A major deliverable of this project was a public workshop on privacy standards in the context of disclosure of WHOIS data, which we convened in conjunction with the ICANN annual general meeting in Barcelona, October 20-25, 2018.
The goals of that workshop were the following:
- To discuss the issue of standards as a way of meeting privacy compliance requirements, and explore whether stakeholders at ICANN were interested in standards development;
- To generate interest among civil society stakeholders in Canada in what appears at first glance to be a rather abstruse topic unrelated to privacy protection;
- To explore the risks at ICANN in the models currently being discussed to meet the standard of GDPR, in particular relating to disclosure of personal information;
- To discover any other potential issues where further research would be beneficial to this project on standards development.
We invited representatives of a number of stakeholder groups to participate, focusing on those who were struggling to meet GDPR compliance (the contracted parties), representatives of the cybercrime-fighting community both within companies (Microsoft) and in associations (the Anti-Phishing Working Group), the Security and Stability Advisory Committee of ICANN (SSAC), and representatives of Canadian civil liberties groups. Ayden Ferdeline of the NCSG did an excellent job moderating the meeting and keeping us on time. We had to do some real-time juggling of the agenda to accommodate various individuals being double-booked in other meetings, but the event unfolded seamlessly.
Based on the input received, we reached the following conclusions:
- Further standardization in ISO could possibly be useful to improve privacy management standards, but in the current climate of frenzied application of the GDPR (not just at ICANN but globally) it was a non-starter in terms of getting people and organizations to contribute time and money.
- The IETF is continuing work on RDAP, and the recent trial, the pending requirement to implement RDAP at ICANN, and its potential application as a replacement for WHOIS were focusing standards attention there.
- While we cannot expect ICANN to turn on a dime and abandon a twenty-year history of basically ignoring data protection law, progress in embracing the details and realities of data protection law has nevertheless been depressingly slow. As Elliot Noss noted in his remarks, we were barely having an intelligent discussion of the issues at the EPDP in October. Embarking on a process of privacy standards development seemed beyond a faint hope.
- Data trusts are a rather new idea, although certain kinds of repositories have existed for years (e.g. credit reporting agencies, cancer registries). Some are governmental, some operate for profit, but all attempt to share personal information for the “public good”, although this term is perhaps more applicable in a health reporting environment than in a for-profit situation. ICANN has a unique, multistakeholder (MS) model of a potential digital trust, where the data is not collected but the disclosure mechanisms could be controlled and managed in an MS policy environment, with independent oversight by a Board and the participation/oversight of data protection commissioners. This concept seemed attractive if it could relieve contracted parties of the burden of compliance verification, meet the requirements of data protection authorities (who could be represented on the Board or certify the resultant code of practice by which the trust operated), and relieve ICANN of further liability.
- A further benefit of a data trust is that it could exist in Europe, thus solving an adequacy issue that ICANN would probably face as a California institution, and it could have a close relationship with existing law enforcement criminal intelligence sharing organizations such as Europol and Interpol, which have well-established data protection procedures for information sharing.
We decided to focus our efforts on researching different models of data trusts and applying potential working models to the situation at ICANN. Once we determine what is necessary for compliance with the GDPR (it is not clear to the NCSG that this has emerged from the EPDP), there could be more interest in specific standards. In the meantime, it is clear that the concept of data trusts could benefit from legal analysis and a determination of roles and responsibilities. This could eventually result in a standardization activity.