1

GDPR Domain Industry Playbook

V.1.0

PLEASENOTEASUMMARYISPROVIDEDWITHASEPARATEDOCUMENT

Authors:

JuliaGarbaciok*AndreasKonrad**

MartinLose*ThomasRickert**JanSchlepper**OliverSüme*

*FieldfisherGermanyLLP,Hamburg,Germany,fieldfisher.com**RickertRechtsanwaltsgesellschaftmbH,Bonn,Germany,rickert.net

Illustrations:JefferyFrankenhauser,dougstudio.com

2

1

PartA-Introduction/Scope 7

I. PrincipleofDataMinimization 8

II. Ourapproachtodevelopingadatamodel 9

1. Whatisprocessing? 9

2. Whatislawfulprocessing? 9

3. Risksassociatedwithdataprocessing 10

a) Consent 10

b) Legitimateinterest 11

c) Performanceofacontract 11

4. Compliancerequirements 11

5. Alayeredmodel 12

6. Internationaltransfers 14

PartB–Processingofdatafordomainregistrationsandmaintainingdomainregistrations 15

I. Registrationandmanagementofthedomainname 15

1. Currentdatarecords 15

RegistrantName:Notdisplayedduetoapplicabledataprotectionlaw 20

RegistrantOrganization:Notdisplayedduetoapplicabledataprotectionlaw 20

3

RegistrantStreet:Notdisplayedduetoapplicabledataprotectionlaw 20

RegistrantCity:Notdisplayedduetoapplicabledataprotectionlaw 20

RegistrantState/Province: 20

RegistrantPostalCode:0000 20

RegistrantCountry:NL 20

RegistrantPhone:+00.0000000 20

RegistrantPhoneExt: 20

RegistrantFax: 20

RegistrantFaxExt: 20

RegistrantEmail:email@notdisclosed.local 20

2. ICANNrequirements 20

II. DRL1Registrarandregistrydatawithoutadditionaleligibility/nexuscriteria 21

1. Registrar 22

a) Necessarydatarecord–registrar 22

aa)RegistrationDataRegistrar 22

bb)TechnicalData 23

cc)AccountingData 24

dd)Admin,Tech,andBillingContacts 25

ee)FurtherData 26

b) Reasons 26

aa)Contractprocessing 26

bb)Contacting/Transferissues 26

cc)Abuse 27

dd)Ownershipposition 27

ee)Transfers 27

ff)Result 27

2. Registry 28

a) Necessarydatarecord–registry 28

4

aa)Qualificationofthedomainnameaspersonaldata 30

bb)Result 33

b)Reasons 33

3. Datacontroller 33

a) DefinitionsArt.4no.(7)andno.(2)GDPR 34

b) Jointresponsibility(Art.26GDPRinconjunctionwithArt.4no.(7)GDPR) 34

aa)Hamiltonopinion 34

bb)Comment 35

(i)Distinctionbetweenprocessorandcontroller 35

(ii)Distinctionbetweenjointandco-controller 36

(iii)PurposeofArt.26GDPR 36

(iv)Setofoperations 37

(v)Assessment 37

(vi)Legalconsequence 38

(1) Liability 38

(2) Datasubject’sclaims 39

(3) Fines 39

(4) Agreement 39

(5) Jointcontactpoint 39

(6) Procedurerecord 40

cc)Responsibilityforotherdata 40

III. DRL1registrarandregistrywitheligibility/nexusrequirements 40

1. Obligation 40

2. Purpose 41

3. Responsibility 42

4. Authorization 42

IV. DataEscrow 43

1. Obligation 43

5

2. Purpose/necessity 43

3. Registrar 43

4. Affecteddata 44

5. Responsibility 44

6. Authorization 45

V. EBERO 45

1. Obligation 45

2. Affecteddata 46

3. Responsibility 46

VI. Resellersituation 46

1. Responsibility 47

a) AccountData 47

b) Registrationdata 47

2. Resellerchains 48

VII. DRL2–Transferofregistrantdatatotheregistry 48

1. Authorization 49

a) MitigatingAbuse 49

b) Centralmanagement 50

c) Securityandstability 51

d) Result 51

2. Responsibility 51

3. Risk 52

4. Conclusion 52

VIII. DRL3–Datacollectedbasedonconsent 53

PartC–DisclosureofData 53

I.NoJustificationforaPublicWHOISundGDPR 55

1. LegallyIneffectiveConsent 55

2. NoJustificationunderStatutoryLaw 56

6

II.LegalGroundsforDisclosureofRegistrationDatato3rdParties 57

1. Art.6(1)lit.b)GDPR-PerformanceofaContract–(PrivateSectorOnly) 57

2. Art.6(1)lit.c)GDPR(PublicSectorOnly) 58

3. Art.6(1)lit.f)GDPR–LegitimateInterests(PrivateSectorOnly) 60

a)"LegitimateInterests" 61

b)BalancingofInterests 62

c)NecessityofDataProcessing 63

d)RighttoObject,Art.21GDPR 64

e)Legitimate3rdPartyInterestsforDisclosureofWhoisData 64

4. Otherrequests 65

5. Note:DataSubject´sRights,Art.12etseq.GDPR 65

6. Disclaimer 65

III. InternationalTransferofData 66

1.InternationalDataTransferunderGDPR 66

2.InternationalTransferofWhoisDatatoNon-EULawEnforcementAgencies 67

IV. ProceduralAspects 68

a)CertificationofPublicAuthorities 68

b)CertificationofPrivate3rdParties 70

c)LogicalStructureofaDisclosureProcess 71

V. ProposalofaTrustedDataClearinghouse(TDC) 73

PartD–Outlook 74

PartA-Introduction/Scope

The General Data Protection Regulation (GDPR) poses a challenge for the Registries, Registrars,

Resellers,ICANN,andtheircontractors.

ByMay25,2018,allpartiesneedtobecompliant,whichmeansnotonlythatcontractsneedtobe

reviewed,butalsothattechnicalsystemsneedtoberevisited.

Todate,variouslegalmemorandahavebeensharedandseveralpartieshaveworkedontheirown

compliance, but no industry-wide proposal has been published that allows for a discussion of the

respectiverolesandresponsibilitiesofthepartiesinvolvedaswellasareviewofdataflows.

This paper shall facilitate the process of finding a commonly-adopted data model to allow for

compatibilityofthetechnical,organizational,andlegalmodelsthepartieswilluse.

Thepaper is not tobe construedas legal advice.All parties involvedneed toworkon theirGDPR

complianceindividually,whichgoesfarbeyondthetopicsdiscussedhere.

ThispaperonlydealswiththedataelementswhichICANNcurrentlyrequiresthecontractedpartiesto

process.

Furthermore,thepaperwillonlyaddressthedataflowsinthelightofgTLDdomainnameregistration

services.Thepartiesmightofferadditionalservicesorwishtoprocessadditionaldataelementsfor

theirownbusinesspurposes.Thelegalbasisforsuchprocessingneedstobeassessedbytherespective

partyandmightleadtoadditionalorothertreatmentthandiscussedinthispaper.

Thedatamodeldoesnotreflectanyoutsourcingthepartiesmightengagein.Particularcautionneeds

tobeexercisedwhenusingaRegistryServiceProviderora“Registrarasaservice”model.

Dataflowswillbeanalyzedbearinginmindthepartiestypicallyinvolvedinadomainnameregistration

andasrequiredbyICANNorganizationinitscontracts.Thegraphicbelowshowshowthesepartiesare

related.Dottedlinesrepresentdataflows.ICANN´sCentralizedZoneDataService(“CZDS”)andBulk

RegistrationDataAccess(“BRDA”)havenotbeenassessedinthispapber.However,thesewouldalso

8

needtobereviewed.WeshouldnotethatCZDSiscausingconcerns,asitcurrentlyenablessystematic

harvestingofWhoisdatabasesandleadstohugevolumesofunsolicitedelectroniccommunicationto

registrants.

Note: This illustration includes neither outsourcing, such as RSPs or Registrar-as-a-service

models,norICANN’sCZDSandBRDArequirements.

I. PrincipleofDataMinimizationTheRAandtheRAArequiretheprocessingofnumerousdataelements,notallofwhichconstitute

personaldata.WhiletheGDPRonlyprotectspersonaldata,thepaperincludesalldataelements,in

ordertoallowforaholisticviewofthedataflowsandofferabasisforimplementation.

Whilethecurrently-useddatarecordsarealludedto inthispapertoallowforacomparisonofthe

statusquowiththeproposeddataflows,theapproachhasnotbeentomodifythecurrentsystemby

wayof subtracting certainelements toachieve compliance,but rather theopposite.Basedon the

principleofdataminimization(Art.5(1)lit.c)GDPR),thethoughtprocesswastostartwithwhatis

requiredasaminimum toprovide the servicesand toadequately recognize the rightsof thedata

subjects, while also taking into consideration use cases and interests brought forward by law

enforcement, IP interestsandothergroups,whicharenotpartof thecontractual relationships for

gTLDs.

9

II. OurapproachtodevelopingadatamodelThedatamodelisbasedonananalysisofhowdatacanbeprocessedinalegallycompliantfashion.

Wheredifferentoptionsforprocessingexist,theoptionswiththeleastriskforthepartiesinvolved

shouldbeprioritized.

1. Whatisprocessing?Processingmeansanyoperationorsetofoperationswhichisperformedonpersonaldataoronsets

ofpersonaldata,whetherornotbyautomatedmeans, suchascollection, recording,organization,

structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosurebytransmission,

dissemination or otherwise making available, alignment or combination, restriction, erasure or

destruction(seeArt.4no.(2)GDPR).

Ascanbeseenfromthisdefinition,oneneedstorevieweachandeveryprocessfromcollectionto

deletionforeachdataelementandestablishwhatlegalbasis,ifany,thereisforprocessing,i.e.the

processesneedtobeanalyzedatthemicroandmacrolevels.

Togiveafewexamples:Datathatcanbelegallycollectedbyapartyforacertainpurposemustnotbe

transferredtoanotherpartywithoutalegalbasisforthattransfer.Datathatcanlegallybecollected

andusedinternallymustnotbepublishedwithoutalegalbasisfordoingso.

2. Whatislawfulprocessing?

TheGDPRoffersvariousalternativesforlawfulprocessing.ThesecanbefoundinArt.6(1)GDPR,which

readsasfollows:

Processingshallbelawfulonlyifandtotheextentthatatleastoneofthefollowingapplies:

(a) thedatasubjecthasgivenconsenttotheprocessingofhisorherpersonaldataforoneormorespecificpurposes;

(b) processingisnecessaryfortheperformanceofacontracttowhichthedatasubjectispartyorinordertotakestepsattherequestofthedatasubjectpriortoenteringintoacontract;

(c) processing isnecessaryforcompliancewitha legalobligationtowhichthecontroller issubject;

(d) processing is necessary in order to protect the vital interests of thedata subject or ofanothernaturalperson;

10

(e) processingisnecessaryfortheperformanceofataskcarriedoutinthepublicinterestorintheexerciseofofficialauthorityvestedinthecontroller;

(f) processing is necessary for the purposes of the legitimate interests pursued by thecontrollerorbyathirdparty,exceptwheresuchinterestsareoverriddenbytheinterestsor fundamental rights and freedoms of the data subject which require protection ofpersonaldata,inparticularwherethedatasubjectisachild.

3. Risksassociatedwithdataprocessing

Inthepresentcase,subparagraphs

(a) Consent(b) Performanceofacontractand(f) LegitimateInterest

ofArt.6(1)GDPRcouldbeapplicable.Thelegalassessments1availablehaveprovidedmoredetailson

thistopic,soratherthanreiteratingtheirreasoninghere,wewillsimplybaseourworkonthosethree

alternatives.

Itshouldbenoted,thatArt.6(1)lit.b)GDPRcannotbeusedasalegitimizationforthecurrentsetup

arguingthatICANNrequiresRegistriesandRegistrarstocollectandretainalldataintheircontracts.

This argument would comprise of circular reasoning. What needs to be reviewed is whether the

requirements ICANNpresentsarecompliantwithGDPR´sbasicprinciplesofdataminimizationand

purposelimitation.

Ananalysisofthethreealternativesshowsthattherearedifferentrisksandrisklevelsassociatedwith

eachalternative.

a) Consent

Withrespecttoconsent,thereareseveralfactorstoconsider(seeArt.7GDPR):

• Thecontrollermustbeabletodemonstratethatthedatasubjecthasconsented.• Ifthedatasubject'sconsentisgiveninthecontextofawrittendeclarationwhichalso

concernsothermatters,therequestforconsentshallbepresentedinamannerwhichisclearlydistinguishablefromtheothermatters,inanintelligibleandeasilyaccessibleform,usingclearandplainlanguage.AnypartofsuchadeclarationwhichconstitutesaninfringementofthisRegulationshallnotbebinding(Art.7(2)GDPR).

• Consentcanbewithdrawnatanytimewithoutgivingareason.

1HamiltonOctober2017Memorandum:https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en.pdf;TaylorWessing:https://www.icann.org/en/system/files/correspondence/sheckler-to-swinehart-atallah-29oct17-en.pdf;WSGR:https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf

11

• Consentmustbegivenfreely.Thereisaprohibitionofcoupling.

There are risks associated with proof, such as potentially coupling consent with a domain name

registrationandwithdrawal.

b) Legitimateinterest

FordataprocessingaccordingtoArt.6(1)fGDPR,thereistheriskofobjectionaccordingtoArt.21(1)

GDPR,whichreads:

Thedatasubjectshallhavetherighttoobject,ongroundsrelatingtohisorherparticularsituation,at

anytimetoprocessingofpersonaldataconcerninghimorherwhich isbasedonpoint(e)or(f)of

Article6(1)GDPR,includingprofilingbasedonthoseprovisions.Thecontrollershallnolongerprocess

thepersonaldataunlessthecontrollerdemonstratescompellinglegitimategroundsfortheprocessing

whichoverridetheinterests,rightsandfreedomsofthedatasubjectorfortheestablishment,exercise

ordefenceoflegalclaims.

c) Performanceofacontract

Thereisneitherapossibilityofanobjection,norcananyconsentbewithdrawn.

Insummary:

- theleastriskisinvolvedwithdataprocessingrequiredtoperformacontract;- thesecondbestoptionisdataprocessingclaimingalegitimateinterest,shouldtherebeany,

asthisgivesthedatacontrollerarighttodefenditsposition;- thehighestriskisinvolvedwithconsent,asthewithdrawalmustbeacceptedbythedata

controller.

NOTE:Whenreferenceismadetoperformanceofacontractinthispaper,thismeansperformance

ofthecontractwiththeregistrant,note.g.contractualrequirementsinthecontractswithICANN.

4. CompliancerequirementsICANNhaspublishedastatementonNov.2ndexplainingthatICANNContractualCompliancewilldefer

takingactionagainstanyregistryorregistrarfornoncompliancewithcontractualobligationsrelated

to the handling of registration data, see https://www.icann.org/resources/pages/contractual-

compliance-statement-2017-11-02-en.

ICANNalsoindicatedthatguidanceontheprocessandeligibilitycriteriawillbeprovidedshortly.

12

Intheabsenceofanyguidanceatthetimeofdraftingofthispaper,weassumethat

- ICANNContractualCompliancewillnotonlydefertakingactionbasedonnoncompliancerelatedtoregistrationdata,butwithrespecttoanypersonaldatasubjecttoGDPR.Thispaperreferstoallpersonaldata,andsuchanapproachshouldnotcauseissueswithICANNContractualCompliance.

- ICANNwillsupporttheapproachtakeninthispaper,whichisnottolimitthelegalassessmentofdataprocessingtoonlyonelegalbasis,butinsteadtosupportamodelallowingforbestpossibleriskmitigationandcompliance.

