March 20, 2017 | Article

ICANN’S WHOIS Database, The Next Frontier: EU Data Protection

by: Abigail Slater, Internet Association General Counsel

IA attended ICANN58 in Copenhagen last week and was grateful to the ICANN board and staff to be included in a panel discussion with EU data protection commissioners and the Council of Europe.  The purpose of the panel was to discuss EU data protection principles and their application to the WHOIS database in particular.

For those who work in the domain name system (DNS) space, the publicly available WHOIS database is the glue that holds the internet together.  It is probably the most centralized function in an otherwise decentralized network, and it needs to be.  Imagine a world in which we had no way of pinning down who owns a website: is it the company that has poured billions of dollars (or any other currency) into building the business, or is it a Russian cyber hacker?  Thanks to WHOIS, we can sort the good guys from the bad.  WHOIS also plays a critical role in defending the network from attack, including denial of service attacks.  And we know that when the DNS is under attack, many of the internet applications we have come to rely on to get through the day can be badly impacted, sometimes even on a global scale.  

image

Because the WHOIS database is so critical to the DNS, it was even included in the 2009 Affirmation of Commitments between the U.S. government and ICANN, which have since become part of ICANN’s bylaws.  The Affirmation of Commitments laid the foundation for last year’s successful transition of ICANN’s IANA function from U.S. government control to the multistakeholder ICANN community, an important goal supported by the Internet Association and its members.  

WHOIS serves an important – even critical – role in holding the internet together, but it’s not perfect. Among the loudest critics of WHOIS are EU privacy enforcers who are concerned that a publicly available database containing personally identifiable information (“PII” in privacy-speak) is a red flag under EU data protection law.  This concern came to the fore at ICANN this week when several EU data protection commissioners and the Council of Europe came to ICANN for the first time.  On the panel, the EU privacy advocates explained at a high level the data protection principles they apply in their roles.  They also explained that these principles are soon to be backed up by massive fining powers (up to 4 percent of global revenues) when a new EU data protection law kicks in next year, making it time for the ICANN community to sit up and listen to them.  Unfortunately, however, the data protection officials did not apply those principles to ICANN in general or WHOIS specifically.  

Also on the panel, Internet Association argued that in order to join issue with the ICANN community on WHOIS and to provide legal certainty to businesses, guidance from the data protection commissioners beyond talking about general principles should be provided soon (and preferably before massive fines are levied).  We also argued that we live in a world of competing equities, and while data protection is an important equity, so is the stability and security of the DNS from a DoS attack – something that has equally negative consequences for consumer privacy.  Similarly, there are important equities at stake in WHOIS beyond data protection, since it is a key tool used to combat fraud and trademark infringement.  Ultimately, however, the number one equity at ICANN – ICANN’s core mission – is protecting and preserving a stable and resilient DNS.  At the end of the day, this is the equity that comes before all others and WHOIS is the glue that binds the DNS together.  

The EU data protection enforcers’ position raises several questions for the ICANN community: how will their law apply to WHOIS?  What is its reach?  What data is implicated when much of WHOIS is populated by technical jargon and not sensitive personal data?  Will the data protection commissioners take into account the critical role that WHOIS plays under ICANN’s bylaws in holding the DNS together when they enforce their data protection law?  Will they weigh competing equities such as protecting the network from DoS attacks and other forms of fraud and abuse?

We are grateful to ICANN for including us in this important discussion and we look forward to hearing more from the ICANN community and staff on this issue.  As the IANA transition taught us, having an honest, bottom-up conversation about important issues is the best and only path forward for the community and its stakeholders.

Barriers to digital trade threaten U.S. internet’s success abroad

IA recently completed its yearly assessment of barriers to digital trade that American exporters face around the globe. In comments to the Office of the United States Trade Representative (USTR), IA identified over 100 government measures in more than 40 foreign markets that are limiting, restricting, or outright blocking American internet-enabled exporters. Barriers to digital Read more »

Internet Association Applauds Signing of California State Senator Bradford’s SB 182, Which Helps Ridesharing Drivers By Easing Administrative Burdens and Protecting Their Privacy

On October 13, Governor Jerry Brown signed into law Senate Bill 182, a bill which marks a big step forward for ridesharing in California. SB 182 will ease administrative and financial burdens on transportation network company (TNC) drivers by allowing them to obtain only a single business license in order to operate in the entire Read more »

Cloud First Must Be More Than A Slogan

Internet Association believes in the power of cloud computing to improve government processes and maximize the impact of each taxpayer dollar. IA is proud to represent world-class cloud providers with a relentless focus on helping federal, state, and local governments do just that. That’s why it was disappointing to see the Securities and Exchange Commission Read more »

Latest News

Washington, DC — Internet Association President & CEO Michael Beckerman issued the following statement on the publication of the “Restoring Internet Freedom Order” that will gut net neutrality protections for consumers, startups, and other stakeholders: “The final version of Chairman Pai’s rule, as expected, dismantles popular net neutrality protections for consumers. This rule defies the Read more »

Read more news »

Stay Updated

Send me IA updates
I'm a member of the press