ICANN 62 was held last month in Panama City. Within the ICANN meeting cycle, this was a ‘Policy Meeting’ intended as a smaller event focusing on DNS policy discussions. The dominant topics were whois and data privacy, and in particular, the European General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.
What is the GDPR?
The GDPR is a fairly standard set of privacy regulations covering the use of personal data on European citizens. It has just a few notable features: first, as an EU regulation, it must be implemented by all EU countries; second, it provides for very large penalties for those who violate it, possibly up to 4% of a company’s global turnover; and third, it is intended to apply to every company in the world, and to every European citizen regardless of residency.
The apparent targets of the GDPR are multinational organizations whose main business is in data collection, such as social network operators. The effect is that for those who operate in Europe, through local companies or offices, compliance is essential. For others who have no legal presence in Europe, the regulation will be difficult or impossible to enforce; however, this has not stopped an almost global response to the GDPR.
Who is affected?
In the case of APNIC, our data collection practices already comply with modern privacy requirements, including those of Australia and the GDPR. In any case, APNIC registration services relate to very few Members or customers in Europe, and even fewer of those affected are individual European citizens.
In the case of companies that do operate services in Europe, a great deal of work has been done to ensure GDPR compliance. Among these companies are ICANN and many ICANN-contracted parties, such as DNS registries and registrars, since the majority of these operate services for a global audience.
It’s not surprising then that recent ICANN meetings, including ICANN 62, have been dominated by whois and data privacy discussions. The scope of the GDPR, its global scale, and the size of its penalties have effectively consumed the attention of almost the entire ICANN community.
The impact on whois
The impact of the GDPR is not limited to those companies operating services, or to their customers. Also affected are online data services that have global importance to the Internet, including whois, the registry service that records the authorized holders of individual domain names and IP address blocks. Whois is a public service, and one that is used not so much by those who are listed as resource holders (that is, the ‘subjects’ of whois data), but potentially by any Internet user who needs to identify those resource holders.
For example: when an Internet user experiences a problem with a given domain name or IP address block and needs to find the person responsible for those resources, whois can provide that information. That person (the resource holder) may be a deliberate offender who is launching an attack or sending unsolicited communications, or they could be the victim of malware or a simple technical mistake. Regardless of the cause, the problem they have caused can represent a minor inconvenience or a major crisis — for an individual, an entire network, or a critical service such as the DNS itself. And whatever the impact, the problem could be hard or impossible to solve without the information that whois provides.
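As an added illustration of the lookup described above (example code, not APNIC's), here is a minimal RFC 3912 whois client together with a parser that pulls the contact fields out of a reply and reports which of them have been withheld. The reply below is constructed for this example; the redaction marker strings, the list of contact field names, and the server and port arguments are assumptions, not an official or exhaustive set.

```python
"""Finding a responsible contact in a whois reply, and noticing when it has been redacted.

Added example, not APNIC's code. The sample reply is constructed; the redaction
markers and contact key names are assumptions chosen for illustration.
"""
import socket
from dataclasses import dataclass, field

# Strings commonly used to mark withheld personal data in whois output.
# Assumption for this example; real registries and registrars vary.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED", "Please query the RDDS service")

# Fields that identify the resource holder or let you reach someone responsible.
# Key names differ between registries; these are normalised to lower case.
CONTACT_KEYS = ("registrant name", "registrant organization", "registrant email",
                "admin email", "tech email", "abuse-mailbox", "registrar abuse contact email")


def whois_query(query: str, server: str, port: int = 43, timeout: float = 10.0) -> str:
    """Send one RFC 3912 query (text followed by CRLF) over TCP and return the raw reply.
    Only used for live lookups; the rest of the example runs offline on SAMPLE_REPLY."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # the server closes the connection when the reply is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Return {key: [values]} for 'key: value' lines, skipping comments and blanks.
    Keys are lower-cased; a key that repeats keeps every value in order."""
    fields = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


@dataclass
class ContactSummary:
    available: dict = field(default_factory=dict)  # key -> first usable value
    redacted: list = field(default_factory=list)   # keys present but withheld


def is_redacted(value: str) -> bool:
    """True for an empty value or one carrying a known redaction marker."""
    v = value.upper()
    return not v or any(marker.upper() in v for marker in REDACTION_MARKERS)


def summarise_contacts(fields: dict) -> ContactSummary:
    """Separate usable contact fields from redacted ones so a responder can see
    at a glance what whois still offers (typically the abuse contact)."""
    summary = ContactSummary()
    for key in CONTACT_KEYS:
        for value in fields.get(key, []):
            if is_redacted(value):
                if key not in summary.redacted:
                    summary.redacted.append(key)
            else:
                summary.available.setdefault(key, value)
    return summary


# Constructed reply for this example; not real registry data.
SAMPLE_REPLY = """\
% Constructed whois reply for this example; not real registry data.
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
>>> Last update of WHOIS database: 2018-06-01T00:00:00Z <<<
"""

if __name__ == "__main__":
    summary = summarise_contacts(parse_whois(SAMPLE_REPLY))
    print("redacted fields:", summary.redacted)
    print("still usable:", summary.available)
```

Run against the constructed reply, every registrant, admin and tech field comes back as redacted and the only usable contact left is the registrar's abuse mailbox, which is the situation a responder has to plan for when whois data is withheld. For a live lookup, `whois_query("example.test", "whois.example")` would fetch the text that `parse_whois` consumes.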
Since the GDPR became effective, many Internet organizations have expressed concerns about its impact. These include the global Forum of Incident Response and Security Teams (FIRST), numerous CERTs, and ICANN itself, responding on behalf of Internet engineers, law enforcers and cybersecurity specialists. The broader point is that security incidents affect all Internet users, and anything that hampers response to those incidents should be a concern to us all.
What about the ICANN Policy Development Process (PDP)?
An ICANN meeting, normally, is a great example of Internet governance in action, through open policy development processes that welcome all stakeholders to participate. It is this multistakeholder approach that has allowed the Internet to keep growing and evolving as a uniform global service, without becoming fragmented or misdirected. And this same multistakeholder approach exists in many forms outside of ICANN — for example, the RIRs, the IETF, and also the Internet Governance Forum (IGF), which take a similar approach to their deliberations.
In the case of the GDPR, the ICANN community has found its own PDP challenged by a regulation that demands mandatory compliance by affected parties. There is an irony here because Europe has been a strong supporter of the multistakeholder model. Had the basic elements of the GDPR been highlighted early as policy issues in the ICANN PDP, the EU legislators would certainly have heard very strong and convincing concerns about their possible impact on the Internet. However, the public obligations associated with the whois databases apparently did not attract the attention of European legislators when they drafted the GDPR; and the GDPR discussions did not attract serious attention from the Internet community until quite late.
The Internet’s multistakeholder model works best when participants from all interested groups work together in an open, collaborative way to deliver policy outcomes that achieve broad consensus across the community. And the consensus so far is that personal privacy should not remove a person’s obligation to be identifiable and contactable via whois, as a holder of public Internet resources. For the time being however, the GDPR is now in force and being implemented widely, and we have to hope that its adverse impacts on public whois services will be contained.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.