5. AlayeredmodelBasedontheabovefindings,thedatamodeldescribedinthispaperwillbebasedonthreedatarisk

levels (DRL).Minimizing the risk forallparties involved isnecessarynotonly toavoidsanctionsby

authorities,butalsotoensurethatdomainnameregistrationscanbeupheldandtolimittheriskthat

dataelementsmustberemovedfromsystemsoperatedbydifferentparties.Thelevelsare:

DRL1–Lowrisk–Performanceofacontract

DRL2–Mediumrisk–Legitimateinterest

DRL3–Highrisk-Consent

Asafirststep,itneedstobeestablishedwhatdataisnecessaryforregistriestoregisterandresolve

domainnames(“RegistryMinimumDatarecord”),aswellaswhatminimumsetofdataisnecessary

forregistrarstocompletethedomainnameregistrationprocess(“RegistrarMinimumDatarecord”).

ThatdatafallsintoDRL1.

Pleasenotethat thesedatarecordsmayvarybasedontherequirements,particularly thoseof the

registries.Togivejustoneexample:Someregistrieshavenexusorothereligibilityrequirements,while

othersdonot.However,suchdatawouldstillfallintoDRL1,asitisrequiredtoperformthecontract.

Anyadditionalprocessing,suchasthetransferofdatatoanEscrowAgentforbackuppurposes,falls

intotheDRL1categoryasdefinedinthispaper.

13

As a second step, we will analyze what processing can be based on a legitimate interest. This is

particularlyrelevanttothequestionofwhetherornottodisclose/publishdataviaWhois.

Sinceprocessingbasedonconsentbearsahighrisk for theparties involved,andmaynotevenbe

possible for certain types of processing, the model described in this paper will not include any

suggestionsforconsent-basedprocessing.Whileitispossiblethatpartiesinvolvedwillintroducesuch

processing, consent-based processing should not be mandatorily required by ICANN due to its

associatedrisks.

Inthisdocument,youwillfindadescriptionofthejourneyofthevariousdataelements.

Thedata inquestion isasubsetofthedataelementscurrentlyrequiredtobeprocessedbyICANN

contractsandpolicies.

Contained in the document, you will find a proposal for DRL1, DRL2 and DRL3 data, as well as

informationontherolesoftheparties,e.g.whoisdataprocessorandwhoisdatacontroller?This

informationisrequiredtoenablethepartiesinvolvedtoinformthedatasubjectsaccordinglyandto

therebyfulfillinformationandtransparencyrequirements.

Wewillexplainwhywethinkthesolutionofferedisdefendable.However,wedonotclaimthatthe

solutionofferedistheonlyconceivableoption.

ItisimportanttonotethatwerecommendadatamodelbasedonDRL1tobeenforcedbyICANN.The

recommendationarisesbecausewedonotthinkitisappropriatetocontractuallyrequire(andsanction

in case of non-compliance) contracted parties to take additional risks in the course of managing

domainnameregistrationsandtheiruse.However,thisdoesnotmeanthatweareadvocatingagainst

dataprocessingaccordingtoDRL2andDRL3.AlllegalgroundsmentionedintheGDPRcanbeusedfor

data processing (with the caveat that they are applied in a compliantmanner). Thedatamodel is

designed to be sufficiently open to allow for additional data processing, particularly based on

legitimateinterestswhichapartyorpartiesinvolvedmighthave.Inthispaper,welistseveralcases

wherealegitimateinterestcanbeclaimedtobepresent,butthatlistisnotexhaustive.

14

Thesolutionofferedwillbeopenforcommentandconsultation.Itcouldbeusedonan“as-is”basis

for the interim phase until such time as the policy development process to reflect the GDPR is

completed.Ideally,itwouldbeusedasthebasisforalong-termsolutionforacompliantgTLDeco-

system.

6. InternationaltransfersPleasenotethatthispaperdoesnotelaborateoninternationaldatatransfersandthesafeguardsthat

mustbeinplaceforthosetobelegal.Forexample,usingEUmodelclausesorPrivacyShielddoesnot

maketheprocessingofdatacompliantingeneral,andtheprocessingdescribedinthispaperdoesnot

rendertherequirementforsafeguardstocoverinternationaltransfersredundant.

Inotherwords:WhereverdataistransferredoutsidetheEU,thatneedstobelookedatbothwhenit

comestodatatransfersbetweenregistrants,resellers,registrars,registries,escrowagents,theEBERO

andICANN,andalsowhenitcomestodisclosurerequestswheretherequestorisbasedoutsidethe

EU.

15

Part B – Processing of data for domain registrations andmaintainingdomainregistrations

I. Registrationandmanagementofthedomainname

The first step (see table below) indicates the data required by the various participants in

registeringandmaintainingadomaintocomplywiththeircontractualobligations.

1. Currentdatarecords

In its contracts and policies, ICANN specifies the data to be collected and provided by

participants.Theillustrationbelowshowsthecorrespondingrelevantdata.2

Pleasenotethatnodifferentiationismadehereasbetweenthespecificdatatobecollected

andprovidedbyeachparticipant.

Alldataelementscurrentlyrequired

DomainName

RegistryDomainID

RegistrarWhoisServer

RegistrarURL

UpdatedDate

CreationDate

RegistryExpiryDate

RegistrarRegistrationExpirationDate

Registrar

RegistrarIANAID

RegistrarAbuseContactEmail

RegistrarAbuseContactPhone

Reseller

DomainStatus

RegistryRegistrantID

2https://www.icann.org/en/system/files/files/draft-gdpr-dataflow-template-registration-data-elements-29jun17-en.pdf

16

RegistrantFields• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email 2ndEmailaddress

AdminIDAdminFields

• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email

TechID

TechFields• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.)

17

• Email

BillingIDBillingFields(notapplicabletoallregistries)

• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email

NameServer

DNSSEC

NameServerIPAddress

LastUpdateofWhoisDatabaseOTHER DATA Transfer Contact Driver’s License Transfer Contact Passport Transfer Contact Military ID Transfer Contact State/Government Issued ID Transfer Contact Birth Certificate Registrar Primary Contact Name Registrar Primary Contact Address Registrar Primary Contact Phone Number Registrar Primary Contact Fax Number Registrar Primary Contact Email Address Name and Contact Information of Shareholders with 5% ownership interest in Registrar Full name, contact information, and position of all directors of the Registrar Full name, contact information, and position of all officers of the Registrar Ultimate parent entity of the Registrar, if applicable List of Registrars’ Resellers Registrant IP Address

Maintainer URL The ENS_AuthId identifying the authorization of the registration

18

Last Transferred Date Name Server Status Any other registry data that Registrar submitted to registry operator Types of domain name services purchased for use in connection with the registration “Card on file,” current period third party transaction number, or other recurring payment data Information regarding the means and source of payment reasonably necessary for the Registrar to process the registration transaction, or a transaction number provided by a third party payment processor Log files, billing records and, … other records containing communications source and destination information, including (depending on the method of transmission and without limitation): (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number; and (3) email address, Skype handle, or instant messaging identifier, associated with communications between Registrar and the registrant about the registration

Log files and, … other records associated with the registration containing dates, times, and time zones of communications and sessions, including initial registration Privacy/Proxy Customer contact information Those objects necessary in order to offer all of the approved Registry Services

Inordertofurtherenhanceunderstanding,theabovedataelementscanbecategorizedasshownin

thefollowingillustration.

19

PleasenotethattheAccountHolderDataboxinthegraphicdoesnotconsistofdatathatis

requiredtobeprocessedbyICANN.However,Registrarsdoinpracticesetupaccountsand

hence they process account holder data, which is also used for invoicing and contacting

customers.

We recommend that the thick registry data model not be abandoned. We have also not

recommended any changes to be made to the individual data elements / fields. However, the

analysis below will indicate which of the data elements mentioned above can legitimately be

collectedandhowtheycanbeprocessed.Wheredataelementscannotbeprocessed,fortechnical

reasons,therespectivedatafieldswillbepopulatedwithsyntacticallycorrectplaceholderdata.For

anexampleofsuchplaceholderdata,pleaseseethebelowexample:

20

RegistrantName:Notdisplayedduetoapplicabledataprotectionlaw

RegistrantOrganization:Notdisplayedduetoapplicabledataprotectionlaw

RegistrantStreet:Notdisplayedduetoapplicabledataprotectionlaw

RegistrantCity:Notdisplayedduetoapplicabledataprotectionlaw

RegistrantState/Province:

RegistrantPostalCode:0000

RegistrantCountry:NL

RegistrantPhone:+00.0000000

RegistrantPhoneExt:

RegistrantFax:

RegistrantFaxExt:

RegistrantEmail:email@notdisclosed.local

2. ICANNrequirementsAccordingtothedatamodelproposedwithinthisdocument,ICANNwillandcanspecifythedatato

be collectedwithobligatory effect for theparticipants. This is the casebecause,while thedata in

categoryDRL1isgenerallynecessaryfortherespectiveparticipantstoprovidetheirservice,itisalso

necessaryforthestabilityandfunctionalityoftheoveralldomainsystemandtheparticipantsarein

anycaseobligatedbyICANNtocollectandprovidethisdata.Thus,theprocessingofDRL1datashall

bemandatoryandenforcedbyICANN.

Withregardtotheresponsibilityoftherelevantparticipantsunderdataprotectionlaw,referenceis

madetoClauseIINo.3ofthisdocument.

21

II. DRL1 Registrar and registry data without additional

eligibility/nexuscriteria

Alldatathatthevariousparticipantsareobligedtocollectandprocessforthepurposeofcontract

fulfillmentarecontained inDRL1 (see Illustrationbelow).Adistinctionmustbemadebetweenthe

RegistrarandtheRegistry,which requiredifferentdata for the fulfillmentof their tasks.Here, it is

assumedthattheregistrydoesnothaveanyfurtherspecificrequirementsforaregistration.

Thedataelementsintheredboxesarenotrequiredtobecollected.Thedataelementsinthegreen

boxesshallbecollected.Furthercommentonthedataelementsintheyellowboxwillbeprovided

below.

Authorization

Art.6Ib)GDPRallowstheprocessingofpersonaldataforthefulfillmentorperformanceofacontract

where the party is the contractual person. In this respect, the datamandatorily required for the

fulfillmentoftheregistrationorderarelegitimatelyprocessedthroughArt.6Ib)GDPR.

22

1. Registrar

a) Necessarydatarecord–registrar

Definitionof“necessary”:

Processingisnecessaryforcontractfulfillmentifthecontractcouldnotbefulfilledwithoutprocessing

thedatatothestatedextent.

Theregistraristhecontractualpartneroftheregistrantwithregardtotheregistrationofthedomain.

Withinthescopeoftheregistrant’sorder,theregistrarwillstriveforregistrationwiththerelevant

registryandmaintainsuchfortheregistrantaftersuccessfulregistration.

Thefollowingdataelementsareobligatoryforexecutionoftheorderbytheregistrar:

aa)RegistrationDataRegistrar

DomainName

RegistrarWhoisServer

RegistrarURL

UpdatedDate

CreationDate

RegistryExpiryDate

RegistrarRegistrationExpirationDate

Registrar

RegistrarIANAID

RegistrarAbuseContactEmail,mustberolecontact

RegistrarAbuseContactPhone,mustberolecontact

DomainStatusRegistrantFields

• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.)

23

• Fax(opt.) • Faxext(opt.) • Email

Registrantsmaybenaturalorlegalpersons.Therefore,thequestionarisesastowhetherenterprise

datamustbetreateddifferentlythandatafromprivatepersonsasregistrants.Thedifferentiated

treatment, however, bears significant risksbecauseenterprisenamesmayalso containpersonal

referencesanda self-identificationof the registrant in this respectwouldnot result ina reliable

distributionofdatainventory.Inthisrespect,adifferentiationbetweennaturalandlegalpersons

shouldnotbemade.

However,inputfromDPAsshouldbesoughtastowhetheradistinctioncouldbemadebasedona

self-identification by the registrant. Should that be deemed to be an acceptable safeguard,

differentiatedtreatmentcouldbeconsidered.

Fromapracticalstandpoint,itmaybedesirableorevennecessarytohavedifferentcontactdatafor

differentpurposesfromtheregistrant.Thismayinparticularbetrueforcorporatecustomers,where

itisnotpracticaltosendanycommunicationregardingaregistereddomainnametoonecontact

onlyandthereisaneedtodifferentiatewithregardtothenatureofthecommunication,i.e.have

differentcontactsfortechnicalandcommercialmatters.Asalreadystated,thiscouldalsobeinthe

registrant’sowninterests.Suchinterestsforadditionalcollectionandprocessingofdatahavetobe

reviewed by each registrar and do not form the subject of this evaluation. Typically, these are

containedinthesetofdataelementstheregistrarisprocessingforthecustomeraccount.

bb)TechnicalData

Theregistrarcollectsthefollowingtechnicaldatafromtheregistranttopasstheseontotheregistry,

sothattheregistrycansetupdomainregistrationonthetechnicalsideinthecorrespondingtop-level

domainnamespace.

NameServer

DNSSEC

NameServerIPAddress

LastUpdateofWhoisDatabase

24

cc)AccountingData

Inadditiontoregistrationdata,theregistrarwillalsocollectinvoicedataofthecontractualpartner,

whichisnotmandatorilyidenticaltotheregistrantdata.Theaccountdataoftheregistrantoranother

listed obligee under the contract may also be collected and processed. This is necessary for the

collectionofregistrationandprocessingfeesunderthecontract.

Furthermore,theregistrarwillalsoretainavailableincomingpaymentsaswellascorrespondencewith

aregistrantorcontractualpartnerinacustomeraccountorothercustomer-specificdatabase.

Thisdataisnecessaryforproperperformanceofthecontract.Asageneralrule,thispertainstothe

followingdata:

• Bankdata

• Customerdata(insofarasdifferentfromregistrant’sdata)

• Billingdata

ICANNobligation

AspecificationbyICANNonthecollectionandprocessingofthisdataisnotappropriatebecausethis

data isnotnecessary for themaintenanceandstabilityof theDNS.Only the registrar requires the

stated data for its performance of the contract vis-à-vis a contractual partner. In this respect, a

compulsoryspecificationby ICANNtostore thisdata isnotnecessary tomaintain theDNS.To this

extent, collection andprocessingof thedata fields following from thedata retention specification

should not be compulsory under ICANN.Rather, applicable statutory regulations,which should be

applied,existfortherelevantregistrarregardingtheobligationtocollectandretaindata.Thisdata

may be requested from customers, so that no disadvantages should exist, e.g. for prosecution

authoritiesincasesoflegitimatecollectionandstorage.ProcessingatthebehestofICANNmightresult

inajointcontrollersituation(seeICANN3bbb(iv)),withtheconsequencethatICANNwouldbear

liabilityrisksforthesedataelements.This,however,doesnotappeartobeinICANN’sbestinterests.

Specifically,thispertainstothefollowingdataelements:

Any other registry data that registrar submitted to registry operator

25

Types of domain name services purchased for use in connection with the registration “Card on file,” current period third party transaction number, or other recurring payment data Information regarding the means and source of payment reasonably necessary for the Registrar to process the Registration transaction, or a transaction number provided by a third party payment processor Log files, billing records and, … other records containing communications source and destination information, including, depending on the method of transmission and without limitation: (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number, and (3) email address, Skype handle, or instant messaging identifier associated with communications between Registrar and the registrant about the Registration

Log files and, … other records associated with the Registration containing dates, times, and time zones of communications and sessions, including initial registration

BasicSetup:DataRiskLevel1>Registrar

Dataelementsshouldnotbecollectedandprocessed/retainedforICANN

CertaindataelementsareprocessedbytheRegistrarfortheir?Purposeandneedtoberetainedaccordingtoapplicablelaws.NoneedforanICANNrequirement.GoodforICANN;noriskinvolved

Thedata in thedataretentionschedulemaybecollectedandprocessedbyregistrarsaccordingto

applicablelegalrequirements,buttheyshouldnotbemandatedbyICANN.

dd)Admin,Tech,andBillingContacts

Theprovisionofadmin,tech,orbillingcontactdataisnotnecessaryintermsofArt.6(1)lit.b)GDPR,

becausetheyarenotnecessarytoperformregistrationforeithertheregistrarortheregistry.Thedata

fieldscurrentlyrequiredinthisrespectcanbedeletedwithoutsubstitution.

