Privacy issues have been important to parts of the ICANN community for many years. I can attest to that fact as a long time veteran of Whois debates as far back as 1998 when I was with the U.S. Federal Trade Commission. However, they have started to receive the general ICANN community visibility only relatively recently. These efforts must continue in order to protect rights, to avoid increasing potential conflicts between ICANN rules and applicable laws, and to generally maintain trust in the Internet as a place to be.

Previously, privacy questions were discussed within groups or at forums. They arose in discussions about possible legitimate reasons for falsifying domain registration information and in conversations regarding whether privacy and proxy services should be allowed and for what kinds of registrations. Unfortunately, we who worked on the Thick Whois PDP Working Group, for which I served as Chair of the Data Protection and Privacy Subteam, found little evidence of any systematic analysis within the ICANN community of the intersection between ICANN practices and privacy protections.

ICANN has been active in privacy issues on the surface, such as through promulgations of the ICANN Procedure for Handling Whois Conflicts with Privacy Laws. In addition, questions have arisen in Registry Service Evaluation Process proceedings concerning .cat and .tel. However, these activities have happened on one-off bases.

Relatively recently though, suggestions and opportunities for thorough examination of privacy questions have stepped up significantly. The report of the ICANN Whois Policy Review Team noted data protections concerns and public comments that had been submitted about them. The Expert Working Group on gTLD Directory Services has spent much time on questions related to data protection, and continues to examine them.

The Thick Whois PDP group conducted as thorough a look at the questions as its resources and expertise allowed, both with respect to maintaining data registration data and transferring it across borders. The 2013 Registrar Accreditation Agreement expanded the ability of registrars to seek exemptions from Whois contract requirements in the event of conflicts. Some level of data protection and privacy review also will be part of the work of the Privacy and Proxy Services Accreditation Issues PDP Working Group, which I chair.

This increased formal ICANN attention to privacy questions is essential and long overdue. However, there must be follow through and it must be done systematically. A comprehensive catalogue of data protection and privacy laws and how they might affect all parts of the ICANN community and all contracts or rules is impossible, but some level of consideration and guideline development must be done. These guidelines must be developed with due consideration for the laws of all nations and full examinations of their strengths and weaknesses. A growing number of countries around the world have data protection regimes or are part of international compacts that govern relevant issues. In addition, sometimes entities that are cited as weak on privacy protection in fact have stronger safeguards with respect to certain topics than others that are held out as examples of model practices.

I am discussing privacy related to ICANN, its practices, and its community here. The topic is not about surveillance practices of any government, the United States or elsewhere. No amount of work within ICANN or changes to its structure will obviate those kinds of privacy risks. ICANN arguably is very late to the game in giving data protection and privacy their due regard, but confluence of activities that have occurred over the last year or so, and are continuing now, make this period a perfect time to address legitimate concerns.