- GAC session at ICANN meeting focuses on GDPR and WHOIS
- Concern that expedited policy process will not focus on accreditation models
- Evidence of brand owner enforcement struggles presented to governments
At this week’s ICANN meeting in Panama, the Government Advisory Committee (GAC) heard from rights holders who have faced significant enforcement challenges following the enactment of the European Union's General Data Protection Regulation (GDPR). Amongst the concerns of brand owners are the difficulties in investigating potential infringement, the lack of response to legitimate data access requests and registers not engaging with the UDRP process.
Last week we explored ICANN’s draft Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data, which outlines how third parties may access non-public WHOIS data in light of the recent changes due to GDPR. Running parallel to efforts around a future access model is an expedited policy development process focused on ICANN’s temporary specification for the treatment of WHOIS data. In Panama earlier today the GAC held a discussion on GDPR, in which fears were raised that the expedited policy development process (EPDP) in place for the latter could overlook access components.
Laureen Kapin, counsel for International Consumer Protection at the US Federal Trade Commission, observed: “In terms of scope, I think the issue we heard very clearly in the session yesterday with the GNSO council is that you are going to have certain folks who are advocating that this EPDP only focus on the current temporary specification.” The US GAC representative voiced concern over this prospect, stating that while they “have seen access and accreditation to be central to what the GDPR model was going to be. there is posturing to not make it the focus of this EPDP. But this has to be a focus. This has to be a deliverable. And if it's not going to be a deliverable at this EPDP, I think we need to seriously look at other alternatives.” India’s GAC representative concurred, stressing: “I totally endorse the point of view of my colleague from the US, that the access and accreditation model is central to any EPDP process which comes into being.”
It appears, then, that governments are keen to ensure that the EPDP focused on the future WHOIS model has access models baked in. One possible approach, floated by a number of participants in the discussion, is the creation of a second temporary specification model which does include an access model, which could be put in place while efforts continue to formulate a longer-term plan.
In the meantime, rights holders are left facing a fragmented system. While it was noted that parties with a legitimate access can currently lodge data access requests with registries and registrars, Steve DelBianco, president and CEO of NetChoice, observed that this comes with the caveat that such requests can be rejected where legitimate interest is over-ridden by the data subject’s rights. He observed: “At this early stage of implementation you can imagine how difficult it is for registries and registrars to make that decision in the absence of legal advice.” What appears to now be happening is that the default response to such requests is no response - the result hindering the ability or brand owners to investigate police misuse.
For example, one counsel noted that Facebook has lodged 1,736 legitimate WHOIS requests with 167 different registrars since GDPR came into enforcement – and has received a response from just three of them. Claudia Selli, EU affairs director at AT&T and chair of ICANN’s Business Constituency, observed that this type of response, and lack of available data, is impacting the company’s investigations, adding that “in cases of cybersecurity risk, the minutes and hours lost in investigations can have serious implications for users globally.”
This lack of co-operation when data is requested is also extending to UDRP actions, with Hogan Lovells’ David Taylor, noting that he has had to go “back and forth with some registrars”, concluding: “Now everything is behind the curtain and this radical change does not have access in sync with it. I have concern over who is benefiting most from GDPR – it is the phishers and infringers.”
The mood of the governments in the session did seem in sync with that of rights holders, with Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, urging them to continue engagement on efforts to formulate a workable model for access, adding: “You can see the challenges we face going after bad actors on the internet and we want to make sure we don’t have an environment that allows them to flourish. The fragmented system in place is already not working and the challenges and harms are going to compound the longer we are in this fragmented environment.”
Later today, cross community sessions will explore the issue of accreditation and access to non-public WHOIS data post-GDPR. Whether an access model will be included in the EPDP remains to be seen, and there is likely to be resistance by some I the ICANN community (whether for reasons of expediency or philosophy). However, it appears to be a cause that the GAC is four-square behind.