26

ee)FurtherData

Registrarprimarycontact

In light of further data retained by the registrarwith regard to domain registration, the “registrar

primarycontact”datarecordrecordedbytheregistraritselfisstillrelevantunderdataprotectionlaw.

The registrar’s own employee data disclosed here by the registrar itself for contact purposes is

necessaryforfulfillmentofthecontract,inordertooffertheregistranttheopportunityforcontact

withinthescopeofthecontract.

b) Reasons

aa)Contractprocessing

Theregistrarmustbeabletoallocateaspecificdomaintoaspecificcustomerinordertomanageand

process its internalcontracthandling. In this respect, theregistrarmustbeallowedtoallocate the

domainsregisteredthroughitsservicetospecificcustomers,inordertobeinapositiontoallocate

andimplementinquiriesandrequestswithinthescopeofdomainmanagementtotheactualowner

orauthorizedperson.

bb)Contacting/Transferissues

Theregistrarmustfurthermorebeabletocontactitscustomerswithinthescopeofcurrentcontracts.

Withrespecttodomainregistrations,aquickandeasyaccesstoregistrantsisalsonecessarytobeable

toaddressanyproblemsorotheranomalieswithregardtothedomainnamewhichmayarise.3

Thecurrentprocedurefordomainnametransfersviaemailcommunicationcannotbecontinueddue

toGDPRrequirements.Atpresent,emailscanbesenttotheAdmin-Ctogettransfersconfirmed.In

theabsenceofcollectionofAdmin-Cdata,thetransferprocessneedstoberevised.Furthermore,as

PartCofthisdocumentwillexplain,theregistrant’semailaddresswillnolongerbepublished.

We therefore suggest establishing a new system based on secure auth-codes with the option of

revoking transferswithin a reasonable timeframe.As such, thedisclosureof the registrant´s email

addressinapublicWhoisisnolongerrequired.Thisway,theprincipleofdataminimizationisfulfilled.

3Overallinthisrespectseehttps://www.icann.org/resources/pages/gtld-registration-dataflow-matrix-2017-07-24-en

27

Alternatively,transferscanstillbecarriedoutwithouthavinganemailaddresspublishedbymeansof

communicationbetweentheregistrars.SincetheInterRegistrarTransferPolicyallowsforcontacting

eithertheregistrantortheAdmin-Cemailaddress,itwouldneedtobeclarifiedthatonlytheregistrant

emailaddressmustbeusedfortransfers.

We should note that registrars are currently engaged in discussions about newways to facilitate

transfers,andthesediscussionscouldcontributetoasolution.What’smore,adistinctionneedstobe

madebetweentransfersandtrades(ownerchanges),asthesehavedifferent legalandoperational

implications.

cc)Abuse

Thiscategorymayrefertocasesinwhichthedomainisabusedexternallybythirdpartiesortocases

inwhichitissuspectedthattheregistrantitselfisinvolvedinperforminganactofinfringement.The

registrarmustalsobeabletofulfilllegitimateclaimsofthirdpartieswithregardtothedomainorthe

relevantregistrant.Inthisrespect,aneedtoquicklyestablishcontactwiththecustomerfrequently

arises.

dd)Ownershipposition

The registrar has an interest in quickly and directly contacting the registrant in case of disputes

concerning factualand legitimateownershipof theregistrantwithregardtothedomainand/or to

haveownershipconfirmedbythelistedowner.

ee)Transfers

Evenintheeventofatransfertoanotherregistrarandinquiriesorrequestsreceivedinthisrespect,it

maybeintheregistrar’s(andregistrant’s)interestiftheregistrarincaseofdoubtcanquicklycontact

theregistrant.

ff)Result

Forthispartofdomainmanagement,itiscorrespondinglynecessaryfortheregistrartocollectand

storetheregistrant’sfullcontactdata.

Unfeasibledomainregistration

28

Sincetheregistrarhasnoguaranteethataregistrationcaninfactbeperformedbytheregistry,itmay

occurthattheregistrarhasalreadycollectedtheregistrant’sdatabutthatadomainisultimatelynot

registered.

In this case, data collectionmaybe justifiedeven if a registration canultimatelynotbeexecuted,

because the justificationpursuant toArt. 6 I b)GDPRalsoencapsulatespre-contractualmeasures.

Furthermore, the registrar’s effort to register represents the content of the order vis-à-vis the

registrant,sothatcontractfulfillmentmeasuresexistwithregardtofulfillmentofthiscontract,but

notpre-contractualmeasures.

2. Registry

a) Necessarydatarecord–registry

ThroughtherelevantRRA,theregistry istheregistrar’scontractualpartnerandresponsibleforthe

technicalimplementationofdomainregistrationsandtheirmaintenance.Intheprocess,theregistry

reviews the availability of a domain name, registration of a domain name, and subsequently the

technicalavailabilityofthedomainnamethroughtheDNS.

29

Thefollowingdataiscompulsoryfortheregistrytoperformregistrationandtomaintainthesame,

andmustbecollectedbytheregistrarandtransferredtotheregistry:

RegistrationData-Registry

DomainName

RegistryDomainID

RegistrarWhoisServer

RegistrarURL

UpdatedDate

CreationDate

RegistryExpiryDate

Registrar

RegistrarIANAID

RegistrarAbuseContactEmail,mustberolecontact

RegistrarAbuseContactPhone,mustberolecontact

DomainStatus

Fromadataprotectionperspective,onlythedomainnameisrelevantfortheregistryaspotentially

involvingpersonaldata.

However,apolicydevelopmentprocessinvolvingallICANNstakeholdershasconfirmedbywayofa

consensus policy that is binding for all contracted parties, that a thickWhois model should be

maintainedbyallregistries.Thelogicbehindthisembracesarchivalandrestorationpurposesaswell

astheobjectiveofimprovingdataquality.WeareseekinginputfromtheDPAsastowhethersuch

apolicycanbeusedasa justificationforthetransferofregistrantdatafromtheregistrartothe

registryandforsucharequirementtobeenforceablebyICANN.Thatdoesnotmeanthatsuchdata

shouldbeavailableviaapublicWhoisservice.

Thesameappliestotechnicaldatawhichisrequiredfortheregistrytoperformregistrationandto

maintaintheconnection:

30

NameServer

DNSSEC

NameServerIPAddress

LastUpdateofWhoisDatabase

Theremainingdata,inparticularthedatapertainingtotheregistrar,doesnotconstitutedatathatis

identifiableorthatpertainstoanidentifiednaturalperson.Assuch,thisdataiscurrentlynotrelevant

underdataprotectionlaw.

aa)Qualificationofthedomainnameaspersonaldata

AdomainnamemaybepersonaldataintermsoftheGDPR.Thedifferentiationprocessinvolvedin

determining whether the relevant domain represents personal data causes major problems in

practice4;assuch,weareconsideringalldomainnamestobepersonaldatawithinthescopeofthis

paper.

4SeealsoHamilton,December2017Memorandum,paragraph2.18.2:https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en.pdf

31

PursuanttoArt.4no.(1)GDPR,“personaldata”meansany informationrelatingtoan identifiedor

identifiablenaturalperson(“datasubject”);anidentifiablenaturalpersonisonewhocanbeidentified,

directlyorindirectly,inparticularbyreferencetoanidentifiersuchasaname,anidentificationnumber,

location data, an online identifier or to one ormore factors specific to the physical, physiological,

genetic,mental,economic,culturalorsocialidentityofthatnaturalperson.

Adomainnameisdatathatisallocatedtoaspecificpersonorenterprise.Assoonastheownerofa

domainisanaturalperson,thedomainnamethereforeconstitutesdatapertainingtoanidentifiable

naturalperson.Thefactthattheidentificationoftheregistrantunderthemodelshownhereisnot

easilypossiblefortheregistryitselftoidentifyhasnoeffectonthequalificationaspersonaldata.

Inthisrespect,theEuropeanCourtofJustice(ECJ),whenconsideringasimilarcasesituation5–the

storageofdynamicIPaddressesofvisitorsatwebsitesofofficialauthorities–ruledthat,withregard

to thequalificationaspersonaldata, it is irrelevant that thisdatacannotbeallocated toanatural

personbythecollectingorstoringentityitself.PursuanttothejudgmentoftheECJ,theidentifiability

ofthepersonbehindthedataisalreadysufficient.Withregardtothevariantofanofficialauthority

storingthedynamicIPaddress,referencewasmadetothedisclosureoftheconnectiontoanatural

person in particular through the information processes vis-à-vis the relevant telecommunication

provider.

Followingthislineofreasoning,adomainnameisalsodatathatinthepresentmodelcanbedisclosed

bytheregistrar.

By limiting theprotectionof theGDPR tonaturalpersons (seepreviousdefinitionofArt.4no. (1)

GDPR),onlydomainnameswithnaturalpersonsasregistrantswouldbesubjecttotheprotectionof

the GDPR. However, this gives rise to potential allocation problems on several levels. Firstly, the

registrydoesnotknowwhethertheregistrantofadomainnameisanaturaloralegalperson.Inthe

presentmodel,thisdisclosureisonlypossiblefortheregistrartoundertake.

Evenwithaclearallocationofthedomainnametoanaturalorlegalperson,thedomainnameitself

maycontainnamecomponentsofanaturalpersonandthuspersonalreferences.Furthermore,the

protective scopeof theGDPRmayalsobeopenwith regard to legalpersons, if and insofaras the

5ECJ,judgmentof19October2016,C-582/14

32

enterprisenameofa legalperson itselfmaycontainnamecomponentsenablinganallocationtoa

naturalperson.

ItshouldbeclarifiedthatRecital14doesnotchangethisresult.Ithasthefollowingwording:

The protection afforded by this Regulation should apply to natural persons,whatever their

nationality or place of residence, in relation to the processing of their personal data. This

Regulationdoesnotcovertheprocessingofpersonaldatawhichconcernslegalpersonsandin

particularundertakingsestablishedaslegalpersons,includingthenameandtheformofthe

legalpersonandthecontactdetailsofthelegalperson.

ThescopeofRecital14maystillbeopenforinterpretation.However,itisouropinionthatitdoesnot

contradicttheconclusionsasdetailedabove–i.e.thateventhedomainnameofalegalpersoncanbe

deemedasconstitutingpersonaldataincertaincases.

Recital14shallnotlimittheprotectionofrightsofindividualswithregardtotheirdata.Lookingata

domainnameregisteredonalegalpersonwhoseentitynameisconstitutedbythename(orpartsof

it)ofanaturalperson:itisclearthatsuchanamecanalsobeusedtoidentifythepersonbehindthe

entity´sname.EventhoughRecital14limitstheapplicabilityofGDPRtothelegalpersonitself,this

doesnothindertheapplicabilityandneedforprotectionofthenaturalpersonbehindthelegalperson.

This is true in particularwith regard to small legal persons consisting possibly of just one natural

person.

Also, ina judgmentof theECJof9November2012,CaseC-92,93/09, theCourtof Justice ruled in

paragraph 53 that the protection of Articles 7 and 8 of the Charter of Fundamental Rights of the

EuropeanUnion(hereinafterreferredtoas"theCharter")isinparticularsubjecttotheprotectionof

small legal persons (one person enterprises / sole proprietorships). Article 7 and 8 of the Charter

specificallyprotect“Respectforprivateandfamilylife”and“ProtectionofPersonalData”,sothatit

canbepresumedthatRecital14relatesonlytodatarelatingexclusivelytolegalpersonsandnotto

naturalpersons.

This is also covered by the view that data can have a double character. As such, data can have a

connectiontothelegalpersonontheonehand,butontheotherhandalsoaconnectiontothenatural

33

personconcerned,sothatatleastthereferencepointtothenaturalpersonisprotectedbyGDPR.6

Duetotheextremedifficultiesindefiningtheboundaries,wethereforetreatalldomainnamesasif

theywerepersonaldata.

TheprocessingofthedomainnameforDNS(SEC)andapublicWhoisisrequiredfortheexecutionof

thecontractualrelationshipwithinthescopeofArt.6(1)lit.b)GDPRandisthereforepermissible.

bb)Result

Basedontheseuncertainties,alldomainnamesmustbetreatedasiftheyconstitutepersonaldatain

termsofGDPR.This,ontheonehand,specificallycircumventspotentialdelimitationproblems,while

on theotherhandensures sufficientdataprotectionunder theGDPR for eachdomainname. The

domainnamesonDNSserversareequallyaffectedbythis.

b)Reasons

The authorization to process this data follows from Art. 6 (1) lit. b) GDPR, because the data are

compulsoryforcontractfulfillment–registrationandallocationofthedomainnametoaspecificIP

address.

Thelisteddataarecompulsoryfortheregistrytoregisterandconnectthedomain.Registrationand

connectionofthedomainisnotpossiblewithoutreceivingthedomainname.Consequently,thisalso

appliestomaintainingtheallocationofthedomainaswellasprocessingthedomainnameonDNS

servers,theoperationofwhichisalsotechnicallycompulsoryforcontractfulfillment.

3. DatacontrollerWithinthescopeofthesuggesteddatamodel,thequestionarisesastowhotheresponsibleentityis

forprocessingDRL1registrationdata,inparticularbecauseonlyverylimiteddataareforwardedby

theregistrartotheregistryinordertobestimplementtheprincipleofdataminimization.Indetail,the

question arises as towhether joint or separate control exists on the side of the registrar and the

registry,orwhetheraprocessorsituationexists.

6Paal/Pauly;Datenschutzgrundverordnung,Art.4,Rn.5f.;Ehmann/Selmayr,Datenschutzgrundverordnung,Art.4,Rn.11;Gola,Datenschutz-Grundverodnung,Art.4,Rn.22f.

34

a) DefinitionsArt.4no.(7)andno.(2)GDPRController is the person that alone or jointly with others determines the purpose and means of

processing.Processing,inturnis“anyoperationorsetofoperationswhichisperformedonpersonal

dataoronsetsofpersonaldata,whetherornotbyautomatedmeans,suchascollection,recording,

organization,structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosureby

transmission, dissemination or otherwise making available, alignment or combination, restriction,

erasureordestruction”.

b) Jointresponsibility(Art.26GDPRinconjunctionwithArt.4no.(7)GDPR)

JointControllers:DataRiskLevel1

Controller

Theprerequisiteforajointresponsibilityofregistry,registrar,andICANNisthatalljointlydetermine

thepurposesandmeansforprocessing.

aa)Hamiltonopinion

The Hamilton opinion commissioned by ICANN states that, due to the complexity of processing

structures, it is recommended that joint responsibility between ICANN, registrar, and registry be

35

assumed (October 2017 Memoradum gTLD Registration Directory Service and the GDPR, Part 1,

Section 3.7.3). This also results in themost extensive liability, which also sufficiently satisfies the

interestsofsupervisoryauthorities.

bb)Comment

PursuanttoArt.4no.(7)GDPR“controller”meansthenaturalorlegalperson,publicauthority,agency

or other body which, alone or jointly with others, determines the purposes and means of the

processingofpersonaldata;wherethepurposesandmeansofsuchprocessingaredeterminedby

UnionorMemberStatelaw,thecontrollerorthespecificcriteriaforitsnominationmaybeprovided

forbyUnionorMemberStatelaw.

Art.26GDPRspecifiesthejointresponsibilityintermsofspecifyingthemannerinwhichthosejointly

determiningthepurposesandmeansofprocessingshallberesponsible(“JointController”).Decision-

makingpowerconcerningpurposeandmeansofprocessingisdecisivefordeterminingresponsibility.

