ICANN Resolutions » Consideration of the Temporary Specification for gTLD Registration Data (Implementation of GDPR Interim Compliance Model)
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor does any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
Whereas, the European Union's General Data Protection Regulation (GDPR) is a set of rules adopted by the European Parliament, the European Council and the European Commission that imposes new obligations on all companies and organizations that collect and maintain any "personal data" of residents of the European Union, as defined under EU data protection law. The GDPR will take full effect on 25 May 2018.
Whereas, the GDPR has given new prominence and urgency to the long-standing debate about WHOIS and data protection and privacy.
Whereas, over the past several months ICANN org has consulted with community stakeholders, contracted parties, European data protection authorities, legal experts, and interested governments to understand the potential impact of the GDPR to personal data that participants in the gTLD domain name ecosystem collect, display and process (including registries and registrars) pursuant to ICANN contracts and policies. ICANN's policies are set by the ICANN community.
Whereas, through an iterative process and with feedback from the community, ICANN org developed a proposed interim model for how ICANN and gTLD registries and registrars could continue to comply with ICANN contractual requirements and community-developed policies in relation to the GDPR (the "Proposed Interim Compliance Model").
Whereas, ICANN org requested and has received guidance from the Article 29 Working Party concerning the Proposed Interim Compliance Model, including areas where ICANN has received governmental advice and input reflecting differing views.
Whereas, the GAC provided advice to the Board in its San Juan Communiqué (15 March 2018) concerning the Proposed Interim Compliance Model. The advice was the subject of an exchange between the Board and the GAC to clarify the Board's understanding of the advice.
Whereas, ICANN org communicated with European data protection authorities and requested adequate time for gTLD registries and registrars to implement the Proposed Interim Compliance Model once additional clarification from the data protection authorities was incorporated into the Proposed Interim Compliance Model.
Whereas, ICANN is continuing to discuss with the ICANN community proposed accreditation models.
Whereas, to cause compliance with the Proposed Interim Compliance Model, ICANN org drafted a temporary specification utilizing the procedure for Temporary Policies established in the Registry Agreement and the Registrar Accreditation Agreement (the "Temporary Specification for gTLD Registration Data" or "Temporary Specification"). A proposed Temporary Specification was shared with the Board and community on 11 May 2018.
Whereas, adopting a Temporary Specification can contribute to the Board's upholding the global public interest. Without a unified policy solution in place at the time that the GDPR goes into full effect, there is a real risk of fragmentation in the collection, processing, and availability of gTLD Registration Data as Registry Operators and Registrars take different paths to bring themselves into compliance with the law. A Temporary Specification instead sets out the unified manner through which Registry Operators and Registrars are expected to collect, process, display and provide access to this data. ICANN org can then enforce compliance against its contracts in case these requirements were not met. A fragmented system would be counter to current WHOIS practice and may cause harm.
Whereas, the Board, at its Vancouver workshop, has engaged in a substantial and robust review over two days regarding a proposed Temporary Specification, including identification of questions and potential improvements, and wants to share with the community the updates to a proposed Temporary Specification generated as a result of the Board's review to date.
Whereas, during May 2018, the Board has received multiple letters from parts of the ICANN community regarding the contents of a draft Temporary Specification.
Whereas, the Board has communicated to the GAC that the Board made a preliminary determination that its approach in a proposed Temporary Specification is inconsistent or could be viewed as inconsistent with certain items of GAC advice in the San Juan Communiqué. The Board provided a scorecard to reflect items of the GAC's advice that the Board may reject because of this.
Whereas, ICANN org continues to engage with the Article 29 Working Party to seek clarity on guidance provided by the Article 29 Working Party about the Proposed Interim Compliance Model.
Resolved (2018.05.13.11), the Board intends to move to a decision on the adoption of a proposed Temporary Specification on gTLD Registration Data (pursuant to the procedures in the Registry Agreement and Registrar Accreditation Agreement concerning the establishment of temporary policies) on or about 17 May 2018. The Board intends to use this additional time to confirm that appropriate modifications are incorporated into a proposed Temporary Specification prior to considering adoption. Upon adoption, a proposed Temporary Specification would be effective for a 90-day period beginning 25 May 2018, and the Board would reaffirm its temporary adoption every 90 calendar days for a total period not to exceed one year.
