Proposed EU Digital Services Rules Will Affect ICANN, Whois

ICANN staff said the regime would increase responsibilities for online service providers, including platforms and other intermediary providers. The cybersecurity package (see 2012230096) would directly affect all providers of DNS services, they told a webcast last week. The legislation raises the question of whether ICANN should halt its policymaking on access to Whois registrant personal data, lawyers said.

The DSA would impose EU-wide rules on illegal content and would apply to companies that offer digital services and goods to consumers, said ICANN Vice President-Government and IGO Engagement Elena Plexida. It would revise the 2000 EU e-commerce directive, though it wouldn't remove the prohibition against general online monitoring or change the "safe harbor" provisions exempting "mere conduit" providers from liability for content posted by users. Rules would affect a variety of intermediary services such as ISPs, domain name registrars, hosting services and platforms.

The cybersecurity strategy includes several actions involving the DNS, Plexida said. The EC intends to create a public DNS resolver service, DNS4EU, and to speed take-up of IPv6 and internet security standards. The NIS2 directive would apply to all providers of DNS services along the DNS resolution chain, such as root name server operators and top-level domain servers. The DSA carries technical and operational considerations, said ICANN Chief Technology Officer David Conrad. The EC plans to work with and fund European entities to "deal with extreme scenarios affecting the integrity and availability of the global DNS root system." There's no intent to create a "European internet," only to deal with extreme cybersecurity risks, he said. The question is what can be done to ensure the proposals don't fragment the internet, he said.

NIS2's Article 23 "will likely cause a few tremors through the ICANN community, if not a wider earthquake in 'ICANNland,' with regard to the future of WHOIS or its eventual successor," said Hogan Lovells domain name attorney David Taylor in an email. While fully supportive of the general data protection regulation and data protection principles, he hopes the provision could help ICANN refocus its Whois policies toward the centralized global access model many want, and revamping Whois accuracy requirements: The proposals are "a potential means to resolve the problems created by over-application of the GDPR by the ICANN community."

Given the significant regulatory action from the EU in NIS2 and Congress' instruction to NTIA to work with ICANN to expedite a global access model for timely access to accurate domain name registration data for legitimate purposes, ICANN "is approaching a crossroads and needs to look carefully at the direction" its Whois policy development team is taking, said Taylor: The organization should consider pausing until it understands the potential impact of the EU and congressional developments.

The DSA appears to cover DNS providers such as registries and registrars, but it's unclear what category they're in or whether the e-commerce directive's safe harbor provisions apply, said Coalition for Online Accountability Executive Director Dean Marks in an interview. Coalition members include MPA, RIAA, Disney and AT&T's Warner Media.

Some stakeholders believe it's up to domain name holders to decide what Whois information they supply -- regardless of whether the data is correct -- and that under the GDPR, accuracy is a right solely for the data subject and not an independent imperative, Marks said. He and law enforcement and copyright owners believe accuracy means the information must be objectively correct.

EU is trying "to circumvent ICANN DNS policies" via NIS2, the Internet Governance Project blogged in December. "Not only is it seeking to layer EU Directives over ICANN rules, it is doing so to cater to the demands of the same privacy-hostile interests which Europe claims to be saving us from."