(i)Distinctionbetweenprocessorandcontroller

Incontrasttojointcontrollers,processorsdonothavefreedomtomakedecisionswithregardtothe

purposesandmeansofprocessing,butactforthecontractorwithadutytocomplywithinstructions.

Insofarastheagentshaveoptionstoselectordesignthepurposeormeansofprocessing,theyare

considered to be controllers jointly with the contractor and correspondingly have additional

obligations.7

Thepurposeof processing is an “expected result that is intendedor guides planned actions”. The

meansofprocessingisthe“typeandmannerinwhicharesultorobjectiveisachieved”8.

Processorsmustbedistinguishedfromjointcontrollersbasedonthefollowingcriteria:

• Apersonthathasnolegalorfactualinfluenceonthedecisionconcerningthepurposesforandmannerinwhichpersonaldataisprocessedcannotbeacontroller.

• Apersonthataloneorjointlywithothersdecidesonthepurposesofprocessingisalwaysacontroller.

• Thecontrollermayalsodelegatethedecisionconcerningthemeansofprocessingtotheprocessoraslongascontent-relateddecisions,e.g.concerningthelegitimacyofprocessing,arereservedforthecontroller.

7KlabundeinEhmann/Selmayr„Datenschutz-Grundverordnung“Art.4marg.no.298Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.16,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf

36

• Processorsareindependentlegalpersonswhoaredifferentfromthecontrollerandwhoprocessdataonbehalfofthecontroller(s)withoutdecidingonthepurposesofprocessing.9

(ii)Distinctionbetweenjointandco-controller

ItcanalsonotbeassumedthatICANNandthecontractedpartiesareco-controllersfortheprocessing

ofdata,ratherthanjointcontrollers.Aco-controllershipwouldrequiretwoormorepartieswhichare

completelyindependentofoneanother,cooperativelyworkingtogetherintheprocessingofdatabut

fordifferentpurposes.

Asdiscussedbelow,theprocessingofregistrationdataiscoveredbytheoverarchingpurposeofthe

registrationofadomainnamebyallthreepartiesinthisprocess.

(iii)PurposeofArt.26GDPR

The regulation is to primarily serve the protection of the rights and freedoms of data subjects.10

Specifically with regard to complex constellations, a clearer allocation of responsibilities is to be

guaranteedfordatasubjects.Inmorecomplexroleallocations,e.g.intheareaofdomainregistration

withseveraldistributionlevels,thedatasubject’srightofaccessandotherrightsaretobeguaranteed

acrosslevels.11

“Thedefinitionoftheterm“processing”listedinArticle2lit.boftheguidelinedoesnotexcludethe

optionthatdiverseactorsparticipateindiverseoperationsorsetsofoperationsinconnectionwith

personaldata.Theseoperationscanbeexecutedsimultaneouslyorindiversestages.Insuchacomplex

environmentitisevenmoreimportantthatrolesandresponsibilitiescanbeeasilyallocatedtoensure

that the complexityof joint control doesnot result in an impractical divisionof responsibility that

wouldaffecttheeffectivenessofdataprotectionlaw.”12

Recital79GDPRfurthermoreclarifiesthattheregulationistosimplifymonitoringbythesupervisory

authorities.

Thefactualcontrolofthedataprocessaswellascontroloverexternaleffectsvis-à-visthedatasubject

isdecisivewhenreviewingresponsibility.

9Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.18,39,40,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf10BertmanninEhmann/Selmayr“Datenschutz-Grundverordnung”Art.26,marg.no.111Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.27,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf12Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.22,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf

37

Only the registrar appears vis-à-vis the registrant, as it coordinates the complete handling and

maintenanceoftheregistration.Theregistryhandlestechnicalimplementationoftheregistrationand

reviewsspecialrequirementsconcerningregistration(eligibilitycriteria),insofarassuchexist.

Equaldistributionisnotnecessarywhenallocatingresponsibility.

(iv)Setofoperations

Furthermore,processingshouldnotbeartificiallydivided intosmallerprocessingsteps,butcanbe

uniformlyconsideredasasetofoperations.Inthisrespect,datacollection,passingontotheregistry,

reviewandimplementationandongoingmanagementoftheregistrationcanbeconsideredasoneset

of“domainregistration”operations,becauseitpursuestheoverallpurposeofregisteringthedomain

foranewregistrant.

This also applies if diverse agencies pursue different purposes within the processing chain, when

engagedinthedetailofsmallerprocessingstepsonamicrolevel.Onamacrolevel,thesamepurpose

ispursuedoverallwithall small steps in the chain, so that auniformsetofoperations specifically

applieshere(Art.29GroupWP169,p.25).

Differentiation is required when considering the operation of collecting and processing the data

collectedby the registrar from itscustomers inorder tocreatean invoice, tomaintainacustomer

account, and to manage the contractual relationship with its customers. This data fulfils another

purposethatisnotcodeterminedbytheregistry.

(v)Assessment

Registry,registrar,andICANNmustbeassessedasjointcontrollersforthesetofoperationsofdomain

registration (Art. 4 no. (7) GDPR). Due to the factual and legal separation between registrar and

registry,adomainregistrationcanmandatorilybeperformedonlybybothentitiesjointly.

In this respect, itmust be assumed that registrar and registry jointly determine the purposes and

meansof processing that are compulsory for domain registrationoverall. In this respect, both are

responsibleforthissetofoperationspursuanttoArt.4no.(7)and26GDPR.

This also corresponds to the legislative intent to have clear and simple regulations concerning

responsibility in caseofmultiple participants and complexprocessing structures, and toprevent a

splittingofresponsibilitiestoprotectthedatasubjectsinsofaraspossible.

38

PursuanttoArticle1Section1.1oftheICANNbylaws,ICANNhasresponsibility:

“toensurethestableandsecureoperationoftheInternet'suniqueidentifiersystemsasdescribedin

thisSection1.1(a)(the"Mission").Specifically,ICANN:

(i)CoordinatestheallocationandassignmentofnamesintherootzoneoftheDomainNameSystem

("DNS")andcoordinatesthedevelopmentandimplementationofpoliciesconcerningtheregistration

ofsecond-leveldomainnamesingenerictop-leveldomains("gTLDs").Inthisrole,ICANN'sscopeisto

coordinatethedevelopmentandimplementationofpolicies:

• Forwhichuniformorcoordinatedresolutionisreasonablynecessarytofacilitatetheopenness,interoperability,resilience,securityand/orstabilityoftheDNSincluding,withrespecttogTLDregistrarsandregistries,policiesintheareasdescribedinAnnexG-1andAnnexG-2;”

Asalreadystated,ICANNfulfilsthisresponsibilityamongotherthingsbycontractuallyspecifyingfor

thevariousparticipantsthedatawhichmustmandatorilybecollectedandretained.Withthese

legitimateprovisions,ICANNspecifiesapurposefortheprocessingoperationoverallandthus

becomesjointcontrollerinadditiontoregistryandregistrar.

ItshouldbenotedthatICANN´sresponsibilityisunaffectedbythefactthatcertainrequirements

havebeendiscussedbymanystakeholdersorhavebeenacommunityeffort.Suchjointdiscussionor

draftingofcertainpoliciesofrequirementsdonotaffectICANN´sroleastheentityultimately

requiringthecontractedpartiestoactinaccordancewiththepoliciesissuedbyICANN.

(vi)Legalconsequence

Asalegalconsequence,Art.26GDPRreferencesthatthecontrollersreachaclearunderstandingin

particularwithregardtotheirperformanceoftheirdutiesundertheGDPRaswellastheirjointcontrol

andmustdiscloseit.

(1) Liability

Thequestionarisesastohowregistryandregistrarunderjointcontrolareliableforpossiblebreaches

intheprocessingoperation.

39

(2) Datasubject’sclaims

Pursuanttojointresponsibility,thedatasubjectinaccordancewithArt.26(3)GDPRmayasageneral

rulefullyassertitsclaimsvis-à-visallcontrollers,regardlessofthecontractualallocation.

Evenwithacleardistributionof theresponsibilitybetweenthecontrollers,bothare liablevis-à-vis

externalpartiesfortheoverallprocessingoperation.

Inthisrespect,Art.82(4)GDPRmandates jointandmultiple liability forthedatasubject’srightto

compensationandsupplementstheliabilityregulationsofArt.26(3)GDPR.Thefactualresponsibility

maybeadjustedonlyinterpartes.Therefore,havingclearallocationsbetweenthepartiesisevenmore

importantinterpartes.

(3) Fines

However,suchjointandmultipleliabilitydoesnotapplytofinesunderArt.83(4)lit.a)GDPR.Inthis

respect,registryandregistrarareliablepursuanttotheirroleallocationforbreachesintheirareaor

againstdutiesundertheGDPR,whichwereincumbentuponthemwithinthescopeofthecontractual

basis.

(4) Agreement

Jointcontrollersmustfurthermorespecify,inatransparentform,whofulfillswhichdutiesvis-à-visthe

datasubjects,aswellaswhothecontactpointfordatasubject’srightsis(Art.26(1)p.2GDPR).

However,thedatasubject isauthorizedtoaddressanyoftheparticipatingresponsibleagenciesto

assertitsrights,regardlessofthespecificationconcerningcompetence(Art.26(3)GDPR).

TheagreementistoregulatethespecificcontrollersthataretofulfillthedutiesprescribedbyGDPR.

PursuanttoRecital79GDPR,thefollowingmustbespecificallyregulatedinatransparentform:

• howtherelationsandfunctionsofthecontrollersamongeachotheraredesigned,• howrolesaredistributedbetweencontrollerstofulfilldatasubjectrightsofregistrants,• onwhichcontrollerssupervisoryauthoritiesexecutesupervisoryandmonitoringmeasures.

Allcontrollersmustfulfill informationobligations independentlyfromeachother.However,Art.26

GDPRsuggeststhatmultiplecontrollersfulfillinformationobligationscentrally.

(5) Jointcontactpoint

GDPRsuggeststhatajointcontactpointissetupfordatasubjects;however,thisisnotcompulsory.It

issuggestedthatthiscontactpointislocatedattheregistrar,becausetheregistrarmaintainscontact

withtheregistrant.

40

(6) Procedurerecord

Further,pursuanttoArt.30GDPR,eachcontrollermustseparatelylistitsjointcontrollersintherecord

ofprocessingactivities.

cc)Responsibilityforotherdata

Responsibilityforcustomerdatacollectedbytheregistrarmerelyforitsownpurposesliessolelywith

theregistrar.Inthisrespect,nojointdecisionismadeconcerningthepurposesofprocessing.Here,

onlytheregistrardeterminesthepurposeofprocessing.

CantheRegistraradddataelements?

NoinvolvementofRegistry,ICANN,orEscrowAgents

Attheirownrisk

III. DRL1registrarandregistrywitheligibility/nexusrequirements

1. ObligationSpecificrequirementsthatarenecessaryforregistrationundertherelevantTLD(e.g..law,.nrw,.berlin,

etc.)exist.Inthisrespect,thereareTLDswitheligibilityrequirements(e.g..law,.versicherung,.autos,

.organic and .bank) where verification of the admission as an attorney or similar is necessary for

registration authorization under the TLD, e.g. for .law/.abogado. Additionally, there are TLDswith

nexus requirements (e.g. .berlin and .paris), where a geographical reference must be given for

registration authorization under the relevant TLD. Today, there aremore than 200 gTLDs that are

markedas“restricted”.Inthisrespect,additionaldataisnecessaryfortheregistriesinordertoreview

41

theregistrationauthorizationundertheseTLDsorhavethevalidationdonebyavalidationagentacting

ontheirbehalf.

EvenmoredataelementswhichdonotbelongtoDRL1canbeaddedbytheregistry.However,all

registryrequirementsgoingbeyondtheminimumdatasetneedtobeexplicitlyspelledoutintheRRA.

WherenosuchrequirementexistsintheRRA,theregistrarwillnotcollectortransfertotheregistry.

2. Purpose

The purpose of these additional requirements for the registration authorization is to protect the

requirementsoftherelevantTLDsystem.Forexample,onlyadmittedattorneysandprofessionallegal

associations(lawfirms,lawschools,barassociations,andcourts)arepermittedandrecognizedunder

theeligibilityrequirementsfortheTLD“.law”and“.abogado”.Thiscreatesanexclusiveonlinespace

forInternetusersthatpromotestrustintheprofessionallegalassociationandoffersInternetusers

thesecurityoflocatinginformationonrecognisedattorneysandprofessionallegalassociations.

TLDswithnexusrequirementscreateanonlinespaceforInternetusersinwhichtheycantrustthat

therelevantoffershaveageographicalreferencetotherelevantTLD.

The purpose of the respective additional necessary data resides specifically in maintaining the

exclusivityoftheserelevantonlinespacesandofofferingsustainableaddedvaluetoprovidersand

usersoftheseoffersbymaintainingquality.

42

Here, the relevant verification requirements aredependenton the respectiveTLDand the specific

requirementsoftheverification.DuetothemultitudeofTLDsandtheirrequirements,itisnotpossible

heretoenumerateallTLDsandtheiradditionalrequirements forregistrationauthorization ineach

individual case; hence, we can only offer an abstract and generalized illustration for additional

requesteddata.

3. ResponsibilityTheresponsibilityfortheadditionalrequesteddataforverificationoftheregistrationauthorization

lies with the registry because the registry specifies the requirements concerning the relevant

verification.Thisalsoappliestooutsourcingofthereviewofrequirementsspecifiedbytheregistryto

avalidationagent.Becauseevenifthereview,whenusingavalidationagent,isnotperformedbythe

registryitself,itisinanycaseperformedonbehalfofandattheinstructionoftheregistryvis-à-visthe

validation agent. The validation agent in this respect is the processor of the registry in terms of

performingthereviewoftheverificationoftheregistrationauthorization.

When collecting and transmitting the additional requested data, the registrar also acts exclusively

uponinstructionoftheregistry,sothattheregistrarisalsoprocessoroftheregistryforthisadditional

data.Theregistrardoesnothaveitsowninterestsintheseadditionaldataoranydiscretionofitsown

concerningthepurposeormeansofcollectionandtransmissionoftheadditionalrequesteddata.

4. AuthorizationThe registries are authorized to demand all data required to review the registration authorization

pursuanttoArt.6(1)lit.b)GDPR.

Theadditionalrequesteddataisalsojustifiablynecessarydata.Incomparisontothedatarequiredby

ICANNforallregistries,theadditionaldatarequiredherebytheregistriesisjustifiablyrequireddata

because the respective additional required data for the relevant TLDs with eligibility/nexus

requirementsarerequiredspecificallytoperformtheregistrationauthorizationundertheseTLDs.In

the process, these additional requirements specifically fulfill the purpose of creating an exclusive

onlinespaceinwhichprovidersaswellasuserscanprofitparticularlyfromtheexclusivityofthisonline

spaceandtheresultingtrustintherelevantoffers.Therequirementsforadditionaldataaretherefore

fullyjustified.

43

UndertheprincipleofdataminimizationpursuanttoArt.5(1)lit.c)GDPR,contractperformancealso

requires a transmissionof theadditional data requestedby the registry to the same,because this

constitutes a compulsory prerequisite to review the registration authorization. It is not feasible to

outsourcethereviewoftheregistrationauthorizationtotheregistrarinsuchawayastoallowthe

registrar to independently determine themeans and purposes of the collection of the additional

requirements for the registration authorization nor to undertake an independent review of the

additionalrequirementsunderitsownbehestunderdataprotectionlaw,because,inthisrespect,itis

incumbentupontherelevantregistry itself toensuretheexistenceoftherequirementsdemanded

itselffromtheregistrationauthorization.

Furthermore,inthisrespectitisalsonecessarythattheregistryincaseofnotificationofapossible

caseoffraudisabletoreviewtherelevantauthorizationcriteriabasedonthesubmitteddocuments.

