Europe fires back at ICANN's delusional plan to overhaul Whois for GDPR by next, er, year
How do we say this nicely? You need help
Special report On March 26 – two months before new privacy protections come into effect in Europe – Goran Marby, CEO of DNS overlord ICANN, sent a letter [PDF] to each of Europe's 28 data protection authorities (DPAs) asking them to hold off punishing it over Whois.
Whois is a set of databases of domain-name owners, overseen by ICANN, and it contains people's personal information such as their names and contact addresses. As it stands, it is not compatible with Europe's General Data Protection Regulation (GDPR), which kicks in on May 25. Flouting the rules may result in fines. Something therefore has to be done. ICANN isn't quite sure what to do yet, hence its request for a stay of enforcement.
Then the request for a moratorium was inserted into a letter to Europe's Article 29 Working Party – a group comprising all the DPAs – on April 12. "We must again stress the need for a moratorium on enforcement in order for us to act to protect Internet users globally," Marby wrote [PDF] to the group's chairwoman Andrea Jelinek.
The same day, ICANN published a blog post built around the proposed moratorium, warning that without it "the Whois system will become fragmented." And again the next day, in another update, Marby spoke of "the need for additional time… including a moratorium on enforcement."
In the meantime, the organization started figuring out the fastest way it could come up with a solution to become compliant with the incoming privacy safeguards, and reached the conclusion that by using a special process, it could do the work within a year.
Ready to go
And so that open-ended moratorium became fixed: a one-year extension for ICANN to introduce its new system. ICANN then solicited input from other groups – including the US government – to back up its idea and took a series of letters along with a proposed timeline showing a one-year moratorium to a meeting of the Article 29 Working Party (WP29) in Brussels.
The letters repeatedly reference that suspension, sometimes using different language. For example, the Intellectual Property Constituency describes [PDF] it as a "forbearance on penalties." As does the International Trademark Association, which – even though it is not a constituency within ICANN – complains [PDF] that the WP29 has yet to get back to ICANN confirming the forbearance. The US government mentioned [PDF] the moratorium no less than four times in its letter.
There was, however, a big problem with this whole effort: there can be no such thing as a moratorium on regulations that are already in place.
In a new statement, provided by the Article 29 Working Party to The Register on Thursday following its meeting with ICANN earlier this week, the group is clearly baffled by ICANN's repeated requests for something that doesn't exist.
"The GDPR does not allow national supervisory authorities nor the European Data Protection Board to create an 'enforcement moratorium' for individual data controllers," the statement notes. "Data protection is a fundamental right of individuals, who may submit complaints to their national data protection authority whenever they consider that their rights under the GDPR have been violated."
ICANN had made the concept of a moratorium the central pillar of its effort to become compliant with the law. But its entire strategy was built on a fantasy. So where did this concept come from? Who was advising the organization that this was even a viable approach, let alone the best one to adopt?
Despite the GDPR legislation being finalized in May 2016, it wasn't until September 2017 that ICANN finally started taking it seriously when it hired a European law firm, Hamilton Advokatbyrå, to look into the issue.
The next month, the organization started panicking when Hamilton told ICANN that it and all its contracted parties were going to be breaking Euro law come May 2018 and could be fined millions of dollars over its Whois service.
Whois publishes the details of who owns every domain, including their name, home and email address, and phone number. That approach is fundamentally inconsistent with GDPR because it doesn't give anyone the right to say what is done with their personal data. In other words, Whois will be illegal in under 30 days from now.
So was it European law experts Hamilton that wrongly advised ICANN that it could request a "moratorium" over the new law until it came up with a new solution?
It seems unlikely given their expertise and the fact it was them that first warned ICANN that it had wrongly persuaded itself that it was not affected by the new law.
What seems more probable is that ICANN's staff and management board simply persuaded themselves that they could stall for time for no reason other than the fact that it would be convenient for them.
At ICANN's recent meeting in Puerto Rico around March 10, the organization attempted to gain approval of its "interim model" that it had put forward less than two weeks earlier.
That plan failed miserably, and the transcripts of sessions at that meeting revealed when the idea of a moratorium appeared. One of the most critical sessions at the meeting [transcript] was between ICANN's board and its Governmental Advisory Committee (GAC) on the afternoon of Tuesday, March 13.
In its interim model, ICANN had asked the GAC to be responsible for coming up with its most critical component – an "accreditation program" that would decide who could legally gain access to the Whois information. The GAC rejected that responsibility largely because within ICANN every major decision is supposed to be decided by all the different groups (of which there are, roughly, five).
But during the lengthy meeting, much of it focused on GDPR, there was no mention of a moratorium, nor of asking the European authorities to give ICANN a special extension.
The first mention of any kind of delay came in a comment by an ICANN board member two days later at a public forum [transcript] – by which point it had become clear that ICANN's proposed interim model was not going to be approved in time.
American lawyer and ICANN board member Becky Burr took many of the questions relating to GDPR and told attendees on Thursday, March 15 that the organization was "in discussions with the Data Protection Authorities in Brussels" and expected to have "further discussions the last week of May."
She then raised the prospect of a moratorium when she noted "there is some hope that the DPAs would be able to communicate effectively with respect to their appetite for any kind of delay in the process and that we will all know much more after those discussions."
Which strongly suggests that when ICANN's staff and board realized it was going to be impossible to hit the May 25 deadline, it decided – by itself – that the best solution was simply to ask the DPAs for a delay.