As ICANN develops a permanent policy solution to ensure its “Look Up” system remains consistent with the rules of the European Union Global Data Protection Regulation, the IP community should keep a close eye and provide feedback on the new system under design.
As the European Union’s landmark Global Data Protection Regulation (GDPR) was set to go into effect in 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) engaged in a series of important, albeit belated, community consultations, with the objective of resolving perceived community concerns about the legal compliance of the “Look Up” system (previously called the “WHOIS” system) with data protection laws, such as the GDPR. The consultations resulted in ICANN adopting a “Temporary Specification” (Temp Spec) – a new contractual provision allowing its accredited registrars and registries to perform a wholesale redaction of the registration data that has historically been made available to the public.
The redactions made under the Temp Spec produced significantly less useful data for IP owners: halting the publication of most of the vital elements, such as the email and postal address of the registrant, replacing that specific contact information with the State/Province and Country designations of the registrant and a voluntary listing of an organizational affiliation, while maintaining the publication of the creation and expiration date of the domain name. The Temp Spec also included a new vague standard for allowing access to the redacted data: expressing that the personal data included in registration data may be processed on “the basis of a legitimate interest not overridden by the fundamental rights and freedoms of individuals whose personal data is included in registration data,” and only for the limited set of defined purposes. Moreover, the Temp Spec included a temporary requirement for the purpose of facilitating contact with the domain registrant: an anonymized e-mail address for the registrant – or a web-form posted on the registrar’s website.
In light of these significant alterations to the system, the IP community, and other stakeholders, expressed that the new rules under the Temp Spec and the associated ICANN Compliance function, which has been described as inconsistent at best and completely ineffectual at worst, have resulted in major problems and complexities for fighting online IP abuse and cybercrime. To help find an effective solution to these problems, ICANN has formed a policy committee to work on developing a permanent policy fix to the issue. IP owners are encouraged to pay close attention to the output of the policy committee to help ensure that a satisfactory end product may be produced through the process.
The GDPR and ICANN
On May 25, 2018, the GDPR went into effect, reflecting a global shift towards comprehensive legislation on data protection in the digital age. The GDPR sets forth new remedies for individuals, and a set of imposed obligations and potential penalties (up to €20 million or 4% of annual revenue – depending on which sum is higher) for organizations which violate the GDPR’s standards for collecting and processing personal data.
As a private, California-based public benefit corporation, ICANN performs a set of technical and administrative functions to coordinate the Internet’s system of unique identifiers and to ensure the security, stability, and resiliency of the system at the overall level. The Domain Name System (DNS) is the logical architecture of the backbone of the Internet – the method by which Internet names and numbers are assigned and routed so computers are aware of each other’s location on the network – thereby enabling Internet users to connect online and conduct commerce and communication.
ICANN has centralized authority over generic top-level Internet domains, such as .COM, .ORG, and .NET, and the organization performs its operational and oversight functions through a series of contracts with Registries, Registrars, and related service providers. When an individual or company registers a domain name, they are required to provide accurate and up-to-date contact information such as name, postal address, email address, and telephone number. This data is subsequently published through the Look Up System, along with supplemental information associated with the domain name – such as the creation date, expiration date, and the name of the registrar that sponsors the domain’s registration.
The Look Up System
This set of registration data for the domain name is maintained and published in real-time through an ICANN-managed Look Up System (previously called the “WHOIS” system). Since the commercialization of the Internet, access to domain registration data has served as a unique and valuable public resource by providing transparency and accountability for the true owner of a domain name, encompassing the websites that are hosted or the emails that emanate from the domain name. A range of third parties, including security researchers, consumers, intellectual property owners and governments, rely upon the Look Up system for a variety of legitimate purposes, including supporting business transactions, intellectual property investigations, and civil or criminal law enforcement actions.