IV. DataEscrow

1. ObligationBasedonClause3.6oftheRAA2013,theregistrar(forgTLDs)isobligatedtopassonthedataretained

withregardtotheregistereddomaintoaneutralthird-party(“escrowagent”).Alldatastoredatthe

relevantregistrarshallbecontinuouslypassedon.BasedonClause2.3oftheRAinconjunctionwith

the“specification2”oftheRA,theregistryisobligatedtopassitsownretaineddataontoanescrow

agent.

2. Purpose/necessityICANNisresponsibleforthesecurity,stability,andresiliencyoftheDNS.Tomeetthisresponsibility,

ICANNamongotherthingsimposedthestatedobligationsonthebasisoftheregistry/registrardata

escrow program. This is intended to specifically create a protection for registrars against loss or

unavailabilityofthedomainregistrationdata.

3. RegistrarDataispassedontosafeguardthedomainsystemintheeventthataregistrarfailsduetoanerror,

problem,orpossiblediscontinuationofbusiness.Alossofdomainregistrationsorallocationproblems

inlightofaspecificdomainforacertainperiodistobeprevented(cf.RegisterFly),becausetheclear

allocationisalsocompulsory,nottomentionworthyofprotectionforeconomicreasons.

Thesameappliestotheregistrydataavailableattheregistry.

44

4. AffecteddataTofulfillthepurposeofsafeguarding,itisofcoursenecessarythatallregistrationdataretainedbythe

registrarwith regard to the registereddomains is transmitted to thedesignated thirdparty. In the

presentmodel,thedatacollectedandstoredinDRL1isspecificallyreducedtotheabsoluteminimum

quantitynecessary.Inthisrespect,logically,thetransmissionofallthisdataisalsocompulsoryinorder

toachievethepurposeofsafeguardingintheeventofaloss.Thisappliesequallytothedataretained

bytheregistry.

Inthiscontext,however,itisnotnecessarytotransmitcustomeraccountdataretainedbyaspecific

registrarforitscustomersforhandlingthecontractualrelationshiptotheescrowagent.Intheevent

thataregistrarfails,theretaineddatafromtheescrowagentmustbetransmittedtoICANNoranother

registrar.

5. ResponsibilityAsdescribed,ICANNbearsresponsibilityforthesecurity,stability,andresiliencyoftheDNS.Inthis

respect, ICANNdeterminesthepurposeoftheprocessingoperation“dataescrow”.Theregistrarin

thisrespectimplementstherequirementsofICANNandmerelyhastheinterestoffulfillingitsown

contract vis-à-vis ICANN concerning data transmission to the escrow agent, but has no real own

interestwithregardtosecurityandstabilityofthedomainsystemintheeventofitsfailure.Thisapplies

equallytotheregistry.

Withregardstoregistraraswellasforregistryescrows,escrowagentsasdatacontrollersaretherefore

processorsforICANN.

ItshouldbenotedthatICANNmustonlypassondatareceivedfromtheescrowagenttoagaining

registrarortheEBEROafterhavingverifiedthatthegainingentityisGDPRcompliant.

45

ProcessorController

6. AuthorizationDataforwardingtotheescrowagentrequireslegallegitimacy.Thespecificrequirementsaredeemed

tobelegitimatebecausetherequirementsofICANNvis-à-vistheregistrarandregistryarenecessary

tosafeguardthedomainsystem.Inthisrespect,dataforwardingbytheregistrarandtheregistryto

theescrowagentsisnecessaryforfulfillmentofthecontractandjustifiedthroughArt.6(1)b)GDPR.

V. EBERO

1. Obligation

Asalreadystated,ICANNisresponsibleforsecurity,stability,andresiliencyoftheDNS.ICANNwishes

tomeet this responsibilitywith EBEROs. In caseof emergencyeventsof a registry failure, EBEROs

providethebackendservicesfortheoperationofaTLDoriginallyprovidedbytheregistry.

Inemergencyevents,thedataarchivedbytheregistryattheescrowagentistransmittedtothesame

uponinstructionbyICANNandfromittotheEBERO.

Assoonasandinsofarasanyemergencyeventoccursthataffectsdataofdatasubjectsthatisretained

attheescrowserviceandfallsundertheGDPR,aGDPR-compatibleEBEROisnecessary.

46

2. AffecteddataPursuanttothedatamodelpresentedherebyus,theescrowagentretainsonlythedatadepositedby

theregistryitself(seeabovePartBII.2.).Tofulfillthepurposeofguaranteeingtheoperationofthe

registry,itisofcoursenecessarythatalldatathenretainedattheescrowagentistransferredthrough

ICANN to thedesignatedEBERO. In the suggestedmodel, thedata collectedand stored inDRL1 is

reducedtotheabsoluteminimumquantitynecessary.Inthisrespect,thetransferofallthisdatais

logicallyalsocompulsoryinordertosafeguarditintheeventofafailure/fault.

3. ResponsibilityTheresponsibilitywithregardtoalldatatransferredtothedesignatedEBEROlieswithICANN.The

EBERO in this respectwill also become active at the instruction of ICANN and does not have any

discretionofitsown,sothattheEBEROisactiveasaprocessorofICANN.

ProcessorController

VI. ResellersituationInsofarasthedomainregistrationorderisreceivedbytheregistrarthroughareseller(oramultitude

ofresellers),variousdataprocessingoperationswithvariousresponsibilitiesexist.

47

1. ResponsibilityTheresellercollectsthesamedataattheregistrantthattheregistrarwouldalsocollectdirectly13and

thusinparttakestheplaceoftheregistrar.However,theresellershouldnotandcannotreplacethe

registrarbecauseonly the registrar is accreditedandalso contractually affiliatedwith the relevant

registries.

Accordingly, theresellerenters intotherelationshipwiththecustomer insteadof theregistrarbut

cannotreplaceitwithregardtodomainregistration.Therefore,itmustbequalifiedasaprocessorof

theregistrar.

ProcessorController

a) AccountData

Inthisregard,thecontractualpartner’saccountdataiscollectedbytheresellerinitsowninterestand

forthepurposesofperformingitscontractualrelationshipwiththecontractualpartner.Accordingly,

theresellerhereisthesolecontrollerfordataprocessing.

b) Registrationdata

Theresellercollectsregistrationdatafromtheregistrantforthepurposeofdomainregistration.Inthe

process,theresellercollectssolelythedatanecessaryforregistration.Therelevantregistryandthe

registrardecideuponwhichdataistobecollectedandthereforetheychieflydecideonthepurposes

ofdataprocessing.

13SeeabovePartBII.1.

48

Accordingly,theregistry,theregistrar,andICANNarejointcontrollers,evenincaseswhereresellers

areinvolved.

Joint responsibilitywith theresellerwouldherenotbe in thereseller’sbest interests,becausethe

reseller does not codetermine the purpose of processing but only executes that which the other

participantsrequireinthisrespect.

Theresellercollectsthisdatainsteadoftheregistrarandthusonitsbehalf;intheprocess,itactsonly

upontheregistrar’sinstructionandtransmitsthecollecteddataforregistrationtoit–atransmission

which can only be performed by the registrar. In this respect, the reseller is a processor for the

registrar.

2. Resellerchains

Intheeventofmultipleresellersinsequence,theresellerindirectcontactwiththeregistrantisthe

processor and the registrar is the contractor as described above. The additional resellers utilized

betweenthetwoare thereforesubcontractorsof therespective reseller,becauseallparties in the

chain are merely active pursuant to the original instruction of the registrar with regard to the

registrationdata.

VII. DRL2–Transferofregistrantdatatotheregistry

IntheDRL2category,asdistinctfromthepresentmodelforDRL1,amoreextensivetransmissionof

datafromtheregistrartotheregistrytakesplace.Inthismodel,theregistrymightwishtoreceiveall

theregistrantfields:

RegistrantFields• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country

49

• Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email

Theremaybeotherdata that the registrymay claim tobe able toprocess, basedona legitimate

interest.Here,wehaveusedtheexampleofsecuritycheckstoestablishpatternsofabusive/criminal

behaviorandstabilityoftheDNS.Thelistisofcoursenotexhaustiveandcanbeaddedtoonacase-

by-casebasisasrequiredbytherespectiveregistry,aslongasthecriteriaoflegitimateinterestare

met.

1. Authorization

The data listed here are not data that are obligatory for contract fulfillment under the model

suggested.A justificationofthisprocessingunderArt.6(1)b)GDPRasdatanecessaryforcontract

fulfillmentisthereforenottakenintoconsideration.

ThisdataisthusprocessedbasedonArt.6(1)lit.f)GDPR.

PursuanttoArt.6(1)lit.f)GDPRprocessingisnecessaryforthepurposesofthelegitimateinterests

pursuedbythecontrollerorbyathirdparty,exceptwheresuchinterestsareoverriddenbytheinterests

orfundamentalrightsandfreedomsofthedatasubjectwhichrequireprotectionofpersonaldata,in

particularwherethedatasubjectisachild.

Thepermissibilityofprocessingthereforedependsonthelegitimateinterestsofthecontroller,which

musttakeprecedenceintheprocessofbalancingthedatasubject’sprotectedinterests.

Various purposes are considered by the registries, inwhich a balancing decision of the legitimate

interestsprevailsovertheprotectedinterestsofnon-processing.

a) MitigatingAbuse

Alegitimateinterestoftheregistrytoalsoreceivetheregistrant’sdatalistedabovemayfollowfrom

thefactthatcertainpatternsattheregistereddomainsmustbereceivedforasuccessfulmitigationof

abusewithinthescopeoftheregistrationofdomains.Forthispurpose,itmaybespecificallynecessary

50

thattheregistryreceivedataofallregistrantsfromvariousregistrars.Otherwise,aneffectiveabuse

controlcouldnottakeplace,becausetheindividualregistrarscouldonlyreviewtheirownregistrants’

data for possible abuse. Extensive monitoring and sustainable recognition of patterns would be

impossible.Pursuant toRecital47p.6GDPR, theprocessingofpersonaldata to theextent that is

compulsoryforthepreventionoffraudconstitutesajustifiedinterestoftherelevantcontroller.

Additionally,allregistrieshavevaryinglegalrequirementsandrestrictionsfortheregistrantslaidout

intheirAcceptableUsePolicies(“AUP”).Inmanycases,theregistriesthemselvesaretheonlyproper

partytocontrolandenforcecompliancewiththeAUPunderthelawsoftheapplicablejurisdiction,as

most registrars offer domain name registrations from many different registries, including many

differentAUPandjurisdictions.

b) Centralmanagement

Thecentralmanagementintermsoftheequivalenttoacommercialregister, landregister,orbirth

register,aswellas thepatentand trademark register,mayalsobe regardedasanother legitimate

interest.Insofarastheregistrydesiresthecentralmanagementofthedataofallregistrants,thiscould

bedefinedasacentralmanagementlocationandmanagementofacentralregister.Thisincludesthe

operationofacentralWhois repositoryat theregistry level (notingthat thedisclosureofdatawill

occuraccordingtothestandardsdescribedinPartCofthispaper).

Theregistryasresponsibleentityforthenamespaceoperatedbyitcanalsoassertalegitimateinterest

intheabilitytoallocateandidentifytherelevantregistrantsforwhichitprovidesservicesunderits

remit for the namespace. In the process, central management always also brings with it certain

advantages,e.g.maintainingdataaccuracyinonelocation.Technicalandorganizationalmeasuresto

maintainconfidentialityandintegrityofthisdatamayinthiscasebetakenbytheregistryitselfatits

ownresponsibility.

Thisalsodoesnotcontradictthedataminimizationprinciplestandardized inArt.5 (1) lit.c)GDPR,

because in this respect, theregistry isalso justified in retaining thisdata,basedonthepurposeof

centralmanagementandprocessingofdatabytheregistryaswell.Basedonitsowninterestforcentral

datamanagement, the registry alsohas a legitimatepurpose fordataprocessing thatexceeds the

purposeunderDRL1.

51

c) Securityandstability

The current thick whois system is based on redundancies regarding failure controls. As described

above,thefailureofoneofthecontractedpartiescangenerallybecoveredbythedataescrows,which

istheirsolepurpose.However,incasearegistrarfailstoproperlyescrowitsregistrantdata,asecond

fallbackoption for recovering thisdatacan increase thestabilityandsecurityof thedomainname

systemimmensely.Ifinthiscasethedatahasbeentransferredtotheregistry,itcanactasasecond

safeguardbesidesthedataescrowtoprotecttheregistrants.

Itshouldbenoted,thatthecurrentthickwhoismodelhasbeentheresultofacommunitywidemulti-

stakeholder effort, via the ThickWhoisWorkingGroup, to improve the resiliencyof theDNS. This

community effort also included representatives ofmany if not allmember states of the European

Union via the Governmental Advisory Board and can therefore not be ignored when discussing

legitimateinterest.

d) Result

Asdescribedabove, the legitimate interestsdescribedwithin thisdocumentareonlyexamplesof

common purposes and interests that registries might have, which we believe to be generally

acceptableasalegalgroundforthetransferofdatatotheregistry.Thisdoes,however,notexempt

thecontroller,i.e.theregistry,fromreviewingandevaluatingthelegitimateinterestsintheirindividual

case.

Also,althoughtransferofdatatoregistriescanbebasedonlegitimateinterestsbytheregistry,these

purposesand interests shallnotbeenforcedby ICANN in theirpoliciesand requirementswith the

contractedparties.

2. ResponsibilityTheresponsibilityforcollectionandtransferofthisdatafromtheregistrartotheregistryliesinthis

casewiththeregistry.

Inthisrespect,theregistrarisactiveinthecollectionofthepreviouslylisteddatarecordswithadual

purpose,becauseitreceivesthedataforitselfanditsowncontractfulfillmentontheonehand,but

on the other hand also collects this data at the instruction of the registry. The registrar therefore

collectsthedataatitsownresponsibilityandsimultaneouslyasaprocessorfortheregistry.

52

The informationobligationunderArt. 14GDPR in this respect in particular applies to the registry,

becausethecollectionoftheregistrants’dataisnotdirectlycollectedbytheregistrybutthedatais

collectedbytheregistrarandtransferredtotheregistry.

3. RiskIntheprocessingofpersonaldatabasedonabalancingdecisionunderArt.6(1)lit.f)GDPR,thedata

subjectisentitledtoarighttoobjectpursuanttoArt.21GDPR.Art.21GDPRrequires“groundsrelating

tohisorherparticularsituation”fromthedatasubjecttoexerciseitsrighttoobject.

Therequirementsthataretobeplacedtothespecialsituationarecurrentlynotforeseeable.However,

it now already follows from the formulation “particular situation” that in comparison to other

constellations,significantlyhigherrequirementswillbeplacedundertheGDPR.

Whenassertingsuchaparticularsituation,theresponsibleentitythengenerallymuststopprocessing

thepersonaldataunlessitcanverifycompulsorygroundsworthyofprotectionforprocessing,which

outweigh the interests, rights,and freedomsof thedata subjector serve toprocess theassertion,

exercise,ordefenseoflegalclaims.

4. Conclusion

Thecollectionofdataby theregistrarand forwardingto theregistrypursuant toDRL2takesplace

exclusivelyandtotheextentasprovidedbytheregistry,subjecttothejustifiedinterestintheRRA.

Thisistogivetheregistrartheopportunityofreviewingtheplausibilityofajustifiedinterest.

If theregistrydoesnotspecifyparticularrequirements inthisrespect, theregistrarmuststopdata

processing. Iftheregistrar isoftheopinionthattheinformationconcerningjustifiedinterest isnot

sustainable,registryandregistrarmustclarifythisbywayofnegotiation.Ifajustifiedinterestexists

onthesideoftheregistry,data isprocessedbytheregistrar infulfillmentofthecontractwiththe

registry,i.e.theRRA.

Under no circumstances should the processing of data be specified or enforced pursuant to this

regulationbyICANN.

