ICANN has granted another two European registrars data retention waivers following concerns over how the Registrar Accreditation Agreement conflicts with European data retention laws.
One waiver was granted to Blacknight Internet Solutions who submitted to ICANN a Registrar Data Retention Waiver Request on the basis of Registrar’s contention that compliance with the data collection and/or retention requirements of the Data Retention Specification in the 2013 RAA violates applicable law in Ireland.
The second waiver was granted to Nameweb BVBA on the basis of the Registrar’s contention that compliance with the data collection and/or retention requirements of the Data Retention Specification in the 2013 RAA violates applicable law in Belgium.
The waivers shall remain in effect for the duration of the term of the 2013 RAA signed by the registrars.
The issue has come about as some registrars, particularly in Europe, have expressed concerns that local data protection and other privacy laws make it difficult for them to comply with these new requirements. ICANN has noted these concerns and that laws vary from country to country and that some of the new data retention requirements in the 2013 RAA may conflict with certain European data protection and privacy regulations. In a posting on the ICANN blog, ICANN’s Cyrus Namazi said, “to be clear, governing laws take precedence over the terms of the RAA.”
The issue from a European perspective was made clear in a letter from the European Commission’s Article 29 Working Party in June 2013 who said “the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.” Obviously this hasn’t happened and ICANN is issuing waivers on a registrar-by-registrar basis on the specific laws that are being violated in the country the registrar is located.
The Working Party also reiterated “its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political rights.”
“The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the propose d data retention requirement violates data protection law in Europe.”