What’s Next for WHOIS: ICANN Board Approves EPDP Phase 1 Final Report

The ICANN board held a special meeting on May 15, 2019, during which it approved twenty-seven of the twenty-nine policy recommendations in the EPDP Phase 1 Final Report. The Phase 1 report represents the start of the ICANN community’s bottom-up consensus-driven policymaking effort to reinvent WHOIS (now called “registration data”) in a way that complies with the EU’s General Data Protection Regulation (GDPR). This report, combined with Phase 2 of the EPDP, will replace the Temporary Specification, which was an emergency measure passed by the ICANN board to bring registration data into compliance with GDPR in the short term while the community developed consensus policy to replace it.

Phase 2 of the EPDP has already begun work on establishing a framework within which entities with a lawful basis to access registration data may do so.

What’s in the Policy?

The board was expected to rubber-stamp most of the EPDP’s recommendations as it has historically approved bottom-up consensus policy recommendations, and it mostly did so. Acting as a final “sanity check,” and with a fiduciary duty to ICANN (the legal entity) and in the public interest as a California Nonprofit Public Benefit Corporation, the board declined to adopt just two of the twenty-nine recommendations in the Phase 1 report.

MarkMonitor’s recent webinar describes the changes to which registration data is publicly available under the current Temporary Specification, and which will be available under the new Registration Data Policy (the working title at ICANN). To highlight a few key changes:

  • The administrative contact will cease to exist.
  • Registrars are no longer required to offer registrants the ability to designate a technical contact.
  • The technical contact, if registrars choose to support it, is limited to three fields: Name, Phone, and Email.
  • Of the thirty-one fields available in WHOIS (not counting separate fields for Phone/Fax Extension), only three are required under the Registration Data Policy. For visual learners:

[Figure 1: Public WHOIS]

What’s Not in the Policy?

Purpose 2 was a highly controversial topic during Phase 1 of the EPDP, with intellectual property owners, governments, cybersecurity experts, and consumer protection advocates calling for explicit recognition of their purposes for processing registration data, as outlined in the Temporary Specification and as required by GDPR.

On the other side of the conversation were advocates seeking to minimize ICANN’s role in these affairs, and some registries and registrars who desired greater legal certainty before acknowledging that they could lawfully provide access to this data to third parties. The stalemate was resolved in the Final Report with a hybrid “placeholder” Purpose 2 which acknowledged ICANN’s role to coordinate a secure, stable, resilient DNS (as outlined in its Mission and Bylaws), by facilitating third party access, without explicitly naming types of third parties.

Recent public correspondence between ICANN and the European Commission (EC) made it clear that improved clarity was required to distinguish ICANN’s purposes from third party purposes, so the board rejected and remanded this purpose for further development.

The board then partially rejected Recommendation 12, which would have allowed registrars to mass-delete all data currently contained in the Organization field. Recommendation 12 was concerning to many in the ICANN community who struggled to understand concerns that this field, which is meant solely for legal entity names, could contain personal data and therefore must be purged.

Cautioning that deleting this data altogether “may result in loss of identifying information about who the registrant is,” the board still approved the part of Recommendation 12 that requires the Organization field to be redacted from public view. The result is that the Organization field will only be available at the registrar’s discretion upon request, or on a “need-to-know basis” to be determined in Phase 2.

What’s Next?

The board’s rejection of any part of consensus policy passed by GNSO supermajority is a rare occurrence (this may be the first time it has happened), and triggers a consultation with the GNSO Council on the rejected recommendations (ICANN Bylaws, Annex A-1, Section 6.c: https://www.icann.org/resources/pages/bylaws-2018-06-22-en#annexA1), after which the GNSO can affirm or modify the recommendations to send them back to the board.

The approved recommendations move to Implementation at ICANN, and in this case registrars and registries must come into compliance with the new policy before February 29, 2020, with the board-given caveat that, “Given the complexity of the implementation, and the possibility of additional input on the recommendations from DPAs or other sources, there is a potential that this date may not be met.” In the meantime, registrars and registries may continue to operate as they currently do under the Temporary Specification’s rules.

MarkMonitor continues to advocate for intellectual property owners, consumer protection, and cybersecurity, including working toward a unified access model for registration data in Phase 2 of the EPDP. If you have any questions, suggestions, or would like to get involved, we would love to hear from you. Please contact your MarkMonitor CSM and/or contact me directly.