This project studied how standards could assist in providing privacy-compliant ways for personal data holders to release personal information in response to requests from legitimate third parties. The case study we focused on was Internet domain name registration data held by registrars and registries, aka WHOIS, in compliance with policies created by ICANN, the Internet Corporation for Assigned Names and Numbers. ICANN has recently decided to comply with data protection law and close a formerly public directory of registrant data, and is now attempting to develop a simple, unified model for access by third parties. It was hoped that solutions explored in this study would also be relevant for other instances of “subscriber data”, such as the personal data held by Internet Service Providers (ISPs), cellular service providers and others.
The activities of this research project, set against this backdrop of ongoing and intense work at ICANN to meet the data protection requirements of the EU’s recently enacted General Data Protection Regulations, included the following:
- Researching the existing standards literature for materials that could be of assistance in dealing with this challenge;
- Convening a public workshop on October 21 during the scheduled ICANN63 meeting in Barcelona, Spain to discuss the potential for standards and standardization activities to assist with the problem of compliance;
- Consulting experts in the data protection and ICANN environments, to gather their insights into the problem and interest in standardization development;
- Engaging in further research as directed by the results of the first three activities, including potential standards development;
- Providing a final report and recommendations.
Based on our research and especially the results of our ICANN workshop in Barcelona, we decided to shift our standardization focus away from the certification of cybersecurity professionals that needed access to WHOIS data, to more immediately and generally applicable models of data stewardship and access.
The most promising of the various third party disclosure models we reviewed is that of a data trust. This emerging trust conceptl appears to have much to offer not only in the context of WHOIS data, but in a variety of rapidly developing digital environments, particularly ‘smart city’ initiatives and internet of things technologies among other areas where massive volumes of sensitive personal data are generated but currently lack appropriate standards for data protection. How a data trust could be constituted, what standards might be needed, and what oversight mechanisms would work became the focus of this case study.