European Commission brushes aside WHOIS data privacy concerns


Earlier this year the Article 29 Working Party, an independent European body advising on data protection and privacy matters, had voiced its concerns regarding proposed changes to the ICANN Registrar Accreditation Agreement (RAA) that would require accuracy checks to be carried out on certain elements of the registrant data contained in domain name WHOIS records at the time of registration and thereafter on an annual basis. In light of this, EU data privacy advocates were dismayed when, at a recent meeting of the European Commission, the concerns raised by the group were unceremoniously swept aside.

The Article 29 Working Party, although technically an independent body, is nevertheless made up of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor and the European Commission. As such, the swift dismissal of the group's concerns by the European Commission's Government Advisory Committee representative, who stated during the European Commission meeting, held on October 16 2012, that "this is not an EU position as such but the position of the advisory committee" before moving swiftly on to other business, came as something of a shock to concerned parties.

The Article 29 Working Party was not alone in expressing its reservations about the RAA amendments, which were echoed in a letter from the Council of Europe to ICANN on October 8 2012. In this letter, the Council's Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data stated that it was "convinced of the importance of ensuring that appropriate consideration be given in the ICANN context to the relevant European and international privacy standards".

On October 9 2012 ICANN CEO Fadi Chehadé sought to allay the Article 29 Working Party's fears by stating in a reply to the group that ICANN proposed to adapt its current procedures in order to enable EU registrars to "seek an exemption from these new RAA WHOIS and data protection obligations in the event that the obligations would cause registrars to violate their local laws and regulations". However, registrars from outside the European Union have complained that this would create an unfair two-tiered RAA.

In any event, it is clear that the impending launch of new gTLDs is prompting a serious shake-up of notions of how WHOIS data should be collected and diffused. In relation to this, on November 8 2012 ICANN published a resolution promising to:

"launch a new effort to redefine the purpose of collecting, maintaining and providing access to gTLD registration data, and consider safeguards for protecting data, as a foundation for new gTLD policy and contractual negotiations."

Subsequent to the publication of this resolution, ICANN chair Steve Crocker remarked of WHOIS data that "anyone can get at it, it doesn’t matter if you’re competitor or friend or law enforcement, you can get access" and went on to say that "a point of discussion could be: would it make sense to make different levels of access to information available to different people?"

Whilst allowing law enforcement agencies and other authorised parties greater access to otherwise concealed registrant data would no doubt please IP owners seeking to enforce their trademark rights, as well as those hunting cybercriminals, it may not be a proposal that would bring a smile to the face of domainers or data privacy advocates. It will be interesting to see if ICANN and the other interested parties agree on some kind of compromise in relation to WHOIS data before the first new gTLDs hit the internet around mid-2013.

David Taylor and Cindy Mikul, Hogan Lovells LLP, Paris