53

VIII. DRL3–Datacollectedbasedonconsent

Evenwithregardtodataminimizationandthedatamodeldescribedabove,theremaybeaspecific

interestforregistriestoobtain(anddisclose)personaldatainexcesstothedescribeddatasets,e.g.

someregistrantsmaywishtopublishtheirdatainapublicWhoisdirectorytoincreasetrustintheir

services.Suchspecial interestsbyregistries(orotherparticipants)canonlybelegitimizedbasedon

consentbythedatasubjectsasalloftheprovisionsmentionedabovedonotapply.

SuchdataprocessesarealwayspossibleincaseavalidconsentasrequiredbyGDPRiscollectedfrom

thedatasubject.

PartC–DisclosureofData

Mostregistriesoperateaso-calledThickWhois.While,fromatechnicalpointofview,thismodelisto

bemaintained,fewerdatafieldsarepopulatedand,unlesstheregistrydefinesspecialrequirements,

thedataof the registrant is alsonotpassedon to the registry. Therefore, thequestion is towhat

recipientrequestsforinformationaretobeaddressedandhowsuchrequestscanbeanswered.As

alreadydiscussed,allprocedures relating to theprocessingofpersonaldatamustcomplywith the

principleofdataminimization.Thus,aregistrywouldonlybeabletoprovidelessdatainthecontext

ofaWhoisserviceofsomekindthanaregistrar.

Inordertoallowfortheconsistentprovisionofinformation,informationfromdifferentsourcesshould

becompiledbymeansofRDAP(delegatedWhois).Furthermore,itneedstobeclarifiedthat,evenat

this point, registries and registrarsmight havemore information than they provide via theWhois

service.However,disclosureaccordingtothispaper,wouldonlygoasfarasrevealingtheregistrant

datafieldsascurrentlyshowninthepublicWhois.Thatmeansthatdataofaprivacyorproxyservice

willbeshownwheretheregistrantusessuchservices.Disclosurebyprivacyorproxyserviceswould

bebasedontheprinciplesappliedtodayandremainunaffected.

Inaccordancewiththisprinciple,itisexaminedwhichinformationmayberetrievedpubliclyorinthe

contextof inquirers informing themselves andwhich informationmustbe subjected toa separate

54

assessmentbeforebeingreleased.Furthermore,wewould liketopointoutthatthetermWhois is

usedbothfortheWhoisprotocolandtheWhoisdata.Inthecontextofthispaper,weusetheterm

merelywithregardtothedata,since,asatechnicalvehicle,RDAPispreferablefortheprovisionofthe

dataovertheWhoisprotocol.

GiventhattheWhoisservesasaglobaldatabase,theinternationaltransferofdataundertheGDPR

isoffundamentalimportanceformanypotentialdisclosureprocesses.Againstthisbackground,itis

importanttounderstandthateachtransferofWhoisdataoutsidetheEEArequiresitsown,separate

legalbasisinadditiontothelegalbasisfortheprocessingofpersonaldata.Inotherwords:Havinga

legalbasisfortheinternationaldatatransferdoesnotsubstitutetherequirementofalegalgroundfor

thedataprocessingitself.

Please do also note that Chapter 5 of the GDPR provides only potential legal grounds for the

international transfer of data by entities like registries, registrars, private stakeholders or non-law

enforcementauthorities.Theregulationdoesnotapplytotheprocessingortransferringofpersonal

data by law enforcement agencies.14 This is rather regulated by the European Directive on the

protectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthorities

forthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesorthe

executionofcriminalpenalties.15

TheEWGfinalreporthasestablishedalistofWhoisusersandtheirrespectiveinterestsinaccessing

Whoisdata16.ThegTLDRegistrationDataflowMatrixandInformationdocumentalsolistsusersand

usecases17,allofwhichhavebeenreviewedbythedraftingteamofthispaper.However,asoutlined

above,requestsforinformationfromallthoseusergroupsrequirealegalgroundfortheproviderofa

Whoisdatabasefordisclosure.Inthispartofthepaper,wefirstpresentthatapubliclyaccessiblewhois

directorycannotbejustifiedundertheupcomingGDPR(I.).Inasecondstep,thecriteriafordisclosure

fordifferentpurposesaretobeexamined(II.),followedbythanalysisofthelegalrequirementsfor

internationaldatatransfer(III.).Afterdevelopingaprocedureforhandlinginformationrequestsand

14SeematerialscopeoftheGDPRaccordingtoArt.2(2)d.15Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016.16ICANN:EWGfinalreportongTLDDirectoryServices,p.21.17ICANN:DraftdTLDRegistrationDataflowMatrixandInformation.

55

disclosureofWhoisdata inpractice(IV.),wefinally provideaproposalforaTrustedDataClearing

Houseforthedomainindustry(V.).

I.NoJustificationforaPublicWHOISundGDPRAlreadyunderthecurrentEuropeanlegaldataprotectionframework,therearedoubtsastowhether

ornotthepublicationofpersonaldataofdomainownersviaapubliclyaccessibleWHOISdatabaseis

admissible.However,oncetheGDPRcomesintoeffectinMay2018,itwillhavetobeassumedthat

theWHOISdatabaseswillnotbeabletocontinuetoexistintheircurrentform.18

1. LegallyIneffectiveConsentSection3.7.7.5,theRAA2013requiresthattheregistrantmustconsenttothedataprocessingalso

including thepublicationofWhoisdata.However, thereare significantdoubtsas towhether such

consentwillstillbeabletobeconsideredlegallyvalid.

AccordingtoArt.4no.11GDPR,consentofthedatasubjectmeans

“anyfreelygiven,specific,informedandunambiguousindicationofthedatasubject’swishes

bywhichheorshe,byastatementorbyaclearaffirmativeaction,signifiesagreementtothe

processingofpersonaldatarelatingtohimorher”.

Inaddition,Art.7(4)GDPRfurtherstatesthat,

"whenassessingwhetherconsent is freelygiven,utmostaccountshallbetakenofwhether,

interalia,theperformanceofacontract,includingtheprovisionofaservice,isconditionalon

consenttotheprocessingofpersonaldatathatisnotnecessaryfortheperformanceofthat

contract."

This provision prevents that data controllers withhold or offer a degraded version of service for

subjectswhorefuseor(later)withdrawconsent.Consentbasedonthecontractualobligation(Section

3.7.7.5,theRAA2013)willthereforenotbevalid.

18 cf. Nygren/Stenbeck, gTLD Registration Directory Services and the GDPR - Part 1, p.10 ff.;Voigt/Pieper,ImpactoftheGDPRregardingWHOISsystem,p.3etseqq.

56

2. NoJustificationunderStatutoryLawLikewise,noneofthestatutorylegalgroundsoftheGDPRisabletojustifytheWhoisdirectoryinits

currentform,inwhichalldataismadeavailableonlinetothegeneralpublic.

The publication of data in a freely accessible directory is not necessary for the performance of

contractualrelationbetweentheregistrantandtheregistrar/registrysothatajustificationunderArt.

6(1)lit.b)GDPRisnotpossible.

Furthermore,contrarytowhatisthecaseforpublictrademarkandcommercialregisters,thereisno

specific legal basis legitimizing or even requiring the operation of a public domain directory. The

coordinationofinternetcommunicationand,therefore,alsoofdomainregistrationhasalwaysbeen

performedonthebasisoflegalrelationsbetweenprivateindividuals.Thisiswhyapublicregulatory

framework,whichwoulde.g.alsorequireapublicdirectory,doesnotexist.Consequently,itcannot

bearguedthatapublicWhoiscanbejustifiedunderArt.6(1) lit.e)GDPR.Thedefinitionofpublic

interests is also subject to legislative action, which has not taken place in relation to a publicly

accessibleWhoisdata.

Ultimately,thecurrentpublicWHOISdirectorywillalsonotbeabletobejustifiedonthebasisofArt.

6 (1) lit. f) GDPR. The circumstances described therein require a weighing of the interests in the

respectivedataprocessingontheonehandandtheinterestsofthedatasubjectontheotherhandon

acase-by-casebasis.Itistruethatthereareavarietyofreasonswhycertainauthorities,individualsor

groupsofindividualshaveprofoundinterestinaccessingWhoisdata,thereforejustifyingdisclosure

(e.g.foridentificationofapersonwhohasregisteredacertaindomain)undertheGDPR.19However,

theseindividualinterestsdonotjustifythepublicationofpersonaldatainapubliclyaccessibleWhois

directory,sincethepublicationisnotnecessaryforotherpurposesortopersonsotherthantheholder

ofalegitimateinterest.

19 cf. in this regard ICANN: EWG final report on gTLD Directory Services, available at:https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf; ICANN: Draft dTLD RegistrationDataflow Matrix and Information, available at: https://www.icann.org/en/system/files/files/gdpr-dataflow-matrix-whois-11sep17-en.pdf.

57

Forthesereasons,aclosedWhoissystemwhichcanbeaccessedinindividualcasesonly(namelyif

disclosurecanbejustifiedunderdataprotectionlaw)and/orfromwhichinformationisprovidedin

individualcaseswillberequiredoncetheGDPRentersintoeffect.Compliancewiththeprovisionsof

theregulationisparticularlyimportantforanyproviderofaWhoisdatabase,asviolationssuchasnon-

justifieddisclosurecancausesignificantfinestobeimposedbydataprotectionauthorities.

II.LegalGroundsforDisclosureofRegistrationDatato3rdPartiesTherearedifferentgroupsof3rdpartieswhichmayhaveaninterestinthedisclosureofregistration

data.DisclosurethroughdatatransferisatypeofdataprocessingwithinthescopeofArt.4no.(2)

GDPR.InthecontextofdisclosureofWhoisdata,Art.6GDPRexhaustivelynamestheprerequisites

underwhichtheprocessingofpersonaldatashallbelawful.IntherelevantcontexthereArt.6(1)lit.

b),c)andf)GDPRarecrucial.Inthisregard,itmakessensetodistinguishbetween3rdpartiesfrom

thepublicandtheprivatesector,respectively,asdifferentlegalgroundshavetobeconsidered.

1. Art.6(1)lit.b)GDPR-PerformanceofaContract–(PrivateSectorOnly)

AccordingtoArticle6(1)lit.b)GDPRdisclosurecanbejustifiedwhere

"processingisnecessaryfortheperformanceofacontracttowhichthedatasubjectisparty

orinordertotakestepsattherequestofthedatasubjectpriorenteringintoacontract."

Thecontractualbasisofdomainregistrationalsocontains,interalia,provisionsthatsubjectregistrants

to certain conflict resolution regimes aiming to avoid and to resolve potential conflictswithin the

domainnameregistrationecosystem.Onlythosedomainnamescanberegisteredandtheregistration

of domain names can only be retained if there is no violation of third party rights. To the extent

necessaryfortheassessmentofpossiblelegalconflictsrelatedtothedomainnames,dataprocessing

including disclosure of personal data - can therefore be seen as being admissible under the

performance of a contract clause. This especially concerns these following two programs that are

includedinthecontractualrelationshipbetweentheregistrantandtheregistrar/registry:

• UniformDomainNameDisputeResolutionServiceforGenericTop-LevelDomains(UDRP)

• UniformRapidSuspensionSystem(URS)

58

Totheextentthatthedisclosureofpersonaldataisrequiredwithintheseprocedures,inparticularfor

thepreparationofclaimsorinquiriesbyanyonewhocrediblydemonstratestohavealegalposition

subjecttotheseprograms,WhoisdatamaybedisclosedonthebasisofArt.6(1)b)GDPR.20

2. Art.6(1)lit.c)GDPR(PublicSectorOnly)

Disclosure ofWhois data is further justified under Art. 6 (1) c) GDPR to the extent necessary for

compliancewithalegalobligationtowhichthecontrollerissubject.Art.6(1)c)GDPRitselfdoesnot

constitutealegalbasisfordataprocessing,butinsteadrequiresalegalobligationinthelawsofthe

EUortheMemberStates.21Fromthis,itcanbeinferredthatlegalprovisionsofthird-partycountries

whichhavenotbeenadoptedbytheEUortherelevantMemberState,forexamplebytransforming

internationaltreatiesintonationallaw,cannottriggeranylegalobligationwithinthescopeofArt.6

(1)c)GDPR.Therefore,adisclosurerequestsofpublicauthoritiesofnon-EUstatescannotbejustified

onthebasisofArt.6(1)c)GDPR.Foreignauthorities,however,mayrequestpersonaldataofEUdata

subjectsfromEuropeanlawenforcementagencies.Theseagencieswouldthenhavetocheckwhether

thereisalegalbasisavailablethatallowsdatatobepassedontotheforeignauthority.22Duetothe

globaldomainnamesystemandthefactthatnon-Europeanlawenforcementauthoritiesalsohave

interestsinregistrationdata,which,atleasttheoretically,mightalsocontaindataofEUcitizens,this

constitutesatremendouschallengetotheproperdesignofaconsistentdisclosureprocess.

Theterm"legalobligations"inthemeaningofArt.6(1)lit.c)GDPRdoesnotnecessarilyrequireanact

ofparliament.23Differentkindsofsubstantivelawprovisionscanbeconsideredassufficientlegalbasis

forprocessingofdata(e.g.regulationsandstatutesonthebasisofwhichpublicauthoritiessuchas

lawenforcementauthoritiesorfinancialauthoritiesaregivencompetencesorinvestigativerights).As

ageneral rule,however, thesestatutoryprovisionsmustnot fall shortof thedataprotection level

guaranteedbytheGDPR;withtheexceptionofcaseswheretheGDPRitselfprovidesforlimitationsof

the relevant rights to private life and data protection arising from Art. 7 and 8 of the Charter of

FundamentalRightsoftheEuropeanUnion.SuchanoptionforpossiblelimitationsisprovidedbyArt.

23 GDPRwhichmentions, inter alia, national and public security or the prevention, investigation,

20Pleasenotethatthislegalassessmentdoesnotconcernthequestionofwhethersuchanagreementcanbelegallyvalidlyagreedbetweentheparties,butrelatessolelytoquestionsofEuropeandataprotectionlaw.21Recitals40and45.22Pleasenotethatalsotheprovisionsforinternationaldatatransfersapply(seebelowIII.).23TherequirementsforthelegalbasisarespecifiedinRecital41;withregardtotheprinciplesofArt.5(1)aGDPR(lawfulness,fairnessandtransparency),theexplanationsinRecital39aretobetakenintoconsideration.

59

detectionorprosecutionofcriminaloffencesandtheexecutionofcriminalpenaltiesaswellasthe

protection of other important objectives such as taxation matters or social security. Provisions

regardingthedataprocessingbyauthoritiesforthepurposeofpreventing,investigating,detectingor

prosecuting criminal offences as well as for the execution of criminal penalties are regulated in

Directive(EU)2016/68024.Legalbasisinthisregardwouldbetherespectiverulesundernationallaws

ofthememberstatestransformingtheprovisionsoftheDirectiveintonationallaw.

Art.6(3)GDPRprovidesacatalogueofcriteriawithregardtotheproperdesignoftherequiredlegal

basis. These criteria can be used as a guideline for the assessment ofwhether or not a provision

satisfiestherequirementsfora“legalobligation”withinthescopeofArt.6(1)lit.c)GDPR.

Theprovisionshouldspecify

● whichgeneralconditionsgovernthelawfulnessofprocessingbythecontroller,● whichtypesofdataaresubjecttoprocessing,● whichdatasubjectsareconcerned,● towhichentitiesandforwhatpurposesthepersonaldatamaybedisclosed,● whichpurposelimitationthedataissubjectto,● howlongdatamaybestoredand● whichprocessingoperationsandproceduresmaybeused.

Whether and to what extent processing is necessary depends on the purpose for which data is

processed.Therefore,thelegalobligationmustpreciselyspecifythepurpose.25

Itis,ofcourse,notadatacontroller´sobligationtorevieweverypossiblelegalbasisforcompliance

with these requirements.However, theoutlined standardsprovidevaluable indicationsas towhat

standardsinformationrequestsformgovernmentagencieshavetomeet.

