ICANN, data protection and the GDPR

22 Mar 2018 16:30h - 18:15h

Event report

[Read more session reports from the WSIS Forum 2018]

The moderator, Mr Tarek Kamel, senior adviser to the President and CEO for government engagement at ICANN, started by explaining that the aim of the session was to present and discuss the interim model for compliance with the GDPR that has been developed by the ICANN community.

Ms Theresa Swinehart, senior adviser to the President and CEO of ICANN on global strategy, set the scene by clarifying that compliance with the GDPR brought challenges to the company, especially concerning the WHOIS service, a decentralised mechanism that is publicly available and provides personal data on domain name registrants. Swinehart added that law-enforcement officials, trademark owners, and cybersecurity researchers might also have legitimate interests in accessing the data. She said the community had come up with an interim model for tiered access that should be further developed, and that ICANN was also in touch with governments and data protection authorities looking for a solution that could be operational by the deadline, May 25.

Mr William J. Drake, international fellow and lecturer at the Department of Communication and Media Research at the University of Zurich, reminded the audience that the first function of the WHOIS service was a narrow technical one, namely, to identify the parties to be reached out to in order to ensure stability of the infrastructure and continuity of the operation. He said that other uses were not part of the discussion in the original bottom-up definition process. He added that current uses of the service cannot be confused with its purpose, mainly now that human rights are in ICANN’s bylaws. He called for more involvement from privacy and data protection stakeholders, so that ICANN does not end up running a repository to be used by third parties, out of its scope and mandate.

Mr Paul Mitchell, senior director of technology policy at Microsoft, said that the GDPR is more closely attached to the European authorities and people, but it impacts all over the world. He highlighted that Microsoft does not see a contradiction between full compliance with the GDPR and legitimate access to WHOIS, which is an important tool to make sure the system is safe. Mitchell concluded by saying that the development of the tiered access model was highly unlikely to be an operational solution with the involvement of stakeholders such as the Governmental Advisory Committee (GAC), Article19 working party, and data protection authorities, however critical and complex that model might be on the way to a permanent solution.

Dr Chérif Diallo, Senegal Ministry of ICT and ICANN GAC deputy chair, said there are many cases in which African registrants must be compliant with the GDPR, and that authorities in Africa were already working with European authorities. He mentioned that a lot of discussion is still necessary for the interim model to achieve its balance of providing privacy in general and only revealing information in legitimate cases. Diallo recommended the development of national digital strategies, new legal frameworks that take the GDPR in consideration while promoting digital services in Africa, and capacity building to protect citizens and especially kids, women, and vulnerable groups.

Mr Bakarr Tarawally, Sierra Leone Ministry of ICT and GAC member, highlighted that the last data protection legislation in his country dated back to the 1950s, in the colonial period. He said the situation had improved, with governments consulting with European specialists and drafting new legislation. He said that the Economic Community of West Africa States (ECOWAS) recently came up with legislation signed by heads of state and that Africa has to look into cybersecurity and data protection. Tarawally said that his role in the Ministry of ICTs is to make sure that government initiatives in this direction are integrated and address data protection issues.

Mr Peter Micek, general counsel at Access Now, mentioned a helpline the organisation offers for media defenders and activists who have recently been attacked online and offline. Micek stressed that the attacks stem from the exercise of freedom of expression, but are often perpetrated through privacy invasion, including obtaining information of registrants through the WHOIS service. For him, confidence, and the ability of users to trust in the legitimacy of institutions are at stake in this attempt to reconcile data protection and privacy rights with the WHOIS service, and that it is in interest of ICANN to identify which data is essential to collect so that it can carry out its operation.


By Clement Perarnaud