Initial report on bringing WHOIS inline with GDPR open for comment

A special working group charged with coming up with changes to the Whois service that bring it in line with the General Data Protection Regulation (GDPR) published its initial report on 21 November 2018 and opened it up for public comment. The Initial Report responds to the call to answer a set of questions and determine if the Temporary Specification for gTLD Registration Data should become a General Data Protection Regulation (GDPR)-compliant ICANN Consensus Policy as is, or one with modifications.

The Expedited Policy Development Process (EPDP) working group have been working tirelessly in face of tremendous time pressures, outside scrutiny and entrenched opinions. This initial report is very welcome, but is still the first stage of a long and arduous process. The Temp Spec expires on 25 May 2019. Consensus on key matters has to be achieved in order for ICANN’s GNSO policy making body to make a recommendation to the Board. The divisive nature of some of the discussions so far does not make consensus a foregone conclusion. There are near irreconcilable differences. The registries and registrars are ranged to the left, seeking to limit their exposure and be compliant with whatever local interpretation of GDPR their courts apply; civil society representatives want very strong privacy to protect netizens; brand and law enforcement representatives argue that timely access to accurate information is essential to protect consumers and brand values; and Governments speak from both sides of their mouths – they want their citizens’ data to be nurtured whilst their agencies have unfettered access.

Many of the difficult issues remain to be decided after the public feedback has been received, including whether there can or should be a distinction made between the treatment of registrants depending on their geographic location, and whether the (optional) organization field should remain open or whether the risk that some registrants may have included personal data in this field warrants requiring it to also be redacted. There is also little to please trademark owners yet. Whilst there is a recommendation to keep the Temp Spec’s existing “reasonable access” obligations in place, the lack of criteria or guidance on what is reasonable has led to fragmented handling, which has hampered access, in practice, to the Whois information vital to enforcing against abusive registrations; and brand owners must wait for the next stage of the EPDP’s work to conclude before we know how this will be addressed.

We are not optimistic on access, and hope that ICANN itself might help discussions along by creating and operating a universal Whois so at least the process of accessing data is simpler for trademark owners, law enforcement and others with a legitimate need for accurate registrant information in a timely fashion. In Barcelona, the contracted parties expressed their cautious support for this notion, and ICANN staff seemed to be in favour of exploring further, but recent correspondence to the EPDP working group on identifying controllership suggests that ICANN Org may not be willing to assume this level of potential liability.

To read the full report and comment, please see:
https://www.icann.org/public-comments/epdp-gtld-registration-data-specs-initial-2018-11-21-en