ICANN is the Data Controller and ICANN has a problem

This week the following memorandum was published by ICANN regarding the EU GDPR, created by Thomas Nygren and Pontus Stenbeck, Hamilton Advokatbyrå.

ICANN – GDPR_Memorandum – Part 1

The document spells out that ICANN is the data controller when the EU GDPR goes live next year, 25 May 2018.

A lot of it was already covered earlier by an opinion created for the RDS WG, the WG that is dealing with the WHOIS replacement.

Transfer of Personal Data to Third Countries
Still, some interesting things can be discovered in the memorandum.

Section 3.3 for example.
There are no restrictions per se under the GDPR on the transfer of personal data from one EU member state to another. However, the transfer must comply with the GDPR (i.e., the transfer must be covered by the determined purpose of the processing, the data subject must have been duly informed, etc.). It should also be noted that a transfer between two different legal entities requires the parties to take safety measures to ensure that the data subject’s rights are upheld (a request for the right to be forgotten would, for instance, require the controller to take effort to ensure that personal data is cleansed by other legal entities).

If we check the other sections under 3.3 one would get the feeling that transferring PII to a third country outside of the EU would be illegal or at least a complete nightmare for a domain name Registrar or domain name reseller.

I think in a practical sense the only solution to address this issue is to inform the registrant of all the issues around such a domain name registration. I have already laid out the issues there in a previous post.
And I guess as a Registrar we should wish the registrant good luck with it and have them consent to the fact that the Registrar is not liable for any wrongdoings by the Registry in a third country.

The Rabbit hole, more like a black hole.

When it comes to WHOIS and consent, Hamilton is pretty clear in their legal advice:
In our opinion, the current open, publicly available Whois services can only remain on an unchanged basis, i.e., as currently provided by processing the same types and quantities of PII in the same way as today, if any processing of PII carried out in connection in addition to that is based on consent. As discussed above, this would, however, be a complex solution, entailing many technical and organizational challenges, and is unlikely to solve all issues, especially since the Whois services, about PII, will be dependent upon the registrants providing and withdrawing, their consents.

Most of the ICANN community members look at consent as the silver bullet, and it is my observation their scope is limited to Registry and Registrar contracts. But ICANN itself also processes a lot of data as laid out in the RAA 2013 and goes beyond the RAA 2013 contract.

The WHOIS ARS project was created both in response to recommendations compiled and delivered by the 2012 WHOIS Review Team, under the Affirmation of Commitments (AoC), as well as to address GAC concerns on WHOIS accuracy. ICANN committed to proactively identify potentially inaccurate gTLD WHOIS contact data and forward this information to gTLD Registrars for investigation and follow-up.

ICANN collects and processes WHOIS data. They use third-party vendors to assist them in collection and processing.

  • NORC at the University of Chicago: Study Design, Sample Selection, and Data Analysis
  • Whibse, Inc: Parsing
  • DigiCert, Inc: Email and Telephone Accuracy Testing
  • Universal Postal Union: Postal Address Accuracy Testing

If ICANN wants to continue this program, consent is required. As consent has to be specific, informed, granular, freely given and easy to withdraw, this will add at least four or five more checkboxes for a registrant to consent to when registering a domain name.

As a contracted party I was never happy with the fact that ICANN would email registrants to check if an email address was working or not, or call registrants to check if their phone number was working or not; it always felt like an intrusion of privacy. Imagine just going through a divorce, and the phone starts ringing with an unknown caller ID…

But it does not stop there. Let’s take a look at the data retention requirements.

1.2.1. Information regarding the means and source of payment reasonably necessary for the Registrar to process the Registration transaction or a transaction number provided by a third party payment processor;

1.2.2. Log files, billing records and, to the extent collection and maintenance of such records is commercially practicable or consistent with industry-wide generally accepted standard practices within the industries in which Registrar operates, other records containing communications source and destination information, including, depending on the method of transmission and without limitation: (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number; and (3) email address, Skype handle, or instant messaging identifier, associated with communications between Registrar and the registrant about the Registration; and

1.2.3. Log files and, to the extent collection and maintenance of such records is commercially practicable or consistent with industry-wide accepted standard practices within the industries in which Registrar operates, other records associated with the Registration containing dates, times, and time zones of communications and sessions, including initial registration.

The amount of PII collected here is astonishing. Undefined, grab as much data as you can for undefined purposes, or very flimsy purposes.
To be shared by ICANN with unknown third parties.

The train of consequences

Currently in progress is the so-called Translation and Transliteration of Contact Information IRT.

The main goal here is to translate WHOIS data. The current setup is voluntary, and that is a good thing as I cannot imagine any Registry or Registrar will translate ANY WHOIS data under the EU GDPR as it would be considered processing and require consent.
It is somewhat funny if a Registry decides to translate the WHOIS data anyways and a registrant has to consent to the fact his data will be translated in more than 100 languages. That will go down well during a domain name registration process.

Registrants better not use a smartphone to register a domain name as it will be sheer impossible to click all the required consent check marks during the registration process.

The reputation of the gTLDs will hit the mud if we continue down the path of consent, and it will reflect poorly on ICANN. ICANN would have to be very specific in the RAA to continue the above-mentioned projects. Furthermore, we would need to change the RAA 2013 and a few hundred Registry contracts. This cannot be done before May 25, 2018.

Bottom line

ICANN must assess all WGs and IRTs.
Privacy by Design must be embedded into the PDP process.
At the start of a new PDP, a Data Privacy Impact Assessment should be conducted, always.
ICANN must review all current processes. Currently, the organization is processing way too much information, either by itself or third parties or contracted parties.