As a result of the implementation of the Temp Spec, third parties, such as IP owners who use the system for a variety of legitimate purposes including to identify infringers, have suffered a visible and harmful fragmentation of data access across the Internet. As highlighted by a report by the International Trademark Association (INTA), and a series of studies by cybersecurity experts, the fragmentation of data access has created a series of deleterious effects on consumer trust and safety, for example by hampering intellectual property investigations, undermining security countermeasures, and creating difficulties in litigation management and conflict resolution. In an effort to mitigate these harms, and to help shed light on navigating under the “darkness” of the new online terrain created by the Temp Spec, INTA published A Toolkit for Intellectual Property Professionals. Meanwhile, ICANN’s Intellectual Property Constituency and other Internet community groups continue to advocate for a permanent replacement policy that will provide meaningful access to nonpublic domain registration data.
A Permanent Solution?
Currently, an effort to replace the Temp Spec with a permanent policy is underway through an expedited ICANN Policy Development Process. At the conclusion of Phase One of the process, the ICANN Board adopted policy recommendations which defined specific purposes and legal bases for the processing of registration data, including data collection, retention, escrow, and transfer of data, while essentially enshrining as policy the rules produced under the Temp Spec.
Currently, the policy committee is deep into Phase Two of the process, which includes an examination of the various costs and benefits of designing a new Look Up system that will provide standardized access to nonpublic registration data, while taking into consideration issues such as which parties may be granted access to particular registration data under certain circumstances.
The policy work is proceeding based on the methodology of creating “Building Blocks” (in effect, placeholders that will form the basis of the committee’s formal policy recommendations) to establish baseline definitions and the necessary elements of a standardized system for access to data. For example, these concepts include developing “Accreditation Authorities” to “accredit” users of the system, and “Authorization Providers” to make final determinations on the appropriate lawful basis for providing access to the nonpublic data.
In the absence of specific recommendations from the European Data Protection Board (EDPB) on the appropriate contours of the system, the policy committee is proposing three varying models for the standardized system of access, including:
- a Centralized Model, where the decision on whether to disclose data would be made by the entity responsible for managing a centralized “gateway”;
- a Decentralized Model, where each contracted party will continue to be responsible for receiving and responding to requests for disclosure, but through a new standardized set of procedures for data requests and responses; and
- a Hybrid Model, where requests for data access are received through a central gateway, but where the decision on whether to disclose data would remain with the relevant contracted party.
The Lingering Issue of Liability
To inform their decision-making process, the policy committee has issued questions to the ICANN Board of Directors to help ascertain the level of responsibility that the ICANN organization is willing to assume in terms of accepting legal liability for data disclosures under the system in light of the GDPR. The Board responded to the policy committee by indicating that if a policy recommendation emerged from the process that placed the responsibility on ICANN for one or more operational functions within the standardized access system, the Board would likely adopt such a recommendation.
Meanwhile, the ICANN organization has taken an independent line of communication with the EDPB in the hopes of receiving clear advice on developing the contours of the new system that would comply with the legal requirements set forth under the GDPR. ICANN has published a paper with the questions that it raised on developing a Look Up system that centralizes responsibility for disclosure of nonpublic registration data under a structure where ICANN operates as a central gateway for authorized data to pass through to third party requesters. Under this ICANN-proposed approach, the gateway operator would not make the decision to authorize disclosure of nonpublic data, and that responsibility would fall to an “Authorization Provider” to determine whether or not the criteria for disclosure have been met under applicable law. If a disclosure request is authorized and authenticated under this approach, then the gateway operator would request the data from the contracted party and then disclose the relevant data set to the requester (such as an IP owner).
The Belgian Data Protection Authority has responded to ICANN’s letter, encouraging ICANN to continue ongoing efforts to design a comprehensive system for standardized access. However, the Belgian DPA did not provide stated answers to the questions raised by ICANN, but rather expressed in clear terms that “it is not the role of a supervisory authority to validate or approve the suitability of organizational or technical measures” under consideration by a controller as part of its compliance obligations.
While some incremental progress has been achieved by the policy committee, a number of gating issues remain open for resolution, such as the overall structure or model of the new system. In 2020, the first major milestone for the policy committee includes the publication of its Initial Report for public comment. The IP community is strongly encouraged to review and provide comments on the Initial Report, which is expected to be published in the first quarter of the year on the ICANN website. The policy committee will examine the feedback it receives from the public and take relevant ideas into consideration as it fashions the completion of its Final Report. In the interim period, IP professionals may apply to join the Intellectual Property Constituency of ICANN, which has several representatives serving on the policy committee.