For the operationalization of requests from public authorities, we recommend to check for the

followingformalcriteria:

24Directive(EU)2016/680oftheEuropeanParliamentandtheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA.ThisdirectivewaspassedtogetherwiththeGDPR,however,itisnotapplicabletoactivitiessubjecttoUnionlaw(Art.2(3)bGDPR).SincepublicsecurityisnotgovernedbyUnionlaw,therightsofdatasubjectsmayonlybelimitedbyEUprovisionsoutsidethescopeofpublicsecurity.25Cf.Recital41;alsoconsiderRecital45,pursuanttowhichalawcanalsobethebasisforseveralprocessingoperations.

60

● therequestingorganizationorauthoritywouldhavetoelectronicallysubmittherequestonaletterheadofitsorganizationshowingwheretherequestforinformationcomesfrom.

● therequestmustshowwhichauthorizedrepresentativehassignedtherequestandhowsaidrepresentativecanbecontactedbytelephoneoremail.

● therequestmustbesigned.● thelegalbasismustbespecifiedfromwhichtherighttoaccessWhoisdatacanbeinferred.● Itmustbeaffirmedthatthedatawillonlybeviewedandusedinthecontextofthestatutory

competencesoftherespectiveorganizationorpublicauthority.

3. Art.6(1)lit.f)GDPR–LegitimateInterests(PrivateSectorOnly)

Insomecases,thedisclosureofWhoisdatamayalsobejustifiedundertheGDPRdueto“legitimate

interests”.AccordingtoArt.6(1)f)GDPR,disclosureofdatacanbejustifiedwhere

"processingisnecessaryforthepurposesofthelegitimateinterestspursuedbythecontroller

or by a third party, except where such interests are overridden by the interests or

fundamental rightsand freedomsof thedatasubjectwhich requireprotectionofpersonal

data,inparticularwherethedatasubjectisachild"

Withregardtotheinformationrequestsfromforeignauthorities,therearenodifferencescompared

tothesituationunderArt.6(1)lit.c)GDPR.Disclosureofinformationtoforeigncountryauthorities

cannotbejustified.Recital47oftheGDPRclearlystatesthatdataprocessingofthepublicsectormust

notbebasedonlegitimateinterestsbutonalegalbasisunderArt.6(1)lit.c)GDPR:

"Giventhatitisforthelegislatortoprovidebylawforthelegalbasisforpublicauthorities

to process personal data, that legal basis should not apply to the processing by public

authoritiesintheperformanceoftheirtasks."

Nothingdifferentcanapplytoforeignauthorities.Otherwiselowerdataprotectionstandardswould

apply to foreign authorities than to authorities of the EU or EU Member states. It is up to the

competentlegislatorstoprovidelegalgroundsforjustifyingdisclosureofdatatoforeignauthorities.

Only within the limited scope of Article 49 (1) lit. d) GDPR, where international data transfer is

necessaryforimportantreasonsofpublicinterest,disclosuretoforeignpublicauthoritiesbejustified

underlegitimateinterests(seebelowPartCIII2).

61

a)"LegitimateInterests"

Hardlyanyindicatorscurrentlyexistastohowtheundefinedlegaltermof“legitimateinterest”willbe

interpreted by data protection authorities and courts after the entry into force of the GDPR. The

regulationitselfdoesnotcontainadefinitionofthistermandprovidesonlyveryfewindicationson

whichinterestsmaybedeemedtobe“legitimate”.However,severalreferencesspeakforthefactthat

abroadinterpretationofthetermcanbeassumed.Restrictions,proposedinthelegislativeprocess,

havenotbeenreflectedinthefinaldraft26.Recital47furthermorementionscustomerrelationsand

theservicerelationshiponlyasexamplesforlegitimateinterests(“e.g.ifthedatasubjectisacustomer

ofthecontrollerorinitsservice”)andthusleavesabroadmarginforinterpretation.Thecharacterof

Art.6(1)lit.f)GDPRasa"catchallelement"alsospeaksforabroadunderstandingoftheterm.Against

thisbackground,allinterestsincludingfactual,economic,andimmaterialinterestscanbedeemedto

be“legitimate”.

Themain purpose of any data processing operation in connectionwith domain registration is the

provision of the services associated with domain registration within the scope of the contractual

relation.However,theactivityoftheenterpriseparticipatingindomainregistrationcannotbereduced

tothissingularpurpose.Rather,theregistrationofdomainsisaservice,which-jointlywiththeservices

ofothercompanies-guaranteestheoverallfunctionalityoftheInternet(namelyconveyingcontent

available in theWorldWideWeb). The special roles of registrar and registrywithin this technical

ecosystemisalsoreflectede.g.inthefactthattheyaresubjecttocertaindutiesasoperatorsofcritical

infrastructures.27Theactivityofregistryandregistrar-inthislight-alsoservesotherpurposesbeyond

themeredomainregistrationforcustomers,inparticularalsowithregardtothefunctionalityofthe

technical infrastructure as such. Registrar and registry therefore also have to a certain extent a

regulatory function, which for example may include participation in the prosecution of legal

infringementscommittedunderusageofthisecosystem.Againstthisbackgroundwewouldconsider

processing of data for the purpose of maintaining security measures or technical analysis (also

operatedbythirdpartyproviders)as likely(dependingontheindividualcase)beingjustifiedunder

Art.6(1)lit.f)GDPR.

26cf.Voigt/Pieper:ImpactoftheGDPRregardingWHOISsystems",p.11etseq.27cf.e.g.inGermanlawSec.5oftheCrisisDirectiveoftheGermanFederalOfficeofSecurityinInformationTechnology,BSI-KritisV,implementingDirective2008/114/EC

62

b)BalancingofInterests

However,thirdpartyinterestsindataprocessingmustbebalancedagainsttheinterestsofthedata

subject.Thepersonalrightsofthedatasubjectaswellastheeffectsforthedatasubjectarisingfrom

thisprocessingoftherelevantdataisthestartingpointofthebalancingofinterestwithinthescope

ofArt.6 (1) lit. f)GDPR,which iscontrastedby the interestsof the thirdparty in thespecificdata

processing.Toputitinanutshell:Themoresubstantialtheinterestofthethirdparty,themorelikely

disclosurecanbejustified.

However,statingthatthereisageneralinterestforapubliclyaccessibleWhoisdatabaseconsidering

theroleregistriesandregistrarsareplayingforthefunctioningofthe internet(asoutlinedabove),

wouldbeatoobroadinterpretationofthelegitimateinterestclause.InitsinterpretationofArticle7

ofthecurrentDirective95/46/ECthatalsoincludesalegitimateinterestclause,theArticle29Data

ProtectionWorkingPartymadequiteclearthatonlythoseinterestmaybejustifiedthatcanbe

formulatedinasufficientlyconcretemanner,asalackofconcretenesshindersanybalancingof

interests.

"An interestmust be sufficiently clearly articulated to allow the balancing test to be

carriedoutagainsttheinterestsandfundamentalrightsofthedatasubject.Moreover,the

interestatstakemustalsobe'pursuedbythecontroller'.Thisrequiresarealandpresent

interest,somethingthatcorrespondswithcurrentactivitiesorbenefitsthatareexpected

intheverynearfuture.Inotherwords,intereststhataretoovagueorspeculativewillnot

besufficient."28

AlthoughthisopinionwasformulatedinviewofthecurrentDirective,thisinterpretationislikely

toalsoapplytotheinterpretationofArticle7(f)oftheGDPR,astherehasbeennochangeinthe

needforabalancingtest.

AnimportantindicatorforhowtobalanceinterestsfollowsfromRecital47p.1,3.Accordingtoit,a

balancing of interestsmust also consider whether a data subject at the time of collection of the

28Article29DataProtectionWorkingParty:WP2017,p.24.

63

personaldataandinlightofthecircumstancesunderwhichitwascollectedcanreasonablyforesee

thataprocessing for thispurposewill possibly takeplace. This generally limits thepossibilities for

justificationofdataprocessingactivitiesbasedonArt.6(1)lit.fGDPR.Althoughitwillnotbepossible

toclarifytheexpectationsthatweretiedtodataprocessinginthespecificindividualcase(sothatan

objectifyingconsiderationoftheseexpectationsmusttakeplace)itfollowsfromthisthatprocessing

cannotbe justified if it takesplace forpurposes thatwerenot foreseeableby the registrantupon

registrationofthedomain.AlthoughtheexistingpublicWhoisisbasedontheregistrant'scontractual

consent,itcanbearguedinthiscontextthatregistrantsknowaboutpublicdisclosure(atleastofparts

of) registrant data and therefore must assume that personal data provided when registering the

domainwillbemadepubliclyaccessible.

TheGeneralDataProtectionRegulationitselfprovidesfurtherindicationsastowhichinterestscan,in

principle,bedeemedtobejustified.Art.21(1)GDPRexpresslystatestheestablishment,exercise,or

defenseoflegalclaimsasjustificationfordataprocessingdespiteanobjectionofthedatasubject.In

thecontextofArticle21(1)GDPR,however,itisreferredtodataprocessinginthecontextofadata

controller´sownclaimsandresponsibilities.However,fromthisstandarditcanalsobeinferredthat

Europeandata protection law considers data processing in the context of legal claims as interests

worthyofprotection.Thislegalvaluationevenappliestothetransmissionofdatatonon-European

countries,Art.49(1)lit.e)GDPR(seebelowPartCIII1).Thismustalsoaffectthebalancingofinterests

withinthescopeofArt.6(1)lit.f)GDPR.

c)NecessityofDataProcessing

Asageneralrule,disclosureofregistrantdatato3rdpartiescanonlybejustifiedtotheextentthatitis

necessaryforthefulfillmentoftherespectivelegitimateinterest.Thisprincipleof"necessity"limits

theextentofdatadisclosuretotheminimalmeanswithwhichthepurposeofdataprocessingcanbe

reached.AnydataprocessingexceedingthisextentcannotbejustifiedunderArt.6(1)lit.f)GDPR.For

thisreasonalone,arestrictionofthedisclosureoftheWHOISdatatothedatacontainedinDRL1is

necessary. Further limitations may be necessary depending on the individual interest in data

processing.29However, thedataprovided inthissetofdata isatthesametimerequiredasabare

minimumtoensurethefulfilledofthelegitimateinterests.30

29Formanythirdpartyinterests,identificationofregistrantswillbesufficient.Thereforeitcanbearguedthatemailaddresseswouldhavetoberemovedfromthedatabeingdisclosed,cf.Voigt/Pieper,ImpactoftheGDPRregardingWHOISsystem,p.3etseqq.30FordetailsonDLR1PartBII.above.

64

d)RighttoObject,Art.21GDPR

UnderArt. 21GDPR, everydata subject is entitled toobject at any timeagainst theprocessingof

personaldatabasedonArt.6 (1) lit. f)GDPRongrounds relating tohisorherparticular situation.

However,thespecific legalmeaningof“particularsituation”remainsopen.Therecitalsalsodonot

contain any further indications.However, itmust be assumed that only atypical constellations fall

underthisclause.Fordatacontrollershowever,theregulationmeansthatitmusttakemeasuresto

ensurearesponsetotheobjectionofadatasubjectintheindividualcaseandthatthisdataisdisclosed

only if (i) compelling legitimategrounds for theprocessingwhichoverride the interests, rightsand

freedomsofthedatasubjector(ii)fortheestablishment,exerciseordefenseoflegalclaims(ofthe

controller).However,theatypicalconstellationsthatauthorizeanobjectionintheindividualcaseand

thecompulsorygroundsworthyofprotectionthatintheindividualcasejustifythedisclosureofdata

issubjecttoacase-to-casereview.

e)Legitimate3rdPartyInterestsforDisclosureofWhoisData

Againstthebackgroundofthelegalstandardsoutlinedabove,itcanbeassumedthatthebalancingof

interestswilltypicallyjustifydisclosureofWhoisdatainthefollowingcontexts:31

3rdpartygroup 3rdpartyinterest CriteriaforDisclosure Datatobedisclosed(IPR)AttorneysRightholders andTrademarkAgents

Legal action against(IP)lawinfringements

• proof of admission tothebar

• credibledemonstration of lawinfringement relatedtoacertainDomain

DRL1

Consumer ProtectionAssociations

Legal Action againstconsumer protectionlawinfringements

• proof of entitlementto prosecution ofconsumer protectionlawinfringements

• credibledemonstration ofconsumer protectionlaw infringementrelated to a certaindomain

DRL1

CertificationAuthorities

VerificationofDomainOwnership

• proof of operation ofcertification services

DRL1

31 Cf. in this regard also Voigt/Pieper: Impact of the GDPR regarding WHOIS systems", p. 16;Nygren/Stenbeck,gTLDRegistrationDirectoryServicesandtheGDPR-Part1,p.13;;Nygren/Stenbeck,gTLDRegistrationDirectoryServicesandtheGDPR-Part3,p.8etseq..

65

(orknowncertificationauthority)

• proof for request forcertification byRegistrant

Althoughweseestrongargumentsthatdisclosurecanbejustifiedintheabovementionedcontexts,

thisdoesnotnecessarilymeanthatacontrolleratthesametimeisunderanobligationtodoso(e.g.

registrarsmaychoosetotakedownawebsiteratherthantodiscloseregistrantdata).

Finally,weshouldnotethatthelimitationsimposedbyGDPRwillhavesignificantimpactoncompanies

andindividualsworkingonsafetyandsecurityissues.TheselimitationsshouldbediscussedwithDPAs

withthegoaloffindingsolutionsthatallowforefficientworkonITandnetworksecurity.

4. Otherrequests

With regard to third party requests, the justifications for disclosure of data outlined above are

exhaustive.Anyotherthirdpartyrequests,suchasgeneral inquiriestotheregistrantcannot justify

disclosureofregistrantdata.Itisthereforeadvisablethatregistrarsoffereitherananonymizedemail

addressfortheregistrantsviaawebinterfaceorawebformwheremessagesfortheregistrantscan

beenteredandwillthenbeforwardedtotheregistrant’semailaddresstoensureanonymity.

5. Note:DataSubject´sRights,Art.12etseq.GDPR

GDPRalsocontainsanumberofsocalleddatasubject´srights.Inparticular,itmustbeensuredthat

theperson,whosepersonalisbeingprocessed(i.e.inparticulartheregistrant)receivesinformation

abouthispersonaldataprocessedbythedatacontrolleronrequest,Art.15GDPR.Furtherdatasubject

rightsrefere.g.tothedeletion(Art.17GDPR)orrectification(Art.16GDPR)ofdata.Consequently

registriesandregistrarsmustensurecorrespondingprocedures.Themostconvenientwaytoprovide

thosefunctionswithinprotectedcustomerareas.

6. Disclaimer

ThelegalrequirementsfordisclosureofWhoisdatadescribedaboveexclusivelyrefertotheprovisions

oftheGDPR.Pleasenotethattheremightbeadditionallimitationsofwhatdatacanbedisclosedunder

nationallawsacontractedpartymightbesubjectto.Theotherwayaround,lawsofnon-EUmember

states may entail legal obligations for disclosure of data (e.g. for criminal law enforcement). The

resulting conflicts between thedifferent legal systemsarenotpart of the legal assessment in this

paper.

66

III. InternationalTransferofDataAsnotedabove,furtherlegalrequirementsapplytodisclosureof(Whois-)dataincasedataisbeing

transferredoutsidetheEEA.Asthecurrentdataprotectiondirective,theGDPRstipulatesasetofrules

forinternationaldatatransferstoensureanadequatelevelofdataprotection,evenifdataisbeing

transferredabroad.Theserequirements(Articles44et.seq.GDPR)apply inadditiontothegeneral

rulesonthelawfulnessofdataprocessingassuch(esp.Article6GDPR,seePartCIIabove).Thismeans

inpractice,onceprocessingofdata(inthiscase:disclosure)canbejustifiedunderArt.6GDPR,this

doesnotnecessarilymeanthattransferofWhoisdatatonon-EUMemberStatescanbejustified,too.

