EU Registrars Empowered to Seek New RAA Data Retention Exemption

ICANN’s Board approved the new Registrar Accreditation Agreement (RAA) on June 27th, and its Resolution doing so noted that “the Board has accepted the GAC Advice in the Beijing Communiqué that the “the 2013 Registrar Accreditation Agreement should be finalized before any new gTLD contracts are approved.”” — and cited as a “highlight” that “The 12 Law Enforcement Recommendations that served as the impetus for these negotiations are all addressed” including “new data retention obligations”[1]. However, a newly disclosed June 6th letter reveals that ICANN was already aware that EU-based registrars would have solid grounds to seek an exemption from those very data retention obligations.

That letter[2], sent to CEO Fadi Chehade and Board Chairman Steve Crocker, was signed by Jacob Kohnstamm, Chairman of The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission.

The letter unequivocally states that “the proposed data retention requirement violates data protection law in Europe” and therefore “relevant registrars targeting individual domain name holders in Europe” would violate data privacy law in 27 EU nations if they complied with it.

These findings were based on two major factors:

  • ·         “The proposed new data retention requirement does not stem from any legal requirement in Europe… Taking into account the diversity of these registrars in terms of size and technical and organisational security measures, and the chance of data breaches causing adverse effects to individuals holding a domain name, the Working Party finds the benefits of this proposal disproportionate to the risk for individuals and their rights to the protection of their personal data.”
  • ·         “[T]he Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement…The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.”

The letter also makes this observation:

“The Working Party notes that ICANN has included a procedure for registrars to request a waiver from these requirements if necessary to avoid a violation of applicable data protection law. Such a waiver request can be based on written guidance from a governmental body of competent jurisdiction providing that compliance with the data retention requirements violates applicable law.

In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.”

The Data Retention Specification (DRS) of the new RAA did not change in any material way between the June 6th transmittal of the Article 29 WP letter and the Board’s approval of the RAA three weeks later, so the letter appears to provide EU-based registrars with solid grounds for seeking an exemption from the requirements.

The DRS authorizes a registrar to provide written notice to ICANN and request a waiver with a specific term or condition upon:

“receipt of either (i) a written legal opinion from a nationally recognized law firm in the applicable jurisdiction that states that the collection and/or retention of any data element specified herein by Registrar is reasonably likely to violate applicable law (the “Opinion”) or (ii) a ruling of, or written guidance from, a governmental body of competent jurisdiction providing that compliance with the data collection and/or retention requirements of this Specification violates applicable law.”

The Article 29 WP letter fits squarely within the second provision and we expect EU-based registrars to seek exemptions soon after the sign the new RAA. The DRS specifies that after receipt of the waiver request a good faith discussion, ICANN’s General Counsel may grant a temporary or permanent waiver. Once ICANN has granted such a waiver to a registrar based in a particular “jurisdiction” (which may well be interpreted to constitute the entire EU, rather than a particular member nation) ICANN is generally obliged to grant a similar waiver to any other registrar in the jurisdiction.

It is also possible that registrars outside the EU may seek a similar waiver, probably based upon a legal opinion obtained from an EU-based law firm. As noted above, the letter states that compliance would be unlawful for “relevant registrars targeting individual domain name holders in Europe” (emphasis added), and an argument could be made that if a registrar based outside the EU markets extensively to EU registrants, and they comprise some meaningful portion of its customers, it must likewise seek a waiver or risk legal violation – as well as the loss of its EU customers. It also remains to be seen whether, in a world increasingly concerned about cyber-privacy, EU-based registrars will gain a competitive advantage with registrants through their ability to seek waivers – and what the reaction will be from their overseas counterparts, including those in the U.S.

The new RAA will be required for all registrars that wish to sell domains in new gTLDs. In addition, many renewing registry agreements require that they only utilize registrars who have entered into the new RAA once a threshold based upon registrars serving a specified percentage of their registrants is reached.

The dialogue within the GAC, and between it and ICANN’s Board, is already likely to be crowded in the upcoming Durban meeting, given recent actions by ICANN’s New gTLD Program Committee that have frozen hundreds of new gTLD applications – primarily for “closed generics” and for strings involving regulated industries and/or with restricted registration policies – so it remains to be seen whether the possibility of EU-based registrars waiving out of the data retention provisions of the DRS will be added to the lengthy list of agenda matters requiring discussion.

The most ironic portion of the Article 29 WP letter is its objection to “the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement”. ICANN is indeed a private, non-profit corporation and, lacking sovereign or intergovernmental agency authority, must rely solely on contracts to enforce compliance by registries and registrars. And those data retention provisions were inserted at the insistence of law enforcement officials — many of them from EU member nations — and were accepted by ICANN under strong urging from nation states participating in the GAC.  Indeed, had ICANN failed to include them in the final RAA it would undoubtedly have faced strong criticism from the GAC. But now EU registrars can readily arbitrage the differing viewpoints of law enforcement officials and data protection authorities and obtain a waiver from those requirements.

 

Comments are closed.