Collaboration across the Atlantic: Data Protection & Internet Policy - Transcript

Listen to the approx 20-minute discussion here or download the audio for later

Transcript

THOMAS RICKERT: Hello everyone. This is Thomas Rickert, Director, Names & Numbers with eco, and I'm in Abu Dhabi with Christian Dawson.

CHRISTIAN DAWSON: Hello, how are you doing? My name is Christian Dawson, and I'm Executive Director of the Internet Infrastructure Coalition, or i2Coalition.

RICKERT: You might ask yourself: Why are you hearing this? And actually, eco and i2C go back many years. And we've been working with Christian and his colleagues, even prior to i2C being set up, to discuss how we can potentially collaborate. There is an MoU existing between eco and i2C. Which means we've been working quite complementarily for the last couple of years. And Christian, you might want to enlighten our audience about what we did a couple of days back in Brussels.

DAWSON: Absolutely. The Memorandum of Understanding, or MoU, that we've had in place for a while, mostly focuses on policy sharing. So we'll set up calls and talk about what's going on in Europe and what's going on across the Atlantic in North America, because both of our groups work heavily on policy. But most of the portfolio that eco has is European based, and most of the portfolio that i2Coalition has is North American, although not exclusively.

RICKERT: I think that's a great summary. And you might ask yourself, what do I get extra that I didn't get before? Because actually a number of organizations are already a member of both i2C and eco, and primarily what we've done so far is that i2C would have special offerings for the primarily Northern American audience and we would usually do our thing for a European audience. What's new is actually an offering whereby we would shed light on European policy developments for an American audience and explain the concept for somebody who doesn't have a European background, and vice versa. This means that companies operating in both geographic regions will hugely benefit from us coming up with tailor-made offerings for specific policy topics. We're going to discuss this a little bit more as we move on. But we're going to create new fora where thoughts can be exchanged and where we can work complementarily, because there are some duplications of our efforts and we want to use our resources wisely. Therefore, we think we can increase our impact by this partnership. 

DAWSON: Absolutely. It'll go quite well beyond information sharing, to new content creation, and really spending more time giving perspectives on how things look from our different vantage points. One of the things that I think is interesting is we're here at ICANN 60 in Abu Dhabi, and we're spending a lot of time talking about GDPR and how it impacts the Names and Numbers community. This is a clear example of the type of thing that I think a partnership with our organizations can achieve; that we're doing better work together than we can do alone. Because the GDPR looks very different from a North American perspective than it does from a European perspective, I'm sure. By collaborating, by information sharing, by doing content together, we can better serve the needs of all of our members.

RICKERT: And for those who haven't yet heard the acronym GDPR...

DAWSON:...you will!... 

RICKERT: ... let me decipher: that's General Data Protection Regulation. It's a regulation that was established by the European Union almost two years back and it had a two-year implementation phase. Which means that, as of May 25th 2018, everyone who deals with European data subjects, i.e. natural persons, needs to be compliant with this regulation. And there's a lot of discussion in the domain industry at present, because nobody really knows how to become compliant. And I think that this is particularly challenging for companies that are not in the EU, because the data protection concepts laid down in the GDPR – which to a huge extent are no news to European companies – are completely new concepts for non-European companies. 

Just to illustrate why this is relevant and important to you if you're not based in the EU: The way the GDPR is set up is that whoever does business, not only on an occasional basis with European customers or data subjects, as the GDPR says, needs to be compliant. And those who are doing business into the European Union need to appoint a representative in one of the European member states to whom enforcement authorities, for example, can go, or to whom people can go and ask for certain documentation that will be required under GDPR. And these new concepts sort of need to be filled with life, and also there needs to be thought leadership when it comes to shaping policy or contractual compliance in the ICANN arena. And we're going to be at the forefront of that, and we are already, actually. We started discussions with ICANN on this quite some time ago to come up with a cohesive solution for contracted parties.

DAWSON: What I think might make sense is for us to talk about GDPR sort of writ large from a global perspective, and then narrow in on the specific things that we're dealing with here at ICANN that are specific to the Names and Numbers community. You know, we work at i2Coalition, as you do at eco, with a bunch of global organizations. And though most of our portfolio is North American policy, GDPR is becoming increasingly relevant, because these businesses are going to need to comply. The bottom line is if you do not, and you do business in the European Union, you're going to see giant fines. 

