ICANN Chair Maarten Botterman spoke at the recent Domain Pulse conference in Innsbruck, giving a keynote address titled My Vision for Internet Governance and ICANN. He also participated in a panel on Internet Governance: Next Generation, which focused on how to get young people more involved in internet governance issues and then spoke to me. In part one of our interview with Botterman we discussed issues such as data protection, the differences between Europeans and others when it comes to privacy, whether European and US views will ever be compatible, as well as a WHOIS replacement that complies with the GDPR.
In part 2 of the interview we’ll discuss getting young people involved in internet governance, the future of the DNS, how ICANN participates in legislation and policy developments around the world (and how successful this is), and what he’d like to see changed at ICANN.
First up we asked Maarten to have ‘A Look into His Crystal Ball”, the conference theme, regarding he sees as the key issues and differences between countries and regions around the world when it comes to privacy.
Maarten responded by saying that “if you go around the world there are differences in all regions.” He explained that the differences when it comes to what’s important aren’t just about privacy. There are also differences that go “beyond ICANN, but touch upon ICANN. For example, in Africa, there is a focus on getting connected, in the first place. In India, there is a lot of emphasis on fighting poverty and how the internet can help resolve that. If you look at the differences between Europe and America particularly, then there are two elements that are quite different when it comes to privacy. In the US, privacy is an economic right that can be traded but in Europe it’s seen as a human right that cannot be traded. So now the world tries to find a balance. It’s important for us to find that balance as the stakes go up because of increasing digitisation. Most of us have a greater digital footprint than we realize, between social media, professional content, banking, credit cards and the like. If you combined it all together, a pretty intrusive picture is formed allowing for bad actors to abuse. And it’s important that this be addressed. And we don’t have all the solutions yet as I said on stage.”
“The privacy rules currently discussed are not that different from before the GDPR [European Union’s General Data Protection Regulation] to now, but they’re now more strongly enforced and have more focus. Because of this I think we’re doing the right thing by addressing these issues consciously. So that’s the privacy part where the US and the EU try to find a way together.
“I think if you look at both issues, and also at a global level, you’ll find that in many ways the European principled based approach provides a useful “middle” between the more market-driven American approach, and that of Asian states. It’s of course an oversimplification. This difference has affected the domain name industry as well.”
The European Union’s GDPR was implemented almost two years ago, so we asked Maarten about ICANN’s response, since it’s now not permissible to collect the registrant data that ICANN previously required be collected under their registrar and registry agreements for gTLDs, and why ICANN still doesn’t have a permanent response.
“Well, that depends on two things. One is we’re working on an arrangement where we can offer registrant data to those who are entitled to it. Steps have been taken toward this, ranging from the way data is collected and presented in the WHOIS replacement, RDAP, as you are aware. RDAP supports secure access to data, and the ability to provide differentiated access to registration data. The community is working on modifications to existing requirements in the Registrar Accreditation and Registry Agreements in order to comply with the GDPR through an EPDP (Expedited Policy Development Process). Within ICANN, the community develop the policies, as stated in our Bylaws. And I think we’re getting to the best possible outcome. However, we don’t know what solution will be found acceptable from a GDPR perspective, so we’re seeking clarity from Europe’s data protection authorities as well as the European Commission. We’re looking for what is good enough, what would work and what the EU believes would fulfill the intentions of GDPR. We don’t want to break the law, but GDPR was clearly not developed for the purpose of the WHOIS.”
Lastly on privacy, we asked whether the American view of privacy and the European’s view will ever be compatible?
Delving into his crystal ball Maarten, said he thinks “it has to as the world becomes more and more global. If I look back to an evaluation I did with RAND Corporation on the European Data Protection Directive around 10 years ago, it was already becoming clear that, ultimately, there will be a move toward a principal-based front end and a harms-based backend when it comes to privacy.”
“The harm-based backend drives the American system more and the principal-based drives the European system. At some point this will need to come together because data, including those related to private persons, go across borders, which is happening now too. Further developments are likely to happen over the time to come. The principles are becoming clearer: people need to be protected against the abuse of their data. How we get there this is one part, and WHOIS is just a small aspect of the issues to be tackled by the GDPR.”