ICANN’s Board approved the new Registrar Accreditation Agreement (RAA) on June 27th, and its Resolution doing so noted that “the Board has accepted the GAC Advice in the Beijing Communiqué that the ‘2013 Registrar Accreditation Agreement should be finalized before any new gTLD contracts are approved.’” — and cited as a “highlight” that “The 12 Law Enforcement Recommendations that served as the impetus for these negotiations are all addressed” including “new data retention obligations”. However, a newly disclosed June 6th letter reveals that ICANN was already aware that EU-based registrars would have solid grounds to seek an exemption from those very data retention obligations.
That letter, sent to CEO Fadi Chehade and Board Chairman Steve Crocker, was signed by Jacob Kohnstamm, Chairman of the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, which is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.
The letter unequivocally states that “the proposed data retention requirement violates data protection law in Europe” and therefore “relevant registrars targeting individual domain name holders in Europe” would violate data privacy law in 27 EU nations if they complied with it.
These findings were based on two major factors:
The letter also makes this observation:
“The Working Party notes that ICANN has included a procedure for registrars to request a waiver from these requirements if necessary to avoid a violation of applicable data protection law. Such a waiver request can be based on written guidance from a governmental body of competent jurisdiction providing that compliance with the data retention requirements violates applicable law.
In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.”
The Data Retention Specification (DRS) of the new RAA did not change in any material way between the June 6th transmittal of the Article 29 WP letter and the Board’s approval of the RAA three weeks later, so the letter appears to provide EU-based registrars with solid grounds for seeking an exemption from the requirements.
The DRS authorizes a registrar to provide written notice to ICANN and request a waiver with a specific term or condition upon:
“receipt of either (i) a written legal opinion from a nationally recognized law firm in the applicable jurisdiction that states that the collection and/or retention of any data element specified herein by Registrar is reasonably likely to violate applicable law (the “Opinion”) or (ii) a ruling of, or written guidance from, a governmental body of competent jurisdiction providing that compliance with the data collection and/or retention requirements of this Specification violates applicable law.”
The Article 29 WP letter fits squarely within the second provision, and we expect EU-based registrars to seek exemptions soon after they sign the new RAA. The DRS specifies that after receipt of the waiver request and a good faith discussion, ICANN’s General Counsel may grant a temporary or permanent waiver. Once ICANN has granted such a waiver to a registrar based in a particular “jurisdiction” (which may well be interpreted to constitute the entire EU, rather than a particular member nation), ICANN is generally obliged to grant a similar waiver to any other registrar in the jurisdiction.
It is also possible that registrars outside the EU may seek a similar waiver, probably based upon a legal opinion obtained from an EU-based law firm. As noted above, the letter states that compliance would be unlawful for “relevant registrars targeting individual domain name holders in Europe” (emphasis added), and an argument could be made that if a registrar based outside the EU markets extensively to EU registrants, and they comprise some meaningful portion of its customers, it must likewise seek a waiver or risk legal violation – as well as the loss of its EU customers. It also remains to be seen whether, in a world increasingly concerned about cyber-privacy, EU-based registrars will gain a competitive advantage with registrants through their ability to seek waivers – and what the reaction will be from their overseas counterparts, including those in the U.S.
The new RAA will be required for all registrars that wish to sell domains in new gTLDs. In addition, many renewing registry agreements require that they only utilize registrars who have entered into the new RAA once a threshold based upon registrars serving a specified percentage of their registrants is reached.
The dialogue within the GAC, and between it and ICANN’s Board, is already likely to be crowded in the upcoming Durban meeting, given recent actions by ICANN’s New gTLD Program Committee that have frozen hundreds of new gTLD applications – primarily for “closed generics” and for strings involving regulated industries and/or with restricted registration policies – so it remains to be seen whether the possibility of EU-based registrars waiving out of the data retention provisions of the DRS will be added to the lengthy list of agenda matters requiring discussion.