The thing is that a lot of people are just becoming aware or have not yet become aware of their requirements, are just starting to do the complex data mapping exercises that are going to get them to try and figure out how to comply and how to not be in a position to receive huge European Union fines. And there are a lot of people that are scrambling or will soon find themselves scrambling to meet the May 25th 2018 deadline. There are, I would say, probably more North American businesses that are unaware or thinking that it doesn't matter to them, and are slowly waking up to it. And over time, they're going to find that they're in big trouble. We are trying our best, trying to get them the information that they need and the clarity they need to try and start those data mapping exercises, so that they're not in hot water come May 25th.

RICKERT: Yeah. And I guess that you know nobody really knows what's to be done. So, we're trying to give guidance on the steps that need to be taken, both in-house as well as with the support of external consultants, to get up to speed and become compliant. Just to give you an example: Thus far, everyone who has been a data processor on behalf of the data controller – let's say somebody who's doing I.T. services for somebody else – could lean back, because the only person in the game that was subject to liability was the data controller. Under the new regime, both the data controller as well as the data processor are responsible for everything being compliant. So that's new, but also there are increased transparency, documentation, and information requirements.  You need to let the customer know upfront what exactly is going to happen with his or her data all the way through. 

What the companies need to do is actually take every data element and establish what's done with it, and then check whether there's a legal basis for collection, processing, transfer, revealing, and even erasure and deletion of those data elements. What you need to come up with is what's called “the record of processing activities,” and actually both the company itself as well as the representative for non-European companies must be able to forward that inventory to authorities upon request. And that's quite a big thing. 

The bottom line is that, if you collect data from your customers, called personally identifiable information or PII, you need to know about this. You need to do some research and make sure that you're OK. Chances are, you're not! And you're going to need to change some of your collection or at least your practices about how you explain what you're doing with the data you're collecting. 

Now, let's talk about how that impacts the Names and Numbers community. When you sign up for a domain name, you provide the registrar who you are purchasing the domain from with a lot of personal identifiable information, your PII. A lot of the questions that we have right now concern what is going to need to change with how that information then gets processed. As it stands right now, that data makes it to a few different players. First of all, it is at some point transferred between the registrar – the organization that you purchased the domain from – and the registry. The registry generally is the operator of the third level domain – for instance, .com, .net, .org, .photography are examples of TLDs. The operators of those systems are interoperating with the registrar, and there may be some information exchange between those two parties. That's being looked at. But also, what's being looked at is how that information is then presented to the world. Because, indeed, part of your personally identifiable information gets published through a record called whois. Do you want to talk a little bit about that? 

RICKERT: Yeah, and I guess that's where the complexity starts. The whois requirement, i.e. the requirement to publicize pretty much all the data that the registrar collects from the registrant, plus Admin-C data, plus Tech-C data, plus Billing-C data, is a contractual requirement coming from ICANN. ICANN will send breach notices to those registrars or registries that do not process the data in the way ICANN tells them to do so. So what we're facing today – and this is sort of brand new news – the Dutch Data Protection Officer has actually sent a letter to the operators of .Amsterdam and told them that the way they do whois is not legal. Well, certainly this is under the existing legal regime and not yet under GDPR, but the legal principles remain mainly unchanged.

This means we can expect some enforcement action by the data protection authorities, and even if the data protection authorities do not want to sanction companies that provide illegal whois access, or that otherwise infringe upon the data subjects’ rights, they can be forced to do so, because under the new law, data protection authorities can be sued for inaction by aggrieved data subjects. So there's going to be a vicious circle whereby everybody needs to take action. And what we're currently trying to do is actually rework all the individual steps that Christian outlined, i.e. the data being collected by the registrar, being passed on to the registry, being passed on to the Escrow Agent, revealed to the certain parties, and the like, to see what is actually legitimate, what collection processing might be excessive, and how the system needs to be tweaked to become compliant. Here we see that the contracted party is between a rock and a hard place. They're either facing sanctions from ICANN or they're facing sanctions from the outside world, and even worse, ICANN itself may face sanctions, because I'm sure they will be deemed to be a data controller. 

DAWSON: Now let's talk a little bit about that for a second, because isn't it true that ICANN is actually saying that they are not a data controller?