Resolved (2018.05.13.12), the Board's initial considerations of a proposed Temporary Specification are focused on the following elements:
Whether the modifications in a proposed Temporary Specification to existing requirements concerning the processing of personal data in registration data are justified and an immediate establishment of a proposed Temporary Specification is necessary to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet.
Whether a proposed Temporary Specification is as narrowly tailored as feasible to achieve the objective to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet.
Resolved (2018.05.13.13), the global public interest is served by the implementation of a unified policy governing aspects of the gTLD Registration Data when the GDPR goes into full effect.
Resolved (2018.05.13.14) the Board directs the ICANN President and CEO, or his designee(s), to continue to support the Board in discussion across the ICANN community regarding the refinements made prior to the Board's consideration of a proposed Temporary Specification for adoption. The ICANN President and CEO, or his designee(s), are directed to share with the ICANN community the updates to a proposed Temporary Specification generated as a result of the Board's review to date.
The European Union's General Data Protection Regulation (GDPR) will go into effect on 25 May 2018. The GDPR is a set of rules adopted by the European Parliament, the European Council and the European Commission that will impose new obligations on all companies and organizations that collect and maintain any "personal data" of residents of the European Union, as defined under EU data protection law. The GDPR impacts how personal data is collected, displayed and processed among participants in the gTLD domain name ecosystem (including registries and registrars) pursuant to ICANN contracts and policies. Modifications need to be made prior to 25 May to allow ICANN and gTLD registries and registrars could continue to comply with ICANN contractual requirements and community-developed policies in relation to the GDPR. Though there has been significant work across the ICANN community to reach a compliance model, ICANN-adopted policies need to be updated to allow compliance with the GDPR. A full community-developed consensus policy is not yet available. Without a unified applicable policy in place, there will be fragmentation in how ICANN's contracted parties implement their own compliance programs in relation to gTLD Registration Data. As such, a unified applicable policy is needed in place prior to 25 May 2018, and doing so is in the public interest. The public interest is not served if the ICANN Board fails to take action on this critical issue.
ICANN org's agreements with registries and registrars require compliance with Board-adopted temporary policies or specifications. To develop a temporary policy or specification, at least two-thirds of the Board must vote to approve the temporary specification, and the changes in the specification must be justified and "necessary to maintain the stability or security of Registrar Services, Registry Services or the DNS or the Internet." The temporary policy or specification must be as narrowly tailored as feasible to achieve those objectives.
ICANN org, in consultation with the Board, has been exploring the possibility of a temporary policy or specification as a mechanism to implement the Interim GDPR Compliance Model. A draft of a proposed Temporary Specification for gTLD Registration Data ("Temporary Specification") was released to the Board and the community on 11 May 2018. That proposed Temporary Specification is drafted to establish temporary requirements for how ICANN and gTLD registries and registrars will continue to comply with existing ICANN contractual requirements and community-developed policies in relation to the GDPR.
The Board has been in workshop since 11 May 2018, and has used the time since the publication of a proposed Temporary Specification to engage in substantial discussion with ICANN organization, which has resulted in additional proposed changes. Also since the 11 May 2018 publication, the ICANN Board has received letters from multiple parts of the ICANN community, regarding the contents of the draft Temporary Specification.
The Board has identified that because of the significance of the Board approving a Temporary Specification, it is appropriate for the Board to take additional time prior to adoption, both for the Board's review and to have opportunities to discuss with the ICANN community on the contents of a proposed Temporary Specification. The Board has also identified that taking action on a Temporary Specification is within the public interest, because of the need for a uniformly applicable policy drafted to achieve compliance with the GDPR. It is important that a Temporary Specification be adopted so that it can be in force on 25 May 2018.
The work towards development of a Temporary Specification is consistent with ICANN's mission "[…] to ensure the stable and secure operation of the Internet's unique identifier systems […]". As one of ICANN's primary roles is to be responsible for the administration of the topmost levels of the Internet's identifiers, facilitating the ability to identify the holders of those identifiers is a core function of ICANN.