Similar requirements to thoseofGDPRexist for thedata transfer fromEuropean lawenforcement

authoritiestothoseofthirdcountriesonthebasisoftheDirective(EU)2016/680.

1.InternationalDataTransferunderGDPR

TheGDPRprovidesvariouspossibilitiestojustifytransferofdataoutsidetheEU,suchas

• Article45GDPR:DatatransferonthebasisofanadequacydecisionbytheEUCommission

(non-EUstatescanapplyfortheEUCommissiontoissueanadequacydecisionthatrecognises

thelevelofdataprotectionascomparabletoEUstandards).

• Article 46 GDPR: "appropriate safeguards", such as legally binding and enforceable

instrumentsbetweenpublicauthoritiesorbodies,bindingcorporaterules("BCRs")withina

groupofcompanies,StandardContractClauses("SCCs")providedbytheEUCommissionor

safeharbourcertification.

More importantly, theGDPRprovides furtherexceptions for internationaldata transfers in certain

contexts,Art.49GDPR.Datatransfercanbejustifiedwithouttheneedforanadequacyassessmentor

appropriate safeguards, among other things, if the transfer is necessary for the performance of a

contractbetweenthedatasubjectandthecontroller(Art.49(1)lit.bGDPR),forimportantreasonsof

publicinterest(Art.49(1)lit.dGDPR)orifitisnecessaryforestablishing,exercisingordefendinglegal

claims(Art.49(1)lit.eGDPR):

Article49(1)lit.b)GDPRreflectstheconcept,alreadylaiddownforjustificationofdataprocessing

underArt.6(1)lit.b)GDPR.Accordingtothisprovisiondataprocessingisjustifiedwhereitisnecessary

fortheperformanceofacontract(seeabovePartCII1).Article49(1)lit.b)GDPRextendsthislegal

valuation to international data transfers. Consequently, where data transfer is necessary for the

67

performanceofthedisputeresolutionprograms"UDPR"and"URS",atransfertothenon-EUcountry

maybeconsideredasbeingjustified.

Article49(1)lit.d)GDPRjustifiesinternationaldatatransferifitisnecessaryforimportantreasonsof

publicinterest.Article49(4)GDPRfurtherclarifiesthatanythirdcountryinterestpresentedinorder

tojustifydatatransferunderArticle49(1)lit.d)GDPRmustalsoberecognisedeitherinEUlaworin

the laws of the respective EUMember State. The scope of this provision is quite limited as only

particularlyimportantpublicinterestscanbetakenintoaccount.Inthisrespectrecital112explicitly

names international data exchange between competition authorities, between tax or customs

administrations,betweenfinancialsupervisoryauthoritiesandbetweenservicescompetentforsocial

securitymatter or for public health. Furthermore, an excessive use of this justification clause for

transferstoforeignpublicauthoritiesmayunderminelegislativedecisionsfororagainstinternational

cooperationwiththirdcountries.Internationaldatatransferforpubliclawenforcementpurposesis

regulatedwithinDirective(EU)2016/680andisthereforeoutsidethescopeoftheGDPR.

Article49(1)lit.d)GDPRfurtherallowsinternationaldatatransferstonon-EUstatesifitisnecessary

fortheestablishment,exerciseordefenceoflegalclaims.ThisprovisionenablescontrollersofWhois

datatosatisfyinformationdemandsrelatedtoprivate(IP-)lawenforcementfromoutsidetheEU.The

wordingoftheprovisionisnotlimitedtoadatatransferinthecontextofcourtproceedings.Therefore,

theprovisionalsopermitsdatatransfertoprivatepartiesorpublicauthorities,aslongasthisatransfer

serves the purpose of establishing, exercising or defending of a legal claim (e.g. in administrative

proceedings).

Theexceptionforatransferofpersonaldataaccessiblewithinpublicregisters(Art.49(1)lit.g)GDPR),

however, does not apply to a publicWhois directory. This provision only covers registers that are

intendedtoprovideinformationtothepublicunderthelawsoftheEUortheMemberStates,suchas

commercialorlandregisters.ThisisnotthecasewithprivatedirectoriesliketheexistingpublicWhois.

2.InternationalTransferofWhoisDatatoNon-EULawEnforcementAgencies

According to Directive (EU) 2016/680, EuropeanMember States should ensure that a transfer by

Europeanlawenforcementagenciestoathirdcountryortoaninternationalorganisationtakesplace

onlyifnecessaryfortheprevention,investigation,detectionorprosecutionofcriminaloffencesorthe

executionofcriminalpenalties, includingthesafeguardingagainstandthepreventionofthreatsto

publicsecurity,andthatthecontrollerinthethirdcountryorinternationalorganisationisacompetent

authorityaswell.SimilartotherequirementsforinternationaldatatransferaccordingtotheGDPR,

68

suchtransfersmaytakeplaceforinstanceincaseswheretheEuropeanCommissionhasdecidedthat

thethirdcountryorinternationalorganisationinquestionensuresanadequatelevelofprotectionor,

intheabsenceofanadequacydecisionandofappropriatesafeguards,certainderogationsforspecific

situationsapply(e.g.inordertoprotectthevitalinterestsofthedatasubjectoranotherpersonorfor

thepreventionofan immediateandserious threat topublicsecurityofaMemberStateora third

country).

IV. ProceduralAspects

a)CertificationofPublicAuthorities

Allinall,evenifthecriterialistedabove(PartCII2)areusedasabasisforthedisclosuredecision,

theremaystillbealargevarietyoflegalbasesand,therefore,ofpublicauthoritiesactingonthebasis

of such. In practice, this would lead to the result that, in case of information disclosure requests

submitted to registrars or registries, the assessment of the legal basis to be performedmight be

extremelycomplexanddifficultandrequiresignificantadministrativeeffortsandtime,forwhichquite

anumberofresourceswouldhavetobeprovided.Saideffortandtimeincreaseswiththenumberof

expectedrequests.In2014,forexample,DeutscheTelekom,alone,disclosedtheownersof733,377

69

IPaddresses,whichinaccordancewithEuropeanlawmustalsobeconsideredpersonaldata,tolaw

enforcementauthorities32.

Inaddition, in caseof the investigationandprosecutionof criminaloffences ithas tobegenerally

assumedthattherequestofthepublicauthorityisurgent.Anindividualassessmentofallrequestsfor

informationwouldstandinoppositiontotheurgentneedfor informationofthepublicauthorities;

evenmisjudgmentsoftheassessorcouldnotbeexcluded.

Aregistrationand/orcertificationofpublicauthoritieslenditselfasapossiblesolutionforpreventing

this.Thus,acase-by-caseassessmentbasedonthecriteriashownabovewouldnotbenecessaryand

quickaccessforthepublicauthoritieswouldbeensured.

Inthiscontext,inaregistrationand/orcertificationprocess,firstofallanassessmentbasedonformal

criteriacanbeconducted inordertoassesswhetherornottherespectivepublicauthoritymaybe

entitledduetoalegalbasistorequestinformationontheownershipofadomain(atthesametime

constitutesjustificationfordatadisclosureunderArt.6(1)lit.c)GDPRfortheregistry/registrar).

Afterthecertification,thepublicauthoritieswouldbeabletoviewtheDRL1dataofsuchdomains

whicharerelevante.g.inconnectionwiththeinvestigationofacriminaloffense.

Inapolicyfortheuseofthedata,anypublicauthoritywouldfurthermorebeobligated

● nottoperformabusiveormassdatainquiries,● nottoforwardtheobtaineddatatounauthorizedthirdparties.

Oncecertificationtookplaceonthisbasis,accesstoDRL1datacanbegivenwithinthescopeofterms

ofuse.

Althoughdisclosureofdatawouldnotbestrictlylimitedtoindividualregistrantdata,theeffectstothe

registrant arising from a certification model compared to a generally publicly accessible WHOIS

directory significantly lowers the impact on the data subject due to strict access restrictions and

32 Cf. https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/archiv-datenschutznews/news/transparency-report-2014---cooperation-with-government-agencies-362418.

70

purpose limitations. The impact to the registrant´s right and freedoms can be further reduced by

implementingtechnicalmeasureslike

• limitationtoinquiriesforindividualdomains

• limitationsofthetotalnumbersofqueries

• localizationoftherequestbasedonIPaddress

• theuseofCAPTCHAs

However, there are also critical voices about such a model. Their argument is that access by

"automatically qualified parties" that have beenqualifiedwithin a certification process cannot

replace the required legal assessment in each individual case.33 This argument cannot be

completelydismissed.However,evenifdirectaccessbasedoncertifiedaccessonlyshouldnotbe

legallypossible,certificationofthoseauthoritiesbeingentitledtorequestinformationatallwould

alreadybeaconsiderablefacilitationoftheprocessjustifyingtheeffort.

b)CertificationofPrivate3rdParties

Such certificationmodel could also be used for information requests fromprivate 3rd parties. The

certificationprocesswouldneedtofulfillataminimumthefollowingcriteriatojustifydisclosureof

registrantdata:

Firstly,thecertificationwouldfromthestartberestrictedtothelimitedgroupof3rdpartiestypically

havinglegitimateinterestsindisclosureofWhoisdata(asoutlinedabove).

Fortheregistrationitself,theapplicantwouldneedtoprovideevidenceconcerningtheassociation

withoneofthose3rdpartygroups.Thismaytakeplacee.g.throughelectronictransferofanattorney’s

ID card or the excerpt of the register of the association or the chamber of commerce, aswell as

providingdetails likeorganization’swebsitesetc.Theprecisemodalitiesofregistrationcanalsobe

orientedtowardtherespectivenationalspecifications(e.g.reviewingthelistinginapubliclyaccessible

attorney’sdirectory,ifavailable).

Further,therequestwouldhavetobefiledbyapersonauthorizedtorepresenttherespective3rdparty

group.Inapolicyfortheuseofthedata,anyapplicantwouldfurthermorebeobligated

● nottoperformabusiveormassdatainquiries,33Cf.Nygren/Stenbeck,gTLDRegistrationDirectoryServicesandtheGDPR-Part3,p.11.

71

● nottoperformdatainquiriesforadvertisementordirectmarketingpurposes;● onlytoviewdataifthisisnecessarytoestablish,exerciseordefendlegalclaims,● nottoforwardtheobtaineddatatounauthorizedthirdparties.

Oncecertificationtookplaceonthisbasis,accesstoDRL1datacanbegivenwithinthescopeofterms

ofuse.

Althoughdisclosureofdatawouldnotbestrictlylimitedtoindividualregistrantdata,theeffectstothe

registrant arising from a certification model compared to a generally publicly accessible WHOIS

directory significantly lowers the impact on the data subject due to strict access restrictions and

purpose limitations. The impact to the registrant´s right and freedoms can be further reduced by

implementingtechnicalmeasureslike

• limitationtoinquiriesforindividualdomains

• limitationsofthetotalnumbersofqueries

• localizationoftherequestbasedonIPaddress

• theuseofCAPTCHAs

Note:

RDAPmakes it possible for CAs to issue certificates granting tiered access basedonpre-defined

parameters.Certificationcanthereforebegrantedformultiplecontractedpartiesandmustnotbe

conductedwitheachandeverycontractedparty.

c)LogicalStructureofaDisclosureProcess

IfarequestortypesinaWhoisqueryonadomainname,theWhoisquerywillreturndatathatcomes

fromtheregistrar,including

• Domain Name, Registry Domain ID, RegistrarWhois Server, Registrar URL, Updated Date,

Creation Date, Registry Expiry Date, Registrar, Registrar IANA ID, Registrar Abuse Contact

Email,RegistrarAbuseContactPhone,DomainStatus,NameServer,DNSSEC,NameServerIP

Address,LastUpdateofWhoisDatabase.

Incasearequestorisinterestedinfurtherinformationaboutaregistereddomain,heisprovidedwith

thefollowingoptions:

72

Certifiedusergroupssuchaspublicauthoritiesandthirdpartiesthatcanpresentlegitimateinterests

canaccessDRL1dataviatheCertifiedRequestorProgram:

73

ForothergeneralquerieswheredisclosurecannotbejustifiedunderGDPR,requestorwillbeprovided

withananonymizedemailaddressorawebformfromwhichmessagescanbesenttotheregistrant

emailaddress.

V. ProposalofaTrustedDataClearinghouse(TDC)

AGDPRcompliantWHOISsystemmandatorilyresultsinthefactthatamoreefficientprocessmustbe

found,whichatthesametimecontinuestoprovideaccesstotheauthoritiesand3rdpartiesoutlined

above.

Theoutlinedprocedureforprocessinginformationrequestswillentailanextremeorganizationaland

procedural effort both for the requesting party aswell as for the responsible entity, because the

inquiring partywould first have to research the competent registrar or registry for the respective

domain towhich itmustaddress its request for information.The relevantcontactpartnersand its

contactinformationmustthenbediscovered,inparticularinurgentcases.

Anexpertlyqualifiedandtrustworthyinstanceasaneutralinformationbrokercouldcoordinateaccess

totherelevantWHOISdataandhandletheparties’relevantobligationstodatadisclosuretounifythis

processonagloballevelforallplayersparticipatinginit.ThisTrustedDataClearinghouse(hereinafter

“TDC”)wouldoperateaplatformonwhichtheoutlinedregistrationcertificationprocesswouldbeset

upfortheidentifiedgroupofauthoritiesand3rdpartygroupsauthorizedtoreceiveinformation.

OnlydatacategoryDRL1wouldbeaccessiblethroughthisplatform.Thiscategoryincludesinparticular

nameandcontactdetailsoftheregistrantaswellasthetimeofdomainregistrationandthusprovide

authorized entities with the information concerning the entity that is legally responsible for

registrationofthedomain.Basedonthis,interestsconcerningpubliclawenforcementaswellasthe

legitimate interest in theestablishment, exerciseordefenseof legal claimsunder civil law (e.g. to

prosecutecopyrightortrademarkviolations)wouldbepossible.

Further,acommunicationtoolcouldbesetup fornon-certifiedrequestors throughwhichtheTDC

mediatescontacttothedomainownerandleaves ituptothedomainownertoeithercontactthe

inquiringpartyortoconsenttothedisclosureofitsdata.

74

With regard to information for the prosecution of claims under civil law, this system would be

restricted only in cases in which the registrant asserts its right to object under Art. 21 GDPR. As

presentedabove,Europeanregistrantsareentitledtoobjecttotheprocessingoftheirpersonaldata

forgroundsrelatingtotheir“particularsituation”.

The TDC could also handle the processing of these objections. The registrars and registrieswould

provideacorrespondingemailaddresswithinthescopeoftheirobligationtorefertotheexistenceof

thisrighttoobjectintheirprivacynotice.Anyobjectionsreceivedatwouldthenbelegallyanalyzed

bytheTDCtoreviewwhetherarighttoobjectexistsintheindividualcase.Ifthatisthecase,datacan

be anonymized, or at least disclosure of such data to requestors can be denied. Art. 21 (1) GDPR

generallyprovidesthattheinterestsoftheresponsibleentityindataprocessingcaninparticularbe

predominantiftheprocessingservestheassertionoflegalclaims,buttheregulationheremeanslegal

claimsintherelationshipbetweentheresponsibleentityandthedatasubject,notlegalclaimsofthird

partiesdecisivehere,e.g.oforiginatorsortrademarkowners.

PartD–Outlook

Ideally,thecontractedpartieswouldagreeonajointdatamodelwithICANN.

Implementationoftheplaybookmodelinatimelyfashionposesanadditionalchallengetoallparties

involved.Technicalimplementationneedstobedone,registryrequirementsneedtobedefinedboth

contractuallyaswellasinEPP.Registrarsmightneedtowaiveorshortennoticeperiodsforchanges

ofregistryrequirements.Itwouldbeadvisabletodefinedifferentclassesofregistryrequirementsand

centrallydefineEPPandRRAstandardizedlanguage.

75