EU Data Chair Weighs In Against ICANN
- by Ray Schultz , July 6, 2018
The head of the European Data Protection Board (EDPB) has come out against ICANN’s attempt to force a domain registrar to submit personal data on admin and technical personnel, saying that it conflicts with the GDPR.
In a letter dated Thursday, EDPB chair Andrea Jelinek writes that registrants should not be “required to provide personal data on individual employees (or third parties).”
The Regional Court of Bonn, Germany had rejected a motion by ICANN demanding that the registrar EPAG collect the name, mail address, email address, voice telephone number and other data on domain name registrants.
ICANN, a nonprofit facilitator of domain name operations, filed an appeal, but “that appeal now looks dead in the water,” the UK’s Register writes.
The personal data is needed for “the legitimate purposes” of consumer protection and investigation of cybercrime, ICANN had argued.
Observers are watching the case closely because of the potential impact on WHOIS, the database of all registered domains.
The defeat contributes to “a series of embarrassing failures on ICANN's part to regain control of its authority over the WHOIS service,” the Register adds.
In its “guidance” the DEP objects to ICANN’s retention of data.
“So far ICANN is yet to demonstrate why each of the personal data elements processed in the context of WHOIS must in fact be retained for a period of 2 years beyond the life of the domain name registration,” Jelinek writes.
In addition, Jelinek reiterates that ICANN should take care not to conflate its own purposes” with those of third parties.
ICANN had asked for an advisory on several issues. Jelinek concluded by saying, the EDPB is confident that “the guidance contained in this letter…will enable ICANN to develop a GDPR-compliant model for access to personal data accessed in the context of WHOIS.”
For my part, I think the position of ICANN and the EU is not being accurately reported.
The EU chappie has possibly got no clue what happens when you allow people to stay invisible but control Web domains, and use them for public and commercial activities
The same chappie would not begin to suggest that car owners should not be registered, nor hoteliers, publicans, or restaurant owners.
There is a significant difference between the requirement of registration and the requirement of publication.
Perhaps, if no data harvesting and no advertising is going to be conducted on the domain, the privacy of the owner should be respected.
But on the other hand, if any commerce is to be conducted, or public service (a published website), then registration does seem to be reasonable for the purposes of protecting the public and governing.
For my part, I think the position of ICANN and the EU is not being accurately reported.
The EU chappie has possibly got no clue what happens when you allow people to stay invisible but control Web domains, and use them for public and commercial activities
The same chappie would not begin to suggest that car owners should not be registered, nor hoteliers, publicans, or restaurant owners.
There is a significant difference between the requirement of registration and the requirement of publication.
Perhaps, if no data harvesting and no advertising is going to be conducted on the domain, the privacy of the owner should be respected.
But on the other hand, if any commerce is to be conducted, or public service (a published website), then registration does seem to be reasonable for the purposes of protecting the public and governing.