International Working Group on Data Protection in Telecommunications Continues to Follow ICANN
On April 8-10, I had the pleasure of attending the meeting of the International Working Group on Data Protection in Telecommunications (IWGDPT) in Budapest, Hungary. The group had put on the agenda the proposal to develop international standards for the accreditation of third-party access to personal data in the context of Internet services, primarily ICANN's WHOIS. Such a standard would also be useful for accrediting those who wish to gain access to ISP subscriber data. The difficulty of ascertaining who wants what data, whether they should be permitted access, and what the expected management standards are for such indirect processing of personal data is a known problem, and one that the General Data Protection Regulation (GDPR) addresses in Article 42 (certification mechanisms). NCUC very kindly paid for my hotel accommodation and a connecting air ticket to Brussels; ICANN was already sending me to Brussels for the face-to-face meeting of the WHOIS 2 Review Team from April 16-18, so I could attend this meeting at little extra cost.
Readers are probably aware that the Berlin group released its working paper [i] on ICANN and privacy issues on March 9, 2018, just in time for the San Juan meeting and our discussions of GDPR compliance. While the working paper is not focused on the GDPR, because this group of data protection authorities is a global one rather than a European one, it is certainly the case that those who worked on and reviewed the paper are well aware of the enforcement challenges that were due to arrive on May 25, 2018. I think it is fair to say that many of the EU members who attended this meeting were rather focused on their own challenges in reviewing and commenting on their national legislation, as very few countries have managed to get their updated data protection laws through their respective parliaments in time for the GDPR's coming into force. This is similar to the situation that member states (and other countries seeking a determination of "adequacy" under Directive 95/46) faced back in 1998, when the EU Data Protection Directive came into force.
Some members of other stakeholder groups at ICANN have attempted to downplay the importance of the Berlin group's paper. I would respectfully submit that this is utter rubbish. ICANN has been complaining for months that it really needs detailed advice on how to comply with the GDPR. It has now received an 11-page document which addresses many, although not all, of the complex issues nested inside the longstanding WHOIS debate. As you will know from my previous blogs on this issue, this is not the first time that the IWGDPT or the Article 29 Working Party have attempted to draw ICANN's attention to its data protection obligations; it is merely the latest and the most detailed (see the appendix to the Working Paper for a short list of this correspondence).
One of the more frustrating aspects of the current GDPR crisis that ICANN has been struggling with is the repeated assertion, from folks in senior management who should know better, that the GDPR was a complete surprise, that these data protection obligations are new, and that the data protection commissioners are not well informed about ICANN and its role. The GDPR passed in 2016 after years of fractious and well-publicised debate, during which US multinational corporations played an active role in Brussels to influence outcomes. While the size of the fines might be a surprise, the requirements were not. Furthermore, the NCSG and its precursor the NCUC have been bringing data commissioners and their staff to ICANN meetings for the better part of two decades. I myself spoke at an ICANN privacy workshop in 2005 while working for the Privacy Commissioner of Canada and said pretty much the same things I say today. More importantly, Giovanni Buttarelli, now the European Data Protection Supervisor and arguably one of the most important data protection commissioners in the world, came to an ICANN meeting in 2004 when he was working in the Italian Data Protection Authority. He returned to the Copenhagen meeting on March 13, 2017 and repeated the same messages, yet even then ICANN's response to the upcoming challenges was still not swift and effective. One wonders why.
To suggest that the Berlin group, or any other data protection supervisor, does not understand ICANN's business is frankly rather insulting. Of course, they do depend on ICANN being frank with them about its data practices, absent a particular investigation or complaint that would permit them to enter the premises and demand documents. Data protection authorities are like any other investigative branch, except that their mandate is perhaps much broader than many others (e.g. a health protection branch or a telecommunications regulatory authority), in that any type of personal data gathering in any field is within their scope (e.g. banking, telecommunications, health, e-commerce, grocery marketing, labour relations, etc.). Naturally, they need to hire experts to assist them in investigations, and most medium to large data protection offices have a dedicated team of information technology experts to help with data mapping and with understanding the complex risk assessments that are put before them. The Berlin group itself was founded back in 1983, at a time when most data protection authorities were European and were focused on human rights law. The founders recognized the challenges that information technology (IT) was already bringing to the field, and they encouraged the participation of technical experts in order to proactively analyse the new developments that were arriving quickly with the Internet. This is why they were quick to recognize the issues at ICANN, and released their first paper on ICANN and WHOIS in 2000.
We have also heard recently from parts of the ICANN community that data commissioners have clearly not talked to law enforcement or their governments, or they would realize that law enforcement needs access to WHOIS data. In actual fact, one of the thorniest issues for all data protection authorities is always dealing with their own governments on matters of surveillance, cryptography and anonymity, criminal procedure, and legal authorities. To suggest that data protection authorities are not capable of understanding how to analyse the need for WHOIS data, and the proper procedures which should be followed in accessing sensitive data such as address, phone number, and political or religious interests, is naïve. One of the more well-publicized and long-standing arguments between DPAs and their governments is over the Passenger Name Record (PNR) [ii] file, which has been going on for nearly two decades. Wherever there is a balance to be struck between public safety and fundamental rights, it is the job of data protection authorities to intervene on the side of the individual, but with due consideration for their important role as legal authorities.
Returning to the matter of accreditation of third parties to access WHOIS data, I am pleased to report that the University of Toronto's application for funding under the Privacy Commissioner of Canada's grants and contributions program has been accepted for 2018. I am the Co-investigator on this project, which aims to hold a workshop in Barcelona at the ICANN general meeting in October to discuss the development of international standards on accreditation and expected management practices for third parties who access WHOIS data. While this project will take years, not days (as would have been required to come up with an interim solution prior to the coming into force of the GDPR), it is in our view necessary to deal with the following questions:
- What identification does a firm or an individual need to provide in order to access data that has been protected in a tiered system?
- What kind of purpose or need statement should be required?
- What standards of data protection (e.g. data collection limitation, data retention, disposal, onward transfer, transparency to the individual(s) concerned) are required?
- What oversight is necessary, and who bears the cost?
These are not easy questions at any time, but they are particularly difficult in the ICANN context as we try to put the WHOIS genie back in the bottle. Businesses have been built on a premise of free and effectively unlimited access to personal data, so it is hard to even get some parties to accept that name, address and phone number are sensitive information. However, we need to start taking a disciplined approach to the matter, and it appears that we will get considerable interest from data protection authorities in the project. Stay tuned for future blogs on this project as we get further ahead in gathering the existing literature, relevant standards, and best practices. If you are interested in assisting or participating, please contact me.
The spring IWGDPT meeting was a great opportunity to update a group of global data commissioners on our work, and we look forward to staying in touch with them and seeking advice as the whole WHOIS stream of work moves forward. To keep up with all things privacy, watch the NCUC/NCSG websites and blogs for updates.
[i] Working Paper on Privacy and Data Protection Issues with Regard to Registrant Data and the WHOIS Directory at ICANN (Paris, France, 27-28 November 2017), https://www.datenschutz-berlin.de/working-paper.html
[ii] See for instance Opinion 7/2010 on the European Commission's Communication on the global approach to transfers of Passenger Name Record (PNR) data to third countries, http://www.dataprotection.ro/servlet/ViewDocument?id=723