I’m angry, frustrated and unhappy.
Due to ICANN.
ICANN has put us and other European Union based registrars in an utterly ridiculous situation.
We are expected to ask ICANN for permission to comply with Irish and EU data privacy law.
Or put another way, an Irish company is obliged to jump through hoops with a California based corporation in order to be able to operate within Irish law.
How does that work?
On what planet does that even make any sense?
Of course this didn’t come “out of the blue” and we have been engaged with ICANN and others on this subject for the better part of two years at this stage.
I’ll try to break it down.
Any company that wants to sell domain name registrations under gTLD domains, such as com, net, org, info, biz etc, needs to be either accredited directly with ICANN or acting as an agent or reseller of an ICANN accredited registrar.
In common with a lot of hosting companies we started out as a reseller. Over time it became evident to us for a number of reasons that cutting out the middleman was the logical thing to do. So we got directly accredited with ICANN.
The contract we signed, which is a bit like a “license”, is the Registrar Accreditation Agreement or RAA for short. The version we’re signed on to is the 2009 one. (As an aside we actually signed the 2001 version but switched to the 2009 because we felt it was appropriate.)
I won’t bore you with all the back and forth that went on over the last 2 years or so as governments and law enforcement pushed ICANN to change the contract terms. I went into some of the nastier implications of some of their “asks” back in 2012.
Eventually registrars and ICANN staff reached an agreement, which was a compromise, and a new contract was published.
However the new contract has issues if you’re based in the EU.
The central tenet of data privacy law is summed up in Article 6(e) of the European Data Protection Directive 95/46/EC which deals with retention of data (emphasis added):
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected
Which under Irish law is Data Protection (Amendment) Act 2003:
“Article 4 (e). preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored”
However ICANN explicitly demands that registrars retain the data for way longer.
While one could argue that the amount of data collected is excessive, the law does allow for it, as long as the registrant, i.e. the person registering the domain name, is made aware of it. The problem, however, is with the period of time they want the data to be held.
It’s simply too long.
The legislation does not specify a specific time period. We must rely on “purpose”. And simply put (again) asking a registrar to hold on to all the data for that length of time is not allowed.
Since I’m not a lawyer and the ultimate arbiter of all things related to data protection and privacy in Ireland is the Data Protection Commissioner I reached out to them last year before ICANN had finalised all the language in the contract. (NB: the bit we care about didn’t change) And they provided a very helpful and clear response:
We note the ICANN Data Retention Specification section 1.1 requirement to retain registration data “for the duration of the Registrar’s sponsorship of the Registration and for a period of two additional years”. Why do ICANN specify two additional years – what is the justification, the purpose, and why is it necessary for that purpose? We note the ICANN Data Retention Specification section 1.2 requirement to retain certain other registration data for 180 days. For 1.2.1 we would recommend holding this data for 13 months to allow credit card chargebacks. For 1.2.2, why do ICANN specify 180 – what is the justification, the purpose, and why is it necessary for that purpose? Also, as any individual seeking to register a domain name with you should be properly informed of collection, processing, and retention periods for their personal data, these periods should also be made clear to them at the time of registration.
Put another way, without any rationale for the data being held for so long they had issues with it.
And they’re not alone.
The Art. 29 Data Protection Working Party, which has representatives of the data protection authorities of all 28 member states of the European Union, has written to ICANN on several occasions telling them clearly that the 2013 RAA is not compatible with EU law.
They also made it very clear that they didn’t think it was reasonable to ask every EU based ICANN accredited registrar to jump through hoops to get an exemption to the clauses.
What did ICANN do about it?
Short answer – nothing.
They’ve all but ignored the letters from the Article 29 Working Party and are forcing EU based registrars to follow a rather broken process to get an exemption. To date only one registrar has been “granted” a provisional waiver, yet I know that a much larger number of companies have applied for one.
Blacknight was the first registrar to seek an exemption under the process.
We submitted our request for a waiver, as per the ICANN process, with the legal opinion of legal counsel on September 17th of last year.
They eventually replied on October 25th and asked us to provide more information. However they’re asking for something we simply cannot give them, i.e. explicit timelines. The law doesn’t provide them so unless we signed the contract, that we already know is illegal, and ended up being investigated by the DPC or sued by a client, there’s no actual legal “test” that we can apply. In fact our legal counsel’s opinion stated this and tried to use the only vaguely similar bit of case law that we could find.
It didn’t help.
Of course to make it all the more “interesting” ICANN won’t let registrars on the 2009 contract offer new TLDs. So if you want to get a .bike or a .guru domain name you have to use a registrar who has signed the 2013 contract.
So this is an interesting problem.
We, as an Irish company, wholly Irish owned and operated, find ourselves unable to trade and compete effectively due to a California corporation’s inability to deal with EU (and Irish) law.
The only way that we can offer new top level domains is to either:
- sign the contract “as is” when we know that it’s not compatible with Irish law
- sign the contract “as is” and ignore the bits we don’t like
- adjust our request for a waiver by providing time periods for retention that we “feel” are reasonable enough to not cause issues with the law
- stop selling gTLD domain names
- sue ICANN for loss of earnings
- take the entire thing to court to get a ruling
I don’t like any of these options and I don’t think they’re reasonable.
Why is it my problem that ICANN doesn’t understand EU law?
Why should our business be impacted negatively due to ICANN’s inability to listen?
ICANN is not a legislative body and its track record in dealing with data privacy issues is far from exemplary. (I’ve cited a few examples in my slide deck.)
And while this entire farce plays out we are unable to offer new top level domains to our clients.
ICANT COPE WITH ICANN!