The Internet Corporation for Assigned Names and Numbers, better known as ICANN and responsible for managing the internet’s naming system, is in the process of updating its Registrar Accreditation Agreement (RAA). Many of the changes it has been negotiating are at the behest of law enforcement and the Governmental Advisory Committee.
Now the Article 29 Working Party of the European Union (a group comprising representatives of the data protection authority of each EU member state) has written to ICANN with its reservations. At issue are two particular points: the annual re-verification of contact details, and a new data retention proposal.
On the former, the Working Party seems to have two problems. Firstly, it notes that the WHOIS database is “being harvested on a large scale and abused for spamming. In other words, the way the system is designed provides a strong incentive for natural persons to provide inaccurate contact details.”
Secondly, however, it is concerned about illegal mission creep. The purpose behind collecting the data is to be able to contact a person who can resolve issues associated with the domain records. Since then, ICANN has noted that, “Over time, WHOIS data has been increasingly used for other constructive and beneficial purposes...” But the Working Party says that neither this nor the fact that law enforcement is requesting the change can “legitimize the collection and processing of personal data for those other purposes.”
In short, the new requirement to collect and publish re-verified contact details in the publicly accessible WHOIS database is “excessive and therefore unlawful.”
The Working Party’s second concern is over data retention. ICANN’s proposal is that all the registration details (not just those published in the public WHOIS database, which could include credit card details) are retained after registration. This requirement, notes the Working Party, “does not stem from any legal requirement in Europe, but again, is explicitly introduced by ICANN to accommodate wishes from law enforcement.” The Working Party strongly objects to this saying that if such is required, it is up to “national governments to introduce legislation” rather than “by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.”
It concludes that since “there is no legitimate purpose, and in connection with that, no legal ground for data processing, the proposed data retention requirement is unlawful in Europe.” In reality, these two concerns are an embarrassment for ICANN rather than a show-stopper. It doesn’t ultimately need Europe’s approval, although the lack of it could cause further problems for the internet.