An annual meeting of the Internet Corporation for Assigned Names and Numbers (ICANN) ended Friday without resolving a looming standoff between European privacy law and ICANN rules that help right holders identify IP infringers on the web.
The conflict centers around the European Union’s General Data Protection Regulation, or GDPR, which takes effect in May 2018 and strengthens restrictions on how companies may gather and use EU citizens’ personal data.
Those restrictions cut against ICANN rules that domain name registries—the private companies that operate the .coms and .orgs of the world—publish personal information on everyone who registers a website, often called “WHOIS data.” (That data can be masked, but doing so often involves using a paid service and there still are ways to access the personal information.)
ICANN is the California-based nonprofit that oversees the naming system that allows the web to operate. Registries that do not conform to its rules can have their contracts with ICANN canceled, and the conflict has put them in the position of having to choose between their contractual obligations and EU law. So far, it’s been reported that two Dutch registries have argued the GDPR nullifies the WHOIS requirement.
The clash between the GDPR and the WHOIS protocol was one of the main issues looming over the weeklong ICANN general meeting, which was held in Abu Dhabi and ended Friday. A group of government representatives met to discuss the issue on Tuesday.
“This is causing the biggest kind of conflict between how ICANN is trying to operate itself as a super-national organization and actual local law,” Michael Adams, co-manager of Mayer Brown’s global brand management and internet practice in Chicago, said in an interview this week.
Adams underscored that having accurate WHOIS information is critical for IP attorneys and brand enforcers to even get to the right party when they find infringing content online.
“There’s tremendous, tremendous cybersquatting and infringement on domain names,” he added.
But the meeting ended without much clarity on where the fight will end up. On Thursday, ICANN’s Governmental Advisory Committee adopted a 16-page communique underscoring that WHOIS data has a number of legitimate uses—including assisting law enforcement and combating infringement and misuse of intellectual property.
The advisory committee also recommended that ICANN “seek information from its outside counsel to ensure the lawful availability” of WHOIS data for consumer protection and law enforcement activities.
The same day, ICANN issued a statement saying that amid the legal uncertainty around the issue, it would “defer taking action against any registry or registrar for noncompliance” with the WHOIS requirements—within some limitations.
It also said it would continue to work with the Swedish law firm Hamilton Advokatbyrå to seek advice on how registration data can be handled in ways that still comply with the GDPR. ICANN announced that it had engaged the Hamilton firm in September.
The next meeting of ICANN is set to be held in March 2018 in San Juan, Puerto Rico, just two months before the GDPR is set to go into effect.