RICKERT: Well they've been saying that for quite a while, or at least they haven't been brave enough to confess that they are a data controller. But both the RDS Working Group, as well as a legal assessment that has been commissioned by ICANN itself, clearly indicate that ICANN is the data controller, at least for certain data elements. 

There are many uses for whois that are practical and useful and necessary for the continued operations of the Internet. So that poses a problem. This Next-Gen RDS Working Group is working on trying to build a new system to replace the whois system, eventually, that will not only be GDPR compliant, but potentially have a system in place to have gated access to information. Then rather than publishing information to the world, you're publishing it only to certain parties that are registered to receive that data. Perhaps law enforcement and anti-abuse, and technical operators who require the data to continue Internet operations. We have not gotten there. There is a system that has been built called RDAP that is technically capable of running this new system. Ultimately, what the Next-Gen RDS group comes up with will hopefully be implemented on an RDAP-based system and it will all replace whois, so we won't have this crisis. But it's not going to get here soon enough. 

RICKERT: That's correct and I'm glad that you make this point about RDS, because there's one important distinction to be made when whois is discussed. We need to distinguish between whois, the protocol, and the whois database that's behind it. And when we're looking at GDPR compliance, we need to establish what data can legitimately be collected and how it can be legitimately processed, and RDS will be a great way to offer gated access for the data that we can confirm to be legitimately collected and processed in a certain way. We can expect that to take the whois discussion to the next level.

But let me spend a few sentences on saying what might happen to you if you don't comply. Because there are severe sanctions, as Christian mentioned earlier. And those are up to 10 million Euros or two percent of the global annual turnover for minor breaches – for example, if you do not appoint the representative that we made reference to earlier in our conversation, that would be up to 10 million or 2 percent global turnover. For more serious breaches, it can be up to 20 million Euros or up to 4 percent of the global annual turnover. And as you know, there are enough companies in this arena that are not that much afraid of the 20 million but even – more seriously – about the 4 percent of the global annual turnover. 

And looking at what you can do, I think we should briefly touch upon two concepts that come into play. One is that you can collect and process data that you require to fulfill the contract. Here, there are certain data elements that you need. To illustrate this, if you order a book online, then certainly the vendor needs to know to what address the book needs to be shipped. And then he can use that address for invoicing purposes. But apart from bookkeeping requirements that might lead him to need to archive that data for a certain period, he might need to delete it afterwards. That's an angle from which we can look at domain registrations as well – what do we need to fulfill the contract? And the second most important case for this would be consent. You can ask the user to consent to certain data processing if you tell them exactly what's going to happen based on that consent, but that consent can be withdrawn at any time without giving reasons. So the operators need to carve out that information on the databases, out of Escrow, and what have you – which is challenging in the de-centralized way of storing data, and also that consent needs to be fully informed, and there are some conditions to that. The question therefore is, can we get valid consent for treating the data the way we're doing now? And what do we do if the user withdraws his or her consent?

DAWSON: These are complex things that you need to figure out. I want to close by saying that, as somebody trying to bring the North American perspective to this important issue, you need to remember that this is not just for European companies. This is for any company that is doing business in Europe. And those are very different things. So pay attention to this. You've got some work to do! 

RICKERT: Exactly. And I think we've almost taken up the time that we were granted for this interview. It was a great pleasure. And I think we should do it again, shouldn't we?

DAWSON: I think we should definitely do it again. Thank you for your time, Thomas.

RICKERT: Thanks for having me. I appreciate it. 

Thomas Rickert has been a lawyer with Schollmeyer & Rickert since 1998; in 2002 he moved from managing director to managing partner, and the firm was renamed to include his surname. He specializes in trademark, domain, copyright, and media protection law. He was chairman of INHOPE Association's Executive Board from 2003-2005, which unites various organizations fighting against illegal Internet content. He is Director of Names and Numbers at the eco Association and is a Member of the Content Advisory Board of NamesCon and WorldHostingDays.

Christian Dawson is the Co-Founder of the Internet Infrastructure Coalition (i2Coalition) where he works to make the Internet a better, safer place for the businesses that make up the Cloud. He is a staunch advocate for Internet freedom as a tool for social and economic growth by fostering the growth and expansion of the Internet economy. Dawson served as the Chairman of the i2Coalition Board from 2012 to 2016. As of January 2016, Dawson has joined the i2Coalition in a full-time position as its first Executive Director.