Home / Blogs

European Data Protection Supervisor Smacks ICANN Over Privacy Issues With 2013 RAA

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Michele Neylon

ICANN has been sent a letter by the European Data Protection Supervisor calling them out with respect to both data collection, retention and privacy within the context of the 2013 Registrar contract (RAA).

The letter is the first instance of one, to my knowledge, which makes reference to the ECJ's recent ruling that rendered the data retention directive null and void.

While the letter is very polite, as they always are, they make it very clear that they consider the RAA's default requirements to be in breach of EU law. (Of course they're not the first entity to tell ICANN this, but obviously ICANN is a bit hard of hearing...). It's almost understandable at this stage why one GAC representative from the EU referred to ICANN as "deaf or stupid" a few years ago.

Here's the "meat" of the letter:

… the 2013 RAA and the Draft Specification continue to fall short of compliance with European data protection law.

The Draft Specification should only require collection of personal data, which is genuinely necessary for the performance of the contract between the Registrar and the Registrant (e.g. billing) or for other compatible purposes such as fighting fraud related to domain name registration. This data should be retained for no longer than is necessary for these purposes. It would not be acceptable for the data to be retained for longer periods or for other, incompatible purposes, such as law enforcement purposes or to enforce copyright.

Processing contrary to these recommendations would be contrary to three key principles of European data protection law set forth in Directive 95/46/EC. It would violate the principle of purpose limitation under Article 6(1)(b) of Directive 95/46/EC, which prohibits the processing of personal data for incompatible purposes4, the requirement under Article 7 of the Directive to have an appropriate legal ground for the processing of data, such as contract, consent or the legitimate interest of the controller, and the requirement of proportionality, including the requirement not to retain data 'longer than is necessary for the purposes for which the data were collected or for which they are further processed' (Article 6(1)(e)). These provisions are specifications of the fundamental rights to privacy and the protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Retention of personal data originally collected for commercial purposes, and subsequently retained for law enforcement purposes, has been the subject of a recent landmark ruling by the European Court of Justice, which held Directive 2006/24/EC to be invalid, as an unjustified interference with those rights.6 The Court recognised that the retention of personal data might be considered appropriate for the purposes of the detection, investigation and prosecution of serious crime, but judged that the Directive 'exceeded the limits imposed by compliance with the principle of proportionality'. It is reasonable to expect requirements for retaining personal data to be subject to increasing scrutiny and legal challenges in the EU.

And the full letter is here.

By Michele Neylon, MD of Blacknight Solutions. More blog posts from Michele Neylon can also be read here.

Related topics: Domain Names, Intellectual Property, ICANN, Policy & Regulation, Privacy

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Sponsored Topics

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

i2Coalition to Present Tucows CEO Elliot Noss With Internet Community Leadership Award

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Michele Neylon Appointed Chair Elect of i2Coalition

2016 U.S. Election: An Internet Forecast

Afilias Chairman Jonathan Robinson Wins ICANN's 2016 Leadership Award at ICANN 57

MarkMonitor Supports Brand Holders' Efforts Regarding .Feedback Registry

8 Tips to Find Your Perfect .COM Domain Name

Why .com is the Venture Capital Community's Power Player

Understanding the Risks of the Dark Web

Radix Launches Startup League at TechCrunch

Celebrating One Year of .online

LogicBoxes Launches the New Elite Reseller Program

Effective Strategies to Build Your Reseller Channel (Webinar)

Facilitating a Trusted Web Space for Financial Service Professionals

Verisign Named to the Online Trust Alliance's 2016 Honor Roll