ICANN, the public interest registry that can’t follow its own rules…

Alexander Hanff
Aug 7, 2018


ICANN WHOIS info taken directly from ICANN WHOIS server

So the Internet Corporation for Assigned Names and Numbers (ICANN) has been having a bit of a hard time of late complying with European law. I say “of late” but the fact of the matter is that ICANN have been in breach of EU law since 1995 when the Data Protection Directive (95/46/EC) came into effect — but for the purpose of this article, we are more specifically talking about their concerns under the General Data Protection Regulation (GDPR).

You see, European Data Protection law requires that personal data should only be processed under specific conditions (we call these principles) and with a specific legal basis (these range from consent to vital interest); and this is a big problem for ICANN because of their controversial WHOIS database.

The WHOIS database is a publicly accessible database containing information about Internet Domain Names. When you register a domain name you are required to provide certain information including a great deal of personal information. It is not enough that the company, organisation or individual who has purchased a domain is provided — you are also required to provide personal details of an Administrative Contact and Technical Contact including name, address, phone number and email address.

This creates issues under EU law because this data is not seen as necessary or proportionate for the purpose of registering an Internet Domain Name. The fact that this information is publicly available creates further issues because personal data should not be disclosed or disseminated without a specific legal basis.

The problem is that, of the six legal bases available:

Consent, Contract, Public Interest, Vital Interest, Legal Obligation & Legitimate Interest

ICANN’s WHOIS database doesn’t qualify for any. It might potentially qualify for the registrant’s limited personal data (name) (but even that is a stretch for public disclosure) but the disclosure of personal data of other parties would never be seen to qualify under GDPR and of course, as I explained earlier in this article — before we even consider legal bases we need to understand that such processing is not considered necessary or proportionate, which means it could never be considered “fair” and therefore would never be “lawful” — so the WHOIS database falls at the first hurdle.

ICANN have been warned about this for the last 15 years and EU Regulators have repeatedly told ICANN that the system is in breach of EU law. ICANN have historically refused to acknowledge the validity of these concerns.

Then came GDPR — with the potential for penalties amounting to 4% of ICANN’s global turnover for a breach and ICANN are a little worried. They were not so worried as to attempt to make the WHOIS service compliant before GDPR — no, in fact they spent two years doing pretty much nothing. Then as GDPR approached in May this year they scrambled to try to persuade EU Regulators to give them an extra year to fix the problems — EU Regulators refused (and rightly so) on the grounds that they have had 15 years to fix these problems.

ICANN’s response was to attempt to set a precedent by taking a German Registrar to court — they lost, three times…

So ICANN have failed to make WHOIS compliant and they have failed to persuade the Courts that it is legally compliant.

However, what many people may not be aware of is that ICANN have failed at something else…they have failed to follow their own rules. If you go to ICANN’s own WHOIS lookup service here:

Search for information for the domain icann.org and confirm you are not a robot; you will be presented with the following information:

You will note that there is no name or complete address, phone number, fax number or email address for the Registrant Contact, Admin Contact or Tech Contact. Information which ICANN demands with every Internet Domain Name registered but chooses to exempt itself from. ICANN is appealing to European Courts to enforce rules it refuses to follow itself.

Helpfully, ICANN provide an online form where diligent members of the public can report incomplete registration details here:

Being a diligent member of the public, I have personally reported ICANN.org to ICANN for their WHOIS inaccuracy and I would urge readers to fulfil their own civic duty by doing the same.

I will also be looking to file an amicus curiae with the next Court that ICANN appeals to, in order to point out this apparent faux pas.

Perhaps ICANN should consider changing their name to ICANT.


Alexander Hanff

Advocate, consultant & member of Singularity University faculty for Data Ethics; dedicated to development of EU privacy laws. CEO of Think Privacy AB.