ICANN's mission to ensure the security and stability of the operation of the Internet's system of unique identifiers has led to the obligations associated with providing WHOIS that are in ICANN consensus policies and contracts that ICANN has with registries and registrars. These policies and contractual obligations govern the collection, retention, escrow, transfer, and display of WHOIS registration data, which includes contact information of natural and legal persons as well as technical information associated with a domain name. Through these policies and contracts, ICANN sets the minimum requirements for WHOIS, ensuring the availability of WHOIS information to mitigate attacks that threaten the stable and secure operation of the Internet and to serve the public service uses above.
WHOIS is not a single, centrally managed database. Rather, registration data is held in disparate locations and administered by multiple registries and registrars. They each set their own conventions for the WHOIS service, consistent with the minimum requirements established in their contracts with ICANN.
Many gTLD registries and registrars are concerned about whether ICANN policies and contracts requiring them to collect, create, retain, escrow, and publish a variety of data elements related to registry/registrar operations, domain name registrations, and registrants are in conflict with the GDPR.
To ensure continued availability of WHOIS to the greatest extent possible and other processing of gTLD registration data while complying with the GDPR and avoid fragmentation of the WHOIS, a proposed Temporary Specification will provide a single, uniform interim model to ensure a common framework for registration data directory services. To continue this public service and maintain the security and stability of the Internet, a proposed Temporary Specification will allow for continued provision of WHOIS services via ICANN's contracts with domain name registries and accredited registrars.
As required when a temporary policy or specification is adopted, upon adoption, the Board will also take action to implement the consensus policy development process. The Board will consult with the GNSO Council on potential paths forward (e.g. Expedited Policy Development Process) for considering a proposed Temporary Specification in a consensus policy development process which must be concluded in a one year time period.
The Board is aware that some parts of the ICANN community has begun work to define an Accreditation Model for access to personal data in Registration Data. The Board encourages the community to continue this work, taking into account any advice and guidance that Article 29 Working Party or European Data Protection Board might provide on the topic.
The Board is also taking action today to confirm that Board will continue to move forward with the Bylaws Consultation meeting between the GAC and the Board to address elements of a proposed Temporary Specification that are inconsistent or could be viewed as inconsistent with items of the GAC advice in the San Juan Communiqué. Article 12, Section 12.2(a)(ix) of the ICANN Bylaws permits the GAC to "put issues to the Board directly, either by way of comment or prior advice, or by way of specifically recommending action or new policy development or revision to existing policies." The Bylaws require the Board to take into account the GAC's advice on public policy matters in the formulation and adoption of the polices. If the Board decides to take an action that is not consistent with the GAC advice, it must inform the GAC and state the reasons why it decided not to follow the advice. Any GAC advice approved by a full consensus of the GAC (as defined in the Bylaws) may only be rejected by a vote of no less than 60% of the Board, and the GAC and the Board will then try, in good faith and in a timely and efficient manner, to find a mutually acceptable solution. Taking steps to move forward with the Board-GAC Bylaws Consultation process will have a positive impact on the community because it will assist with resolving the advice from the GAC concerning ICANN's approach for enforcing compliance with agreements with registries and registrars in relation to the GDPR.
The Board's action today is intended to support the continued security, stability or resiliency of the DNS, as it provides some certainty to the ICANN community that a Temporary Specification will be in place prior to 25 May 2018. Upon adoption, a proposed Temporary Specification will assist in maintaining WHOIS to the greatest extent possible while the community works to develop a consensus policy. While not initiated by today's decision, the expected initiation of focused consensus policy development work to consider a proposed Temporary Specification is anticipated to have an impact on financial resources as the research and work progresses. If the resource needs are greater than the amounts currently budgeted to perform work on WHOIS- and GDPR-related issues, the President and CEO will bring any additional resource needs to the Board Finance Committee for consideration, in line with existing fund request practices.
This is an Organizational Administrative Function of the Board for which public comment is not required, however the proposed Interim Compliance Model proposed to be implemented through a proposed Temporary Specification has been the subject of comments from the community over the past several months (https://www.icann.org/resources/pages/gdpr-legal-analysis-2017-11-17-en). The Board actions approved today help serve the public interest and further the requirement in ICANN's Bylaws to "assess the effectiveness of the then current gTLD registry directory service and whether its implementation meets the legitimate needs of law enforcement, promoting consumer trust and safeguarding registrant data." [Bylaws Sec. 4.6(e)(ii)]