comments